- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet, and
the penetration study complies
with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and cost-saving fees, please complete the information form at
All communication is kept strictly confidential.
- Morgan Stanley adviser sentenced for hacking firm's network - A
former financial adviser at Morgan Stanley received three years'
probation and will pay $600,000 in restitution for his illegal
accessing of the firm's confidential client data "in order to use it
for his personal advantage as a private wealth management adviser at
the Bank," the FBI stated in a release on Tuesday.
- Internet-connected homes open the door to hackers - Baby monitors,
thermostats, kitchen gadgets and other "smart" devices add
convenience to our daily lives. What are manufacturers doing to make
sure they don't make life easier for criminals too?
- Lessons learned from 2015 cyber attacks - Following an onslaught
year of massive breaches, 2016 promises to usher in more of the
same, but with each breach there was a lesson to be learned,
according to a Trend Micro report.
- T.S.A. Moves Closer to Rejecting Some State Driver’s Licenses for
Travel - As soon as next year, a driver’s license may no longer be
enough for airline passengers to clear security in some states, if
the Department of Homeland Security has its way.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hyatt investigates malware found on payment processors - Hyatt
Hotels Corp. reported late last week that it had found malware on
the computers that operate the company's payment processing systems
and is now conducting an investigation to discover the extent of the
- Livestream alerts registered users of suspected hack - Livestream,
the web-based video broadcaster, alerted its registered users of a
suspected data breach, urging them to change their passwords.
- Massive trove of US voter data discovered on Web - More than 191
million voter records, including personal information and voting
activity, have been exposed. It's not clear who owns the server.
- Gaming souk Steam spews credit card, personal info in Xmas Day
security meltdown - Video game marketplace Steam is leaking
people's personal information – including their payment details and
billing addresses – to strangers.
- UConn website hacked and used to spread malware - The University
of Connecticut (UConn) became the most recent institution of higher
learning to be hit with a cyberattack when it was hacked on Dec. 27
and used to distribute malware.
WEB SITE COMPLIANCE -
This week continues our
series on the FDIC's Supervisory Policy on Identity Theft.
(2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among the
most frequent targets of identity thieves since they store sensitive
information about their customers and hold customer funds in
accounts that can be accessed remotely and transferred
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and, most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
ROLES AND RESPONSIBILITIES (1 of 2)
Information security is the responsibility of everyone at the
institution, as well as the institution's service providers and
contractors. The board, management, and employees all have different
roles in developing and implementing an effective security process.
The board of directors is responsible for overseeing the
development, implementation, and maintenance of the institution's
information security program. Oversight requires the board to
provide management with guidance and receive reports on the
effectiveness of management's response. The board should approve
written information security policies and the information security
program at least annually. The board should provide management with
its expectations and requirements for:
1) Central oversight and coordination,
2) Areas of responsibility,
3) Risk measurement,
4) Monitoring and testing,
5) Reporting, and
6) Acceptable residual risk.
Senior management's attitude towards security affects the entire
organization's commitment to security. For example, the failure of a
financial institution president to comply with security policies
could undermine the entire organization's commitment to security.
Senior management should designate one or more individuals as
information security officers. Security officers should be
responsible and accountable for security administration. At a
minimum, they should directly manage or oversee risk assessment,
development of policies, standards, and procedures, testing, and
security reporting processes. Security officers should have the
authority to respond to a security event by ordering emergency
actions to protect the financial institution and its customers from
an imminent loss of information or value. They should have
sufficient knowledge, background, and training, as well as an
organizational position, to enable them to perform their assigned
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.5 Malicious Hackers
The term malicious hackers, sometimes called crackers, refers to
those who break into computers without authorization. They can
include both outsiders and insiders. Much of the rise of hacker
activity is often attributed to increases in connectivity in both
government and industry. One 1992 study of a particular Internet
site (i.e., one computer system) found that hackers attempted to
break in once at least every other day.
The hacker threat should be considered in terms of past and
potential future damage. Although current losses due to hacker
attacks are significantly smaller than losses due to insider theft
and sabotage, the hacker problem is widespread and serious. One
example of malicious hacker activity is that directed against the
public telephone system.
Studies by the National Research Council and the National Security
Telecommunications Advisory Committee show that hacker activity is
not limited to toll fraud. It also includes the ability to break
into telecommunications systems (such as switches), resulting in the
degradation or disruption of system availability. While unable to
reach a conclusion about the degree of threat or risk, these studies
underscore the ability of hackers to cause serious damage.
The hacker threat often receives more attention than more common
and dangerous threats. The U.S. Department of Justice's Computer
Crime Unit suggests three reasons for this.
First, the hacker threat is a more recently encountered
threat. Organizations have always had to worry about the actions of
their own employees and could use disciplinary measures to reduce
that threat. However, these measures are ineffective against
outsiders who are not subject to the rules and regulations of the
Second, organizations do not know the purposes of a hacker --
some hackers browse, some steal, some damage. This inability to
identify purposes can suggest that hacker attacks have no
Third, hacker attacks make people feel vulnerable,
particularly because their identity is unknown. For example, suppose
a painter is hired to paint a house and, once inside, steals a piece
of jewelry. Other homeowners in the neighborhood may not feel
threatened by this crime and will protect themselves by not doing
business with that painter. But if a burglar breaks into the same
house and steals the same piece of jewelry, the entire neighborhood
may feel victimized and vulnerable.