- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet as well as
the penetration study complies
with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
- UK high-street banks accused of "shockingly bad" online security -
Over half of the UK's high-street banks and building societies use
outdated SSL security that means their online customers can be
attacked by low-skilled cyber-criminals, and “they don't seem to
care”, according to a security firm.
- BIMCO releases first cybersecurity guidelines for shipping
industry - The Baltic and International Maritime Council (BIMCO)
today launched the first set of cybersecurity guidelines for the
global shipping industry to prevent issues that could arise from
cyber incidents at sea.
- Dutch govt says no to backdoors, slides $540k into OpenSSL without
breaking eye contact - People need encryption to be safe and secure,
says ministry - A government position paper, published by the
Ministry of Security and Justice on Monday and signed by the
security and business ministers, concludes that "the government
believes that it is currently not appropriate to adopt restrictive
legal measures against the development, availability and use of
encryption within the Netherlands."
- Pentagon Grants Contractors an Extension on Hack Detection Rules -
The Pentagon has updated data breach rules for defense contractors
to allow companies an extra year-and-a-half to comply with one
- BlackBerry to stay in Pakistan after government backs down on
access and content demands - The Canadian phone maker has reneged on
its decision to exit the Pakistani market following talks with the
country's government on the privacy of its customers.
- NYC begins rolling out free public Wi-Fi. Will others follow suit?
- The city plans to provide up to 10,000 hotspots over the next
decade, replacing phonebooths with hi-tech kiosks. The first hubs
were installed this week.
- Canadian cyberthreats differ from those in the U.S., report says -
The U.S. and Canada both see their fair shares of malware such as
Dridex and other banking trojans, but there was one threat
conspicuously absent from Canada's list of common threats -
- Loose talk on social media big security risk for firms - Employees
are risking their organisations' IT security and their own personal
data by sharing too much information on social media.
- House Small Business Committee grills SBA on weak security - Weak
information security was at the top of the House Small Business
Committee's agenda when it met Wednesday and Thursday to discuss
several areas of mismanagement at the Small Business Administration
- Henry Schein to pay $250K to FTC for misleading encryption claims
- In an enforcement action that aimed the spotlight squarely at
encryption, the Federal Trade Commission (FTC) and the Henry Schein
Practice Solutions, Inc. agreed to pay a $250,000 fine for falsely
advertising the level of encryption it used to safeguard patient
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Series of DDoS attacks plague Linode data centers, infrastructure
- Cloud hosting company Linode reported that a set of distributed
denial of service (DDoS) attacks have caused service interruptions
at DNS infrastructure and data center locations in the U.S. and the
U.K., including Dallas, London, Atlanta, Frankfurt, Newark, N.J.,
Tokyo, Singapore and Fremont, Calif.
- BBC sites hit with possible DDoS attack - The British Broadcasting
Corporation's (BBC) websites were shut down Thursday morning by what
is believed to have been a massive distributed denial-of-service
- Steam confirms info on 34K users likely exposed in Christmas Day
DoS attack - Steam confirmed in a statement on its website that a
midday denial-of-service attack on Christmas likely exposed the
personal information of 34,000 users via store page requests made
between 11:52 a.m. and 13:20 p.m. PST.
- U.K. school tries to improve cyber hygiene after memory stick lost
- The third-oldest school in the U.K. is working to improve cyber
hygiene after an employee lost a memory stick that belonged to the
school while on public transport.
- Hillsides worker emails PII to unencrypted address, 1,000 affected
- Hillsides child-services and welfare agency in Pasadena, Calif.,
reported a data breach on December 30 that could impact about 1,000
clients and staff members.
- Did AVG leave your personal data exposed? - It turns out that even
the companies whose job it is to keep us safe can't seem to do it.
What hope is there?
- Kurdish group claims responsibility for hacking Idaho city website
- McCall City, Idaho's municipal website was hacked and defaced late
last week by a Kurdish group claiming to be anti-ISIS and
- "Russian" BlackEnergy malware strikes at Ukrainian media and
energy firms - Cyber-criminals behind the BlackEnergy trojan made a
comeback in 2015, launching attacks against media and energy
companies in the Ukraine, according to infosec researchers.
- Hackers cause electricity 'blackout' in Ukraine - In a worrying
sign of potential cyber attacks to come, thousands of people in
Ukraine were left without electricity after hackers hit electrical
substations, it has been claimed.
