- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet as well as
the penetration study complies
with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
- 20% of employees are willing to sell their work email passwords -
One in five employees say they’d be willing to sell their
work-related passwords, according to a survey of 1,000 office
workers at private organizations.
- London Police Chief Sir Bernard Hogan-Howe's comment that banks
should not reimburse fraud victims who fail to protect themselves
are simply rewarding bad cyber security hygiene has received some
backlash, with one group saying he is attempting to shift the blame
from cybercriminals to their victims.
Cyberespionage groups are stealing digital certificates to sign
malware - An increasing number of cyberespionage groups are using
stolen code-signing certificates to make their hacking tools and
malware look like legitimate applications.
Only 17 percent of surveyed U.K. students 'genuinely concerned'
about cybersecurity - About three-quarters of higher and continuing
education students, or 77 percent, recognize cyberattacks as a
burgeoning threat, yet only 17 percent of the collective student
body are “genuinely concerned” over cybersecurity, according to a
new U.K.-based survey study.
NIST releases updated telework guidance - Government agencies should
establish virtual mobile infrastructure (VMI) technology, in which
telecommuting employees would access network information through
customized mobile operating systems hosted on virtual machines, and
the intermediary connection is destroyed when the session ends,
according to draft guidance for telework protocol released by the
National Institute of Standards and Technology (NIST).
25% of knowledge workers don't trust their IT teams with personal
data - Due to lack of a clearly defined security strategy, IT
decision makers (ITDMs) risk losing the trust of knowledge workers.
FBI says car hacking is a real risk - Security researchers have
shown they can take over steering and disable the brakes of moving
vehicles. If you're not already worried about your car being hacked,
you really should be, the US government says.
GAO - Healthcare.gov: Actions Needed to Enhance Information Security
and Privacy Controls.
Fitch Ratings warns insurers that aggressive cyber policies will be
deemed credit-negative - Prominent credit rating agency Fitch
Ratings issued a warning on Monday that aggressive growth strategies
in the cyber insurance market could negatively impact its ratings,
due to the inherent risks of such an emerging, inchoate business
House subcommittee hearing discusses making cyber insurance more
accessible - A lack of actuarial data on cybersecurity risks places
a significant hurdle that may be keeping some small business from
acquiring cyber insurance, according to industry leaders testifying
before a Homeland Security subcommittee hearing.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Donald Trump doxxed by Anonymous group, SSN revealed - Anonymous
made good on its promise to launch a full frontal assault on Trump,
revealing private information, including his social security number
and cell phone, while chiding the billionaire presidential hopeful
in a video, saying he “should have expected us.”
Amex warns of breach, cardholders should protect data - After a
merchant breach prompting American Express to warn customers that
card member information may have been compromised, cardholders
should take multiple steps to protect their sensitive data.
Canadian hospital infected with ransomware - Yet another hospital,
this time in Canada, has been infected with Ransomware. A hospital
in Canada is the latest victim in a rash of cyber-attacks on
hospitals. The Ottawa Hospital in Canada's southeastern region of
Ontario was hit with ransomware on several of its computers
Apparent DDoS attack knocks Swedish news services offline - Seven of
Sweden's top online newspapers were disabled for several hours this
past weekend after a series of apparent distributed denial of
service (DDoS) attacks, the Agence France-Presse has reported.
Hospitals in Kentucky, SoCal become latest targets of hackers - The
scourge of malware attacks against hospitals continued this week,
including a ransomware assault targeting Henderson, Ky.-based
Methodist Hospital and another possible ransomware incident at two
Southern California facilities.
Lenovo-related website redirected visitors to Angler EK - A
Lenovo-related website apparently redirected visitors on March 13 to
the Angler exploit kit, “a source of no small amount of crypto-ransomware,”
according to an F-Secure.
SWIFT To Issue Warning In Wake Of Cyberattack On Bagladesh Central
Bank - After a recent cyber-theft of over $80 million from
Bangladesh Bank, SWIFT today plans to advise banks to implement
security measures to avoid similar attacks.
W-2 Data Breach places 21K Sprouts Farmers Market employees at risk
- Sprouts Farmers Market is the latest corporation to fall victim to
a W-2 phishing scam, with the company admitting an employee sent off
the tax data for all its workers to an unknown person.
indicted in hacks on US banks, New York dam - The formal accusation
comes as the government warns of hacking dangers to US
infrastructure. Score one for the US government in its fight against
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
The goal of logical and administrative access control is to
restrict access to system resources. Access should be provided only
to authorized individuals whose identity is established, and their
activities should be limited to the minimum required for business
purposes. Authorized individuals (users) may be employees, TSP
employees, vendors, contractors, customers, or visitors.
An effective control mechanism includes numerous controls to
safeguard and limit access to key information system assets. This
section addresses logical and administrative controls, including
access rights administration and authentication through network,
operating system, application, and remote access. A subsequent
section addresses physical security controls.
ACCESS RIGHTS ADMINISTRATION (1 of 5)
Action Summary - Financial institutions should have an effective
process to administer access rights. The process should include the
1) Assign users and system resources only the access required to
perform their required functions,
2) Update access rights based on personnel or system changes,
3) Periodically review users' access rights at an appropriate
frequency based on the risk to the application or system, and
4) Design appropriate acceptable-use policies and require users to
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
Policy is related to many of the topics covered in this handbook:
Program Management. Policy is used to establish an
organization's computer security program, and is therefore closely
tied to program management and administration. Both program and
system-specific policy may be established in any of the areas
covered in this handbook. For example, an organization may wish to
have a consistent approach to incident handling for all its systems
- and would issue appropriate program policy to do so. On the other
hand, it may decide that its applications are sufficiently
independent of each other that application managers should deal with
incidents on an individual basis.
Access Controls. System-specific policy is often implemented
through the use of access controls. For example, it may be a policy
decision that only two individuals in an organization are authorized
to run a check-printing program. Access controls are used by the
system to implement (or enforce) this policy.
Links to Broader Organizational Policies. This chapter has
focused on the types and components of computer security policy.
However, it is important to realize that computer security policies
are often extensions of an organization's information security
policies for handling information in other forms (e.g., paper
documents). For example, an organization's e-mail policy would
probably be tied to its broader policy on privacy. Computer security
policies may also be extensions of other policies, such as those
about appropriate use of equipment and facilities.