The Department of Justice (DOJ) has
made clear that it interprets the ADA as applicable to websites.
Is your web site compliant with the Americans with
Disabilities Act? For the past 20 years, our bank web
site audits have covered the ADA guidelines. Help reduce
any liability, please contact me for more information at
- NIST updates Cybersecurity Framework, seeks comment - The National
Institute of Standards and Technology (NIST) issued a draft update
on Tuesday to its Framework for Improving Critical Infrastructure
Cybersecurity, aka the Cybersecurity Framework, aimed at forging
stronger cybersecurity measures.
FYI - The TBA and IBAT filed a barratry
lawsuit in Tarrant County District Court challenging the Carlson
Lynch Pennsylvania law firm and its solicitation letters to Texas
banks relative to ADA website compliance.
Additionally, a complaint was filed with the Unauthorized Practice
of Law Committee of the State Bar of Texas.
Symantec caught issuing illegal certificates for second time in
two years - Independent researcher Andrew Ayer spotted Symantec once
again improperly issuing 108 invalidated transport layer security
BankBot created with leaked banking trojan source code - One of the
newer Android banking Trojans to be found in the wild is the result
of leaked banking malware source code that was found and improved
upon by cybercriminals.
80 percent of IoT devices not tested for security flaws - A recent
study found 80 percent of Internet of Things apps aren't tested for
vulnerabilities and there is still a lack of urgency to address the
Who is Anna-Senpai, the Mirai Worm Author? - On September 22, 2016,
this site was forced offline for nearly four days after it was hit
with “Mirai,” a malware strain that enslaves poorly secured Internet
of Things (IoT) devices like wireless routers and security cameras
into a botnet for use in large cyberattacks.
China announces mass shutdown of VPNs that bypass Great Firewall -
China says all VPN providers must get permission from government to
GSA readies single sign-on platform - The General Services
Administration is moving ahead with its Login.gov project that
creates a single sign-on platform for access to federal government
12 stats that tell you about the State of Federal IT - As one of his
last acts as federal chief information officer, Tony Scott and the
CIO Council released the State of Federal IT report Jan. 19. A team
of federal IT executives, with the help of two contractors,
interviewed 45 federal CIOs and deputy CIOs, and chief information
security officers and deputy CISOs as well as other federal IT
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Data of 19K Delaware Blue Cross Blue Shield customers compromised
- A ransomware attack involving the Summit Reinsurance Services,
Inc. (“SummitRe”) and BCS Financial Corporation, both subcontractors
of Highmark Blue Cross Blue Shield of Delaware, compromised customer
Giuliani and top Trump White House officials hacked, passwords
leaked - The Trump Presidency's new cyber tsar, former New York
Mayor Rudy Giuliani has had his passwords leaked online along with a
whole host of top officials.
Dodgy Dutch developer built backdoors into thousands of sites - Then
hoovered out users' personal data, stole identities galore and spent
Ransomware looks to take, not borrow, from St. Louis Public Library
- A ransomware infection has effectively paralyzed the St. Louis
Public Library System, affecting 700 public computers in 16
locations and preventing visitors from checking out books or
browsing the Internet.
Lloyds Bank services hit by denial-of-service attack - Reports
suggest a large-scale DDoS attack from overseas blocked Lloyds,
Halifax, and Bank of Scotland customers from accessing online
United Airlines resumes flights after temporary ground order -
United Airlines resumed operations Sunday night after a computer
problem temporarily grounded all domestic mainline flights, two
sources familiar with the incident told CNN.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
- Principle 6: Banks
should ensure that appropriate measures are in place to promote
adequate segregation of duties within e-banking systems, databases
Segregation of duties is a basic internal control measure
designed to reduce the risk of fraud in operational processes and
systems and ensure that transactions and company assets are properly
authorized, recorded and safeguarded. Segregation of duties is
critical to ensuring the accuracy and integrity of data and is used
to prevent the perpetration of fraud by an individual. If duties are
adequately separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties are established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to ensure
that no single employee/outsourced service provider could enter,
authorize and complete a transaction.
2) Segregation should be maintained between those initiating
static data (including web page content) and those responsible for
verifying its integrity.
3) E-banking systems should be tested to ensure that segregation
of duties cannot be bypassed.
4) Segregation should be maintained between those developing and
those administrating e-banking systems.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
ENCRYPTION - HOW ENCRYPTION
In general, encryption functions by taking data and a variable,
called a "key," and processing those items through a fixed algorithm
to create the encrypted text. The strength of the encrypted text is
determined by the entropy, or degree of uncertainty, in the key and
the algorithm. Key length and key selection criteria are important
determinants of entropy. Greater key lengths generally indicate more
possible keys. More important than key length, however, is the
potential limitation of possible keys posed by the key selection
criteria. For instance, a 128-bit key has much less than 128 bits of
entropy if it is selected from only certain letters or numbers. The
full 128 bits of entropy will only be realized if the key is
randomly selected across the entire 128-bit range.
The encryption algorithm is also important. Creating a mathematical
algorithm that does not limit the entropy of the key and testing the
algorithm to ensure its integrity are difficult. Since the strength
of an algorithm is related to its ability to maximize entropy
instead of its secrecy, algorithms are generally made public and
subject to peer review. The more that the algorithm is tested by
knowledgeable worldwide experts, the more the algorithm can be
trusted to perform as expected. Examples of public algorithms are
AES, DES and Triple DES, HSA - 1, and RSA.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
9.4.1 Audit Methods and Tools
An audit conducted to support operational assurance examines
whether the system is meeting stated or implied security
requirements including system and organization policies. Some audits
also examine whether security requirements are appropriate, but this
is outside the scope of operational assurance. Less formal audits
are often called security reviews.
Audits can be self-administered or independent (either internal or
external). Both types can provide excellent information about
technical, procedural, managerial, or other aspects of security. The
essential difference between a self-audit and an independent audit
is objectivity. Reviews done by system management staff, often
called self-audits/ assessments, have an inherent conflict of
interest. The system management staff may have little incentive to
say that the computer system was poorly designed or is sloppily
operated. On the other hand, they may be motivated by a strong
desire to improve the security of the system. In addition, they are
knowledgeable about the system and may be able to find hidden
The independent auditor, by contrast, should have no professional
stake in the system. Independent audit may be performed by a
professional audit staff in accordance with generally accepted
There are many methods and tools, some of which are described here,
that can be used to audit a system. Several of them overlap.
A person who performs an independent audit should be free from
personal and external constraints, which may impair their
independence and should be organizationally independent.
126.96.36.199 Automated Tools
Even for small multiuser computer systems, it is a big job to
manually review security features. Automated tools make it feasible
to review even large computer systems for a variety of security
There are two types of automated tools: (1) active tools, which
find vulnerabilities by trying to exploit them, and (2) passive
tests, which only examine the system and infer the existence of
problems from the state of the system.
Automated tools can be used to help find a variety of threats and
vulnerabilities, such as improper access controls or access control
configurations, weak passwords, lack of integrity of the system
software, or not using all relevant software updates and patches.
These tools are often very successful at finding vulnerabilities and
are sometimes used by hackers to break into systems. Not taking
advantage of these tools puts system administrators at a
disadvantage. Many of the tools are simple to use; however, some
programs (such as access-control auditing tools for large mainframe
systems) require specialized skill to use and interpret.