- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet as well as
the penetration study complies
with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
- From NY To Bangladesh: Inside An Inexcusable Cyber Heist - A
spelling error was the tipoff to last month's multimillion-dollar
digital bank heist. But could multifactor authentication have
prevented it in the first place?
- Six months in, chipped credit cards gaining acceptance with
consumers, retailers - The six-month anniversary of chipped credit
cards – becoming the standard for retailers – is coming up on April
1 and the general consensus in the industry on the rollout is “so
far so good,” with a touch of “these things take time” thrown in.
- Survey says companies unprepared for ransomware, phishing attacks
- Tripwire released the results of a survey that was conducted
earlier this month at the RSA Conference that asked 200 security
pros how prepared their company is to face various cybercrimes and,
for the most part, the answers were pessimistic.
- Dangerous New USB Trojan Discovered - 'USB Thief' could be used
for targeted purposes, researchers at ESET say. The Internet and the
growing interconnectedness of networks have made it incredibly easy
for threat actors to deliver and propagate malware. But not all
cyber threats are Internet-borne.
- MedStar Health's refusal to admit it was hit with ransomware is
logical, experts - MedStar Health's attempt to hide the type of
attack that knocked its systems offline for the last few days in all
likelihood informed the world of exactly what it was trying to hide:
It was a ransomware attack.
- 10% of large companies do not use any cybersecurity framework - A
survey of IT and security professionals found that 16% of
organizations do not use any cybersecurity framework.
- Nearly 1,500 vulnerabilities found in automated medical equipment
- Security researchers have discovered 1,418 flaws in outdated
medical equipment still in use by some healthcare providers. The
vulnerabilities could allow hackers to remotely exploit systems.
- Ukraine approves new cyber-security strategy - New standards and
cyber-security strategy approved in Ukraine to thwart Russians
hacking infrastructure as Russian software purchases halted.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Water treatment plant hacked, chemical mix changed for tap
supplies - Well, that's just a little scary - Hackers infiltrated a
water utility’s control system and changed the levels of chemicals
being used to treat tap water, we're told.
- Hospital Declares ‘Internal State of Emergency’ After Ransomware
Infection - A Kentucky hospital says it is operating in an “internal
state of emergency” after a ransomware attack rattled around inside
its networks, encrypting files on computer systems and holding the
data on them hostage unless and until the hospital pays up.
- Pentagon Cut Off Access to Personal Email to Fight Malicious
Messages - Pentagon officials last week cut off employee access to
private webmail after a malicious, pervasive email campaign was
- Data breach authority Verizon Enterprise breached; 1.5 million
customers impacted - Known for its highly respected Data Breach
Investigations Report, Verizon Enterprise Solutions has suffered its
own data breach, after a cybercriminal was discovered selling
information linked to 1.5 million of its customers.
- Concordia University discovers keylogger security incident - A
university in Montréal, Québec discovered keylogger devices on
computer workstations used by students in university libraries.
- 3,000 Tidewater Community College workers victimized in W-2 scam -
Tidewater Community College (TCC) in Norfolk, Va., reported that the
tax information of all those employed at the school in 2015 was
taken in a spear phishing scam.
- Pennsylvania police warn speeding ticket scam could spread malware
- The Tredyffrin, Penn. Township Police Department is warning
residents of an email scam that sends fake speeding citations via
email and requests payment be made using an online site.
- Verizon Acknowledges Breach of 'Basic' Customer Contact Data -
Attackers used a flaw in Verizon’s enterprise-customer portal to
grab client data from the company, which has made a name for itself
as an expert in responding to breaches.
- Chinese hackers rob over 18M user credentials via Japanese server
- Over 18 million user credentials have been found on a server of a
Japanese company who let Chinese hackers use it in their attacks.
- Truecaller app risks exposing info of 100 million users - A
popular caller ID Android application that blocks incoming spam
callers has a privacy flaw that threatens to expose the personal
information of over 100 million users.
- Hacker exploits vulnerabilities to sneak bogus paint-drying game
onto Steam store - A white-hat hacker reportedly sneaked his own
video game onto Valve's online Steam store without undergoing the
usual approval process, in order to point out alleged
vulnerabilities in the system.
- FBI investigating attack against computer networks at U.S. law
firms - The Federal Bureau of Investigation (FBI) and the Manhattan
U.S. attorney's office are investigating an attack in which hackers
accessed the computer networks at U.S. law firms, including Cravath
Swaine & Moore LLP and Weil Gotshal & Manges LLP, according to a
Wall Street Journal report.
- University of Central Florida facing more than $100K cost
following breach - The University of Central Florida (UCF) released
figures for how much it will cost to notify potential victims of a
data breach it experienced last month.
- Developer's 11 lines of deleted code 'breaks the internet' - Web
development around the world was disrupted when a 28-year-old man
deleted 11 lines of his code from npm.
- Ransom notes reportedly spotted on MedStar computers - As MedStar
Health said today it is still in the process of recovering from a
cyberattack that took place two days ago, published reports said
hospital staffers observed a ransom note appearing on some company
- Hacker leaks Norfolk Admirals customer data - A hacker Wednesday
posted online the personal information of roughly 250 Norfolk
Admirals hockey team customers.
- Data on 1K staffers and students at Kentucky State University
exposed - Kentucky State University was hit with a data breach on
March 22 when an employee, responding to an email supposedly from
the school's president, sent off W-2s for employees and students.
- Founder of Oilpro.com charged with hacking into competitor's
database - The Department of Justice (DOJ) announced the arrest of
David Kent, founder of the Houston-based professional networking
website Oilpro.com, on charges relating to computer hacking and wire
- Scammers phishing using fake Macy's delivery emails - Macy's is
reportedly investigating a phishing scam that uses a fake Macy's
delivery email notification for what is usually a non-existent
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
the top of the newsletter
FFIEC IT SECURITY
our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
System devices, programs, and data are system resources. Each
system resource may need to be accessed by other system resources
and individuals in order for work to be performed. Access beyond the
minimum required for work to be performed exposes the institution's
systems and information to a loss of confidentiality, integrity, and
availability. Accordingly, the goal of access rights administration
is to identify and restrict access to any particular system resource
to the minimum required for work to be performed. The financial
institution's security policy should address access rights to system
resources and how those rights are to be administered.
Management and information system administrators should critically
evaluate information system access privileges and establish access
controls to prevent unwarranted access. Access rights should be
based upon the needs of the applicable user or system resource to
carry out legitimate and approved activities on the financial
institution's information systems. Policies, procedures, and
criteria need to be established for both the granting of appropriate
access rights and for the purpose of establishing those legitimate
activities. Formal access rights administration for users consists
of four processes:
! An enrollment process to add new users to the system;
! An authorization process to add, delete, or modify authorized
user access to operating systems, applications, directories, files,
and specific types of information;
! An authentication process to identify the user during subsequent
! A monitoring process to oversee and manage the access rights
granted to each user on the system.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
5.5 Cost Considerations
A number of potential costs are associated with developing and
implementing computer security policies. Overall, the major cost of
policy is the cost of implementing the policy and its impacts upon
the organization. For example, establishing a computer security
program, accomplished through policy, does not come at negligible
Other costs may be those incurred through the policy development
process. Numerous administrative and management activities may be
required for drafting, reviewing, coordinating, clearing,
disseminating, and publicizing policies. In many organizations,
successful policy implementation may require additional staffing and
training - and can take time. In general, the costs to an
organization for computer security policy development and
implementation will depend upon how extensive the change needed to
achieve a level of risk acceptable to management.