Does your financial institution need an affordable cybersecurity Internet
security audit? Yennik, Inc. has clients in 42 states that rely on our
cybersecurity audits to ensure proper Internet security settings and to meet
the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA,
which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration
study also complies with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing.
The cybersecurity penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond the simple scanning of
ports. The audit focuses on a hacker's perspective, which will help you
identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or
visit http://www.internetbankingaudits.com/.
FYI
- Why You Need a Cybersecurity Incident Response Plan (And How to
Create One) - This simple wisdom from Ben Franklin is as valuable
today as it was in the 18th century. Applied to today's
cybersecurity industry, the above quote can mean the difference
between successful breach response and devastating loss of customer
data and reputation.
https://www.scmagazine.com/why-you-need-a-cybersecurity-incident-response-plan-and-how-to-create-one/article/701642/
Beyond 'Culture and Awareness' - Emerging Approaches to Internal
Threats and Breaches - In looking at the plethora of recent data
breaches, it's easy to think that attackers have gained an unfair
advantage over security professionals.
https://www.scmagazine.com/beyond-culture-and-awareness--emerging-approaches-to-internal-threats-and-breaches/article/701641/
Uber's delayed breach notification would run afoul of GDPR - If the
Global Data Protection Rules (GDPR) had been in effect during the
latest Uber hack, the ride-sharing company would have faced stiff
consequences – or maybe it would have chosen a more prudent, secure
route by promptly revealing the attack that compromised the personal
data of 57 million customers and drivers, and by taking bold steps
to mitigate the damage.
https://www.scmagazine.com/ubers-delayed-breach-notification-would-run-afoul-of-gdpr/article/709361/
Cellphone tracking case in front of SCOTUS could have broad privacy
implications - When the Supreme Court takes up Carpenter vs. the
United States Wednesday, the likely landmark case will clarify if
law enforcement must obtain court-issued warrants to access location
data from wireless providers rather than invoke the lower standard
for access imposed by the 30-year-old Stored Communications Act.
https://www.scmagazine.com/cellphone-tracking-case-in-front-of-scotus-could-have-broad-privacy-implications/article/709711/
Cottage Health fined $2M by Calif. AG for two breaches - California
Attorney General Xavier Becerra has slapped Cottage Health System
with $2 million in fines for a pair of breaches.
https://www.scmagazine.com/cottage-health-fined-2m-by-calif-ag-for-two-breaches/article/710165/
New Ursnif variants silently target banks and employ redirection
attacks - New Ursnif variants being tested in the wild are using
redirection attacks to target Australian banks and malicious TLS
callback techniques to achieve process injection.
https://www.scmagazine.com/new-ursnif-variants-modified-to-launch-malicious-tls-callback-technique-and-redirection-attacks/article/710416/
Majority of U.K. Uber users and drivers caught up in data breach -
More than half of all Uber riders and drivers in the U.K. were
impacted by the ride sharing company's data breach that was revealed
last week.
https://www.scmagazine.com/majority-of-uk-uber-users-and-drivers-caught-up-in-data-breach/article/710202/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Uber hid massive hack compromising data of 57M for a year - For
more than a year, even as it negotiated with regulators in the U.S.
over privacy infractions, Uber hid a massive hack that resulted in
cyberthieves pilfering the personal information of 57 million
customers and drivers and prompted the company to fire two
executives.
https://www.scmagazine.com/uber-hid-massive-hack-compromising-data-of-57m-for-a-year/article/709144/
Fake Symantec site spreads OSX.Proton password stealer - A security
researcher using the Twitter handle @noarfromspace last week spotted
a fake Symantec blog spreading a new variant of the OSX.Proton
password stealer.
https://www.scmagazine.com/osxproton-spread-via-fake-symantec-blog/article/709695/
Imgur acts fast to disclose years-old breach that compromised 1.7
million users - Online image sharing and hosting service Imgur was
breached in 2014, resulting in the theft of roughly 1.7 million user
email addresses and passwords, the company confirmed last Friday in
an online notification.
https://www.scmagazine.com/imgur-acts-fast-to-disclose-years-old-breach-that-compromised-17-million-users/article/709680/
Anne Arundel school workers phished, lose paychecks - Cybercriminals
used what was most likely a phishing attack to gain the information
needed to redirect the direct-deposited paychecks of 36 Anne Arundel
County school employees, stealing about $57,000.
https://www.scmagazine.com/ann-arundel-school-workers-phished-lose-paychecks/article/710401/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Some considerations for contracting with service providers are
discussed below. This listing is not all-inclusive and the
institution may need to evaluate other considerations based on its
unique circumstances. The level of detail and relative importance of
contract provisions varies with the scope and risks of the services
outsourced.
Scope of Service
The contract should clearly describe the rights and responsibilities
of parties to the contract.
Considerations include:
• Timeframes and activities for
implementation and assignment of responsibility.
Implementation provisions should take into consideration other
existing systems or interrelated systems to be developed by
different service providers (e.g., an Internet banking system
being integrated with existing core applications or systems
customization).
• Services to be performed by the service provider including
duties such as software support and maintenance, training of
employees or customer service.
• Obligations of the financial institution.
• The contracting parties’ rights in modifying existing services
performed under the contract.
• Guidelines for adding new or different services and for
contract re-negotiation.
Performance Standards
Institutions should generally include performance standards defining
minimum service level requirements and remedies for failure to meet
standards in the contract. For example, common service level metrics
include percent system uptime, deadlines for completing batch
processing, or number of processing errors. Industry standards for
service levels may provide a reference point. The institution should
periodically review overall performance standards to ensure
consistency with its goals and objectives.
FFIEC IT SECURITY - We continue our coverage of the FDIC's "Guidance on
Managing Risks Associated With Wireless Networks and Wireless Customer
Access."
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable to the desktop network.
Currently, wireless networks can provide speeds of up to 11 Mbps
between the workstation and the wireless access device without the
need for cabling individual workstations. Wireless networks also
offer added mobility allowing users to travel through the facility
without losing their network connection. Wireless networks are also
being used to provide connectivity between geographically close
locations as an alternative to installing dedicated
telecommunication lines.
Wireless differs from traditional hard-wired networking in that it
provides connectivity to the network by broadcasting radio signals
through the airways. Wireless networks operate using a set of FCC
licensed frequencies to communicate between workstations and
wireless access points. By installing wireless access points, an
institution can expand its network to include workstations within
broadcast range of the network access point.
The most prevalent class of wireless networks currently available
is based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is
intended to provide confidentiality and integrity of data and a
degree of access control over the network. By design, WEP encrypts
traffic between an access point and the client. However, this
encryption method has fundamental weaknesses that make it
vulnerable. WEP is vulnerable to the following types of decryption
attacks:
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations based
on known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a
day's worth of traffic, allow real-time automated decryption of all
traffic (a dictionary-building attack creates a translation table
that can be used to convert encrypted information into plain text
without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4 encryption
algorithm that allow an attacker to rapidly determine the encryption
key used to encrypt the user's session.
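The root cause behind several items in the list above is that WEP keys RC4
per frame with a 24-bit initialization vector (IV) prepended to the shared key,
and the IV travels in the clear. Whenever an IV repeats, two frames share one
keystream, so XORing their ciphertexts cancels the keystream and exposes the
XOR of the plaintexts with no key involved; with only 2^24 IVs, a busy access
point repeats one quickly. The following is an added illustration of that
property, written for this newsletter and not taken from the FDIC guidance. It
uses a textbook RC4, a constructed 40-bit key and constructed frames, and
models only the IV || key keying (no other WEP framing); it is meant for
reading and lab study of the weakness, not for use against any network.

```python
# Added example: why a 24-bit IV and per-frame RC4 keying make WEP weak.
# Textbook RC4 plus a WEP-style IV || key construction; keys and frames below
# are constructed values for the demonstration.
import math
import random

IV_BITS = 24                 # WEP initialization vector size
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_style_encrypt(iv: int, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-frame keying: RC4 key = 3-byte IV || shared key.
    The IV is sent unencrypted alongside the frame, so the receiver (and any
    eavesdropper) knows which frames were encrypted under the same keystream."""
    per_frame_key = iv.to_bytes(3, "big") + shared_key
    keystream = rc4_keystream(per_frame_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(shared_key: bytes, iv: int, frame_a: bytes,
                         frame_b: bytes):
    """Encrypt two frames under the same IV and return
    (ciphertext XOR, plaintext XOR). For a stream cipher these are equal
    whenever the keystream is reused, which is exactly what an IV repeat causes."""
    ct_a = wep_style_encrypt(iv, shared_key, frame_a)
    ct_b = wep_style_encrypt(iv, shared_key, frame_b)
    return xor_bytes(ct_a, ct_b), xor_bytes(frame_a, frame_b)


def birthday_bound(space: int = IV_SPACE) -> float:
    """Expected number of uniformly random IVs drawn before the first repeat,
    approximately sqrt(pi * N / 2); for N = 2^24 this is only ~5,100 frames."""
    return math.sqrt(math.pi * space / 2)


def frames_until_iv_repeat(seed: int = 1, space: int = IV_SPACE) -> int:
    """Simulate random IV selection and count frames until an IV repeats."""
    rng = random.Random(seed)     # seeded so the run is reproducible
    seen = set()
    sent = 0
    while True:
        sent += 1
        iv = rng.randrange(space)
        if iv in seen:
            return sent
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed 40-bit WEP key
    frame_a = b"GET /account/balance HTTP/1.0"   # constructed frames
    frame_b = b"GET /account/history HTTP/1.0"
    ct_xor, pt_xor = keystream_reuse_leak(key, 0x0A0B0C, frame_a, frame_b)
    print("ciphertext XOR equals plaintext XOR:", ct_xor == pt_xor)
    print("birthday bound for 24-bit IVs: about %d frames" % birthday_bound())
    print("simulated frames until first IV repeat:", frames_until_iv_repeat())
```

The two numeric functions put the guidance's "about a day's worth of traffic"
in perspective: even with perfectly random IVs, the first keystream reuse is
expected after roughly 5,100 frames, and implementations that pick IVs
sequentially or reset them on power-up collide far sooner. The defensive
conclusion is the one the guidance reaches: WEP cannot be configured into
adequacy, so an audit should treat any WEP-protected access point as a finding
and require a modern standard (WPA2 or WPA3) with per-frame keys that are never
reused.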
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on
the National Institute of Standards and Technology (NIST) Handbook.
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
13.6.4 Motivate Management and Employees
To successfully implement an awareness and training program, it is
important to gain the support of management and employees.
Consideration should be given to using motivational techniques to
show management and employees how their participation in the CSAT
program will benefit the organization.
Management. Motivating management normally relies upon
increasing awareness. Management needs to be aware of the losses
that computer security can reduce and the role of training in
computer security. Management commitment is necessary because of the
resources used in developing and implementing the program and also
because the program affects their staff.
Employees. Motivation of managers alone is not enough.
Employees often need to be convinced of the merits of computer
security and how it relates to their jobs. Without appropriate
training, many employees will not fully comprehend the value of the
system resources with which they work.
Some awareness techniques were discussed above. Regardless of the
techniques that are used, employees should feel that their
cooperation will have a beneficial impact on the organization's
future (and, consequently, their own).
Employees and managers should be solicited to provide input to the
CSAT program. Individuals are more likely to support a program when
they have actively participated in its development.