- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet, and our penetration study
complies with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, the agreement,
and cost-saving fees, please complete the information form at
All communication is kept strictly confidential.
- Top US Undergraduate Computer Science Programs Skip Cybersecurity
Classes - New study reveals that none of the top 10 US university
computer science and engineering degree programs requires students
to take a cybersecurity course.
- Maryland hospital: Ransomware success wasn’t IT department’s fault
- MedStar denies ransom payment, denies earlier JBoss bugs played
role. MedStar, the health network of 10 Maryland hospitals struck by
a ransomware attack last week, has now reportedly brought all its
systems back online without paying attackers.
- Russian hacker group targeting largest EU banks - The Russian
government has begun working with Russia's Central Bank to develop a
package of measures aimed at fighting Buhtrap, the recently
discovered hacker group, which, to date, has stolen around RUB 4
billion (£42 million) from Russian and Western banks, and is
reportedly planning further attacks on the EU banking system.
- FBI Warns of Cyber Threat to Electric Grid - Three months after a
Department of Homeland Security intelligence report downplayed the
threat of a cyber attack against the U.S. electrical grid, DHS and
the FBI began a nationwide program warning of the dangers faced by
U.S. utilities from damaging cyber attacks like the recent hacking
against Ukraine's power grid.
- Cyber-criminals becoming increasingly professional - Cyber-criminals
targeting the UK are becoming increasingly professional and have a
sophistication almost on par with nation-state hackers, according to
a recently published report.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- FDIC breach of 44,000 customers caused by storage device - A
former employee of the Federal Deposit Insurance Corp. (FDIC)
departed the agency with a storage device that contained data and
information involving 44,000 FDIC customers, an FDIC representative
- 'Panama Papers' Law Firm: We Were Hacked - Founding partner of
Mossack Fonseca tells Reuters his firm was a victim of an external
hacker who leaked its data. In the latest twist in the historic
"Panama Papers" data leak and scandal, the founding partner of the
law firm whose files were dumped, exposing illicit offshore holdings
of global political leaders, celebrities, and others, says his firm
was hacked by an outsider.
- Huge data breach leaves details of 55 million Filipino voters
exposed to hackers - Officials downplay impact of leak of electoral
roll, passport info and fingerprint data - The details of up to 55
million voters in the Philippines have been exposed putting much of
the country at risk of identity theft.
- Georgetown University confirms cyberattack, says no data
compromised - A cyberattack at Georgetown University didn't
compromise any data, school officials confirmed. The university sent
an email to its community saying that an outage experienced as a
result of the attack came from a firewall closing the network in
order to protect the system and data.
- Data breaches galore: state health dept., two schools, grocery
chain hit - A state agency, two educational institutions, and a
grocery chain fell victim to a wave of separate data breaches that
swept the southern states and California.
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, the OSC provides that,
because the term "electronic terminal" excludes a telephone operated
by a consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the system to
allow the users only the access rights they were granted. Since
access rights do not automatically expire or update, periodic
updating and review of access rights on the system is necessary.
Updating should occur when an individual's business needs for system
use change. Many job changes can result in an expansion or
reduction of access rights. Job events that would trigger a removal
of access rights include transfers, resignations, and terminations.
Institutions should take particular care to remove promptly the
access rights for users who have remote access privileges, and those
who administer the institution's systems.
Because updating may not always be accurate, periodic review of
user accounts is a good control to test whether the access right
removal processes are functioning, and whether users exist who
should have their rights rescinded or reduced. Financial
institutions should review access rights on a schedule commensurate
Access rights to new software and hardware present a unique
problem. Typically, hardware and software are installed with default
users, with at least one default user having full access rights.
Easily obtainable lists of popular software exist that identify the
default users and passwords, enabling anyone with access to the
system to obtain the default user's access. Default user accounts
should either be disabled, or the authentication to the account
should be changed. Additionally, access to these default accounts
should be monitored more closely than other accounts.
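The periodic review and default-account checks described above, as an added example that is not from the FFIEC booklet or the newsletter: a review script that reconciles enabled accounts against a constructed HR status feed, flags accounts whose owner transferred, resigned or was terminated (remote-access and administrator accounts first), flags orphaned accounts with no HR record, and flags vendor default accounts that are still enabled or still carry their factory credential. The account export format and the `password_changed` flag are assumptions.

```python
# Added example (not the booklet's or the newsletter's own code): a periodic
# access-rights review over a constructed account export and HR status feed.
from dataclasses import dataclass, field

@dataclass
class Account:
    user: str
    enabled: bool
    roles: set = field(default_factory=set)   # e.g. {"remote", "admin"}
    is_default: bool = False                  # vendor-installed default account
    password_changed: bool = True             # False = factory credential still set

# Constructed HR feed: user -> "active", "transferred", "resigned", "terminated"
HR_STATUS = {"alice": "active", "bob": "terminated", "carol": "transferred",
             "dave": "active", "erin": "resigned"}

# Constructed account inventory from a hypothetical system export.
ACCOUNTS = [
    Account("alice", True, {"remote"}),
    Account("bob", True, {"remote", "admin"}),
    Account("carol", True, {"admin"}),
    Account("dave", True),
    Account("erin", False),                                  # already disabled
    Account("admin", True, {"admin"}, is_default=True, password_changed=False),
    Account("guest", False, is_default=True),
    Account("svc_backup", True, {"admin"}),                  # no HR record
]

REMOVAL_EVENTS = {"transferred", "resigned", "terminated"}

def review_access(accounts, hr_status):
    """Return findings as (user, priority, reason); priority 1 = act first."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # nothing left to rescind
        if acct.is_default:
            if not acct.password_changed:
                findings.append((acct.user, 1, "default account enabled with factory credential"))
            else:
                findings.append((acct.user, 2, "default account still enabled; monitor closely"))
            continue
        status = hr_status.get(acct.user)
        if status is None:
            findings.append((acct.user, 1, "no HR record (orphaned account)"))
        elif status in REMOVAL_EVENTS:
            # Remote-access and administrative users are removed first.
            prio = 1 if acct.roles & {"remote", "admin"} else 2
            findings.append((acct.user, prio, f"{status}: rights should be rescinded"))
    return sorted(findings, key=lambda f: (f[1], f[0]))
```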
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.2 Central Computer Security Programs
The purpose of a central computer security program is to address
the overall management of computer security within an organization.
In the federal government, the organization could consist of a
department, agency, or other major operating unit.
As with the management of all resources, central computer security
management can be performed in many practical and cost-effective
ways. The importance of sound management cannot be overemphasized.
There is also a downside to centrally managed computer security
programs. Specifically, they present greater risk that errors in
judgment will be more widely propagated throughout the organization.
As they strive to meet their objectives, managers need to consider
the full impact of available options when establishing their
computer security programs.
6.2.1 Benefits of Central Computer Security Programs
A central security program should provide two quite distinct types
- Increased efficiency and economy of security throughout the
- the ability to provide centralized enforcement and oversight.
Both of these benefits are in keeping with the purpose of the
Paperwork Reduction Act, as implemented in OMB Circular A-130.
The Paperwork Reduction Act establishes a broad mandate for
agencies to perform their information management activities in an
efficient, effective, and economical manner...Agencies shall assure
an adequate level of security for all agency automated information
systems, whether maintained in-house or commercially.