- Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. Independent pen-testing is part of any financial institution's cybersecurity defense. To receive due diligence information, an agreement and cost-saving fees, please complete the information form at
All communication is kept strictly confidential.
- Most Windows security flaws mitigated by 'removing admin rights' - Almost nine out of ten vulnerabilities targeting Windows last year could have been prevented by removing accounts with administrative
- Glitch In Time - Last week, a software glitch caused the GPS system to broadcast incorrect time signals. This post looks at the impact, and how organisations that depend on precise time can protect
- Energy sector execs see successful cyberattack as likely - A cyber attack on an organization in the energy, utility, oil and gas sectors is fully capable of causing harm to the physical plant, according to a Tripwire survey of IT professionals working in these
- Hacker threatens to expose info on DHS, FBI employees - Just two days before Director of National Intelligence James Clapper was to appear before the Senate Select Committee on Intelligence and offer an assessment of worldwide threats, a hacker threatened to release information on 20,000 FBI employees and 9,000 who work for the Department of Homeland Security (DHS).
- Need to call the FBI? Hacker offers you 20,000 numbers - The names, titles and contact information of thousands of FBI and Department of Homeland Security employees are allegedly dumped online.
- Obama asks Congress for $19 billion to stop hacks - The White House has submitted a massive budget proposal that shows just how serious the president is about cybersecurity.
- Phishing scams a major cause of bank breaches - Malicious attachments and links, ShellShock and Denial of Service (DoS) attacks were the top three cyber threats facing the financial sector, which suffered 20 million records breached last year, according to a new study released by IBM.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Student SSNs exposed in University of Central Florida breach - The University of Central Florida today publicly acknowledged a data breach in which the Social Security numbers (SSNs) of 63,000 current and former students were illegally accessed.
- Mysterious spike in WordPress hacks silently delivers ransomware to visitors - It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users.
- Panther Creek senior arrested for hacking school, changing grades - Authorities arrested a Panther Creek High senior who is accused of hacking into a computer system last fall and changing students' grades between Oct. 6-22, 2015.
- Rip-off artists use Southwest Airlines in Facebook scam - Facebook users' news feeds are lighting up with a new scam, this one centered on Southwest Airlines supposedly giving away hundreds of free tickets and $5,000 in cash.
- Wendy's finds malware at some locations - Wendy's found malware on the systems at some of its restaurants that have been under investigation after some customers reported unusual activity on their payment cards used at several of the fast-food retailers'
- Employees mishandle data, violate HIPAA in Washington State Medicaid breach - The Washington State Health Care Authority (HCA) announced yesterday that employees at two state agencies committed a HIPAA violation by improperly exchanging private data pertaining to its Apple Health Medicaid clients.
- Phishing scam nets PII from 730 Brightview employees - The Rockville, Md.-based landscape services firm Brightview, formerly called The Brickman Group, said an employee fell for a phishing scam and sent the personal information of about 700 workers to an unknown
- Alumni, deceased students among 1,100 affected in Montana school breach - A data breach last December that affected approximately 1,100 students and led to the resignation of a high school assistant principal exposed the information of nearly 200 alumni and at least two deceased students.
WEB SITE COMPLIANCE -
Electronic Fund Transfer
Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary (OSC) also clarifies
that terminal receipts are unnecessary for transfers initiated
on-line. Specifically, the OSC provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
Additionally, the regulations clarify that a written
authorization for preauthorized transfers from a consumer's account
includes an electronic authorization that is not signed, but
similarly authenticated by the consumer, such as through the use of
a security code. According to the OSC, an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated" is a consumer's authorization via
a home banking system. To satisfy the regulatory requirements, the
institution must have some means to identify the consumer (such as a
security code) and make a paper copy of the authorization available
(automatically or upon request). The text of the electronic
authorization must be displayed on a computer screen or other visual
display that enables the consumer to read the communication from the
Only the consumer may authorize the transfer and not, for example,
a third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (2 of 2)
Since specific scenarios can become too numerous for financial
institutions to address individually, various techniques are used to
generalize and extend the scenarios. For instance, one technique
starts with a specific scenario and looks at additional damage that
could occur if the attacker had different knowledge or motivation.
This technique allows the reviewers to see the full extent of risk
that exists from a given vulnerability. Another technique aggregates
scenarios by high-value system components.
Scenarios should consider attacks against the logical security,
physical security, and combinations of logical and physical attacks.
In addition, scenarios could consider social engineering, which
involves manipulation of human trust by an attacker to obtain access
to computer systems. It is often easier for an attacker to obtain
access through manipulation of one or more employees than to perform
a logical or physical intrusion.
The risk from any given scenario is a function of the probability
of the event occurring and the impact on the institution. The
probability and impact are directly influenced by the financial
institution's business profile, the effectiveness of the financial
institution's controls, and the relative strength of controls when
compared to other industry targets.
The probability of an event occurring is reflected in one of two
ways. If reliable and timely probability data is available,
institutions can use it. Since probability data is often limited,
institutions can assign a qualitative probability, such as frequent,
occasional, remote, and improbable.
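The three ideas in the passage above (extending a specific scenario by varying the attacker's knowledge or motivation, aggregating scenarios by high-value system component, and rating risk as a function of a qualitative probability and an impact) can be carried out in a small risk register. The following is an added example, not part of the FFIEC booklet or this newsletter; the scenarios, the impact scale, the rank multiplication and the high/medium/low thresholds are constructed assumptions, while the probability labels are the four the booklet names.

```python
"""Qualitative scenario risk register in the FFIEC style.

Constructed example: the scenarios, the impact scale, the score =
probability rank x impact rank rule and the rating thresholds are
assumptions for illustration, not values prescribed by the booklet.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Qualitative probability scale named in the booklet text (rank 1..4).
PROBABILITY = {"frequent": 4, "occasional": 3, "remote": 2, "improbable": 1}
# Impact scale is an assumption for the example (rank 1..4).
IMPACT = {"severe": 4, "major": 3, "moderate": 2, "minor": 1}


@dataclass(frozen=True)
class Scenario:
    name: str
    component: str      # high-value system component the scenario targets
    attacker: str       # attacker knowledge / motivation assumed
    probability: str    # key into PROBABILITY
    impact: str         # key into IMPACT


def risk_score(s: Scenario) -> int:
    """Risk as a function of probability and impact: product of the ranks (1..16)."""
    return PROBABILITY[s.probability] * IMPACT[s.impact]


def rating(score: int) -> str:
    """Map a numeric score to a qualitative rating; thresholds are an assumption."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def extend_by_attacker(base: Scenario, variants) -> list[Scenario]:
    """Technique 1: start from one specific scenario and ask what further damage
    an attacker with different knowledge or motivation could cause.
    Each variant is (attacker description, probability, impact)."""
    out = [base]
    for attacker, probability, impact in variants:
        out.append(replace(base, name=f"{base.name} ({attacker})",
                           attacker=attacker, probability=probability, impact=impact))
    return out


def aggregate_by_component(scenarios) -> dict[str, dict]:
    """Technique 2: aggregate scenarios by high-value component, recording the
    number of scenarios and the worst-case score, rated qualitatively."""
    agg = defaultdict(lambda: {"scenarios": 0, "max_score": 0})
    for s in scenarios:
        entry = agg[s.component]
        entry["scenarios"] += 1
        entry["max_score"] = max(entry["max_score"], risk_score(s))
    for entry in agg.values():
        entry["rating"] = rating(entry["max_score"])
    return dict(agg)


# Constructed sample scenarios (not from any real assessment).
BASE = Scenario("Stolen teller credentials", "core banking",
                "opportunistic outsider", "occasional", "moderate")
VARIANTS = [
    ("insider with schema knowledge", "remote", "severe"),
    ("financially motivated crime group", "occasional", "severe"),
]
OTHER = [
    Scenario("Phishing of wire staff", "wire transfer",
             "financially motivated outsider", "frequent", "major"),
    Scenario("Unescorted access to data center", "core banking",
             "insider", "remote", "severe"),
    Scenario("Tailgating into branch after hours", "branch network",
             "opportunistic", "occasional", "minor"),
]


def build_register() -> list[Scenario]:
    """Full register: the base scenario, its attacker variants, and the others."""
    return extend_by_attacker(BASE, VARIANTS) + OTHER


if __name__ == "__main__":
    register = build_register()
    for s in sorted(register, key=risk_score, reverse=True):
        print(f"{risk_score(s):2d} {rating(risk_score(s)):6s} {s.component:14s} {s.name}")
    for component, entry in aggregate_by_component(register).items():
        print(component, entry)
```

Run stand-alone, the script lists scenarios from highest to lowest score and then the per-component summary; the "core banking" component ends up rated high even though the original base scenario alone was only medium, which is exactly the effect the extension technique is meant to surface.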
Frequently, technology service providers (TSPs) perform some or all of the institution's
information processing and storage. Reliance on a third party for
hosting systems or processing does not remove the institution's
responsibility for securing the information. It does change how the
financial institution will fulfill its role. Accordingly, risk
assessments should evaluate the sensitivity of information
accessible to or processed by TSPs, the importance of the processing
conducted by TSPs, communications between the TSP's systems and the
institution, contractually required controls, and the testing of
those controls. Additional vendor management guidance is contained
in the FFIEC's statement on "Risk Management of Outsourced
Technology Services," dated November 28, 2000.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
5.1 Program Policy
A management official, normally the head of the organization or the
senior administration official, issues program policy to establish
(or restructure) the organization's computer security program and
its basic structure. This high-level policy defines the purpose of
the program and its scope within the organization; assigns
responsibilities (to the computer security organization) for direct
program implementation, as well as other responsibilities to related
offices (such as the Information Resources Management [IRM]
organization); and addresses compliance issues.
Program policy sets organizational strategic directions for security
and assigns resources for its implementation.
5.1.1 Basic Components of Program Policy
Components of program policy should address:
Purpose. Program policy normally includes a statement
describing why the program is being established. This may include
defining the goals of the program. Security-related needs, such as
integrity, availability, and confidentiality, can form the basis of
organizational goals established in policy. For instance, in an
organization responsible for maintaining large mission-critical
databases, reduction in errors, data loss, data corruption, and
recovery might be specifically stressed. In an organization
responsible for maintaining confidential personal data, however,
goals might emphasize stronger protection against unauthorized
Scope. Program policy should be clear as to which
resources - including facilities, hardware, software, information,
and personnel - the computer security program covers. In many cases,
the program will encompass all systems and organizational personnel,
but this is not always true. In some instances, it may be
appropriate for an organization's computer security program to be
more limited in scope.
Responsibilities. Once the computer security program is
established, its management is normally assigned to either a
newly-created or existing office.
Program policy establishes the security program and assigns program
management and supporting responsibilities
The responsibilities of officials and offices throughout the
organization also need to be addressed, including line managers,
applications owners, users, and the data processing or IRM
organizations. This section of the policy statement, for example,
would distinguish between the responsibilities of computer services
providers and those of the managers of applications using the
provided services. The policy could also establish operational
security offices for major systems, particularly those at high risk
or most critical to organizational operations. It also can serve as
the basis for establishing employee accountability.
At the program level, responsibilities should be specifically
assigned to those organizational elements and officials responsible
for the implementation and continuity of the computer security
Compliance. Program policy typically will address two
1) General compliance to ensure meeting the requirements to
establish a program and the responsibilities assigned therein to
various organizational components. Often an oversight office (e.g.,
the Inspector General) is assigned responsibility for monitoring
compliance, including how well the organization is implementing
management's priorities for the program.
2) The use of specified penalties and disciplinary actions.
Since the security policy is a high-level document, specific
penalties for various infractions are normally not detailed here;
instead, the policy may authorize the creation of compliance
structures that include violations and specific disciplinary
Those developing compliance policy should remember that violations
of policy can be unintentional on the part of employees. For
example, nonconformance can often be due to a lack of knowledge or