- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet as well as
the penetration study complies
with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
- U.S., Canada issue ransomware alert - With a new ransomware
incidents popping up almost on a daily basis, the U.S. Department of
Homeland Security (DHS), in collaboration with Canadian Cyber
Incident Response Centre (CCIRC), have issued an official ransomware
- Ransomware epidemic could become historic crime spree, warns alert
- A new cybersecurity alert warns that the exponential growth of
ransomware as a cybercriminal tool may be turning this malware
epidemic into the “largest crime wave in modern history.”
Over 300 incidents of ransomware on federal networks since June -
There have been 321 incident reports of "ransomware-related
activity" affecting 29 different federal networks since June 2015,
according to the Department of Homeland Security.
US Marine Corps launches hacker support unit - Team will conduct OCO,
CNE and ISR to stop SNAFUs on MCEN and ODIN - The United States
Marine Corps has launched a hacking support unit.
Will the Panama Papers change legal firms' cyber practices? -
Following the massive 2.6 terabyte leak from the Panamanian
corporate service provider and legal firm Mossack Fonseca, a
sentiment emerges among security professionals assessing the
wreckage at the secretive company.
Survey finds 'accountability gap' among execs dealing with
cybersecurity - The cybersecurity “accountability gap” is growing as
40 percent of executives admitted they didn't feel responsible for
the impact of a cyberattack and a lack of understanding concerning
cybersecurity could be a contributing factor.
- Hack the Pentagon: First US government bug bounty programme opens
for business - If you're not afraid of the Pentagon running a
criminal background check on you, the department has some cash to
fork out on security bugs in its public websites.
- Cyber insurance rates fall with lull in major hacks - A lull in
high-profile data breaches prompted insurers to cut cyber insurance
rates for high-risk businesses such as retailers and healthcare
companies during the first three months of this year, according to
insurance industry brokers.
- Hack-for-hire services booming, new report - Hackers are offering
their services to break into corporate email for anyone paying $500.
- GAO - Cloud Computing: Agencies Need to Incorporate Key Practices
to Ensure Effective Performance.
- 14% of doctors keep patient data on cell phones, don't use
password - As the healthcare industry reacts to a streak of
ransomware attacks against hospitals, a new report sheds light on a
looming but poorly-publicized threat: doctor's mobile communications
- Cybersecurity being overlooked by American universities -
CloudPassage released a report today slamming the U.S. university
system for failing to give cybersecurity a higher profile in its
computer science and engineering programs.
- Reports find high security risks among policies for third-party
vendors - Two recent reports highlight the security and privacy
threats posed by third-party vendors. The reports examine company's
procedures for handling third-party vendor permissions and the
ability of companies to track these vendors' activities.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- MedStar Health partially restores services after ransomware attack
- The organization was reportedly hit with the Samsam ransomware
family - MedStar Health said Wednesday it is restoring computer
systems following a cyberattack that reportedly involved
Another Canadian hospital hit with ransomware attack, spreads
TeslaCrypt - Malwarebytes researchers spotted ransomware attack
against another Canadian hospital.
Email server hack behind Panamanian law firm leaks - An email server
hack is thought to be behind the leaking of top-secret documents
from Panamanian law firm, Mossack Fonseca.
50 million exposed in Turkish data breach - As many as 50 million
Turkish citizens, including the nation's current and former
presidents, may have been impacted in a data breach that was
revealed to the public today.
Ghost Squad Hackers hit Trump sites with DDoS attacks - Ghost Squad
Hackers, an offshoot of the hacktivist group Anonymous, claim to
have taken down two websites belonging to Donald Trump.
- MedStar Health almost back online, but other hospitals hit -
MedStar Health is reporting that its clinical and management
computer systems are almost fully back online, eight days after the
medical organization suffered a cyber attack that forced it to shut
down its network.
- Domino's hack: A lifetime of free pizza just one poor security
practice away - A poor security practice in the payment
authentication process in the Domino's Pizza Android mobile
application allowed a U.K. security consultant to order a pizza free
- Personal laptop, possibly containing data on 5M patients, stolen
from HHS facility - A personal laptop and hard drives that may
contain sensitive data on close to 5 million medical patients,
including Social Security numbers, was stolen from a Washington
State federal building, prompting calls for the U.S. Department of
Health and Human Services to reveal the extent of the damage.
- Mattel duped out of $3M in phishing scam, recovers loot - U.S. toy
manufacturer Mattel fell victim in April 2015 to a popular phishing
campaign known as the fake CEO or fake president scam, but was able
to recover its money.
- Australian fashion blogger's Instragram account reportedly
hijacked - The Instagram account of Australian fashion blogger
Rozalia Russian was hijacked by an American hacker, who extorted
$5,000 from her before handing back her credentials.http://www.scmagazine.com/australian-fashion-bloggers-instragram-account-reportedly-hijacked/article/488111/
compromises info on 15,085 new and expectant parents - A breach at
the National Childbirth Trust (NCT) in the U.K. compromised the
information of 15,085 users.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers
" and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely of
asterisks or other symbols as pointers or hotlinks would not be as
clear as descriptive references that specifically indicate the
content of the linked material.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
The enrollment process establishes the user's
identity and anticipated business needs to information and systems.
New employees, IT outsourcing relationships, and contractors may
also be identified, and the business need for access determined
during the hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre - established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
! Identifying each privilege associated with each system component,
! Implementing a process to allocate privileges and allocating
those privileges either on a need - to - use or an event - by -
event basis,! Documenting the granting and administrative limits on
! Finding alternate ways of achieving the business objectives,
! Assigning privileges to a unique user ID apart from the one used
for normal business use,
! Logging and auditing the use of privileged access,
! Reviewing privileged access rights at appropriate intervals and
regularly reviewing privilege access allocations, and
! Prohibiting shared privileged access by multiple users.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
Computers and the information
they process are critical to many organizations' ability to perform
their mission and business functions. It therefore makes sense that
executives view computer security as a management issue and seek to
protect their organization's computer resources as they would any
other valuable asset. To do this effectively requires developing of
a comprehensive management approach.
This chapter presents an organization wide approach to computer
security and discusses its important management function. Because
organizations differ vastly in size, complexity, management styles,
and culture, it is not possible to describe one ideal computer
security program. However, this chapter does describe some of the
features and issues common to many federal organizations.
6.1 Structure of a Computer Security Program
Many computer security programs that are distributed throughout the
organization have different elements performing various functions.
While this approach has benefits, the distribution of the computer
security function in many organizations is haphazard, usually based
upon history (i.e., who was available in the organization to do what
when the need arose). Ideally, the distribution of computer security
functions should result from a planned and integrated management
Managing computer security at multiple levels brings many benefits.
Each level contributes to the overall computer security program with
different types of expertise, authority, and resources. In general,
higher-level officials (such as those at the headquarters or unit
levels in the agency described above) better understand the
organization as a whole and have more authority. On the other hand,
lower-level officials (at the computer facility and applications
levels) are more familiar with the specific requirements, both
technical and procedural, and problems of the systems and the users.
The levels of computer security program management should be
complementary; each can help the other be more effective.
Since many organizations have at least two levels of computer
security management, this chapter divides computer security program
management into two levels: the central level and the system level.
(Each organization, though, may have its own unique structure.) The
central computer security program can be used to address the overall
management of computer security within an organization or a major
component of an organization. The system-level computer security
program addresses the management of computer security for a