FYI
- The FFIEC members revised and renamed the Business Continuity
Planning booklet to Business Continuity Management (BCM) to reflect
updated information technology risk practices and frameworks and the
increased focus on ongoing, enterprise-wide business continuity and
resilience. The new Handbook can be found at:
https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx
PHONE NUMBER CHANGE
- Because of the ever-increasing fees, I am going to stop using my
AT&T business landline in January 2020. If you have not already done
so, please change our phone number to my cell phone 806-535-8300.
FYI
- Cleveland Fed's Mester urges regulators to be more agile on
cybersecurity risks - Cleveland Federal Reserve President Loretta
Mester said on Thursday that financial firms and regulators should
be more agile and share information to better combat cybersecurity
threats.
https://www.reuters.com/article/us-usa-fed-cyber/cleveland-feds-mester-urges-regulators-to-be-more-agile-on-cybersecurity-risks-idUSKBN1XV1L3
Target files $74 million suit against Chubb over breach coverage -
Target has filed a lawsuit against Chubb with the retailer
claiming the insurance carrier did not properly compensate it for
costs incurred following the 2013 data breach.
https://www.scmagazine.com/home/security-news/legal-security-news/target-files-74-million-suit-against-chubb-over-breach-coverage/
Russia bans sale of gadgets without Russian-made software - Russia
has passed a law banning the sale of certain devices that are not
pre-installed with Russian software.
https://www.bbc.com/news/world-europe-50507849
PN-G pays ransom to regain access to district files - Port
Neches-Groves ISD paid an undisclosed amount of money via Bitcoin to
a suspected overseas cyberattacker who encrypted millions of the
district’s files and issued a four-day deadline to respond to the
criminal demands.
https://www.beaumontenterprise.com/news/article/PN-G-pays-ransom-to-regain-access-to-district-14844446.php
Stolen GateHub and EpicBot credentials spotted on hacking forum -
Millions of credentials stolen from the GateHub cryptocurrency
wallet service and gaming bot provider EpicBot were reportedly
posted on popular hacking forum site RaidForums last month, along
with other personal information.
https://www.scmagazine.com/home/security-news/cybercrime/stolen-gatehub-and-epicbot-credentials-spotted-on-hacking-forum/
Cyberattackers taking auto industry for a ride, FBI reportedly warns
- Malicious attackers have notably stepped up attacks on the U.S.
auto industry since late last year, hitting car manufacturers with
ransomware, compromising their systems, and exfiltrating their data,
the FBI reportedly warned this week.
https://www.scmagazine.com/home/security-news/cybercrime/cyberattackers-taking-auto-industry-for-a-ride-fbi-reportedly-warns/
DoE Audit Flags Numerous Cyber Issues, 54 Fix Recommendations - The
Department of Energy’s (DoE) Office of the Inspector General (OIG)
reported numerous cybersecurity weaknesses at DoE and issued 54
recommendations to the agency throughout Fiscal Year 2019, according
to a report released on Nov. 19.
https://www.meritalk.com/articles/doe-audit-flags-numerous-cyber-issues-54-fix-recommendations/
Lights That Warn Planes of Obstacles Were Exposed to Open Internet -
Control panels for lights placed on tall structures to warn
airplanes not to hit them were exposed to the open internet, meaning
hackers could have turned the lights off.
https://www.vice.com/en_us/article/7x5nkg/airplane-warning-lights-hacked
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Leaky Gekko Group database exposes info on hotel brands, travelers
- European hotel booking platform provider Gekko Group mistakenly
stored over 1 terabyte of information on a publicly configured
server, exposing troves of data related to its hotel B2B clients, as
well as travel agents and their customers.
https://www.scmagazine.com/home/security-news/data-breach/leaky-gekko-group-database-exposes-info-on-hotel-brands-travelers/
GitHub repository exposes WeWork customer contracts - Data belonging
to clients of shared workspace company WeWork was reportedly left
exposed and accessible to the public via GitHub, while a web portal
separately leaked information on prospective customers.
https://www.scmagazine.com/home/security-news/report-github-repository-exposes-wework-customer-contracts/
PayMyTab database leaked PII on diners - An exposed database
belonging to PayMyTab leaked PII on customers who dined at
restaurants using the mobile payment system.
https://www.scmagazine.com/home/security-news/paymytab-database-leaked-pii-on-diners/
Ransomware Bites 400 Veterinary Hospitals - National Veterinary
Associates (NVA), a California company that owns more than 700
animal care facilities around the globe, is still working to recover
from a ransomware attack late last month that affected more than
half of those properties, separating many veterinary practices from
their patient records, payment systems and practice management
software. NVA says it expects to have all facilities fully back up
and running normally within the next week.
https://krebsonsecurity.com/2019/11/ransomware-bites-400-veterinary-hospitals/
Bon sang! French hospital contracts 6,000 PC-locking ransomware
infection - A French hospital has suffered a ransomware attack that
reportedly caused the lockdown of 6,000 computers.
https://www.theregister.co.uk/2019/11/21/french_hospital_rouen_ransomware/
Unsecured server exposes 4 billion records, 1.2 billion people - Two
security researchers have uncovered four billion records on 1.2
billion people on an unsecured Elasticsearch server impacting what
is estimated to be hundreds of millions of people.
https://www.scmagazine.com/home/security-news/data-breach/unsecured-server-exposes-4-billion-records-1-2-billion-people/
Data breach compromises T-Mobile prepaid accounts - Wireless
communications company T-Mobile has disclosed a data breach incident
that impacts certain customers with pre-paid service accounts.
https://www.scmagazine.com/home/security-news/data-breach/data-breach-compromises-t-mobile-prepaid-accounts/
NYPD fingerprint database touched by ransomware - The New York City
Police Department’s fingerprint database was hit with ransomware in
October 2018, a local newspaper learned.
https://www.scmagazine.com/home/security-news/ransomware/nypd-fingerprint-database-touched-by-ransomware/
Ransomware attack on nursing homes’ services provider threatens
lives - Cybercriminals are reportedly demanding a $14 million
extortion payment after using Ryuk ransomware to infect Virtual Care
Provider Inc. (VCPI), a company that provides IT consulting and
cloud-based data hosting and security services to roughly 110
nursing home operations around the U.S.
https://www.scmagazine.com/home/security-news/cybercrime/ransomware-attack-on-nursing-homes-services-provider-threatens-lives/
Livingston School District in New Jersey Hit With Ransomware -
Students at the Livingston public school district in New Jersey are
undoubtedly happy for a two-hour delayed opening tomorrow.
https://www.bleepingcomputer.com/news/security/livingston-school-district-in-new-jersey-hit-with-ransomware/
Catch NYC, Catch Steak hit with payment card skimming malware - The
Catch Hospitality Group is notifying customers of its New York City
restaurants of a POS malware incident that may have compromised
their payment cards.
https://www.scmagazine.com/home/security-news/data-breach/catch-nyc-catch-steak-hit-with-payment-card-skimming-malware/
WEB SITE COMPLIANCE -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Honeypots
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy-to-compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
lower risk.
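The booklet's point that any traffic to or from a honeypot is a signal, and that outbound traffic from a honeypot may mean it has been compromised and turned into a staging ground, can be turned into simple detection logic. The following is an added example, not part of the FFIEC booklet; the honeypot address, the permitted log-collector address and the flow-log lines are constructed for illustration.

```python
"""Flag every flow that touches a honeypot, grading outbound flows highest."""
from dataclasses import dataclass
import ipaddress

# Constructed values (not from the booklet): the honeypot's address and the
# only peer a rigorously monitored honeypot should ever talk to on its own,
# the out-of-band host that receives its connection logs.
HONEYPOT_IP = ipaddress.ip_address("10.0.50.9")
ALLOWED_PEERS = {ipaddress.ip_address("10.0.50.2")}


@dataclass(frozen=True)
class Alert:
    severity: str  # "medium" for an inbound probe, "high" for outbound activity
    reason: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str):
    """Parse one constructed flow-log line: '<timestamp> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def classify_flow(line: str):
    """Return an Alert for any flow involving the honeypot, else None.

    Inbound flows are potential intrusions (the honeypot has no legitimate
    users). Outbound flows to anything other than the log collector mean the
    honeypot itself may be compromised and attacking other devices, which is
    the disadvantage the booklet warns about, so they are rated high.
    """
    _, src, dst, _, dport = parse_flow(line)
    if dst == HONEYPOT_IP:
        return Alert("medium", "inbound connection to honeypot", str(src), str(dst), dport)
    if src == HONEYPOT_IP and dst not in ALLOWED_PEERS:
        return Alert("high", "honeypot initiated outbound connection", str(src), str(dst), dport)
    return None


def scan_flows(lines):
    """Run classify_flow over a batch of log lines and keep only the alerts."""
    return [a for a in (classify_flow(line) for line in lines) if a is not None]


SAMPLE_FLOWS = [  # constructed sample traffic, not real logs
    "2019-11-21T10:00:01 10.0.10.15 10.0.10.20 tcp 443",  # ordinary traffic: ignored
    "2019-11-21T10:00:05 10.0.10.15 10.0.50.9 tcp 445",   # probe of the honeypot: medium
    "2019-11-21T10:00:06 10.0.50.9 10.0.50.2 tcp 514",    # honeypot shipping its logs: allowed
    "2019-11-21T10:00:09 10.0.50.9 10.0.10.30 tcp 22",    # honeypot reaching out: high
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```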
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
PERSONNEL SECURITY
AGREEMENTS: CONFIDENTIALITY, NON-DISCLOSURE, AND AUTHORIZED USE
Financial institutions should protect the confidentiality of
information about their customers and organization. A breach in
confidentiality could disclose competitive information, increase
fraud risk, damage the institution's reputation, violate customer
privacy and associated rights, and violate regulatory requirements.
Confidentiality agreements put all parties on notice that the
financial institution owns its information, expects strict
confidentiality, and prohibits information sharing outside of that
required for legitimate business needs. Management should obtain
signed confidentiality agreements before granting new employees and
contractors access to information technology systems.
JOB DESCRIPTIONS
Job descriptions, employment agreements, and policy awareness
acknowledgements increase accountability for security. Management
can communicate general and specific security roles and
responsibilities for all employees within their job descriptions.
Management should expect all employees, officers, and contractors to
comply with security and acceptable use policies and protect the
institution's assets, including information. The job descriptions
for security personnel should describe the systems and processes
they will protect and the control processes for which they are
responsible. Management can take similar steps to ensure contractors
and consultants understand their security responsibilities as well.
TRAINING
Financial institutions need to educate users regarding their
security roles and responsibilities. Training should support
security awareness and should strengthen compliance with the
security policy. Ultimately, the behavior and priorities of senior
management heavily influence the level of employee awareness and
policy compliance, so training and the commitment to security should
start with senior management. Training materials would typically
review the acceptable-use policy and include issues like desktop
security, log-on requirements, password administration guidelines,
etc. Training should also address social engineering, and the
policies and procedures that protect against social engineering
attacks. Many institutions integrate a signed security awareness
agreement along with periodic training and refresher courses.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.4 Computer Security Responsibilities and Accountability Should
Be Made Explicit.
The responsibilities and accountability of owners, providers, and
users of computer systems and other parties concerned with the
security of computer systems should be explicit. The assignment of
responsibilities may be internal to an organization or may extend
across organizational boundaries.
Depending on the size of the organization, the program may be large
or small, even a collateral duty of another management official.
However, even small organizations can prepare a document that states
organization policy and makes explicit computer security
responsibilities. This element does not specify that individual
accountability must be provided for on all systems. For example,
many information dissemination systems do not require user
identification and, therefore, cannot hold users accountable.
2.5 Systems Owners Have Security Responsibilities Outside Their
Own Organizations.
If a system has external users, its owners have a responsibility to
share appropriate knowledge about the existence and general extent
of security measures so that other users can be confident that the
system is adequately secure. (This does not imply that all systems
must meet any minimum level of security, but does imply that system
owners should inform their clients or users about the nature of the
security.)
In addition to sharing information about security, organization
managers "should act in a timely, coordinated manner to prevent and
to respond to breaches of security" to help prevent damage to
others. However, taking such action should not jeopardize the
security of systems.
2.6 Computer Security Requires a Comprehensive and Integrated
Approach.
Providing effective computer security requires a comprehensive
approach that considers a variety of areas both within and outside
of the computer security field. This comprehensive approach extends
throughout the entire information life cycle.
2.6.1 Interdependencies of Security Controls
To work effectively, security controls often depend upon the proper
functioning of other controls. In fact, many such interdependencies
exist. If appropriately chosen, managerial, operational, and
technical controls can work together synergistically. On the other
hand, without a firm understanding of the interdependencies of
security controls, they can actually undermine one another. For
example, without proper training on how and when to use a
virus-detection package, the user may apply the package incorrectly
and, therefore, ineffectively. As a result, the user may mistakenly
believe that their system will always be virus-free and may
inadvertently spread a virus. In reality, these interdependencies
are usually more complicated and difficult to ascertain.
2.6.2 Other Interdependencies
The effectiveness of security controls also depends on such factors
as system management, legal issues, quality assurance, and internal
and management controls. Computer security needs to work with
traditional security disciplines including physical and personnel
security. Many other important interdependencies exist that are
often unique to the organization or system environment. Managers
should recognize how computer security relates to other areas of
systems and organizational management.