R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 31, 2017

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b); the penetration study also satisfies the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - It was déjà vu all over again when it came to bad passwords in 2017 - The worst password of 2016 remains the number one worst password of 2017 as “123456” tops the list of the most commonly chosen passwords spotted in data leaks. https://www.scmagazine.com/bad-passwords-still-common-at-the-close-of-2017/article/733387/

The economics of cybersecurity - Georgia jumped onto the cybersecurity bandwagon in a big way this year with the state investing in a massive training center to be constructed adjacent to the Augusta University Riverfront Campus, which is very close to the U.S. Army Cyber Command, the US Army Cyber Center of Excellence and the National Security Agency at Fort Gordon. https://www.scmagazine.com/the-economics-of-cybersecurity/article/720084/

2017 Biggest Data Breaches - June – Hackers accessed 8tracks's user database and pilfered information, including email addresses and encrypted passwords, from at least 18 million accounts signed up for the Internet radio service using email. https://www.scmagazine.com/2017-biggest-data-breaches/article/720104/

Russia's Globex bank says hackers targeted its SWIFT computers - Hackers tried to steal 55 million rubles ($940,000) from Russian state bank Globex using the SWIFT international payments messaging system, the bank said on Thursday, the latest in a string of attempted cyber heists that use fraudulent wire-transfer requests. https://www.reuters.com/article/us-russia-cyber-globex/russias-globex-bank-says-hackers-targeted-its-swift-computers-idUSKBN1EF294

Washington, D.C. police computers used by two Romanians to operate ransomware campaign - The U.S. Secret Service has filed a complaint against two Romanian nationals for allegedly compromising more than 100 Washington, D.C. police computers in order to spread ransomware. https://www.scmagazine.com/washington-dc-police-computers-used-by-two-romanians-to-operate-ransomware-campaign/article/720259/

Criminals spoof scanners and printers by the millions to spread malware - Cybercriminals are spoofing scanners by the millions to launch attacks containing malicious attachments that appear to be coming from the network printer. https://www.scmagazine.com/criminals-spoof-scanners-and-printers-to-infect-office-networks-with-malware/article/720774/

Third of UK Cybersecurity Execs Expect to Be Hacked: Report - Ransomware, phishing attacks and data loss are the three biggest issues that concern UK cybersecurity executives. https://www.scmagazine.com/third-of-uk-cybersecurity-execs-expect-to-be-hacked-report/article/733383/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Open AWS S3 bucket exposes sensitive Experian and census info on 123 million U.S. households - A publicly accessible Amazon S3 bucket was found holding data sets from Experian and the U.S. Census Bureau that contain sensitive personal information on 123 million U.S. households. https://www.scmagazine.com/open-aws-s3-bucket-exposes-sensitive-experian-and-census-info-on-123-million-us-households/article/720067/

Pyramid scheme: AnubisSpy Android malware steals data, seemingly links to old Sphinx campaign - A newly discovered Android spyware that victimizes Arabic-speakers has been potentially linked to the 2014-15 Sphinx cyber espionage campaign, which was launched by the threat group APT-C-15 to target PC users in the Middle East. https://www.scmagazine.com/pyramid-scheme-anubisspy-android-malware-steals-data-seemingly-links-to-old-sphinx-campaign/article/719741/

Chinese hackers tried to spy on U.S. think tanks to steal military strategy documents - A series of cyberattacks against Western think tanks and nongovernmental organizations appear to be attempts by the Chinese government to gain insight on the military strategies of Western governments. https://www.cyberscoop.com/chinese-hackers-tried-to-spy-on-u-s-think-tanks-to-steal-military-strategy-documents/

Nissan Canada Finance Alerts 1.13 Million Customers of Unauthorized Info Access - Nissan Canada Finance (NCF) reported last week that it became aware on Dec. 11 of unauthorized access to personal information of some of its 1.13 million customers. https://www.scmagazine.com/nissan-canada-finance-alerts-113-million-customers-of-unauthorized-info-access/article/720576/



WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
  
  Due Diligence in Selecting a Service Provider - Contract Issues
  
  Ownership and License
  
  The contract should address ownership and allowable use by the service provider of the institution’s data, equipment/hardware, system documentation, system and application software, and other intellectual property rights. Other intellectual property rights may include the institution’s name and logo; its trademark or copyrighted material; domain names; web site designs; and other work products developed by the service provider for the institution. The contract should not contain unnecessary limitations on the return of items owned by the institution. Institutions that purchase software should consider establishing escrow agreements. These escrow agreements may provide for the following: institution access to source programs under certain conditions (e.g., insolvency of the vendor), documentation of programming and systems, and verification of updated source code.
  
  Duration
  
  Institutions should consider the type of technology and current state of the industry when negotiating the appropriate length of the contract and its renewal periods. While there can be benefits to long-term technology contracts, certain technologies may be subject to rapid change and a shorter-term contract may prove beneficial. Similarly, institutions should consider the appropriate length of time required to notify the service provider of the institutions’ intent not to renew the contract prior to expiration. Institutions should consider coordinating the expiration dates of contracts for inter-related services (e.g., web site, telecommunications, programming, network support) so that they coincide, where practical. Such coordination can minimize the risk of terminating a contract early and incurring penalties as a result of necessary termination of another related service contract.



FFIEC IT SECURITY -
This concludes our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
  
  Part III. Risks Associated with Both Internal Wireless Networks and Wireless Internet Devices
  
  Evolution and Obsolescence
  
  
As the wireless technologies available today evolve, financial institutions and their customers face the risk of current investments becoming obsolete in a relatively short time. As demonstrated by the weaknesses in WEP and earlier versions of WAP and the changes in standards for wireless technologies, wireless networking as a technology may change significantly before it is considered mature. Financial institutions that invest heavily in components that may become obsolete quickly may feel the cost of adopting an immature technology.
  
  Controlling the Impact of Obsolescence
  
  
Wireless internal networks are subject to the same types of evolution that encompass the computing environment in general. Key questions to ask a vendor before purchasing a wireless internal network solution include:
  
  1)  What is the upgrade path to the next class of network?
  2)  Do the devices support firmware (Flash) upgrades for security patches and upgrades?
  3)  How does the vendor distribute security information and patches?
  
  The financial institution should also consider the evolving standards of the wireless community. Before entering into an expensive implementation, the institution should research when the next major advances in wireless are likely to be released. Bank management can then make an informed decision on whether the implementation should be based on currently available technology or a future implementation based on newer technology.
  
  The potential obsolescence of wireless customer access can be controlled in other ways. As the financial institution designs applications that are to be delivered through wireless devices, it should design them so that the business logic is not tied to a particular wireless technology. This can be accomplished by placing the majority of the business logic on back-end or mid-tier servers that are independent of the wireless application server. The wireless application server then becomes a connection point between the customer and the transactions performed. When the institution decides to upgrade or replace the application server, the business logic can remain relatively undisturbed.
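The separation the guidance describes, as an added example that is not part of the FDIC guidance or of this newsletter: one back-end service holds every business rule (session check, account ownership, daily limit, balance), while two thin "wireless application server" front ends, an older WML form handler and a newer JSON handler, only parse their channel's request and forward it. Account names, session tokens, the limit, and both request formats are constructed for the illustration. The security point is that a new channel cannot accidentally omit an authorization check, because no check lives in the channel code.

```python
"""
Channel-independent business logic with thin wireless front ends.
Added example; everything here (accounts, tokens, limits, formats) is
constructed for illustration and is not any institution's real system.
"""
import json
from dataclasses import dataclass, field
from decimal import Decimal
from urllib.parse import parse_qs


class TransferError(Exception):
    """Any rejection by the core, identical for every channel."""


@dataclass
class AccountService:
    """Back-end tier: the only place a transfer is authorized or applied."""
    balances: dict = field(default_factory=dict)           # account -> Decimal
    sessions: dict = field(default_factory=dict)           # session token -> customer
    transferred_today: dict = field(default_factory=dict)  # customer -> Decimal
    daily_limit: Decimal = Decimal("1000.00")

    def transfer(self, token, src, dst, amount):
        customer = self.sessions.get(token)
        if customer is None:
            raise TransferError("not authenticated")
        if not src.startswith(customer + ":"):      # accounts are "customer:name"
            raise TransferError("source account not owned by caller")
        if amount <= 0:
            raise TransferError("amount must be positive")
        if dst not in self.balances:
            raise TransferError("unknown destination")
        used = self.transferred_today.get(customer, Decimal("0"))
        if used + amount > self.daily_limit:
            raise TransferError("daily limit exceeded")
        if self.balances.get(src, Decimal("0")) < amount:
            raise TransferError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.transferred_today[customer] = used + amount
        return {"status": "ok", "balance": str(self.balances[src])}


def _guarded(call):
    """Shared adapter error handling: a malformed request or a core rejection
    becomes a channel-neutral error record, never a silent success."""
    try:
        return call()
    except TransferError as e:
        return {"status": "error", "reason": str(e)}
    except (KeyError, ValueError, ArithmeticError):   # bad keys, bad JSON, bad Decimal
        return {"status": "error", "reason": "malformed request"}


def wap_transfer(service, body):
    """Older wireless front end: a URL-encoded WML form post. Parse and forward only."""
    def call():
        form = parse_qs(body)
        return service.transfer(form["sid"][0], form["from"][0], form["to"][0],
                                Decimal(form["amt"][0]))
    return _guarded(call)


def json_transfer(service, body):
    """Replacement front end for a JSON-speaking handset: the same core call."""
    def call():
        req = json.loads(body)
        return service.transfer(req["session"], req["source"], req["destination"],
                                Decimal(str(req["amount"])))
    return _guarded(call)


def demo():
    """Drive both channels against one service; the rules hold for each."""
    svc = AccountService(
        balances={"alice:chk": Decimal("500.00"), "bob:chk": Decimal("10.00")},
        sessions={"s-alice": "alice"})
    out = {}
    out["wap_ok"] = wap_transfer(
        svc, "sid=s-alice&from=alice%3Achk&to=bob%3Achk&amt=100.00")
    out["json_ok"] = json_transfer(svc, json.dumps(
        {"session": "s-alice", "source": "alice:chk",
         "destination": "bob:chk", "amount": "100.00"}))
    # A forged session, a foreign source account and an over-limit amount are
    # all refused by the core, whichever front end carried them.
    out["bad_session"] = json_transfer(svc, json.dumps(
        {"session": "s-mallory", "source": "alice:chk",
         "destination": "bob:chk", "amount": "1.00"}))
    out["not_owner"] = wap_transfer(
        svc, "sid=s-alice&from=bob%3Achk&to=alice%3Achk&amt=1.00")
    out["over_limit"] = json_transfer(svc, json.dumps(
        {"session": "s-alice", "source": "alice:chk",
         "destination": "bob:chk", "amount": "900.00"}))
    out["garbage"] = wap_transfer(svc, "sid=s-alice&amt=ten")
    out["balances"] = {k: str(v) for k, v in svc.balances.items()}
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Swapping the WML front end for the JSON one changes about ten lines of adapter code and nothing in AccountService; that is the "relatively undisturbed" business logic the guidance asks for, and it also means the limit and ownership checks are tested once rather than once per channel.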


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -

We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS

Computer support and operations refers to everything done to run a computer system. This includes both system administration and tasks external to the system that support its operation (e.g., maintaining documentation). It does not include system planning or design. The support and operation of any computer system, from a three-person local area network to a worldwide application serving thousands of users, is critical to maintaining the security of a system. Support and operations are routine activities that enable computer systems to function correctly. These include fixing software or hardware problems, loading and maintaining software, and helping users resolve problems.

System management and administration staff generally perform support and operations tasks although sometimes users do. Larger systems may have full-time operators, system programmers, and support staff performing these tasks. Smaller systems may have a part-time administrator.

The failure to consider security as part of the support and operations of computer systems is, for many organizations, their Achilles heel. Computer security system literature includes many examples of how organizations undermined their often expensive security measures because of poor documentation, old user accounts, conflicting software, or poor control of maintenance accounts. Also, an organization's policies and procedures often fail to address many of these important issues.

The important security considerations within some of the major categories of support and operations are:

1)  user support,
2)  software support,
3)  configuration management,
4)  backups,
5)  media controls,
6)  documentation, and
7)  maintenance.

Some special considerations are noted for larger or smaller systems.

The primary goal of computer support and operations is the continued and correct operation of a computer system. One of the goals of computer security is the availability and integrity of systems. These goals are very closely linked.

This chapter addresses the support and operations activities directly related to security. Every control discussed in this handbook relies, in one way or another, on computer system support and operations. This chapter, however, focuses on areas not covered in other chapters. For example, operations personnel normally create user accounts on the system. This topic is covered in the Identification and Authentication chapter, so it is not discussed here. Similarly, the input from support and operations staff to the security awareness and training program is covered in the Security Awareness, Training, and Education chapter.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated