FYI
- Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. Independent pen-testing is part of any financial institution's cybersecurity defense. To receive due diligence information, the agreement, and cost-saving fees, please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm.
All communication is kept strictly confidential.
FYI
- 90% Of Industries, Not Just Healthcare, Have Disclosed PHI In
Breaches - New Verizon PHI report finds that organizations' workers
comp and wellness programs are also vulnerable repositories for
personal health information.
http://www.darkreading.com/analytics/90--of-industries-not-just-healthcare-have-disclosed-phi-in-breaches/d/d-id/1323535
Juniper issues patch for ScreenOS to eliminate unauthorized code -
Juniper Networks issued a security warning and patches centered on
its ScreenOS firewall management software to eliminate illicit code
that could lead to an attacker gaining administrative control to the
company's NetScreen devices.
http://www.scmagazine.com/juniper-removes-illicit-code-from-screenos/article/460806/
Former national security officials urge government to embrace rise
of encryption - A number of former senior national security
officials are urging that the government embrace the move to strong
encryption by tech companies — even if it means law enforcement will
be unable to monitor some phone calls and text messages in terrorism
and criminal investigations.
https://www.washingtonpost.com/world/national-security/former-national-security-officials-urge-government-to-embrace-rise-of-encryption/2015/12/15/3164eae6-a27d-11e5-9c4e-be37f66848bb_story.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- MacKeeper Leak Highlights Danger of Misconfigured Databases - The
Shodan port-scanning service finds at least 35,000 MongoDB databases
accessible without a password. A security researcher gained access
to a database holding information on millions of users of the
often-criticized MacKeeper Mac OS X utility program, after a simple
Internet search highlighted the developer's misconfigured MongoDB
server, developer Kromtech acknowledged on Dec. 14.
http://www.eweek.com/security/mackeeper-leak-highlights-danger-of-misconfigured-databases.html
Officials call City Hall cyberattack ‘minor’ - Hackers took down City Hall’s Internet service for a short time yesterday in a “minor act of cybervandalism” that officials stressed had no connection to the threats received in Los Angeles and New York City.
http://www.bostonherald.com/news/local_coverage/2015/12/officials_call_city_hall_cyberattack_minor
Skimmers Found at Some Calif., Colo. Safeways - Sources at multiple
financial institutions say they are tracking a pattern of fraud
indicating that thieves have somehow compromised the credit card
terminals at checkout lanes within multiple Safeway stores in
California and Colorado. Safeway confirmed it is investigating
skimming incidents at several stores.
http://krebsonsecurity.com/2015/12/skimmers-found-at-some-calif-colo-safeways/
Landry's investigates a potential POS attack - The restaurant and
hospitality company Landry's is reporting that some of its customers
have had unauthorized charges placed on their payment cards after
they were used at a Landry's establishment.
http://www.scmagazine.com/landrys-investigates-a-potential-pos-attack/article/460772/
Hello Kitty SanrioTown breach affects 3.3 million accounts - A
security researcher claims to have discovered a leaked database for
SanrioTown.com, the Hello Kitty official online community, which
contained the information of 3.3 million accounts.
http://www.scmagazine.com/researcher-claims-to-have-found-leaked-sanriotown-database/article/460909/
Gyft resets some customer passwords following breach - Passwords
have been reset for a number of Gyft users as a precaution after a
trove of account data was reported for sale on an underground forum.
http://www.scmagazine.com/gyft-resets-some-customer-passwords-following-breach/article/460904/
DOJ investigating data breach at Uber - The Department of Justice is
probing a data breach at Uber that an internal investigation
reportedly linked to an employee at rival service Lyft, Reuters
reported late Friday.
http://thehill.com/policy/technology/263907-report-feds-probing-uber-data-breach
Phishing campaign targets HSBC customers - Customers of HSBC are
being sent phony emails "warning" them their account is locked,
according to a blog post from Malwarebytes.
http://www.scmagazine.com/phishing-campaign-targets-hsbc-customers/article/461152/
WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft. (Part 1 of 6)
Supervisory Policy on Identity Theft
Identity theft is fraud committed or attempted by using the
identifying information of another person without his or her
authority. Identifying information may include such things as a
Social Security number, account number, date of birth, driver's
license number, passport number, biometric data and other unique
electronic identification numbers or codes. As more financial
transactions are done electronically and remotely, and as more
sensitive information is stored in electronic form, the
opportunities for identity theft have increased significantly. This
policy statement describes the characteristics of identity theft and
emphasizes the FDIC's well-defined expectations that institutions
under its supervision detect, prevent and mitigate the effects of
identity theft in order to protect consumers and help ensure safe
and sound operations.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants. Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm. There is no charge for the e-newsletter.
SECURITY PROCESS
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
employees.
OVERVIEW
The security process is the method an organization uses to
implement and achieve its security objectives. The process is
designed to identify, measure, manage and control the risks to
system and data availability, integrity, and confidentiality, and
ensure accountability for system actions. The process includes five
areas that serve as the framework for this booklet:
1) Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
outcomes.
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and
operation of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of
risk-appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously gathering
and analyzing information regarding new threats and vulnerabilities
and actual attacks on the institution or others, combined with the
effectiveness of the existing security controls. This information is
used to update the risk assessment, strategy, and controls.
Monitoring and updating makes the process continuous instead of a
one-time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.3 Employee Sabotage
Employees are most familiar with their employer's computers and
applications, including knowing what actions might cause the most
damage, mischief, or sabotage. The downsizing of organizations in
both the public and private sectors has created a group of
individuals with organizational knowledge, who may retain potential
system access (e.g., if system accounts are not deleted in a timely
manner). The number of incidents of employee sabotage is believed to
be much smaller than the instances of theft, but the cost of such
incidents can be quite high.
Martin Sprouse, author of Sabotage in the American Workplace,
reported that the motivation for sabotage can range from altruism to
revenge:
As long as people feel cheated, bored, harassed, endangered, or
betrayed at work, sabotage will be used as a direct method of
achieving job satisfaction -- the kind that never has to get the
bosses' approval.
Common examples of computer-related employee sabotage include:
1) destroying hardware or facilities,
2) planting logic bombs that destroy programs or data,
3) entering data incorrectly,
4) "crashing" systems,
5) deleting data,
6) holding data hostage, and
7) changing data.
Chapter 4.4 Loss of Physical and Infrastructure Support
The loss of supporting infrastructure includes power failures
(outages, spikes, and brownouts), loss of communications, water
outages and leaks, sewer problems, lack of transportation services,
fire, flood, civil unrest, and strikes. These losses include such
dramatic events as the explosion at the World Trade Center and the
Chicago tunnel flood, as well as more common events, such as broken
water pipes. Many of these issues are covered in Chapter. A loss of
infrastructure often results in system downtime, sometimes in
unexpected ways. For example, employees may not be able to get to
work during a winter storm, although the computer system may be
functional.