- Banks need to step up tech for mobile users, report - Banks
worldwide are at risk of incurring costly consequences to their
operations if they don't move away from legacy systems and get in
step with digital advancements.
IoT liability: Legal issues abound - The fact that U.S. intelligence
agencies have the ability to use connected devices as spy tools may
or may not be surprising, depending on one's level of cynicism.
10 Words to Watch in Security for 2017 - Cybersecurity has dominated
the news cycle this year and 2017 will continue that trend, bringing
the issue front and center in boardrooms and the situation room, but
a new vocabulary is evolving to describe and deal with these
Insurer sues Rosen Hotels over data breach payments - St. Paul Fire
& Marine Insurance has filed a lawsuit asking a Florida judge to
formally state that the insurance company is not responsible for
paying any costs related to a data breach that took place at Rosen
Hotels & Resorts last year.
U.S., U.K. warn airports, nuclear facilities of cyberattacks -
Airports and nuclear power plants in the U.S. and U.K. are on alert
for cyberattacks after governments in both countries issued alerts.
Yee-hacked! Fired Texan sysadmin goes rogue, trashes boot business -
A former IT administrator working at a cowboy boot manufacturer has
pled guilty to hacking the servers and cloud accounts of his
employer after they fired him and had him removed from the building.
Clues from Russian banking machine theft leads investigators to
ATMitch malware - Kaspersky Lab on Tuesday revealed further details
about a memory-only "fileless malware" campaign that a cybercriminal
organization has been employing to steal money remotely from ATMs
while leaving behind virtually no trace of malicious activity.
Gigs up, Bossland ordered to pay Blizzard $8.5M for game hacks -
Blizzard Entertainment was awarded $8.5 million in a lawsuit against
German company Bossland for making in-game cheats.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Yu-Gi-Oh fan forum breached, 6.5M email addresses, passwords
compromised - A hacker has made off with at least 6.5 million email
addresses and poorly hashed passwords from a Yu-Gi-Oh fan project
called “Dueling Network.”
Hacker compromises nearly 100k McDonald's Canada job applications -
The McDonald's Canada career website has suffered a data breach that
compromised about 95,000 restaurant job applications, the fast-food
giant acknowledged on Friday in a company statement.
4,000 WordPress sites infected through fake plugin - About 4,000
WordPress websites have been infected with malware that disguises
itself as a search engine optimization plugin to attract unwary
Brazilian bank hacked, loses control of its online presence - A
Brazilian bank had all of its 36 domains and other online assets
seized by hackers who then used the pages to push malware onto the
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Practices for Managing Outsourced E-Banking
Systems and Services
(Part 1 of 3)
1. Banks should adopt appropriate processes for evaluating
decisions to outsource e-banking systems or services.
a) Bank management should clearly identify the strategic
purposes, benefits and costs associated with entering into
outsourcing arrangements for e-banking with third parties.
b) The decision to outsource a key e-banking function or service
should be consistent with the bank's business strategies, be based
on a clearly defined business need, and recognize the specific risks
that outsourcing entails.
c) All affected areas of the bank need to understand how the
service provider(s) will support the bank's e-banking strategy and
fit into its operating structure.
2. Banks should conduct appropriate risk analysis and due
diligence prior to selecting an e-banking service provider and at
appropriate intervals thereafter.
a) Banks should consider developing processes for soliciting
proposals from several e-banking service providers and criteria for
choosing among the various proposals.
b) Once a potential service provider has been identified, the
bank should conduct an appropriate due diligence review, including a
risk analysis of the service provider's financial strength,
reputation, risk management policies and controls, and ability to
fulfill its obligations.
c) Thereafter, banks should regularly monitor and, as
appropriate, conduct due diligence reviews of the ability of the
service provider to fulfill its service and associated risk
management obligations throughout the duration of the contract.
d) Banks need to ensure that adequate resources are committed to
overseeing outsourcing arrangements supporting e-banking.
e) Responsibilities for overseeing e-banking outsourcing
arrangements should be clearly assigned.
f) An appropriate exit strategy for the bank to manage risks
should it need to terminate the outsourcing relationship.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Many financial institutions outsource software development to
third parties. Numerous vendor management issues exist when
outsourcing software development. The vendor management program
established by management should address the following:
- Verifying credentials and contracting only with reputable
- Evaluating the provider's secure development environment,
including background checks on its employees and code development
and testing processes;
- Obtaining fidelity coverage;
- Requiring signed nondisclosure agreements to protect the
financial institution's rights to source code and customer data as
- Establishing security requirements, acceptance criterion, and
- Reviewing and testing source code for security vulnerabilities,
including covert channels or backdoors that might obscure
unauthorized access into the system;
- Restricting any vendor access to production source code and
systems and monitoring their access to development systems; and
- Performing security tests to verify that the security
requirements are met before implementing the software in production.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
10.2.1 User Account
User account management involves (1) the process of requesting,
establishing, issuing, and closing user accounts; (2) tracking users
and their respective access authorizations; and (3) managing these
User account management typically begins with a request from the
user's supervisor to the system manager for a system account. If a
user is to have access to a particular application, this request may
be sent through the application manager to the system manager. This
will ensure that the systems office receives formal approval from
the "application manager" for the employee to be given access. The
request will normally state the level of access to be granted,
perhaps by function or by specifying a particular user profile.
(Often when more than one employee is doing the same job, a
"profile" of permitted authorizations is created.)
Systems operations staff will normally then use the account request
to create an account for the new user. The access levels of the
account will be consistent with those requested by the supervisor.
This account will normally be assigned selected access
authorizations. These are sometimes built directly into
applications, and other times rely upon the operating system.
"Add-on" access applications are also used. These access levels and
authorizations are often tied to specific access levels within an
Next, employees will be given their account information, including
the account identifier (e.g., user ID) and a means of authentication
(e.g., password or smart card/PIN). One issue that may arise at this
stage is whether the user ID is to be tied to the particular
position an employee holds (e.g., ACC5 for an accountant) or the
individual employee (e.g., BSMITH for Brenda Smith). Tying user IDs
to positions may simplify administrative overhead in some cases;
however, it may make auditing more difficult as one tries to trace
the actions of a particular individual. It is normally more
advantageous to tie the user ID to the individual employee. However,
if the user ID is created and tied to a position, procedures will
have to be established to change them if employees switch jobs or
are otherwise reassigned.
When employees are given their account, it is often convenient to
provide initial or refresher training and awareness on computer
security issues. Users should be asked to review a set of rules and
regulations for system access. To indicate their understanding of
these rules, many organizations require employees to sign an
"acknowledgment statement," which may also state causes for
dismissal or prosecution under the Computer Fraud and Abuse Act and
other applicable state and local laws.
When user accounts are no longer required, the supervisor should
inform the application manager and system management office so
accounts can be removed in a timely manner. One useful secondary
check is to work with the local organization's personnel officer to
establish a procedure for routine notification of employee
departures to the systems office.
It is essential to realize that access and authorization
administration is a continuing process. New user accounts are added
while others are deleted. Permissions change: sometimes permanently,
sometimes temporarily. New applications are added, upgraded, and
removed. Tracking this information to keep it up to date is not
easy, but is necessary to allow users access to only those functions
necessary to accomplish their assigned responsibilities -- thereby
helping to maintain the principle of least privilege. In managing
these accounts, there is a need to balance timeliness of service and
record keeping. While sound record keeping practices are necessary,
delays in processing requests (e.g., change requests) may lead to
requests for more access than is really necessary -- just to avoid
delays should such access ever be required.
Managing this process of user access is also one that, particularly
for larger systems, is often decentralized. Regional offices may be
granted the authority to create accounts and change user access
authorizations or to submit forms requesting that the centralized
access control function make the necessary changes. Approval of
these changes is important -- it may require the approval of the
file owner and the supervisor of the employee whose access is being
Example of Access Levels Within an Application
1 Create Records
2 Edit Group A records
3 Edit Group B records
4 Edit all records
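
The account review this section describes (routine notification of departures, user IDs tied to positions rather than individuals, and access limited to the approved profile), as an added example that is not part of the handbook or this newsletter. The roster, profiles, account records and the review_accounts function are constructed for illustration; the access levels are the four listed in the table above.

```python
from datetime import date

# Access levels from the table above.
ACCESS_LEVELS = {1: "Create Records", 2: "Edit Group A records",
                 3: "Edit Group B records", 4: "Edit all records"}

# Constructed sample data (hypothetical jobs, employee numbers and accounts).
PROFILES = {"accountant": {1, 2}, "auditor": {1, 4}}  # job -> approved levels
ROSTER = {  # employee number -> (job, departure date or None)
    "E100": ("accountant", None),
    "E101": ("accountant", date(2017, 3, 31)),
    "E102": ("auditor", None),
    "E103": ("auditor", date(2017, 1, 15)),
}
ACCOUNTS = [
    {"user_id": "BSMITH", "owner": "E100", "enabled": True, "levels": {1, 2}},
    {"user_id": "JDOE", "owner": "E101", "enabled": True, "levels": {1, 2}},
    {"user_id": "ACC5", "owner": None, "enabled": True, "levels": {1, 2}},
    {"user_id": "KLEE", "owner": "E102", "enabled": True, "levels": {1, 3, 4}},
    {"user_id": "MROSS", "owner": "E103", "enabled": False, "levels": {1, 4}},
]

def review_accounts(accounts, roster, profiles, today):
    """Return (user_id, reason) for each enabled account needing follow-up."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already closed; nothing to remove
        owner = acct["owner"]
        if owner is None or owner not in roster:
            # Position-tied or unowned ID: actions cannot be traced to a person.
            findings.append((acct["user_id"], "no individual owner on record"))
            continue
        job, departed = roster[owner]
        if departed is not None and departed <= today:
            findings.append((acct["user_id"],
                             f"owner departed {departed}, account still enabled"))
            continue
        # Least privilege: anything beyond the job's approved profile is excess.
        excess = acct["levels"] - profiles.get(job, set())
        if excess:
            names = ", ".join(ACCESS_LEVELS.get(n, f"level {n}")
                              for n in sorted(excess))
            findings.append((acct["user_id"],
                             f"access beyond {job} profile: {names}"))
    return findings

if __name__ == "__main__":
    for user_id, reason in review_accounts(ACCOUNTS, ROSTER, PROFILES,
                                           date(2017, 4, 10)):
        print(f"{user_id}: {reason}")
```
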
Sample User Account and Password Acknowledgment Form:
"I hereby acknowledge personal receipt of the system password(s)
associated with the user IDs listed below. I understand that I am
responsible for protecting the password(s), will comply with all
applicable system security standards, and will not divulge my
password(s) to any person. I further understand that I must report
to the Information Systems Security Officer any problem I encounter
in the use of the password(s) or when I have reason to believe that
the private nature of my password(s) has been compromised."