- Our cybersecurity testing meets the independent pen-test
requirements outlined in the FFIEC Information Security booklet, and
the penetration study complies with the FFIEC Cybersecurity Assessment
Tool regarding resilience testing. Independent pen-testing is part of
any financial institution's cybersecurity defense. To receive due
diligence information, the agreement, and cost-saving fees, please
complete the information form at
All communication is kept strictly confidential.
- Quarter of respondents would pay ransom to protect stolen data,
survey says - Nearly a quarter (24.6 percent) of company executives
and IT leaders would be willing to pay hackers a ransom to prevent
them from leaking critically sensitive stolen data, a global survey
of more than 200 execs and IT managers found.
- ICO questions 12-month data retention plans under Snoopers'
Charter draft - Information commissioner Christopher Graham has
voiced concerns about the government’s intention to force internet
firms to store customer data for 12 months, claiming that no clear
justification has been made for this time period.
- Microsoft to axe support for older Internet Explorer next week -
Don't say we didn't warn ya ... because we did - In less than one
week, Microsoft will end support for several versions of its
Internet Explorer web browser.
- Cybergang targets Japanese banks with Rovnix Trojan - Researchers at
IBM X-Force spotted the cybergang that controls the Rovnix Trojan
launching an aggressive campaign against 14 major Japanese banks.
- St. Louis Cards official pleads guilty to hacking Astros site - The
former director of baseball development for the St. Louis Cardinals
pleaded guilty Friday to charges of accessing computers belonging to
the Houston Astros without authorization, according to a release on
Friday from the Department of Justice.
- Payment card data attacks worry over half of UK and US businesses -
Well over half (60 percent) of US and 52 percent of UK enterprises
feel that an attack on payment card data is likely or more than
- Thousands of Interior Department laptops vulnerable to cyber attack
- Nearly 15,000 laptops used by U.S. Department of the Interior
employees don't have proper safeguards to protect sensitive
information from being hacked by a cyber criminal because of a
management decision to depart from best practices.
- Audit: Network of U.S. Nuclear Regulatory Commission not
optimized against cyberthreats - An audit of the Security Operations
Center (SOC) responsible for securing the U.S. Nuclear Regulatory
Commission's (NRC) network infrastructure reveals the SOC's
procedures are currently not optimized to meet the rapidly
escalating needs of its government client, in light of growing
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Ring's smart doorbell can leave your house vulnerable to hacks -
The $199 Ring Video Doorbell may be "smarter" than your average
buzzer, but a major vulnerability can leave your Wi-Fi network wide
open to hackers. Pen Test Partners, a limited liability partnership
(LLP) that assesses computer systems, apps and more for potential
network security vulnerabilities, took a close look at the Ring
Video Doorbell recently and found a serious flaw for hackers to
- IoT 'ding-donger' reveals WiFi passwords - The Ring WiFi
doorbell, an IoT device, not only allows users to view whoever is
on their doorstep via the internet from a mobile device when they
are not home, but also gives away the homeowner's WiFi password.
- Linode Resets Passwords as DDoS Attacks Continue - The cloud
hosting provider forces users to change passwords after an
unauthorized log-in is detected.
- Indiana University Health Arnett Hospital loses USB drive with 29K
records - Indiana University Health Arnett Hospital reported the
loss of an unencrypted USB drive containing information on 29,000
emergency room patients.
- Breathalyzer maker hacked in possible extortion case - A company
specializing in car breathalyzer technology has seemingly become an
extortion target, after a hacker uploaded what appears to be
internal documents and source code onto an online hacking forum,
according to a report in Motherboard.
- Jeremy Corbyn's Twitter account hacked for a few minutes - In what
is being hailed a model of fast response, the Labour Party moved
swiftly last night to regain control of the Twitter account of its
leader, Jeremy Corbyn, following a hack.
- Amex, affiliate reports three breaches to California AG - American
Express Travel Related Services Company and/or one of its
affiliates reported three data breaches to the California Attorney
General (AG) in early January.
