Federal Reserve Board announces
termination of enforcement action with Jack Henry & Associates, Inc.
- 34 Percent of C-Level Executives Are Never Updated on Security
Incidents - According to the results of a recent survey of 597 U.S.
IT and IT security professionals, 34 percent of respondents said
C-level executives are never updated on security incidents, 36
percent said they're only updated on a need-to-know basis, 23 said
they're only updated annually, and just 7 percent said they're
updated weekly or monthly.
- Widespread neglect puts NASA’s networks in jeopardy - The most
heralded federal agency is in serious risk of a major cyber attack
and no one seems to care.
- DHS, DISA cyber chiefs: Network monitoring is still 'a challenge'
- Sprawling organizations and layered networks pose hurdles to
agencies attempting to be proactive about cybersecurity, federal
officials told the Security Through Innovation Summit.
- DHS gives cyber hunters a better type of license - It took the
Homeland Security Department three days to own the computer networks
of three agencies.
- Retailers believe breach detection is sufficient, but gap yawns
wide - Retailers believe they can detect a data breach in a week or
less, while another report showed it takes them on average 197 days
to spot advanced threats.
- 73% of global brands and organisations hit with DDoS attack in
2015 - With the bombardment of DDoS attacks fairly consistent
worldwide throughout 2015, it's no longer a matter of if or when
attacks might happen, but how often and how for long.
- Mining company's data is more valuable than gold - Hackers posted
employee data and private documents belonging to Goldcorp, a
publicly listed gold-mining company, on a paste site.
- Ransomware rampant, but chinks found in its armor - To say that a
day does not pass without a ransomware attack being perpetrated upon
an organization somewhere the United States is no hyperbolic
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Records of 93.4M Mexican voter discovered in public database -
Researcher claimed to have discovered 93.4 million Mexican voter
registration records for the entire country representing all the
voters in Mexico in a publicly accessible and unprotected database
which has since been taken down.
- Hacked filipino voter records made public - Filipino voting
records which were breached earlier this month have now been made
public and searchable.
- Was Spotify breached? Account info shows up on Pastebin - Spotify
may have experienced a security breach, security pros, said after it
was reported that a list of customer account credentials was
discovered on Pastebin.
- Bangladesh banking hack due to SWIFT vulnerability - A report from
the Society for Worldwide Interbank Financial Telecommunication
(SWIFT) indicated the group was aware that malware was targeting its
system when $81 million was stolen from a Bangladesh bank in March.
- Possible 1.4GB data breach at Qatar National Bank - The Qatar
National Bank is investigating a possible massive data breach with
more than 15,000 files, or 1.4GB of data, being compromised.
- Over 7M Minecraft mobile credentials exposed after Lifeboat data
breach - A division of Hydreon Corporation, Lifeboat runs servers
for Minecraft Pocket Edition—the smartphone version of the immensely
popular video game Minecraft.
- SWIFT confirms additional cyberattacks on its messaging system -
The Society for Worldwide Interbank Financial Telecommunication
(SWIFT) has issued a warning to its customers that its financial
messaging system has undergone repeated attacks similar to those
that lead to $81 million from a Bangladesh bank.
- LuckyPet data breach compromises online payment info -
Seattle-based pet store LuckyPet notified the California State
Attorney General's office of a data breach that compromised online
- Malware in nuclear power plant prompts plant shutdown - Malware
discovered at a nuclear power plant in Germany raised concerns
public concerns and prompted the German electric utilities company
RWE AG to shut down the power plant as a precaution.
- Cyberattack knocks Lansing utility offline - The Lansing, Mich.,
Board of Water & Light (BWL) expects to be fully back online today
after suffering a cyberattack earlier this week that knocked the
utility's internal computer systems offline.
- Ohio firearms dealer website breach compromises customer names,
state ID data - An Ohio-based firearms dealer, notified California's
Attorney General that the company experienced a data breach that
compromised its customers' name and state identification
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
Selecting authentication mechanisms based on the risk associated
with the particular application or services;
2) Considering whether multi - factor authentication is
appropriate for each application, taking into account that
multifactor authentication is increasingly necessary for many forms
of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators
(e.g., passwords, PINs, digital certificates, and biometric
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi - factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
Enforcement and Oversight
Besides helping an organization improve the economy and efficiency
of its computer security program, a centralized program can include
an independent evaluation or enforcement function to ensure that
organizational subunits are cost-effectively securing resources and
following applicable policy. While the Office of the Inspector
General (OIG) and external organizations, such as the General
Accounting Office (GAO), also perform a valuable evaluation role,
they operate outside the regular management channels.
There are several reasons for having an oversight function within
the regular management channel. First, computer security is an
important component in the management of organizational resources.
This is a responsibility that cannot be transferred or abandoned.
Second, maintaining an internal oversight function allows an
organization to find and correct problems without the potential
embarrassment of an IG or GAO audit or investigation. Third, the
organization may find different problems from those that an outside
organization may find. The organization understands its assets,
threats, systems, and procedures better than an external
organization; additionally, people may have a tendency to be more
candid with insiders.