Global financial firms prepare to step up cyber-security defences -
In the next year, 86 percent of financial services firms plan to
increase the time and resources they spend on cyber-security.
Chinese APT compromised trade association's website to keep tabs on
members - A Chinese hacking group is accused of compromising the
website of the National Foreign Trade Council in an apparent attempt
to spy on the U.S. trade association's members in the days leading
up to a key summit between President Donald Trump and Chinese
President Xi Jinping.
Competing interests exist between two of the predominant federal
agencies tasked with stopping hackers from attacking the U.S.,
officials say, and that dynamic shapes how and when the government
notifies Americans if they’ve been breached.
SC Media honors women in security, calls for recommendations - Each
year at SC Media, the editorial team along with some of our most
trusted advisers consider the tireless, accomplished, well-educated
and knowledgeable women practitioners in cybersecurity to profile in
our annual Women in Security issue (July-August).
Large teaching hospitals more prone to breaches - Large teaching
hospitals, or hospitals affiliated with medical schools, are more
prone to data breaches, according to a recent report published in JAMA.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Researchers spotted a backdoor trojan that is distributed via
torrents and launches distributed brute-force attacks against weak
WordPress administrator accounts, as well as an infection that
injects malicious code into .js files.
Scottrade Bank data breach exposes 20,000 customers' personal
information - Scottrade Bank publicly confirmed that the personal
information of 20,000 customers was inadvertently left open to the
public when a third-party vendor uploaded a file to a server without
putting the proper security protocols in place.
Hacker sets off emergency sirens in Dallas - A hacker set off all
156 of Dallas's emergency sirens Friday night. "It does appear at
this time it was a hack, and it does appear this came from the
Dallas area," Sana Syed, the city's managing director of public
information, said at a Saturday news conference.
GameStop investigating point of sale data breach - GameStop is
investigating a possible payment card breach on the retailer's
GameStop.com online store, according to published reports.
SWIFT codes targeted in Union Bank of India cyberattack - Hackers
launched an attack against the Union Bank of India that was very
similar to the Bangladesh bank heist that resulted in the theft of
$81 million last year.
Data on 918K seniors exposed on diabetes site - A database
containing personal information of 918,000 seniors seeking discounts
on diabetes supplies had been sitting freely accessible online for
months before the exposure was discovered.
Hackers use college student loans tool to steal $30 million - Up to
100,000 people are exposed to identity theft after thieves exploited
an IRS tool meant to help students apply for college loans.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Sound Practices for Managing Outsourced E-Banking
Systems and Services
(Part 2 of 3)
3. Banks should adopt appropriate procedures for ensuring
the adequacy of contracts governing e-banking. Contracts governing
outsourced e-banking activities should address, for example, the
following:
a) The contractual liabilities of the respective parties as well
as responsibilities for making decisions, including any
sub-contracting of material services are clearly defined.
b) Responsibilities for providing information to and receiving
information from the service provider are clearly defined.
Information from the service provider should be timely and
comprehensive enough to allow the bank to adequately assess service
levels and risks. Materiality thresholds and procedures to be used
to notify the bank of service disruptions, security breaches and
other events that pose a material risk to the bank should be spelled
out.
c) Provisions that specifically address insurance coverage, the
ownership of the data stored on the service provider's servers or
databases, and the right of the bank to recover its data upon
expiration or termination of the contract should be clearly defined.
d) Performance expectations, under both normal and contingency
circumstances, are defined.
e) Adequate means and guarantees, for instance through audit
clauses, are defined to ensure that the service provider complies
with the bank's policies.
f) Provisions are in place for timely and orderly intervention
and rectification in the event of substandard performance by the
service provider.
g) For cross-border outsourcing arrangements, determining which
country's laws and regulations, including those relating to privacy
and other customer protections, are applicable.
h) The right of the bank to conduct independent reviews and/or
audits of security, internal controls and business continuity and
contingency plans is explicitly defined.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Many financial institutions use commercial off-the-shelf (COTS)
software for operating systems and applications. COTS systems
generally provide more functions than are required for the specific
purposes for which they are employed. For example, a default
installation of a server operating system may install mail, Web, and
file-sharing services on a system whose sole function is a DNS
server. Unnecessary software and services represent a potential
security weakness. Their presence increases the potential number of
discovered and undiscovered vulnerabilities present in the system.
Additionally, system administrators may not install patches or
monitor the unused software and services to the same degree as
operational software and services. Protection against those risks
begins when the systems are constructed and software installed
through a process that is referred to as hardening a system.
When deploying off-the-shelf software, management should harden
the resulting system. Hardening includes the following actions:
! Determining the purpose of the system and minimum software and
hardware requirements;
! Documenting the minimum hardware, software and services to be
included on the system;
! Installing the minimum hardware, software, and services
necessary to meet the requirements using a documented installation
procedure;
! Installing necessary patches;
! Installing the most secure and up-to-date versions of
applications;
! Configuring privilege and access controls by first denying all,
then granting back the minimum necessary to each user;
! Configuring security settings as appropriate, enabling allowed
activity, and disallowing other activity;
! Enabling logging;
! Creating cryptographic hashes of key files;
! Archiving the configuration and checksums in secure storage
prior to system deployment;
! Testing the system to ensure a secure configuration;
! Using secure replication procedures for additional, identically
configured systems, making configuration changes on a case-by-case
basis;
! Changing all default passwords; and
! Testing the resulting systems.
After deployment, the COTS systems may need updating with current
security patches. Additionally, the systems should be periodically
audited to ensure that the software present on the systems is
authorized and properly configured.
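The hashing, archiving and post-deployment audit steps above are easy to automate. The following is an added example, not FFIEC text: it hashes a set of key files before deployment, verifies them later against the archived checksums, and compares the services found running with the documented minimum. The host type (a DNS-only server), the service names, the file names and their contents are all constructed for the demonstration.

```python
"""Added example (not FFIEC text): a minimal hardening baseline check.

Implements three of the hardening steps in code:
  - hash key files and archive the checksums before deployment,
  - after deployment, verify the files against the archived checksums,
  - verify that only the documented minimum set of services is present.
All paths, service names and file contents below are constructed for the
demonstration; substitute the real ones for a production system.
"""
import hashlib
import json
import os
import tempfile

# Documented minimum for a hypothetical DNS-only host (assumption, not FFIEC text).
DOCUMENTED_SERVICES = {"named", "sshd", "chronyd", "rsyslogd"}


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 of a file, streamed so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Hash every key file; this is what gets archived before deployment."""
    return {p: sha256_file(p) for p in paths}


def verify_baseline(baseline):
    """Compare current files with the archived checksums.

    Returns 'modified' and 'missing' lists; both empty means the files
    still match the archived configuration.
    """
    modified, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif sha256_file(path) != expected:
            modified.append(path)
    return {"modified": sorted(modified), "missing": sorted(missing)}


def check_services(running, documented=DOCUMENTED_SERVICES):
    """Return services that are running but not in the documented minimum.

    `running` is an iterable of service names, e.g. parsed from
    `systemctl list-units --type=service --state=running`.
    """
    return sorted(set(running) - set(documented))


def demo():
    """Run the whole flow against constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "named.conf")
        sshd = os.path.join(root, "sshd_config")
        with open(conf, "w") as f:
            f.write("options { recursion no; allow-transfer { none; }; };\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\nPasswordAuthentication no\n")

        baseline = build_baseline([conf, sshd])
        archived = json.dumps(baseline, sort_keys=True)  # store this off-host

        # Later: a change slips in (root login re-enabled) and one file is removed.
        with open(sshd, "a") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(conf)

        result = verify_baseline(json.loads(archived))
        unexpected = check_services(["named", "sshd", "httpd", "smbd", "chronyd"])
        return {
            "modified": [os.path.basename(p) for p in result["modified"]],
            "missing": [os.path.basename(p) for p in result["missing"]],
            "unexpected_services": unexpected,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The archived checksums only protect the configuration if they are kept off the host being checked; a copy stored locally can be rewritten by whoever modified the files. The same comparison against a documented allowlist can be applied to installed packages and listening ports, which is what the periodic audit in the paragraph above is asking for.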
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology publication.
Section III. Operational Controls - Chapter 10
10.2.2 Audit and Management Reviews
From time to time, it is necessary to review user account
management on a system. Within the area of user access issues, such
reviews may examine the levels of access each individual has,
conformity with the concept of least privilege, whether all accounts
are still active, whether management authorizations are up-to-date,
whether required training has been completed, and so forth.
These reviews can be conducted on at least two levels: (1) on an
application-by-application basis or (2) on a systemwide basis. Both
kinds of reviews can be conducted by, among others, in-house systems
personnel (a self-audit), the organization's internal audit staff,
or external auditors. For example, a good practice is for
application managers (and data owners, if different) to review all
access levels of all application users every month -- and sign a
formal access approval list, which will provide a written record of
the approvals. While it may initially appear that such reviews
should be conducted by systems personnel, reviews performed by
systems personnel alone usually are not fully effective. System
personnel can verify that users only have those accesses that their
managers have specified. However, because access requirements may
change over time, it is important to involve the
application manager, who is often the only individual in a position
to know current access requirements.
Outside audit organizations (e.g., the Inspector General [IG] or
the General Accounting Office) may also conduct audits. For example,
the IG may direct a more extensive review of permissions. This may
involve discussing the need for particular access levels for
specific individuals or the number of users with sensitive access.
For example, how many employees should really have authorization to
the check-printing function? (Auditors will also examine
non-computer access by reviewing, for example, who should have
physical access to the check printer or blank-check stock.)
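The monthly review described above reconciles what the application actually grants against what the application manager signed, and the auditor's check-printing question is a count over the same data. The following is an added example, not text from the NIST handbook: it takes an entitlement export, the signed approval list, an HR status feed and a training roster, and produces the exceptions the manager has to act on. The users, roles, dates and the one-year re-approval interval are all constructed assumptions.

```python
"""Added example (not NIST handbook text): the periodic access review as code.

Reconciles an application's current entitlements against the access list
the application manager signed, and flags the conditions the text lists:
access beyond what was approved, accounts that should no longer be active,
approvals that have gone stale, missing training, and the number of users
holding a sensitive function (the check-printing question). All data below
is constructed for the demonstration.
"""
from datetime import date, timedelta

SENSITIVE_ROLES = {"check_print", "payment_release"}
APPROVAL_MAX_AGE = timedelta(days=365)   # assumption: approvals re-signed yearly

# Constructed entitlement export from the application: (user, role).
CURRENT_ACCESS = [
    ("alice", "ap_clerk"), ("alice", "check_print"),
    ("bob", "ap_clerk"), ("bob", "check_print"), ("bob", "payment_release"),
    ("carol", "read_only"),
    ("dave", "ap_clerk"), ("dave", "check_print"),
]

# Constructed manager-signed approval list: user -> (approved roles, date signed).
APPROVED = {
    "alice": ({"ap_clerk", "check_print"}, date(2017, 1, 15)),
    "bob":   ({"ap_clerk", "check_print"}, date(2015, 6, 1)),  # stale; no payment_release
    "carol": ({"read_only"}, date(2017, 3, 1)),
    # dave has no approval on file at all
}

# Constructed HR and training feeds.
HR_STATUS = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}
TRAINING_OK = {"alice", "bob", "dave"}


def review_access(current, approved, hr_status, training_ok, today,
                  sensitive=SENSITIVE_ROLES, max_age=APPROVAL_MAX_AGE):
    """Return the exceptions an application manager must act on."""
    held = {}
    for user, role in current:
        held.setdefault(user, set()).add(role)

    findings = {
        "unapproved": [],      # (user, role) held but not on the signed list
        "inactive": [],        # account still provisioned after HR termination
        "stale_approval": [],  # no approval, or approval older than max_age
        "training_missing": [],
        "sensitive_holders": {},
    }
    for user, roles in sorted(held.items()):
        approved_roles, signed = approved.get(user, (set(), None))
        for role in sorted(roles - approved_roles):
            findings["unapproved"].append((user, role))
        if hr_status.get(user) != "active":
            findings["inactive"].append(user)
        if signed is None or today - signed > max_age:
            findings["stale_approval"].append(user)
        if user not in training_ok:
            findings["training_missing"].append(user)
    # The auditor's question: how many people can really use each sensitive function?
    for role in sorted(sensitive):
        findings["sensitive_holders"][role] = sorted(
            u for u, roles in held.items() if role in roles)
    return findings


def demo(today=date(2017, 4, 10)):
    """Run the review over the constructed data as of a fixed date."""
    return review_access(CURRENT_ACCESS, APPROVED, HR_STATUS, TRAINING_OK, today)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")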