- First-in-nation state-mandated cybersecurity regulation takes
effect March 1 - The nation's first state-mandated cybersecurity
regulations regarding banking and financial services companies are
scheduled to go into effect in New York state on March 1.
Almost all organizations lack the technology to defend against cyberattacks - A new survey shows that just three percent of IT
security professionals believe their organization has the technology
in place to deal with the most common cyber problems that they face.
New Mexico close to data breach bill - New Mexico's House of
Representatives passed a data breach bill on Wednesday night by a
Homeland Security Chairman: We're in the Fight of Our Digital Lives
- The chairman of the House of Representatives Homeland Security
Committee, Republican Michael McCaul, didn't mince words to describe
threats to the country's cyber-security during a keynote here.
NIST Wants To Know How Utility Companies Can Deter Hackers - A new
federal effort aims to help energy companies protect themselves from
hackers trying to shut down the power grid.
Smash up your kid's Bluetooth-connected Cayla 'surveillance' doll,
Germany urges parents - Or switch it off, bin it, bury it,
whatever's necessary - Germany's Federal Network Agency, or
Bundesnetzagentur, has banned Genesis Toys' Cayla doll as an illegal
Reworked N.Y. Cybersecurity Regulation Takes Effect in March - New
York's controversial new cybersecurity regulation will come into
effect March 1, imposing new rules on the banking and insurance
sectors with the aim of better protecting institutions and consumers
Malware targeting banks contains apparent false flags designed to
frame Russians - Malware samples recovered from watering hole
attacks that have recently targeted banks across the globe contain
false flags that fraudulently suggest Russian actors are behind the
campaign, even though the most likely culprit remains the North
Korea-linked APT Lazarus Group, BAE Systems reported in a Monday
Lawsuit claims employee who moved to rival firm stole confidential
info - Court filings have accused ticketing company Ticketmaster of
using information stolen from a rival firm's computers to spy on its
activities. The information was allegedly stolen by a previous
employee of the firm, who now works for Ticketmaster.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Israeli soldiers hit by Android malware from cyberespionage group
- More than 100 soldiers from the Israel Defense Forces had their
Android phones infected with malware by a cyberespionage group.
Trump fundraising website hacked - A fundraising website of
President Donald Trump was defaced on Feb. 19, according to a post
on Graham Cluley's security news site.
17K affected in W-2 data breach at American Senior Communities -
American Senior Communities reported that several employees have had
their federal tax returns rejected by the IRS with the government
stating they were duplicates. This is most likely due to a company
payroll worker falling for a W-2 phishing scam in January resulting
in cybercriminals filing false returns using the stolen data.
400K patient records lost in January health care breaches - Insider
threats dominated Protenus' Health Care Breach Barometer with just
over half of the compromised patient records that were lost in
January being the result of either malicious or unintentional action
by an insider.
Yahoo reveals more breachiness to users victimized by forged cookies
- Some accounts may have been accessed with forged cookies as
recently as 2016.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
- Principle 10:
Banks should take appropriate measures to preserve the
confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
1) All confidential bank data and records are only accessible by
duly authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner
and protected from unauthorized viewing or modification during
transmission over public, private or internal networks.
3) The bank's standards and controls for data use and protection
must be met when third parties have access to the data through
4) All access to restricted data is logged and appropriate
efforts are made to ensure that access logs are resistant to
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e - mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
184.108.40.206 Configuration Management
From a security point of view, configuration management provides
assurance that the system in operation is the correct version
(configuration) of the system and that any changes to be made are
reviewed for security implications. Configuration management can be
used to help ensure that changes take place in an identifiable and
controlled environment and that they do not unintentionally harm any
of the system's properties, including its security. Some
organizations, particularly those with very large systems (such as
the federal government), use a configuration control board for
configuration management. When such a board exists, it is helpful to
have a computer security expert participate. In any case, it is
useful to have computer security officers participate in system
Changes to the system can have security implications because they
may introduce or remove vulnerabilities and because significant
changes may require updating the contingency plan, risk analysis, or
220.127.116.11 Trade Literature/Publications/Electronic News
In addition to monitoring the system, it is useful to monitor
external sources for information. Such sources as trade literature,
both printed and electronic, have information about security
vulnerabilities, patches, and other areas that impact security. The
Forum of Incident Response Teams (FIRST) has an electronic mailing
list that receives information on threats, vulnerabilities, and
Assurance is an issue for every control and safeguard discussed in
this Handbook. Are user ID and access privileges kept up to date?
Has the contingency plan been tested? Can the audit trail be
tampered with? One important point to be reemphasized here is that
assurance is not only for technical controls, but for operational
controls as well. Although the chapter focused on information
systems assurance, it is also important to have assurance that
management controls are working well. Is the security program
effective? Are policies understood and followed? As noted in the
introduction to this chapter, the need for assurance is more
widespread than people often realize.
Life Cycle. Assurance is closely linked to the planning for
security in the system life cycle. Systems can be designed to
facilitate various kinds of testing against specified security
requirements. By planning for such testing early in the process,
costs can be reduced; in some cases, without proper planning, some
kinds of assurance cannot be otherwise obtained.
9.6 Cost Considerations
There are many methods of obtaining assurance that security
features work as anticipated. Since assurance methods tend to be
qualitative rather than quantitative, they will need to be
evaluated. Assurance can also be quite expensive, especially if
extensive testing is done. It is useful to evaluate the amount of
assurance received for the cost to make a best-value decision. In
general, personnel costs drive up the cost of assurance. Automated
tools are generally limited to addressing specific problems, but
they tend to be less expensive.