- Cybersecurity spending varies but best practices still save - It's
no secret that calculating an individual's or company's risk is not
easy task as the economic benefits of cybersecurity are quite
confusing and uncertain, but there are a few yardsticks that can be
used to determine how much to spend to obtain a proper security
A survey published Wednesday shows a large majority of Americans can
pick the strongest password off a list and know that public WiFi
isnít safe. But only a third knew what HTTPS (the green padlock next
to the web address bar) means, and only one in ten could distinguish
two-factor authentication from other forms of login security.
It's happening! It's happening! W3C erects DRM as web standard -
World has until April 19 to make its views known on latest draft -
The World Wide Web Consortium has formally put forward highly
controversial digital rights management as a new web standard.
70 percent of mobile devices of top networks vulnerable, study -
More than 70 percent of mobile devices on five major U.S. carriers
are susceptible to being breached due to unpatched devices being on
their network, according to a recent study.
FBI: Attackers Targeting Anonymous FTP Servers in Healthcare - The
FBI warns medical and dental organizations of cybercriminals
targeting anonymous FTP servers to steal personal health data. The
FBI has issued a warning that threat actors are going after
anonymous File Transfer Protocol (FTP) servers associated with
medical and dental organizations.
Bill Would Compel Firms to Say If CyberSec Expert Sits on Board -
Legislation introduced in the Senate would require publicly traded
companies to disclose to regulators whether any members of their
boards of directors have cybersecurity expertise.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Breach of DoL jobs database a threat to 10 states, so far - A
multi-state database was hacked, potentially revealing names, dates
of birth and Social Security numbers of hundreds of thousands of job
seekers across 10 states...so far.
Hack of ABC's Twitter account hails Trump - The Twitter accounts of
Good Morning America, GMA Pop News and ABC News were hacked on
Thursday with a series of irreverent posts being added, including
two praising Donald Trump, according to a report on CNBC.
Fake mobile base stations spreading malware in China - 'Swearing
Trojan' pushes phishing texts around carriers' controls - Chinese
phishing scum are deploying fake mobile base stations to spread
malware in text messages that might otherwise get caught by
UK Police Fed: Officers abusing investigatory powers for personal
matters - Police have reportedly been using law enforcement
resources to pursue personal matters, according to the Police
New York data breaches rise by 60% due to hacking and insiders - New
York data breaches have reached new heights according to the state's
Attorney General Eric Schneiderman. Security breaches skyrocketed by
60 percent in 2016.
Food court: Arby's reportedly faces 8 lawsuits resulting from breach
- Customers, banks and credit unions appear to have a beef with
Arby's. The fast-food sandwich chain is now facing a total of eight
lawsuits stemming from a data breach that was discovered in February
and affected around 1,000 locations, the AP reported yesterday.
Two Daytona State College breaches affect students and staff -
Daytona State College was hit with two data breaches this month that
affected both employee and student data.
Girls crack code in CyberFirst challenge and impress judges - The
competition is organised by the National Cyber Security Centre which
is looking to encourage more women into the sector, who currently
make up only seven percent of its workforce.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and specific
authorization privileges assigned to all users of e-banking systems
and applications, including all customers, internal bank users and
outsourced service providers. Logical access controls should also be
designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization's
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g.
remote access servers, e-mail proxy servers) and on each desktop
b) Intrusion detection software and other security assessment
tools to periodically probe networks, servers and firewalls for
weaknesses and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
the top of the newsletter
FFIEC IT SECURITY
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Source Code Review and Testing
Application and operating system source code can have numerous
vulnerabilities due to programming errors or misconfiguration. Where
possible, financial institutions should use software that has been
subjected to independent security reviews of the source code
especially for Internet facing systems. Software can contain
erroneous or intentional code that introduces covert channels,
backdoors, and other security risks into systems and applications.
These hidden access points can often provide unauthorized access to
systems or data that circumvents built-in access controls and
logging. The source code reviews should be repeated after the
creation of potentially significant changes.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
10.1.4 Employee Training and Awareness
Even after a candidate has been hired, the staffing process cannot
yet be considered complete -- employees still have to be trained to
do their job, which includes computer security responsibilities and
duties. Such security training can be very cost-effective in
Some computer security experts argue that employees must receive
initial computer security training before they are granted any
access to computer systems. Others argue that this must be a
risk-based decision, perhaps granting only restricted access (or,
perhaps, only access to their PC) until the required training is
completed. Both approaches recognize that adequately trained
employees are crucial to the effective functioning of computer
systems and applications. Organizations may provide introductory
training prior to granting any access with follow-up more extensive
training. In addition, although training of new users is critical,
it is important to recognize that security training and awareness
activities should be ongoing during the time an individual is a
10.2 User Administration
Effective administration of users' computer access is essential to
maintaining system security. User account management focuses on
identification, authentication, and access authorizations. This is
augmented by the process of auditing and otherwise periodically
verifying the legitimacy of current accounts and access
authorizations. Finally, there are considerations involved in the
timely modification or removal of access and associated issues for
employees who are reassigned, promoted, or terminated, or who