- After high-profile hacks, many companies still nonchalant about
cybersecurity - Multiple surveys, including one recently released by
defense contractor Raytheon found that the attention paid to large
breaches at corporations such as Sony and Anthem hasn't
significantly changed attitudes about information security.
- JPMorgan beefs up cybersecurity with ex-military officers - One of
the largest financial institutions in the United States is hiring
ex-military officers to beef up its cybersecurity in the wake of a
massive hack last year.
- Older vulnerabilities a top enabler of breaches, according to
report - Organizations are not properly patching their systems and
networks, according to the HP Cyber Risk Report 2015, which took a
look back at the threat landscape in 2014 and noted that 44 percent
of known breaches were possible due to vulnerabilities identified
Business Continuity Planning Booklet Appendix J Update to FFIEC
IT Examination Handbook Series - The Federal Financial Institutions
Examination Council has issued an appendix to the Business
Continuity Planning booklet of the FFIEC Information Technology
Examination Handbook entitled "Strengthening the Resilience of
Outsourced Technology Services."
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Lenovo laptops ship with adware that hijacks HTTPS connections -
Chinese hardware manufacturer Lenovo has come under fire for
allegedly shipping consumer Windows laptops with software that
hijacks secure website connections, as well as inserting ads into
- Three Months Later, State Department Hasn’t Rooted Out Hackers -
Amount of data lost in unclassified email network is unclear;
Investigators point finger at Russia.
- Possible database compromise prompts Canadian Bitcoin exchange to
shut down - Canadian Bitcoin exchange CAVIRTEX is shutting down
following a database compromise, the company announced on Tuesday.
- Thousands impacted in Texas health clinic system breach -
Texas-based Lone Star Circle of Care is notifying roughly 8,700
individuals that their personal information was inadvertently placed
publicly on the Lone Star Circle of Care website for nearly six
months, and was accessed numerous times by unauthorized individuals.
- Illinois police department pays ransom after Cryptoware infection
- The police department in a Chicago suburb paid an unknown hacker
$500 to regain access to data on a police computer infected with
- State Department Trashed 30,000 Log-in Key Fobs After Hack - The
State Department over the past few months replaced some 30,000
network log-in fobs and digital tokens that employees had been using
to access its systems remotely, after the agency's unclassified
network was hacked, according to a department official.
- Breach affects 10K motorists in U.K. - Nearly 10,000 motorists in
the U.K. could be impacted by a breach that exposed details of their
parking tickets online.
- California dentist announces theft of server containing patient
information - The office of a dentist in California, Cathrine
Steinborn, was burglarized and a server containing patient and
responsible party information – including Social Security numbers –
- Up to 18.8 million non-Anthem members possibly affected in breach
- Anthem health insurance members might not be the only ones
affected by the company's recent data breach.
- Malware on Lime Crime website, payment cards compromised -
Cosmetics company Lime Crime is notifying an undisclosed number of
customers that unauthorized access was gained to its website server
and malware designed to intercept customer data, including payment
card information was installed – from October 2014 to February.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (5 of 12)
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
Institutions should develop procedures for notifying law enforcement
agencies and filing SARs in accordance with their primary Federal
regulator's requirements. Law enforcement agencies may serve as an
additional resource in handling and documenting the incident.
Institutions should also establish procedures for filing SARs in a
timely manner because regulations impose relatively quick filing
deadlines. The SAR form itself may serve as a resource in the
reporting process, as it contains specific instructions and
thresholds for when to file a report. The SAR form instructions also
clarify what constitutes a "computer intrusion" for filing purposes.
Defining procedures for notifying law enforcement agencies and
filing SARs can streamline these notification and reporting
Institutions should also address customer notification procedures in
their IRP. When an institution becomes aware of an incident
involving unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to determine
the likelihood that such information has been or will be misused. If
the institution determines that sensitive customer information has
been misused or that misuse of such information is reasonably
possible, it should notify the affected customer(s) as soon as
possible. Developing standardized procedures for notifying customers
will assist in making timely and thorough notification. As a
resource in developing these procedures, institutions should
reference the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the recommended
content of the notification, and the acceptable forms of
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and Availability.
Management is responsible for carefully controlling information
security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing
information. Management is responsible for clearly identifying the
individuals responsible for protecting the data and provide guidance
for that protection, while making the results available in a useable
form to those who are responsible for following up on the tests.
Management also should consider requiring contractors to sign
nondisclosure agreements and to return to the institution
information they obtained in their testing.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
19.3.6 Complying with Export Rules
The US government controls the
export of cryptographic implementations. The rules governing export
can be quite complex, since they consider multiple factors. In
addition, cryptography is a rapidly changing field, and rules may
change from time to time. Questions concerning the export of a
particular implementation should be addressed to appropriate legal
There are many interdependencies
among cryptography and other security controls highlighted in this
handbook. Cryptography both depends on other security safeguards and
assists in providing them.
Physical Security. Physical
protection of a cryptographic module is required to prevent -- or at
least detect --- physical replacement or modification of the
cryptographic system and the keys within it. In many environments
(e.g., open offices, portable computers), the cryptographic module
itself has to provide the desired levels of physical security. In
other environments (e.g., closed communications facilities,
steel-encased Cash-Issuing Terminals), a cryptographic module may be
safely employed within a secured facility.
Cryptography can be used both to protect passwords that are stored
in computer systems and to protect passwords that are communicated
between computers. Furthermore, cryptographic-based authentication
techniques may be used in conjunction with, or in place of,
password-based techniques to provide stronger authentication of
Logical Access Control. In
many cases, cryptographic software may be embedded within a host
system, and it may not be feasible to provide extensive physical
protection to the host system. In these cases, logical access
control may provide a means of isolating the cryptographic software
from other parts of the host system and for protecting the
cryptographic software from tampering and the keys from replacement
or disclosure. The use of such controls should provide the
equivalent of physical protection.
Audit Trails. Cryptography
may play a useful role in audit trails. For example, audit records
may need to be signed. Cryptography may also be needed to protect
audit records stored on computer systems from disclosure or
modification. Audit trails are also used to help support electronic
Assurance. Assurance that a
cryptographic module is properly and securely implemented is
essential to the effective use of cryptography. NIST maintains
validation programs for several of its standards for cryptography.
Vendors can have their products validated for conformance to the
standard through a rigorous set of tests. Such testing provides
increased assurance that a module meets stated standards, and system
designers, integrators, and users can have greater confidence that
validated products conform to accepted standards.
NIST maintains validation
programs for several of its cryptographic standards.
A cryptographic system should be
monitored and periodically audited to ensure that it is satisfying
its security objectives. All parameters associated with correct
operation of the cryptographic system should be reviewed, and
operation of the system itself should be periodically tested and the
results audited. Certain information, such as secret keys or private
keys in public key systems, should not be subject to audit. However,
nonsecret or nonprivate keys could be used in a simulated audit