- Workers like to circumvent corporate cybersecurity policies, study
- Researchers found that 95 percent of enterprises surveyed had
employees who actively circumventing corporate security protocols.
Cultivating a cybersecurity-first corporate culture - After Sept.
11, New York City's Metropolitan Transportation Authority came up
with a tagline intended to make citizens aware that each person is
on the front line when it comes to defending the metropolis against
another terror attack.
SWIFT on security: Fresh anti-bank-fraud defenses now live -
Inter-bank data comms biz SWIFT says it has introduced mechanisms to
better protect money transfers from tampering.
Professional hackers from the NSA, U.S. Cyber Command and foreign
militaries are launching a barrage of simulated cyberattacks this
week as part of a training exercise to help teach students at the
service academies for the Navy, Army, Coast Guard, U.S. Merchant
Marine and Canadian Royal Military how to better defend sensitive
What it takes to be a security consultant - The move to security
consultant can be rewarding and challenging (in a good way), but be
prepared to market and sell yourself and your services.
Over three quarters of UK public unaware Snooper's Charter was
passed - As per the recent Investigatory Powers Act otherwise known
as the “Snooper's Charter”, UK intelligence agencies were given the
green light to access personal data from browsing histories.
Sysadmin 'trashed old bosses' Oracle database with ticking logic
bomb' - Always ensure the office laptop gets returned - A systems
administrator is being sued by his ex-employer, which has accused
the IT bod of planting a ticking time-bomb on company's servers to
wipe crucial data.
GAO - Financial Technology: Information on Subsectors and Regulatory
New York men plead guilty to ATM theft scheme using skimmers and
hidden cameras - What Happened? Three New York-area men have
separately pleaded guilty in federal court to one count of
conspiracy to commit bank fraud, in relation to the theft of at
least $428,581 in funds from various New Jersey banking locations.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hacked Dallas sirens get extra encryption to fend off future
attacks - The hack may have been a simple ‘replay attack’ of siren
activation test signal.
1.5 million records lost in March health care industry data breaches
- A sharp spike in the number of health care data breaches was
recorded in March with 39 incidents taking place compromising more
than 1.5 million patient record.
FDA warns Abbott on cybersecurity woes with St. Jude heart devices -
The Federal Drug Administration (FDA) Thursday warned Abbott
Laboratories of cybersecurity and other issues relating to heart
devices made by St. Jude Medical, which Abbott acquired earlier this
U.K. Foreign Office targeted by Callisto Group hackers - Attackers
targeted the U.K.'s Foreign Office with a spear-phishing campaign
believed to have begun in April 2016.
W-2 data breach at Westminster College - A breach of employee
information in January at Westminster College in Missouri did not
affect student academic records or financial aid information,
officials stated this past Saturday, according to a report in the
Columbia Daily Tribune.
Hacker served Shoney's POS malware for three months - Best American
Hospitality Corp. reported that 37 of the Shoney's restaurants it
manages and operates were hit with point-of-sale (POS) malware
starting in late December and lasting through early March.
Update to RingGo app leaves thousands of UK drivers' data exposed -
An update to car parking payment app "RingGo" has led to the
exposure of the personal details of thousands of UK drivers.
2015 Neiman Marcus data breach more damaging than first reported -
Neiman Marcus is not having a good month as far as public relations
Details on 1.7M Snapchat users allegedly posted in India - Snapchat
CEO Evan Spiegel might want to tone down his comments while
discussing the target demographic for his app.
Australian businesses hit with email scam - An elaborate email scam
is unfolding in Australia that is infecting computers with malware,
according to a post on the MailGuard blog.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Practices for Managing Outsourced E-Banking
Systems and Services
(Part 3 of 3)
4. Banks should ensure that periodic independent internal and/or
external audits are conducted of outsourced operations to at least
the same scope required if such operations were conducted in-house.
a) For outsourced relationships involving critical or
technologically complex e-banking services/applications, banks may
need to arrange for other periodic reviews to be performed by
independent third parties with sufficient technical expertise.
5. Banks should develop appropriate contingency plans for
outsourced e-banking activities.
a) Banks need to develop and periodically test their contingency
plans for all critical e-banking systems and services that have been
outsourced to third parties.
b) Contingency plans should address credible worst-case scenarios
for providing continuity of e-banking services in the event of a
disruption affecting outsourced operations.
c) Banks should have an identified team that is responsible for
managing recovery and assessing the financial impact of a disruption
in outsourced e-banking services.
6. Banks that provide e-banking services to third parties should
ensure that their operations, responsibilities, and liabilities are
sufficiently clear so that serviced institutions can adequately
carry out their own effective due diligence reviews and ongoing
oversight of the relationship.
a) Banks have a responsibility to provide serviced institutions
with information necessary to identify, control and monitor any
risks associated with the e-banking service arrangement.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
! Obtain the patch from a known, trusted source;
! Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
! Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
! Back up production systems prior to applying the patch;
! Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
! Test the resulting system for known vulnerabilities;
! Update the master configurations used to build new systems;
! Create and document an audit trail of all changes; and
! Seek additional expertise as necessary to maintain a secure
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
10.2.3 Detecting Unauthorized/Illegal Activities
Several mechanisms are used besides auditing81 and analysis of
audit trails to detect unauthorized and illegal acts. For example,
fraudulent activities may require the regular physical presence of
the perpetrator(s). In such cases, the fraud may be detected during
the employee's absence. Mandatory vacations for critical systems and
applications personnel can help detect such activity (however, this
is not a guarantee, for example, if problems are saved for the
employees to handle upon their return). It is useful to avoid
creating an excessive dependence upon any single individual, since
the system will have to function during periods of absence.
Particularly within the government, periodic rescreening of
personnel is used to identify possible indications of illegal
activity (e.g., living a lifestyle in excess of known income level).
10.2.4 Temporary Assignments and In-house Transfers
One significant aspect of managing a system involves keeping user
access authorizations up to date. Access authorizations are
typically changed under two types of circumstances: (1) change in
job role, either temporarily (e.g., while covering for an employee
on sick leave) or permanently (e.g., after an in-house transfer) and
(2) termination discussed in the following section.
Users often are required to perform duties outside their normal
scope during the absence of others. This requires additional access
authorizations. Although necessary, such extra access authorizations
should be granted sparingly and monitored carefully, consistent with
the need to maintain separation of duties for internal control
purposes. Also, they should be removed promptly when no longer
Permanent changes are usually necessary when employees change
positions within an organization. In this case, the process of
granting account authorizations (described in Section 10.2.1) will
occur again. At this time, however, is it also important that access
authorizations of the prior position be removed. Many instances of
"authorization creep" have occurred with employees continuing to
maintain access rights for previously held positions within an
organization. This practice is inconsistent with the principle of