- US court agrees with feds: Warrants aren’t needed for cell-site
location data - Data placed suspects near a string of Radio Shack
and T-Mobile store robberies. Another federal appeals court is
siding with the Obama administration's position that court warrants
are not required to track a suspect's cell-site location.
- New GozNym banking malware steals millions in just days - A new
banking trojan named GozNym is actively hitting U.S. and Canadian
banks and has already taken about $4 million from two dozen North
- The anatomy of a spearphishing scam, or how to steal $100M with a
fake email - A lawsuit filed on April 14 by U.S. Attorney for the
Southern District of New York Preet Bharara gives an insider's view
on how frighteningly easy it is for a company to be duped out of a
huge sum of money. In this case almost $100 million.
- MIT develops new cybersecurity AI platform - Researchers at the
Massachusetts Institute of Technology (MIT) have published a paper
on a new artificial intelligence platform called AI2 that uses human
input combined with machine learning to reduce false positives and
increase its ability to predict cyberattacks.
- Hacker behind Hacking Team breach publishes how-to guide - The
hacker who claimed responsibility for breaching Hacking Team last
year published an explainer guide detailing his process in executing
- Most orgs couldn't quickly detect breach, study - A recent survey
found that only 21 percent of 209 respondents from a research panel
said they were able to “almost immediately” detect a breach while 34
percent said they could detect a breach within a day.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cyberattack brings down Newark Police Dept. systems - A
cyberattack on the Newark Police Department brought down systems
used to track and analyze crime data and to dispatch officers.
- Hacker taps congressman's cellphone, investigation called for -
Showing a U.S. Congressman that his mobile phone is not entirely
secure may be the best way to encourage the government to take quick
action on a cyber security issue.
- Educational network Janet hit with DDoS attacks - A wave of DDoS
attacks were launched against the education network Janet yesterday
- Stolen laptop puts data of CVS customers in Alabama at risk - The
personal information of an undisclosed number of CVS customers at a
branch in Calera, Ala., is at risk after a laptop was stolen from
one of its vendors.
- Australia's prime minister confirms Australian Bureau of Meteorology
attack - Although China last year vehemently denied a cyberattack on
the Australian Bureau of Meteorology and government officials
maintained a stony silence, Australian Prime Minister Malcolm
Turnbull confirmed that the bureau was indeed a target of attack.
- 18,000 possibly affected by Archdiocese of Denver data breach - A
database maintained by a third-party vendor for The Archdiocese of
Denver containing the personal identifiable information of 18,000
former and current employees and their dependents was accessed by an
unauthorized person in October 2015, several of the victims have
already reported having their information used for fraudulent
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written
authorization for preauthorized transfers from a consumer's account
includes an electronic authorization that is not signed, but
similarly authenticated by the consumer, such as through the use of
a security code. According to the Official Staff Commentary (OSC),
an example of a consumer's authorization that is not in the form of
a signed writing but is, instead, "similarly authenticated," is a
consumer's authorization via a home banking system. To satisfy the
regulatory requirements, the institution must have some means to
identify the consumer (such as a security code) and make a paper
copy of the authorization available (automatically or upon
request). The text of the electronic authorization must be
displayed on a computer screen or other visual display that enables
the consumer to read the communication from the institution. Only
the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through
an acceptable-use policy (AUP). Users who can access internal
systems typically are required to agree to an AUP before using a
system. An AUP details the permitted system uses and user activities
and the consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand-alone users include:
- The specific access devices that can be used to access the
- Hardware and software changes the user can make to their access
- The purpose and scope of network activity;
- Network services that can be used, and those that cannot be used;
- Information that is allowable and not allowable for transmission
using each allowable service;
- Bans on attempting to break into accounts, crack passwords, or
- Responsibilities for secure operation; and
- Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
Authorized users may seek to extend their activities beyond what is
allowed in the AUP, and unauthorized users may seek to gain access
to the system and move within the system. Network security controls
provide the protection necessary to guard against those threats.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
Economic Coordination of Information
A central computer security program helps to coordinate and manage
effective use of security-related resources throughout the
organization. The most important of these resources are normally
information and financial resources.
Sound and timely information is necessary for managers to
accomplish their tasks effectively. However, most organizations have
trouble collecting information from myriad sources and effectively
processing and distributing it within the organization. This section
discusses some of the sources and efficient uses of computer
Within the federal government, many organizations such as the
Office of Management and Budget, the General Services
Administration, the National Institute of Standards and Technology,
and the National Telecommunications and Information Administration,
provide information on computer, telecommunications, or information
resources. This information includes security-related policy,
regulations, standards, and guidance. A portion of the information
is channeled through the senior designated official for each
agency. Agencies are expected to have mechanisms in place to
distribute the information the senior designated official receives.
Computer security-related information is also available from
private and federal professional societies and groups. These groups
will often provide the information as a public service, although
some private groups charge a fee for it. However, even for
information that is free or inexpensive, the costs associated with
personnel gathering the information can be high.
Internal security-related information, such as which procedures
were effective, virus infections, security problems, and solutions,
need to be shared within an organization. Often this information is
specific to the operating environment and culture of the
A computer security program administered at the organization level
can provide a way to collect the internal security-related
information and distribute it as needed throughout the organization.
Sometimes an organization can also share this information with
Another use of an effective conduit of information is to increase
the central computer security program's ability to influence
external and internal policy decisions. If the central computer
security program office can represent the entire organization, then
its advice is more likely to be heeded by upper management and
external organizations. However, to be effective, there should be
excellent communication between the system-level computer security
programs and the organization level. For example, if an organization
were considering consolidating its mainframes into one site (or
considering distributing the processing currently done at one site),
personnel at the central program could provide initial opinions
about the security implications. However, to speak authoritatively,
central program personnel would have to actually know the security
impacts of the proposed change -- information that would have to be
obtained from the system-level computer security program.
An organization's components may develop specialized expertise,
which can be shared among components. For example, one operating
unit may primarily use UNIX and have developed skills in UNIX
security. A second operating unit (with only one UNIX machine), may
concentrate on MVS security and rely on the first unit's knowledge
and skills for its UNIX machine.
Besides being able to help an organization use information more
cost effectively, a computer security program can also help an
organization better spend its scarce security dollars. Organizations
can develop expertise and then share it, reducing the need to
contract out repeatedly for similar services. The central computer
security program can help facilitate information sharing.
Personnel at the central computer security program level can also
develop their own areas of expertise. For example, they could
sharpen their skills in contingency planning and risk analysis
to help the entire organization perform these vital security
Some Principal Security Program Interactions
Besides allowing an organization to share expertise and, therefore,
save money, a central computer security program can use its position
to consolidate requirements so the organization can negotiate
discounts based on volume purchasing of security hardware and
software. It also facilitates such activities as strategic planning
and organization-wide incident handling and security trend analysis.