- FDIC leads agencies in major cyber incidents - The Federal Deposit
Insurance Corporation was responsible for 10 of 16 major information
security incidents in FY2016, according to the annual report of the
Office of Management and Budget.
Government Isn't Sharing Cyber Threats As Promised, Private Sector
Says - When it comes to cyber threat information sharing, itís
government thatís not holding up its end of the bargain, industry
officials told lawmakers Thursday.
Home Depot to pay $25M in breach settlement - Following a massive
breach, retailer Home Depot has agreed to pay off a settlement of
$25 million for damages resulting from the incursion in 2014 that
exposed personal information of more than 50 million customers.
US telecoms regs bow to ISPs, customers no longer federally
protected - The US Federal Communications Commission has bowed to
the telecoms lobby in blocking a regulation which would make ISPs
take 'reasonable measures' to protect customer data.
Israel-UK cyber-security lessons - shared concerns, shared responses
- Israel is under constant threat and conscription gives its army
access to its brightest students - what can the UK learn from its
approach to and understanding of cyber-terrorism?
VA chief swears off software development - For the past year or more
at congressional hearings and public appearances, senior officials
from the Department of Veterans Affairs have been warming up to the
idea of moving to commercial software for electronic health records,
scheduling, acquisitions and other core business processes.
Researchers hack Fitbits and other IoT devices using sound -
Researchers from the University of Michigan and the University of
South Carolina were able to develop a series of attacks that
manipulate internet of things (IoT) devices using sound.
312 and counting data breaches, in 2017, report - So far this year,
there have been 312 data breaches as of March 14, 2017, which have
compromised a combined total of more than 1.3 million records.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Payments Giant Verifone Investigating Breach - Credit and debit
card payments giant Verifone is investigating a breach of its
internal computer networks that appears to have impacted a number of
companies running its point-of-sale solutions, according to sources.
Canadian tax and labor websites taken offline this weekend -
Canada's Revenue and Statistics agencies were knocked offline Friday
when officials, concerned about several vulnerabilities, took down
the sites as a precautionary measure.
Hackers steal personal data of thousands of hospital staff -
Information on staff accessed through attack on IT contractor's
server. Hackers have stolen information about thousands of NHS
medical professionals by compromising the server of a private
Encrypting data at rest is vital, but it's just not happening -
Regulators and security strategists recommend encrypting data at
rest, but few organisations do it, and most get it wrong. Good thing
there are bigger problems to tackle first. The Office of the
Australian Information Commissioner (OAIC) has been clear about
encrypting personal data, both in its guidelines and in recent data
breach investigations. But according to Chris Gatford, director of
penetration testing firm Hacklabs, very few organisations are living
up to expectations.
Over 33M records leaked from US corporate database - The database
contains email addresses and other contact information for thousands
of corporate and government employees.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
13: Banks should have effective capacity, business continuity and
contingency planning processes to help ensure the availability of
e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 X 7) has also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Controls in Application Software
Application development should incorporate appropriate security
controls, audit trails, and activity logs. Typical application
access controls are addressed in earlier sections. Application
security controls should also include validation controls for data
entry and data processing. Data entry validation controls include
access controls over entry and changes to data, error checks, review
of suspicious or unusual data, and dual entry or additional review
and authorization for highly sensitive transactions or data. Data
processing controls include: batch control totals; hash totals of
data for comparison after processing; identification of any changes
made to data outside the application (e.g., data-altering
utilities); and job control checks to ensure programs run in correct
sequence (see the booklet "Computer Operations" for additional
Some applications will require the integration of additional
authentication and encryption controls to ensure integrity and
confidentiality of the data. As customers and merchants originate an
increasing number of transactions, authentication and encryption
become increasingly important to ensure non-repudiation of
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
10.1.2 Determining Position Sensitivity
Knowledge of the duties and access levels that a particular
position will require is necessary for determining the sensitivity
of the position. The responsible management official should
correctly identify position sensitivity levels so that appropriate,
cost-effective screening can be completed.
Various levels of sensitivity are assigned to positions in the
federal government. Determining the appropriate level is based upon
such factors as the type and degree of harm (e.g., disclosure of
private information, interruption of critical processing, computer
fraud) the individual can cause through misuse of the computer
system as well as more traditional factors, such as access to
classified information and fiduciary responsibilities. Specific
agency guidance should be followed on this matter.
It is important to select the appropriate position sensitivity,
since controls in excess of the sensitivity of the position wastes
resources, while too little may cause unacceptable risks.