Saturday, June 28, 2014

FFIEC Cybersecurity Assessments Begin

500 Community Institutions to Be Examined in Pilot

The Federal Financial Institutions Examination Council has started its cybersecurity assessment pilot program, which will examine more than 500 community banking institutions. Plus, the council has launched a Web page dedicated to cybersecurity information.

The pilot program is slated to run through July, says Stephanie Collins, spokesperson for the Office of the Comptroller of the Currency.

The aim of the pilot program is to help smaller banking institutions address potential security gaps. The assessments will be conducted by state and federal regulators during regularly scheduled examinations, the FFIEC says.

"Information from the pilot effort will assist regulators in assessing how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks," the council says.

Areas the regulators will be focusing on during the cyber-assessments include risk management and oversight; threat intelligence and collaboration; cybersecurity controls; service provider and vendor risk management; and cyber-incident management and resilience.

"Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance and examiner training," the FFIEC says.

Thursday, June 26, 2014

Healthcare Cyber Security – TSCM & Risk Management

By J. D. LeaSure, President/CEO ComSec LLC

Healthcare-related cybercrime continues its remarkable upward trend. Electronic Health Records (EHRs), online healthcare portals, the street value of stolen Protected Health Information (PHI / e-PHI) and Individually Identifiable Health Information (IIHI), and limited cyber security programs have all contributed to this steady increase. And, as healthcare-related cybercrime rises, regulators continue to develop or modify laws and regulations aimed at protecting the information, and ultimately the consumer.

Healthcare companies tasked with protection of personal and/or protected health information must implement a thorough and effective risk analysis and risk management program to comply with the legal and regulatory requirements. If your cyber security risk program focuses too strongly on IT security, the program needs to be reevaluated. Electronic eavesdropping devices are inexpensive, easy to use, and can capture a great amount of data in an inconspicuous manner. Data breaches are costly, create criminal and civil liability and can irreparably damage your company’s reputation and future earnings potential. Omitting Cyber TSCM and TSCM from your risk management process could be a very costly mistake.

Friday, June 20, 2014

TSCM & Cyber TSCM – A Vital Part of Your Financial Institution’s Cyber Security Program

By J. D. LeaSure, President/CEO ComSec LLC

The cybersecurity programs of American businesses need to improve! Ask consumers and they’ll agree. With major data leaks by large retailers and financial institutions, most consumers have been impacted, either directly or indirectly. Regulators have noticed the frequency and severity of the breaches too, particularly their ultimate impact on our national security.

How can financial institutions improve their cybersecurity programs? Arm yourself with the knowledge you need to protect your organization, and implement an effective cybersecurity program. Helpful information follows:

Wednesday, June 18, 2014

Hackers reverse-engineer NSA's leaked bugging devices

Using documents leaked by Edward Snowden, hackers have built bugs that can be attached to computers to steal information in a host of intrusive ways
Radio hackers have reverse-engineered some of the wireless spying gadgets used by the US National Security Agency. Using documents leaked by Edward Snowden, researchers have built simple but effective tools that can be attached to parts of a computer to gather private information in a host of intrusive ways.
The NSA's Advanced Network Technology catalogue was part of the avalanche of classified documents leaked by Snowden, a former agency contractor. The catalogue lists and pictures devices that agents can use to spy on a target's computer or phone. The technologies include fake base stations for hijacking and monitoring cellphone calls and radio-equipped USB sticks that transmit a computer's contents.
But the catalogue also lists a number of mysterious computer-implantable devices called "retro reflectors" that boast a number of different surreptitious skills, including listening in on ambient sounds and harvesting keystrokes and on-screen images.
Because no one outside the NSA and its partners knows how retro reflectors operate, security engineers cannot defend against their use. Now a group of security researchers led by Michael Ossmann of Great Scott Gadgets in Evergreen, Colorado, has not only figured out how these devices work, but also recreated them.

Friday, June 13, 2014

Access Health data breach

June 10--State Republicans are raising questions about the security of Connecticut's health care exchange, Access Health CT, after an employee of the exchange's call center left a backpack filled with customer data at a Hartford deli.
But representatives of Access Health and the company that manages the call center said the worker, who has been placed on administrative leave, made an honest mistake and there's no reason to believe the information was misused.
"The individual is deeply sorry and has been cooperating with investigators," said Ilene Baylinson, president of health services of the eastern region of Maximus, the Virginia-based company that runs the Access Health call center.
Vital information
The problem came to light Friday afternoon, when Access Health officials announced that someone had discovered a backpack on Trumbull Street in Hartford containing four notepads with personal information for more than 400 Access Health customers. That information included names, birth dates and 151 Social Security numbers.
Customers affected by the breach will be notified through certified mail. Both Access Health and Maximus representatives said free fraud prevention services would be offered to affected individuals.
Access Health Chief Marketing Officer Jason Madrak said exchange officials learned about the backpack from staffers of state Rep. Jay Case, R-63. A constituent of Case called his office Friday, saying he had found the backpack at New York Deli on Trumbull Street.

Bugging your own office NSA-style

In the past year many have grown increasingly incensed at news regarding pervasive surveillance.
Then again, many have yawned.
For those who remain unconvinced that National Security Agency (NSA)-style blanket surveillance might uncover anything that could come back to haunt them, Project Eavesdrop will hopefully be an eye-opener.
That's the code name for a project designed by the US's National Public Radio (NPR) news agency to find out just what, exactly, the NSA could see about a person if it cared to look.
The answer: a lot.
To get to that answer, Steve Henn, a reporter for NPR, had his office bugged.
NPR worked with Sean Gallagher, a reporter at Ars Technica, and Dave Porcello, a computer security expert at Pwnie Express, to tap the internet traffic coming into and out of his home office in California.
They set up the tap so as to mimic the broad, passive surveillance of internet traffic that's done by NSA systems, and they let it run for a week.

Tuesday, June 10, 2014

Cybercrime and espionage costs $445 billion annually

A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income.
The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm.
“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.
The report, funded by the security firm McAfee, which is part of Intel Security, represents one of the first efforts to analyze the costs, drawing on a variety of data.
“Cybercrime costs are big, and they’re growing,” said Stewart A. Baker, a former Department of Homeland Security policy official and a co-author of the report. “The more that governments understand what those costs are, the more likely they are to bring their laws and policies into line with preventing those sorts of losses.”
According to the report, the most advanced economies suffered the greatest losses. The United States, Germany and China together accounted for about $200 billion of the total in 2013. Much of that was due to theft of intellectual property by foreign governments.
Though the report does not break out a figure for that, or name countries behind such theft, the U.S. government has publicly named China as the major perpetrator of cyber economic espionage against the United States.