- Our cybersecurity testing meets the independent pen-test
requirements outlined in the FFIEC Information Security booklet,
and the penetration study complies with the FFIEC Cybersecurity
Assessment Tool regarding resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and cost-saving fees, please complete the information form at
All communication is kept strictly confidential.
- FDIC Publication Focuses on Enhancing Banks' Cybersecurity
Programs - "A Framework for Cybersecurity," which appears in the
Winter 2015 issue of Supervisory Insights, released today, discusses
the cyber threat landscape and how financial institutions'
information security programs can be enhanced to address evolving
- How Incident Response Fails In Industrial Control System Networks
- Experts say a solid incident response plan is the best way to
minimize the damage of a cyberattack--but IR isn't so simple for the
ICS/SCADA world. Worries of eventual cyberattacks on utilities as
well as chemical and other industrial sites have intensified in the
wake of the recent attacks that led to a power blackout in western
- NSA Hacking Chief: Internet of Things Security Keeps Me Up at
Night - The leader of the National Security Agency’s hackers says
that putting industrial control systems online has made America less
- Congress to federal agencies: You have two weeks to tally your
backdoored Juniper kit - A House committee wants to gauge the impact
of the recent Juniper ScreenOS backdoors on government departments
- CISO salaries and demand for cyber-skills skyrocket,
surprising no-one - Two new studies have shown that vacancies in
cyber-security positions have skyrocketed, as have CISOs' salaries.
- Cybercrime for sale - When the United States Secret Service
started to focus on cybercrimes nearly two decades ago, the market
for this kind of electronic malfeasance was not nearly as large or
as organized as it would quickly become.
- TalkTalk loses 250,000 customers post-breach - now supplier
scam too - "Customers have lost faith in TalkTalk as a trustworthy
brand," following the October breach of the broadband, TV and
- Major banks to roll out ATMs that use smartphones for
authentication - Bank of America, Wells Fargo and JPMorgan Chase
have announced plans to roll out ATMs that take smartphones as well
as ATM cards to authenticate transactions in an effort to reduce the
likelihood of skimming and other security attacks as well as make
ATM use more convenient for users.
- Cybersecurity Gap Blocks Pentagon From a Lockheed F-35
Database - The Pentagon hasn’t had updated information on
maintenance of the F-35 jet since May because a Lockheed Martin
Corp. database doesn’t meet new government cybersecurity
requirements, according to the Defense Department’s testing office.
- No BYOD for Census workers - The Census Bureau has opted not
to pursue a bring-your-own-device strategy for gathering information
during the 2020 census.
- Teaming up IT and legal departments for better corporate
security - Companies looking to create strong security and privacy
protocols have to encourage their IT and legal departments to not
only work together, but each should learn a little of the other's
- Information governance hard to achieve, worth effort to
protect data - Information governance (IG) is nearly impossible to
achieve, but is a goal worth pursuing to protect the privacy of
sensitive data and ensure organizations can meet discovery requests,
according to a panel at the LegalTech show in New York.
- Law enforcement's encryption claims overblown, study finds -
The surge in Internet-connected devices will offer ample new
surveillance opportunities, according to a Harvard study. Encryption
may not protect criminals as much as we have been led to believe.
- Smart office buildings have more backdoors than the designers
intended - All of the convenience created by installing smart
appliances and controls in an office is being countered by the
inherent threat these devices can then pose to the network to which
they are attached.
- New research reveals 71 percent of UK organisations not
cyber-resilient - Study of 450 UK IT and security professionals
uncovers insufficient planning and lack of clear ownership as major
inhibitors to achieving cyber resilience.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Would you like fraud with that? Burger chain giant Wendy's
'hacked' - Wendy's – the third largest fast-food chain in the world
– has become the latest retail giant to lose customers' credit card
numbers to crooks, it appears.
- Website admin cPanel hacked, loses a bunch of folks' contact
details - Website administration firm cPanel told customers that it
had been hacked over the weekend, potentially exposing contact
information in the process.
- HSBC UK online banking operations disrupted by DDoS attack -
HSBC UK this morning was the target of a DDoS attack that flooded
the financial institution's systems with manufactured traffic, much
to the dismay of online banking customers who were unable to access
and manage their accounts.
