- Financial services sector most attacked in 2016 - IBM's X-Force
Research Team has found that cybercriminals follow Willie Sutton's
old-school, analog advice on why to rob banks because “that is where
the money is.”
USAF Launches 'Hack the Air Force' - Bug bounty contest expands
Defense Department outreach to the global hacker community to find
unknown vulnerabilities in DoD networks.
IoT, Automation, Autonomy, and Megacities in 2025 - This paper
extrapolates from present trends to describe plausible future crises
playing out in multiple global cities within 10 years.
Security fears keep UK consumers from adopting new payment methods -
A survey conducted by new data global law firm Paul Hastings reveals
fears British consumers have when using new payment methods.
A Holistic Security Architecture May Just Help Avoid Future
Liability - Digitization is invading all aspects of business,
government and daily living. As a result, we are facing myriad new
possibilities and new demands.
NSA to end controversial warrantless surveillance practice - The
National Security Agency (NSA) has put an end to a part of its
warrantless surveillance –the so-called “about” data collection—of
non-U.S. persons who are outside the U.S. under Section 702 of the
Foreign Intelligence Surveillance Act (FISA), which is due to expire
by year's end, the New York Times reported.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Malware shuts down Virginia State Police email - The Virginia
State Police network Wednesday was hit with a malware attack which
shut down the department's email services.
Chipotle may have banished E coli, but now it has a new infection -
The last quarter has been a trying one for Mexican fast-food chain
Chipotle. People are returning to its restaurants after the great
2015 E coli outbreak, but now customers are being struck by a
different kind of virus.
Massive Google Docs phishing attack targeted credentials,
permissions - A fast moving, but widespread phishing attack
targeting Google Gmail and Docs users hit yesterday affecting an
unknown number of victims with the likely goal of stealing login
credentials and millions of additional email addresses that could be
used for a future phishing campaign.
Gannett phishing attack compromised 18,000 accounts - Gannett
Company was hit with a phishing attack that may have compromised the
accounts of as many as 18,000 current and former employees.
Data breach rattles Sabre: Intrusion into hotel reservations system
revealed - Sabre Corporation, a major technology solution provider
serving airline and hotel companies, has disclosed a breach of its
Hospitality Solutions SynXis Central Reservations system that may
have exposed consumers' payment card data and personally
USB drives containing IBM tool found infected with malicious code -
IBM issued a support advisory last week warning users that some USB
flash drives containing the company's Storwize initialization tool
include a file infected with malicious code.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Audit Trail Practices for E-Banking Systems
1. Sufficient logs should be maintained for all e-banking
transactions to help establish a clear audit trail and assist in
2. E-banking systems should be designed and installed to capture
and maintain forensic evidence in a manner that maintains control
over the evidence, and prevents tampering and the collection of
3. In instances where processing systems and related audit trails
are the responsibility of a third-party service provider:
a) The bank should ensure that it has access to relevant audit
trails maintained by the service provider.
b) Audit trails maintained by the service provider meet the
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
AGREEMENTS: CONFIDENTIALITY, NON - DISCLOSURE, AND
Financial institutions should protect the confidentiality of
information about their customers and organization. A breach in
confidentiality could disclose competitive information, increase
fraud risk, damage the institution's reputation, violate customer
privacy and associated rights, and violate regulatory requirements.
Confidentiality agreements put all parties on notice that the
financial institution owns its information, expects strict
confidentiality, and prohibits information sharing outside of that
required for legitimate business needs. Management should obtain
signed confidentiality agreements before granting new employees and
contractors access to information technology systems.
Job descriptions, employment agreements, and policy awareness
acknowledgements increase accountability for security. Management
can communicate general and specific security roles and
responsibilities for all employees within their job descriptions.
Management should expect all employees, officers, and contractors to
comply with security and acceptable use policies and protect the
institution's assets, including information. The job descriptions
for security personnel should describe the systems and processes
they will protect and the control processes for which they are
responsible. Management can take similar steps to ensure contractors
and consultants understand their security responsibilities as well.
Financial institutions need to educate users regarding their
security roles and responsibilities. Training should support
security awareness and should strengthen compliance with the
security policy. Ultimately, the behavior and priorities of senior
management heavily influence the level of employee awareness and
policy compliance, so training and the commitment to security should
start with senior management. Training materials would typically
review the acceptable - use policy and include issues like desktop
security, log - on requirements, password administration guidelines,
etc. Training should also address social engineering, and the
policies and procedures that protect against social engineering
attacks. Many institutions integrate a signed security awareness
agreement along with periodic training and refresher courses.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
10.2.5 Termination -
10.2.5.2 Unfriendly Termination
Unfriendly termination involves the removal of an employee under
involuntary or adverse conditions. This may include termination for
cause, RIF, involuntary transfer, resignation for "personality
conflicts," and situations with pending grievances. The tension in
such terminations may multiply and complicate security issues.
Additionally, all of the issues involved in friendly terminations
are still present, but addressing them may be considerably more
The greatest threat from unfriendly terminations is likely to come
from those personnel who are capable of changing code or modifying
the system or applications. For example, systems personnel are
ideally positioned to wreak considerable havoc on systems
operations. Without appropriate safeguards, personnel with such
access can place logic bombs (e.g., a hidden program to erase a
disk) in code that will not even execute until after the employee's
departure. Backup copies can be destroyed. There are even examples
where code has been "held hostage." But other employees, such as
general users, can also cause damage. Errors can be input
purposefully, documentation can be misfiled, and other "random"
errors can be made. Correcting these situations can be extremely
Given the potential for adverse consequences, security specialists
routinely recommend that system access be terminated as quickly as
possible in such situations. If employees are to be fired, system
access should be removed at the same time (or just before) the
employees are notified of their dismissal. When an employee notifies
an organization of a resignation and it can be reasonably expected
that it is on unfriendly terms, system access should be immediately
terminated. During the "notice" period, it may be necessary to
assign the individual to a restricted area and function. This may be
particularly true for employees capable of changing programs or
modifying the system or applications. In other cases, physical
removal from their offices (and, of course, logical removal, when
logical access controls exist) may suffice.