FYI - Is your web site compliant with the American Disability Act?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. To help reduce any liability, please
contact me for more information at
examiner@yennik.com.
FYI - The FDIC and
the OCC do not have a requirement that financial institutions
change third-party vendors on a periodic basis. Any such
decision is a management decision, not a regulatory decision.
Refer to
http://www.yennik.com/occ_10-12-16_rotation_letter.pdf and
http://www.yennik.com/fdic_10-18-16_rotation_letter.pdf.
Is your incident response team ready? - One of the best ways to
test incident readiness is a tabletop exercise, a mock incident
administered for senior leadership, IT, security, legal, corporate
communications and business line readiness.
https://www.scmagazine.com/is-your-incident-response-team-ready/article/574893/
UMass to pay $650K in HIPAA settlement - As a consequence of a
malware infection on one workstation, which resulted in the exposure
of personal data on nearly 1,700 individuals, the University of
Massachusetts at Amherst will pay $650,000 to settle potential
violations of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) Privacy and Security Rules, according to a
release from the U.S. Department of Health & Human Services (HHS).
https://www.scmagazine.com/umass-to-pay-650k-in-hipaa-settlement/article/574905/
Consumer IoT devices bring new security and privacy risks, BITAG
report - While acknowledging that the rapid rise of Internet of
Things (IoT) devices contributes immeasurably to convenience for
consumers in running appliances in their homes, the risk to security
and privacy for consumers installing, configuring and administering
these devices is unique.
https://www.scmagazine.com/consumer-iot-devices-bring-new-security-and-privacy-risks-bitag-report/article/574898/
Compliance doesn't equal security, but it sure does help - Imagine
using faulty information in creating a building design or developing
a product or running a political campaign or formulating a new drug.
https://www.scmagazine.com/compliance-doesnt-equal-security-but-it-sure-does-help/article/575399/
Cloud security concerns linger, but not enough to stop adoption -
Organizations are increasingly willing to migrate their
applications, data and processes to the cloud in spite of lingering
security concerns.
https://www.scmagazine.com/survey-cloud-security-concerns-linger-but-not-enough-to-stop-adoption/article/571891/
Pentagon expands white-hat hacker challenge to all comers - The
Defense Department undertook a significant expansion of its new
crowdsourced approach to cybersecurity Monday, opening its “Hack the
Pentagon” challenge to literally anyone and providing them a legal
route to report any security holes they find.
http://federalnewsradio.com/defense/2016/11/pentagon-expands-white-hat-hacker-challenge-comers/
Most cybercriminals earn $1K to $3K a month, report - It's not that
organized cybergangs are raking it in. It's more that a larger
number of small operators are benefiting from automated services
that can earn them an average of $2,000 a month.
https://www.scmagazine.com/most-cybercriminals-earn-1k-to-3k-a-month-report/article/575963/
Everyone is worried about internal cybersecurity threats, report -
There are few things everyone can agree upon, but according to a new
study almost all security professionals are concerned about insider
threats.
https://www.scmagazine.com/everyone-is-worried-about-internal-cybersecurity-threats-report/article/575977/
NetWire RAT acts as keylogger, steals payment card data - Criminals
used a remote access trojan with keylogging capabilities rather than
traditional point-of-sale malware.
https://www.scmagazine.com/netwire-rat-acts-as-keylogger-steals-payment-card-data/article/575784/
Michigan State breach may come with $3M pricetag - A database breach
that exposed social security numbers as well as names and Michigan
State University (MSU) ID numbers will cost the school about $3
million to remediate and to bolster system safeguards.
https://www.scmagazine.com/michigan-state-breach-may-come-with-3m-pricetag/article/575949/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - US Navy suffers data breach - The US Navy announced today that the
personal data of 130,000 of its enlisted men was accessed after a
contractor's laptop was breached back in October.
https://www.scmagazine.com/us-navy-suffers-data-breach/article/575184/
San Francisco public transport ticket system shut down by ransomware
- San Francisco's Municipal Transportation Agency was caught with an
HDDCryptor Ransomware infection over the weekend, leaving the agency
unable to sell tickets or charge customers for transport, unless
they pay the hackers' demands of 100 Bitcoin.
https://www.scmagazine.com/san-francisco-public-transport-ticket-system-shut-down-by-ransomware/article/575211/
https://www.wired.com/2016/11/sfs-transit-hack-couldve-way-worse-cities-must-prepare
Japanese SDF officials mum over reported cyberattack - The Japanese
Defense Ministry and Self-Defense Force (SDF) were targeted in
September by a sophisticated cyberattack.
https://www.scmagazine.com/japanse-sdf-officials-mum-over-reported-cyberattack/article/575220/
Deutsche Telekom customers left hanging by possible hack - Nearly a
million fixed-line network customers of German telecommunications
company Deutsche Telekom AG on Sunday began experiencing service
disruptions, possibly due to hacker sabotage, the company has
announced.
https://www.scmagazine.com/deutsche-telekom-customers-left-hanging-by-possible-hack/article/575227/
Mirai variant caused German telecom disruption; 5M routers
reportedly susceptible if left unpatched - Service disruptions
affecting nearly one million Deutsche Telekom landline customers
since last weekend are the result of a worldwide cyberattack aimed
at infecting routers with a variant of Mirai Internet of Things (IoT)
botnet malware, German authorities and security researchers have now
confirmed.
https://www.scmagazine.com/mirai-variant-caused-german-telecom-disruption-5m-routers-reportedly-susceptible-if-left-unpatched/article/575673/
European Commission gets DDoSed - The European Commission was the
victim of a DDoS attack this afternoon that blocked internet
connectivity on-and-off for several hours.
https://www.scmagazine.com/european-commission-gets-ddosed/article/575485/
Carleton University hit with ransomware attack - Carleton University
in Ontario, Canada, was hit with a ransomware attack Tuesday that
may have affected any Windows-based system connected to the network.
https://www.scmagazine.com/ransomware-attack-targets-carleton-university-networks/article/575798/
Hacker threatens to release Liechtenstein bank customers' finances
in extortion bid - An unknown cybercriminal is attempting to extort
customers of a Liechtenstein bank, threatening to send potentially
incriminating customer financial information to government
authorities and the media if the victims don't pay 10 percent of
their balances.
https://www.scmagazine.com/hacker-threatens-to-release-liechtenstein-bank-customers-finances-in-extortion-bid/article/575799/
26,500 National Lottery accounts hacked, says operator Camelot -
Camelot, operator of the UK's National Lottery, has cited possible
password reuse as the reason for a breach of 26,500 of its user
accounts.
https://www.scmagazine.com/26500-national-lottery-accounts-hacked-says-operator-camelot/article/575786/
WEB SITE COMPLIANCE - We continue our series on the
FFIEC interagency Information Security Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted. For
example, VPNs, IPSec, and encrypted e-mail will all shield malicious
code from detection.
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
update.
Heuristic anti-virus products generally execute code in a
protected area of the host to analyze and detect any hostile intent.
Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
transfers.
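The filtering described above, as an added example that is not part of the FFIEC booklet or this newsletter: a server-side allow-list check for a funds-transfer form that rejects anything it does not expect instead of trying to clean it. The field names, formats and the amount limit are assumptions made for illustration.

```python
import re
from decimal import Decimal

# Hypothetical form definition; a real application supplies its own fields.
EXPECTED_FIELDS = {"from_account", "to_account", "amount", "memo"}
ACCOUNT_RE = re.compile(r"[0-9]{8,12}")
AMOUNT_RE = re.compile(r"[0-9]{1,7}(\.[0-9]{2})?")
MEMO_RE = re.compile(r"[A-Za-z0-9 .,'-]{0,60}")
MAX_AMOUNT = Decimal("10000.00")  # assumed per-transfer limit

# Constructed sample submissions (not real data).
GOOD = {"from_account": "12345678", "to_account": "876543210",
        "amount": "250.00", "memo": "Rent, Dec."}
BAD = {"from_account": "12345678", "to_account": "876543210",
       "amount": "250.00", "memo": "<script>pay()</script>", "debug": "1"}


def filter_transfer_form(form):
    """Return (clean, errors). clean is None unless every field is expected
    and fully matches its allow-list pattern; input is never 'repaired'."""
    errors = []
    unexpected = set(form) - EXPECTED_FIELDS
    missing = EXPECTED_FIELDS - set(form) - {"memo"}  # memo is optional
    if unexpected:
        errors.append("unexpected fields: " + ", ".join(sorted(unexpected)))
    if missing:
        errors.append("missing fields: " + ", ".join(sorted(missing)))
    for name in ("from_account", "to_account"):
        value = form.get(name)
        if value is not None and not (isinstance(value, str) and ACCOUNT_RE.fullmatch(value)):
            errors.append(name + ": not an 8-12 digit account number")
    amount = None
    raw = form.get("amount")
    if raw is not None:
        if isinstance(raw, str) and AMOUNT_RE.fullmatch(raw):
            amount = Decimal(raw)
            if not (Decimal("0") < amount <= MAX_AMOUNT):
                errors.append("amount: outside permitted range")
        else:
            errors.append("amount: not a plain decimal value")
    memo = form.get("memo", "")
    if not (isinstance(memo, str) and MEMO_RE.fullmatch(memo)):
        errors.append("memo: contains characters outside the allow-list")
    if errors:
        return None, errors
    return {"from_account": form["from_account"], "to_account": form["to_account"],
            "amount": amount, "memo": memo}, []
```

The check runs on the server for every request, whether or not the browser form performs its own validation.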
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive solutions.
New malicious code could have different signatures, and bypass other
controls. Protection against newly developed malicious code
typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host intrusion
detection devices. Network intrusion detection devices can be tuned
to alert when known malicious code attacks occur. Host intrusion
detection devices can be tuned to alert when they recognize abnormal
system behavior, the presence of unexpected files, and changes to
other files.
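An added example (not part of the FFIEC booklet or this newsletter) of the host-based check described above: record a SHA-256 baseline of a directory, then report unexpected, missing and changed files. The directory contents are constructed in a temporary folder so the example runs on its own.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Return the conditions a host-based check would alert on."""
    return {
        "unexpected": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed directory, baseline it, alter it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.cfg", b"mode=prod\n"), ("run.sh", b"#!/bin/sh\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        with open(os.path.join(root, "app.cfg"), "ab") as fh:      # modified file
            fh.write(b"debug=1\n")
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:  # new file
            fh.write(b"\x00\x01")
        os.remove(os.path.join(root, "run.sh"))                    # deleted file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is stored where software running on the monitored host cannot rewrite it.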
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 1 of 2)
Sensitive or mission-critical applications should incorporate
appropriate access controls that restrict which application
functions are available to users and other applications. The most
commonly referenced applications from an examination perspective
support the information processing needs of the various business
lines. These computer applications allow authorized users or other
applications to interface with the related database. Effective
application access control can enforce both segregation of duties
and dual control. Access rights to sensitive or critical
applications and their database should ensure that employees or
applications have the minimum level of access required to perform
their business functions. Effective application access control
involves a partnership between the security administrators, the
application programmers (including TSPs and vendors), and the
business owners.
Some security software programs will integrate access control for
the operating system and some applications. That software is useful
when applications do not have their own access controls, and when
the institution wants to rely on the security software instead of
the application's access controls. Examples of such security
software products for mainframe computers include RACF, CA-ACF2,
and CA-TopSecret. Institutions should understand the functionality
and vulnerabilities of their application access control solutions
and consider those issues in their risk assessment process.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 9 - Assurance
9.1 Accreditation and Assurance
Accreditation is a management official's formal acceptance of the
adequacy of a system's security. The best way to view computer
security accreditation is as a form of quality control. It forces
managers and technical staff to work together to find workable,
cost-effective solutions given security needs, technical
constraints, operational constraints, and mission or business
requirements. The accreditation process obliges managers to make the
critical decision regarding the adequacy of security safeguards and,
therefore, to recognize and perform their role in securing their
systems. In order for the decisions to be sound, they need to be
based on reliable information about the implementation of both
technical and nontechnical safeguards. These include:
- Technical features (Do they operate as intended?).
- Operational practices (Is the system operated according to
stated procedures?).
- Overall security (Are there threats which the technical features
and operational practices do not address?).
- Remaining risks (Are they acceptable?).
A computer system should be accredited before the system becomes
operational with periodic reaccreditation after major system changes
or when significant time has elapsed. Even if a system was not
initially accredited, the accreditation process can be initiated at
any time. Chapter 8 further discusses accreditation.
9.1.1 Accreditation and Assurance
Assurance is an extremely important -- but not the only -- element
in accreditation. As shown in the diagram, assurance addresses
whether the technical measures and procedures operate either (1)
according to a set of security requirements and specifications or
(2) according to general quality principles. Accreditation also
addresses whether the system's security requirements are correct and
well implemented and whether the level of quality is sufficiently
high.