- Unauthorized access leads to Neiman Marcus Group breach, 5,200
affected - Neiman Marcus Group (NMG) reported that someone gained
unauthorized access to online customer accounts on the Neiman
Marcus, Bergdorf Goodman, Last Call, and CUSP websites.
- TaxSlayer breached: 8,800 customers notified PII may be
compromised - Tax preparation software publisher TaxSlayer notified
about 8,800 of its customers last week that an unauthorized third
party may have gained access to the personal information contained
on their tax return.
- Lincolnshire county council resolves ransomware restlessness -
Lincolnshire council has restored itself to full capacity after its
systems were infected with ransomware. On 26th January, a phishing
email loaded with an infectious attachment deployed ransomware on
the local authority's computers.
- US police contracts and private forum posts dumped online -
Fraternal Order of the Police not feeling very fraternal - A data
dump covering hundreds of police contracts and thousands of private
forum posts by US law enforcement officers has been posted online.
- Qbot virus still attacking Royal Melbourne Hospital - A
computer virus that can steal passwords is still causing headaches
at one of Melbourne's largest hospitals. A virus that infected
computer systems at Royal Melbourne Hospital two weeks ago still
hasn't been fixed and continues to "mutate".
- Hackers attack 20M accounts of Alibaba e-commerce unit - A
group of hackers tried to access active accounts belonging to more
than 20 million users of Taobao, Alibaba Group Holding Ltd.'s
- Student SSNs exposed in University of Central Florida breach -
The University of Central Florida today publicly acknowledged a data
breach in which the Social Security numbers (SSNs) of 63,000 current
and former students were illegally accessed.
WEB SITE COMPLIANCE - This week begins our series on the
Federal Financial Institutions Examination Council Guidance on
Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system, to
identify and measure threats to the system and the data it contains
and transmits, and to estimate the likelihood that a threat will
take action against the system or data.
System characterization articulates the understanding of the
system, including the boundaries of the system being assessed, the
system's hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer non-public personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm
or inconvenience to customers). They should consider the potential
effect and likelihood for failure within the control environment due
to non-malicious or malicious events. They should also be
coordinated with business continuity planning to include attacks
performed when those plans are implemented. Non-malicious scenarios
typically involve accidents related to inadequate access controls
and natural disasters. Malicious scenarios, either general or
specific, typically involve a motivated attacker (i.e., threat)
exploiting a vulnerability to gain access to an asset to create an
outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Section II. Management Controls, Chapter 5 - COMPUTER SECURITY
Tools to Implement Policy - Standards, Guidelines, and Procedures
Because policy is written at a broad level, organizations also
develop standards, guidelines, and procedures that offer users,
managers, and others a clearer approach to implementing policy and
meeting organizational goals. Standards and guidelines specify
technologies and methodologies to be used to secure systems.
Procedures are yet more detailed steps to be followed to accomplish
particular security-related tasks. Standards, guidelines, and
procedures may be promulgated throughout an organization via
handbooks, regulations, or manuals.
Organizational standards (not to be confused with American National
Standards, FIPS, Federal Standards, or other national or
international standards) specify uniform use of specific
technologies, parameters, or procedures when such uniform use will
benefit an organization. Standardization of organization-wide
identification badges is a typical example, providing ease of
employee mobility and automation of entry/exit systems. Standards
are normally compulsory within an organization.
Guidelines assist users, systems personnel, and others in
effectively securing their systems. The nature of guidelines,
however, immediately recognizes that systems vary considerably, and
imposition of standards is not always achievable, appropriate, or
cost-effective. For example, an organizational guideline may be used
to help develop system-specific standard procedures. Guidelines are
often used to help ensure that specific security measures are not
overlooked, although they can be implemented, and correctly so, in
more than one way.
Procedures normally assist in complying with applicable security
policies, standards, and guidelines. They are detailed steps to be
followed by users, system operations personnel, or others to
accomplish a particular task (e.g., preparing new user accounts and
assigning the appropriate privileges).
Some organizations issue overall computer security manuals,
regulations, handbooks, or similar documents. These may mix policy,
guidelines, standards, and procedures, since they are closely
linked. While manuals and regulations can serve as important tools,
it is often useful if they clearly distinguish between policy and
its implementation. This can help in promoting flexibility and
cost-effectiveness by offering alternative implementation approaches
to achieving policy goals.