- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet as well as
the penetration study complies
with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
- FDA Issues More Medical Device Security Guidance - Latest
Recommendations Focus on Postmarket Cybersecurity Risks - New
proposed cybersecurity guidance from the Food and Drug
Administration is an important step in getting medical device
manufacturers more focused on the risks posed by their products as
they're used in healthcare settings, security experts say.
- 'Uber of banking' banks on no fees, no branches - BankMobile CEO
Jay Sidhu was pleased that I cover personal technology and not
- Cyberattacks on critical manufacturing doubled in 2015 - The
Department of Homeland Security investigated almost twice as many
cyberattacks on the nation’s critical manufacturing sector in fiscal
year 2015 as the year before, according to a new government report.
- Trustwave failed to spot casino hackers right under its nose –
lawsuit - And rival Mandiant sticks the boot in: 'Woefully
inadequate' probe cited in court allegations - IT security biz
Trustwave is being sued by a Las Vegas casino operator for allegedly
bungling a hacking investigation. Trustwave denies any wrongdoing.
- Firm Sues Cyber Insurer Over $480K Loss - A Texas manufacturing
firm is suing its cyber insurance provider for refusing to cover a
$480,000 loss following an email scam that impersonated the firm’s
- Nuclear Facilities Around the World Vulnerable to Cyber Attacks -
Many countries are leaving themselves wide open to cyber attacks on
their nuclear facilities, a watchdog group reports.
Network of U.S. Nuclear Regulatory Commission not optimized against
cyberthreats - An audit of the Security Operations Center (SOC)
responsible for securing the U.S. Nuclear Regulatory Commission's
(NRC) network infrastructure reveals the SOC's procedures are
currently not optimized to meet the rapidly escalating needs of its
government client, in light of growing cyberthreats.
Power plants, utilities 'just hanging right off the internet's
tubes' - US Homeland Security guy fed up with critical stuff
accessible on the 'net - Utilities opening their infrastructure to
the internet are creating an irresistible honeypot for criminals,
says the US government's Industrial Control Systems Cyber Emergency
Vermont bill would allow police to seize cell phones without warrant
- A Vermont legislator who introduced a draft law allowing police
officers to seize mobile devices without a warrant told a local news
outlet that he hasn't “really thought about” how to limit officers
from taking advantage of the warrantless searches that would be
allowed under his bill.
May the brute force be with you: Worst 2015 passwords pay homage to
Star Wars - As Obi-Wan Kenobi would say, "These aren't the passwords
you're looking for."
Ransomware and POS attackers to zero in on small businesses,
retailers - Small businesses and retailers should expect
cybercriminals to pay extra attention to them in the coming months
with ransomware and point of sale attacks becoming even more common.
Princeton PhD candidate develops framework for measuring web privacy
- Speaking at the first ever PrivacyCon in Washington DC, a PhD
candidate at Princeton University unveiled an open source web
measurement platform which he and his colleagues developed to
measure the extent of browser tracking on the web.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hyatt discovers malware at 250 hotels - After reporting in
December that it had found malware on the computers operating the
company's payment processing systems, Hyatt Hotels Corp. listed 250
hotels that could have exposed information stored on the payment
cards, including cardholder names, payment card numbers and internal
verification codes and expiration dates.
- Zombie OS lurches through Royal Melbourne Hospital spreading virus
- Windows XP shocker is 'willful negligence', OWASP boffin chimes.
The pathology wing of the Royal Melbourne Hospital in the Australian
state of Victoria is suffering from an virus infection on its
Windows XP PCs.
- Details of 325K Earbits.com users available on public database -
MacKeeper discovered 13 million Earbits.com account records that
were left exposed on a database server.
- DDoS attack disrupts Irish National Lottery - The Irish National
Lottery website and ticket machines operations have been disrupted
by a cyber-attack.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our
series on the FDIC's Supervisory Policy on Identity Theft.
5 of 6)
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposia series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be
an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
The quality of security controls can significantly influence
all categories of risk. Traditionally, examiners and bankers
recognize the direct impact on operational/transaction risk from
incidents related to fraud, theft, or accidental damage. Many
security weaknesses, however, can directly increase exposure in
other risk areas. For example, the GLBA introduced additional
legal/compliance risk due to the potential for regulatory
noncompliance in safeguarding customer information. The potential
for legal liability related to customer privacy breaches may present
additional risk in the future. Effective application access controls
can reduce credit and market risk by imposing risk limits on loan
officers or traders. If a trader were to exceed the intended trade
authority, the institution may unknowingly assume additional market
A strong security program reduces levels of reputation and
strategic risk by limiting the institution's vulnerability to
intrusion attempts and maintaining customer confidence and trust in
the institution. Security concerns can quickly erode customer
confidence and potentially decrease the adoption rate and rate of
return on investment for strategically important products or
services. Examiners and risk managers should incorporate security
issues into their risk assessment process for each risk category.
Financial institutions should ensure that security risk assessments
adequately consider potential risk in all business lines and risk
Information security risk assessment is the process used to
identify and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
pre-requisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
Risk assessments for most industries focus only on the risk to the
business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to 'protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.9 Threats to Personal Privacy
The accumulation of vast amounts of electronic information about
individuals by governments, credit bureaus, and private companies,
combined with the ability of computers to monitor, process, and
aggregate large amounts of information about individuals have
created a threat to individual privacy. The possibility that all of
this information and technology may be able to be linked together
has arisen as a specter of the modern information age. This is often
referred to as "Big Brother." To guard against such intrusion,
Congress has enacted legislation, over the years, such as the
Privacy Act of 1974 and the Computer Matching and Privacy Protection
Act of 1988, which defines the boundaries of the legitimate uses of
personal information collected by the government.
The threat to personal privacy arises from many sources. In several
cases federal and state employees have sold personal information to
private investigators or other "information brokers." One such case
was uncovered in 1992 when the Justice Department announced the
arrest of over two dozen individuals engaged in buying and selling
information from Social Security Administration (SSA) computer
files.42 During the investigation, auditors learned that SSA
employees had unrestricted access to over 130 million employment
records. Another investigation found that 5 percent of the employees
in one region of the IRS had browsed through tax records of friends,
relatives, and celebrities. Some of the employees used the
information to create fraudulent tax refunds, but many were acting
simply out of curiosity.
As more of these cases come to light, many individuals are becoming
increasingly concerned about threats to their personal privacy. A
July 1993 special report in MacWorld cited polling data taken by
Louis Harris and Associates showing that in 1970 only 33 percent of
respondents were concerned about personal privacy. By 1990, that
number had jumped to 79 percent.
While the magnitude and cost to society of the personal privacy
threat are difficult to gauge, it is apparent that information
technology is becoming powerful enough to warrant fears of both
government and corporate "Big Brothers." Increased awareness of the
problem is needed.