- Researchers Out Default Passwords Packaged With ICS/SCADA Wares -
ICS/SCADA researchers from Russia have published online a list of
popular industrial systems that come packaged with default passwords
in hopes that the vendors--which include a who's who in ICS/SCADA--will
change their ways in that practice.
- Sony PSN downed; hacking group claims DDOS attack - The hacking
group Phantom Squad is claiming responsibility for a distributed
denial of service (DDOS) attack that brought down Sony's PlayStation
Network offline worldwide for most of the day Monday.
- PayPal investigates account compromised twice in one day - PayPal
is investigating an incident in which a user's account was
compromised and used in a thwarted attempt to send money to a dead
- Anonymous takes credit for shutting down 14 Thai police wesbites -
The hacking collective Anonymous claimed responsibility for shutting
down 14 Thailand police websites on Tuesday to protest the death
sentences of two Myanmar migrant workers convicted of murdering two
- Mystery database leaks conservative's personal details - Just
after it was revealed that 191 million voter records were exposed to
the public due to a misconfigured MongoDB database, another 56
million records have been leaked from what researchers believe is a
right-wing Christian group originating in the US.
- 2 million sets of personal records stolen in 2015 Japanese
cyber-attacks - At least 2.07 million data sets with personal
information have been leaked or feared leaked from 140 organisations
in Japan during 2015.
- Time Warner Cable says 320,000 customer emails potentially stolen
- Time Warner Cable (TWC) blamed a phishing attack conducted on one
of its vendors for a data breach that may have resulted in 320,000
TWC customer emails and other personal information being stolen.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our
series on the FDIC's Supervisory Policy on Identity Theft.
3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most important
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly
communicating responsibilities and holding appropriate individuals
accountable for complying with these requirements. A central
authority should be responsible for establishing and monitoring the
security program. Security management responsibilities, however, may
be distributed throughout the institution from the IT department to
various lines of business depending on the institution's size,
complexity, culture, nature of operations, and other factors. The
distribution of duties should ensure an appropriate segregation of
duties between individuals or organizational groups.
Senior management also has the responsibility to ensure integration
of security controls throughout the organization. To support
integration, senior management should
1) Ensure the security process is governed by organizational
policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity
characteristics be protected consistently regardless of where in the
organization it resides,
3) Enforce compliance with the security program in a balanced and
consistent manner across the organization, and
Coordinate information security with physical security.
Senior management should make decisions regarding the acceptance of
security risks and the performance of risk mitigation activities
using guidance approved by the board of directors.
Employees should know, understand, and be held accountable for
fulfilling their security responsibilities. Institutions should
define these responsibilities in their security policy. Job
descriptions or contracts should specify any additional security
responsibilities beyond the general policies. Financial institutions
can achieve effective employee awareness and understanding through
security training, employee certifications of compliance, self -
assessments, audits, and monitoring.
Management also should consider the roles and responsibilities of
external parties. Technology service providers (TSPs), contractors,
customers, and others who have access to the institution's systems
and data should have their security responsibilities clearly
delineated and documented in contracts.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.6 Industrial Espionage
Industrial espionage is the act of gathering proprietary data from
private companies or the government for the purpose of aiding
another company(ies). Industrial espionage can be perpetrated either
by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign
industrial espionage carried out by a government is often referred
to as economic espionage. Since information is processed and stored
on computer systems, computer security can help protect against such
threats; it can do little, however, to reduce the threat of
authorized employees selling that information.
Industrial espionage is on the rise. A 1992 study sponsored by the
American Society for Industrial Security (ASIS) found that
proprietary business information theft had increased 260 percent
since 1985. The data indicated 30 percent of the reported losses in
1991 and 1992 had foreign involvement. The study also found that 58
percent of thefts were perpetrated by current or former employees.
The three most damaging types of stolen information were pricing
information, manufacturing process information, and product
development and specification information. Other types of
information stolen included customer lists, basic research, sales
data, personnel data, compensation data, cost data, proposals, and
Within the area of economic espionage, the Central Intelligence
Agency has stated that the main objective is obtaining information
related to technology, but that information on U.S. government
policy deliberations concerning foreign affairs and information on
commodities, interest rates, and other economic factors is also a
target. The Federal Bureau of Investigation concurs that
technology-related information is the main target, but also lists
corporate proprietary information, such as negotiating positions and
other contracting data, as a target.