- New Cifas data reveals 173,000 cases recorded in 2016, a record high
- Nine out of 10 fraudulent applications for bank accounts and other
financial products made online
Cifas, the UK's fraud prevention service, has released new figures
showing that identity fraud has hit the highest levels ever recorded.
Becky Bace's passing hits cybersecurity community hard - The
security industry today is mourning the death of security expert,
mentor and Infidel President/CEO Rebecca “Becky” Bace, who passed
Spam hitting Germans with personalized messages - A spam campaign
that targets recipients with personalized messages is spreading in
Germany, similar to a previous scourge there earlier this year and
another that spread in the U.K. in April 2016.
Cybersecurity made simple - No one said it was going to be easy, but
the task of locking down enterprise networks seems to be getting
more and more complex as attackers devise ever more sophisticated
ways of penetrating defenses.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Association of British Travel Agents web server breach impacts
43,000 individuals - The Association of British Travel Agents (ABTA)
has suffered a data breach affecting approximately 43,000
individuals after an unauthorized intruder exploited a vulnerability
in a third-party web server, the trade organization has acknowledged
in a statement.
Celebgate repeat? Private images of Emma Watson and others leaked -
In an all-too-familiar scenario, hackers have once again broken into
the iCloud accounts of female celebrities, this time exposing
intimate images of Beauty and the Beast star Emma Watson, Mischa
Barton, Amanda Seyfried, and others.
Saks Fifth Avenue leaves customer data exposed - Saks Fifth Avenue
reportedly exposed the personal information of tens of thousands of
customers in plain text on publicly accessible pages.
Government contractor Defense Point Security hit with W-2 scam - The
cybersecurity firm Defense Point Security that holds several
government contracts told its employees it was hit with a W-2
phishing scam resulting in the exposure of all the personally
Hacker defaces celebrity websites in the name of Kurdish Homeland -
A hacker has vandalised the websites of a number of mid-level
American celebrities for the cause of a Kurdish homeland.
W-2 phishing scam scourge continues hitting Powhatan County (Va.)
schools - Almost 1,000 Powhatan County (Va.) school district
employees had their personal information compromised when a district
employee fell for a W-2 phishing scam.
Website hacks up by a third in 2016, Google - Looking at the State
of Website Security in 2016, researchers at Google have detected a
sharp rise in the number of hacked sites.
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank
Board and Management Oversight - Principle 14:
Banks should develop appropriate incident response plans to manage,
contain and minimize problems arising from unexpected events,
including internal and external attacks, that may hamper the
provision of e-banking systems and services.
Effective incident response mechanisms are critical to minimize
operational, legal and reputational risks arising from unexpected
events such as internal and external attacks that may affect the
provision of e-banking systems and services. Banks should develop
appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
services, including those originating from outsourced systems and
operations.
The current and future capacity of critical e-banking delivery
systems should be assessed on an ongoing basis.
To ensure effective response to unforeseen incidents, banks should
1) Incident response plans to address recovery of e-banking
systems and services under various scenarios, businesses and
geographic locations. Scenario analysis should include consideration
of the likelihood of the risk occurring and its impact on the bank.
E-banking systems that are outsourced to third-party service
providers should be an integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as it
occurs, assess its materiality, and control the reputation risk
associated with any disruption in service.
3) A communication strategy to adequately address external market
and media concerns that may arise in the event of security breaches,
online attacks and/or failures of e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event of material security breaches or disruptive
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance of
6) A clear chain of command, encompassing both internal as well
as outsourced operations, to ensure that prompt action is taken
appropriate for the significance of the incident. In addition,
escalation and internal communication procedures should be developed
and include notification of the Board where appropriate.
7) A process to ensure all relevant external parties, including
bank customers, counterparties and the media, are informed in a
timely and appropriate manner of material e-banking disruptions and
business resumption developments.
8) A process for collecting and preserving forensic evidence to
facilitate appropriate post-mortem reviews of any e-banking
incidents as well as to assist in the prosecution of attackers.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Development and Support
Development and support activities should ensure that new software
and software changes do not compromise security. Financial
institutions should have an effective application and system change
control process for developing, implementing, and testing changes to
internally developed software and purchased software. Weak change
control procedures can corrupt applications and introduce new
security vulnerabilities. Change control considerations relating to
security include the following:
! Restricting changes to authorized users,
! Reviewing the impact changes will have on security controls,
! Identifying all system components that are impacted by the
! Ensuring the application or system owner has authorized changes
! Maintaining strict version control of all software updates, and
! Maintaining an audit trail of all changes.
Changes to operating systems may degrade the efficiency and
effectiveness of applications that rely on the operating system for
interfaces to the network, other applications, or data. Generally,
management should implement an operating system change control
process similar to the change control process used for application
changes. In addition, management should review application systems
following operating system changes to protect against a potential
compromise of security or operational integrity.
When creating and maintaining software, separate software libraries
should be used to assist in enforcing access controls and
segregation of duties. Typically, separate libraries exist for
development, test, and production.
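The change control considerations and the separate development, test and production libraries described above, modelled as a promotion gate that records every attempt in an audit trail. This is an added example, not FFIEC text or any institution's code; the library names, user names, component names and version numbers are constructed.

```python
from dataclasses import dataclass, field

# Separate libraries (constructed names); changes are promoted strictly in this order.
LIBRARIES = ("development", "test", "production")
ALLOWED_STEPS = set(zip(LIBRARIES, LIBRARIES[1:]))

@dataclass
class Change:
    change_id: str
    requester: str
    approver: str                 # expected to be the application owner
    version: str                  # e.g. "2.4.1"
    from_lib: str
    to_lib: str
    impacted_components: tuple    # components identified during impact review
    security_impact_reviewed: bool

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

@dataclass
class ChangeControl:
    """Change-control state for one application (all values constructed)."""
    owner: str
    authorized_users: frozenset
    versions: dict = field(default_factory=dict)   # library -> version held there
    audit_trail: list = field(default_factory=list)

    def evaluate(self, c: Change) -> list:
        """Return the considerations the change violates (empty means it may proceed)."""
        reasons = []
        if c.requester not in self.authorized_users:
            reasons.append("requester not authorized to make changes")
        if c.approver != self.owner:
            reasons.append("change not authorized by the application owner")
        if c.approver == c.requester:
            reasons.append("requester approved own change (segregation of duties)")
        if not c.security_impact_reviewed:
            reasons.append("impact on security controls not reviewed")
        if not c.impacted_components:
            reasons.append("impacted system components not identified")
        if (c.from_lib, c.to_lib) not in ALLOWED_STEPS:
            reasons.append(f"promotion {c.from_lib} -> {c.to_lib} bypasses a library")
        elif self.versions.get(c.from_lib) != c.version:
            reasons.append(f"version {c.version} is not the version in {c.from_lib}")
        elif parse_version(c.version) <= parse_version(self.versions.get(c.to_lib, "0.0.0")):
            reasons.append(f"version {c.version} does not advance {c.to_lib}")
        return reasons

    def apply(self, c: Change) -> bool:
        """Log every attempt (accepted or not); update the target library only when clean."""
        reasons = self.evaluate(c)
        self.audit_trail.append({"change": c.change_id, "by": c.requester,
                                 "approved_by": c.approver, "to": c.to_lib,
                                 "version": c.version, "accepted": not reasons,
                                 "reasons": reasons})
        if not reasons:
            self.versions[c.to_lib] = c.version
        return not reasons
```

Rejected changes still land in the audit trail with their reasons, so the trail records attempts as well as successful promotions.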
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
10.1.3 Filling the Position -- Screening and Selecting
Once a position's sensitivity has been determined, the position is
ready to be staffed. In the federal government, this typically
includes publishing a formal vacancy announcement and identifying
which applicants meet the position requirements. More sensitive
positions typically require preemployment background screening;
screening after employment has commenced (post-entry-on-duty) may
suffice for less sensitive positions.
Background screening helps determine whether a particular
individual is suitable for a given position. For example, in
positions with high-level fiduciary responsibility, the screening
process will attempt to ascertain the person's trustworthiness and
appropriateness for a particular position. In the federal
government, the screening process is formalized through a series of
background checks conducted through a central investigative office
within the organization or through another organization (e.g., the
Office of Personnel Management).
Within the Federal Government, the most basic screening
technique involves a check for a criminal history, checking FBI
fingerprint records, and other federal indices. More extensive
background checks examine other factors, such as a person's work and
educational history, personal interview, history of possession or
use of illegal substances, and interviews with current and former
colleagues, neighbors, and friends. The exact type of screening that
takes place depends upon the sensitivity of the position and
applicable agency implementing regulations. Screening is not
conducted by the prospective employee's manager; rather, agency
security and personnel officers should be consulted for
Outside of the Federal Government, employee screening is
accomplished in many ways. Policies vary considerably among
organizations due to the sensitivity of examining an individual's
background and qualifications. Organizational policies and
procedures normally try to balance fears of invasiveness and slander
against the need to develop confidence in the integrity of
employees. One technique may be to place the individual in a less
sensitive position initially.
For both the Federal Government and private sector, finding
something compromising in a person's background does not necessarily
mean they are unsuitable for a particular job. A determination
should be made based on the type of job, the type of finding or
incident, and other relevant factors. In the federal government,
this process is referred to as adjudication.
In general, it is more effective to use separation of duties and
least privilege to limit the sensitivity of the position, rather
than relying on screening to reduce the risk to the organization.