The Department of Justice (DOJ) has
made clear that it interprets the ADA as applicable to websites.
Is your web site compliant with the Americans with
Disabilities Act? For the past 20 years, our bank web
site audits have covered the ADA guidelines. Help reduce
any liability, please contact me for more information at
- New York State revises its sweeping cyber regulation proposal for
financial sector - First-in-the-Nation Proposed Rule Aims to Protect
Consumer Data and Financial Systems from Terrorist Organizations and
Other Criminal Enterprises.
FDA Issues Final Guidance for Medical Device Security - With all the
current concern over IoT being insecure from cyberattacks, the U.S.
Food & Drug Administration (FDA) has posted the agency's final
guidance for medical device safety.
Accused hackers make millions off insider trading info - Three
Chinese men allegedly hacked two New York law firms and made more
than $4 million from the information they stole.
Czechs build new cyber-security HQ - A ten-fold increase in staffing
is planned for the Czech National Cyber-Security Centre (NCSC)
according to recently announced government plans.
Ransomware crime bill goes into effect in California - Beware
perpetrators of ransomware in California: Under a new bill that went
into effect on Jan.1, you will now face four years in a state
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Top-Secret-cleared SOCOM medics hit in 11GB govt database leak -
Dismissed hacker calls buddy to nix exposed database - A Pentagon
subcontractor has exposed the names, locations, Social Security
Numbers, and salaries of US Military Special Operations Command (SOCOM)
Holiday Inn Parent IHG Probes Breach Claims - InterContinental
Hotels Group (IHG), the parent company for more than 5,000 hotels
worldwide including Holiday Inn, says it is investigating claims of
a possible credit card breach at some U.S. locations.
Arenas Entertainment hit with ransomware demand - A new ransomware
attack has reportedly hit Arenas Entertainment, a Los Angeles-based
film company tailored to Hispanic audiences worldwide.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
the Board of Directors has the responsibility for ensuring that
appropriate security control processes are in place for e-banking,
the substance of these processes needs special management attention
because of the enhanced security challenges posed by e-banking.
Over the next number of weeks we will cover the principles of
Board and Management Oversight
- Principle 4: Banks should
take appropriate measures to authenticate the identity and
authorization of customers with whom it conducts business over the
Internet. (Part 1 of 2)
It is essential in banking to confirm that a particular
communication, transaction, or access request is legitimate.
Accordingly, banks should use reliable methods for verifying the
identity and authorization of new customers as well as
authenticating the identity and authorization of established
customers seeking to initiate electronic transactions.
Customer verification during account origination is important in
reducing the risk of identity theft, fraudulent account applications
and money laundering. Failure on the part of the bank to adequately
authenticate customers could result in unauthorized individuals
gaining access to e-banking accounts and ultimately financial loss
and reputational damage to the bank through fraud, disclosure of
confidential information or inadvertent involvement in criminal
Establishing and authenticating an individual's identity and
authorization to access banking systems in a purely electronic open
network environment can be a difficult task. Legitimate user
authorization can be misrepresented through a variety of techniques
generally known as "spoofing." Online hackers can also take over the
session of a legitimate authorized individual through use of a
"sniffer" and carry out activities of a mischievous or criminal
nature. Authentication control processes can in addition be
circumvented through the alteration of authentication databases.
Accordingly, it is critical that banks have formal policy and
procedures identifying appropriate methodology(ies) to ensure that
the bank properly authenticates the identity and authorization of an
individual, agent or system by means that are unique and, as far as
practical, exclude unauthorized individuals or systems. Banks can us
a variety of methods to establish authentication, including PINs,
passwords, smart cards, biometrics, and digital certificates. These
methods can be either single factor or multi-factor (e.g. using both
a password and biometric technology to authenticate). Multi-factor
authentication generally provides stronger assurance.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
14.2 Software Support
Software is the heart of an organization's computer operations,
whatever the size and complexity of the system. Therefore, it is
essential that software function correctly and be protected from
corruption. There are many elements of software support.
One is controlling what software is used on a system. If users or
systems personnel can load and execute any software on a system, the
system is more vulnerable to viruses, to unexpected software
interactions, and to software that may subvert or bypass security
controls. One method of controlling software is to inspect or test
software before it is loaded (e.g., to determine compatibility with
custom applications or identify other unforeseen interactions). This
can apply to new software packages, to upgrades, to off-the-shelf
products, or to custom software, as deemed appropriate. In addition
to controlling the loading and execution of new software,
organizations should also give care to the configuration and use of
powerful system utilities. System utilities can compromise the
integrity of operating systems and logical access controls.
A second element in software support can be to ensure that software
has not been modified without proper authorization. This involves
the protection of software and backup copies. This can be done with
a combination of logical and physical access controls.
Many organizations also include a program to ensure that software
is properly licensed, as required. For example, an organization may
audit systems for illegal copies of Copyright 2013ed software. This
problem is primarily associated with PCs and LANs, but can apply to
any type of system.
Viruses take advantage of the weak software controls in personal
computers. Also, there are powerful utilities available for PCs that
can restore deleted files, find hidden files, and interface directly
with PC hardware, bypassing the operating system. Some organizations
use personal computers without floppy drives in order to have better
control over the system.
There are several widely available utilities that look for security
problems in both networks and the systems attached to them. Some
utilities look for and try to exploit security vulnerabilities.