- TaxAct breached: Customer banking and Social Security
information compromised - Tax software maker TaxAct is informing
some of its customers that an unauthorized third party accessed
their TaxAct account in late 2015.
WEB SITE COMPLIANCE -
This week continues our
series on the FDIC's Supervisory Policy on Identity Theft.
(4 of 6)
As a result of guidelines issued by the FDIC, together with other
federal agencies, financial institutions are required to develop and
implement a written program to safeguard customer information,
including the proper disposal of consumer information (Security
Guidelines).[5] The FDIC considers this programmatic requirement to be
one of the foundations of identity theft prevention. In guidance
that became effective on January 1, 2007, the federal banking
agencies made it clear that they expect institutions to use stronger
and more reliable methods to authenticate the identity of customers
using electronic banking systems. Moreover, the FDIC has also issued
guidance stating that financial institutions are expected to notify
customers of unauthorized access to sensitive customer information
under certain circumstances. The FDIC has issued a number of other
supervisory guidance documents articulating its position and
expectations concerning identity theft. Industry compliance with
these expectations will help to prevent and mitigate the effects of
Risk management examiners trained in information technology (IT)
and the requirements of the Bank Secrecy Act (BSA) evaluate a number
of aspects of a bank's operations that raise identity theft issues.
IT examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the
Fair Credit Reporting Act (FCRA), through the auspices of the
Federal Financial Institutions Examination Council's (FFIEC)
Consumer Compliance Task Force. These procedures are used during
consumer compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
The Fair and Accurate Credit Transactions Act directed the FDIC and
other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary - Financial institutions must maintain an ongoing
information security risk assessment program that effectively:
1) Gathers data regarding the information and technology assets of
the organization, threats to those assets, vulnerabilities, existing
security controls and processes, and the current security standards;
2) Analyzes the probability and impact associated with the known
threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and vulnerabilities
to determine the appropriate level of training, controls, and
testing necessary for effective mitigation.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.7 Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic
bombs, and other "uninvited" software. Sometimes mistakenly
associated only with personal computers, malicious code can attack
A 1993 study of viruses found that while the number of known
viruses is increasing exponentially, the number of virus incidents
is not. The study concluded that viruses are becoming more
prevalent, but only "gradually."
The rate of PC-DOS virus incidents in medium to large North
American businesses appears to be approximately 1 per 1,000 PCs per
quarter; the number of infected machines is perhaps 3 or 4 times
this figure if we assume that most such businesses are at least
weakly protected against viruses.
Actual costs attributed to the presence of malicious code have
resulted primarily from system outages and staff time involved in
repairing the systems. Nonetheless, these costs can be significant.
Malicious Software: A Few Key Terms
1) Virus: A code segment that replicates by attaching copies of
itself to existing executables. The new copy of the virus is
executed when a user executes the new host program. The virus may
include an additional "payload" that triggers when specific
conditions are met. For example, some viruses display a text string
on a particular date. There are many types of viruses, including
variants, overwriting, resident, stealth, and polymorphic.
2) Trojan Horse: A program that performs a desired task, but that
also includes unexpected (and undesirable) functions. Consider as an
example an editing program for a multi-user system. This program
could be modified to randomly delete one of the users' files each
time they perform a useful function (editing), but the deletions are
unexpected and definitely undesired!
3) Worm: A self-replicating program that is self-contained and
does not require a host program. The program creates a copy of
itself and causes it to execute; no user intervention is required.
Worms commonly use network services to propagate to other host
4.8 Foreign Government Espionage
In some instances, threats posed by foreign government intelligence
services may be present. In addition to possible economic espionage,
foreign intelligence services may target unclassified systems to
further their intelligence missions. Some unclassified information
that may be of interest includes travel plans of senior officials,
civil defense and emergency preparedness, manufacturing
technologies, satellite data, personnel and payroll data, and law
enforcement, investigative, and security files. Guidance should be
sought from the cognizant security office regarding such threats.