Financial Regulators Release New Appendix for Retail Payment
Systems Booklet Appendix E: Mobile Financial Services - The Federal
Financial Institutions Examination Council members today issued a
revised Retail Payment Systems booklet, which is part of the FFIEC
Information Technology Examination Handbook. The update consists of
the addition of a new appendix, Appendix E: Mobile Financial
- Hack a car in Michigan, go to prison for life if new bill becomes
law - While some Canadian officials are worried about distracted
driving in the future, such as drivers being too busy having sex in
self-driving cars to be attentive to the vehicle’s “take over”
command, Michigan lawmakers are so worried about car hacking that
they’ve proposed making it punishable by life in prison.
Gibraltar kids win UK CyberCenturion blue team hacker comp - A team
of Gibraltar school kids have taken out the British CyberCenturion
hacking competition at Bletchley Park.
SWIFT warns customers of multiple cyber fraud cases - SWIFT, the
global financial network that banks use to transfer billions of
dollars every day, warned its customers on Monday that it was aware
of "a number of recent cyber incidents" where attackers had sent
fraudulent messages over its system.
German nuclear plant infected with computer viruses, operator says -
A nuclear power plant in Germany has been found to be infected with
computer viruses, but they appear not to have posed a threat to the
facility's operations because it is isolated from the Internet, the
station's operator said.
DHS seeks better private-public sharing of cyber threat information
- The Department of Homeland Security wants private-sector companies
to get under the agency’s information-sharing umbrella in order to
better manage and mitigate cyber risks to critical infrastructure.
Oversight leaders to probe Social Security defenses - The House
Oversight Committee is evaluating cybersecurity practices at the
Social Security Administration after a November audit found security
weakness to be a “significant deficiency” at the agency.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- BWL in limbo from cyberattack - Utility has had to shut down
systems, phone lines, but customer accounts remain secure - For the
second time in just more than three years, the Lansing Board of
Water & Light faces an emergency that limits its ability to serve
Pwnedlist vulnerability exposed 866M accounts - A Michigan school
district network engineer discovered a security vulnerability
affecting the pwnedlist.com service that exposed 866 million account
1,206 Solano Community College employees victimized in W-2 data
breach - Solano Community College in Fairfield, Calif., was hit with
a spearphishing attack that led to the W-2 information for about
1,200 staffers being compromised.
Some U.S. Bancorp workers' W-2 info exposed in ADP data breach - At
least one major corporation that uses ADP as its payroll vendor had
some of its employees' W-2 tax information compromised.
Tampa airport to conduct major IT security audit following apparent
breach - Authorities at Tampa International Airport have expedited
and expanded a sweeping assessment of its network security,
following the resignation of an IT consultant who was allegedly
found to have shared system passwords with unauthorized parties, the
Tampa Tribune has reported.
Gmail, Yahoo email credentials among millions found on the dark web
- Hold Security is reporting that one of its researchers discovered,
and then acquired, a mega-size load of 272 million stolen email
credentials from a hacker.
Anonymous 'Operation Icarus' launches DDoS attack against Bank of
Greece - Anonymous Tuesday launched a DDoS attack against the Bank
of Greece marking the start of what the group said will be a 30-day
campaign targeting central banks across the world.
Swiss defense department was victim of cyber attack - Following a
presentation on cyberespionage to his government's Federal
Intelligence Service, the Swiss defense minister revealed that his
department - the Federal Department of Defence, Civil Protection and
Sports - came under cyber attack.
Brunswick Corp.'s 13,000 workers' W-2 data compromised - Brunswick
Corp. was victimized by a spearphishing scam that netted the W-2
information for possibly all 13,000 current and former company
California accounting firm breached, tax and PII info exposed - An
accounting and tax firm reported to the California Attorney General
that the company's computer system was accessed by an unauthorized
person, resulting in the compromise of its stored W-2 information.
Spearphishing attack nets $495K from investment firm - An employee
at a Troy, Mich., investment firm was tricked via a spearphishing
attack into transferring almost $500,000 to a Hong Kong bank.
Charles Schwab data breach exposed client investment data - Charles
Schwab informed some of its customers on May 4 that the company had
noticed unusual login activity on their account, possibly due to an
unauthorized person having obtained their account username and
Tribune Media's ProSportsDaily Forum site breached - Tribune Media's
ProSportsDaily notified the California Attorney General's Office
Wednesday of a data breach that compromised user information.
WEB SITE COMPLIANCE -
Role Of Consumer Compliance In Developing And Implementing
Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system designers
consult with the compliance officer during the development and
implementation stages in order to minimize compliance risk. The
compliance officer should ensure that the proper controls are
incorporated into the system so that all relevant compliance issues
are fully addressed. This level of involvement will help decrease
an institution's compliance risk and may prevent the need to delay
deployment or redesign programs that do not meet regulatory
The compliance officer should develop a compliance risk profile as
a component of the institution's online banking business and/or
technology plan. This profile will establish a framework from which
the compliance officer and technology staff can discuss specific
technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements. For
example, the compliance officer may communicate with the technology
staff about whether compliance disclosures/notices on a web site
should be indicated or delivered by the use of "pointers" or
"hotlinks" to ensure that required disclosures are presented to the
consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Shared Secret Systems (Part 1 of 2)
Shared secret systems uniquely identify the user by matching
knowledge on the system to knowledge that only the system and user
are expected to share. Examples are passwords, pass phrases, or
current transaction knowledge. A password is one string of
characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string
of words or characters (e.g., "My car is a shepherd") that the
system may shorten to a smaller password by means of an algorithm.
Current transaction knowledge could be the account balance on the
last statement mailed to the user/customer. The strength of shared
secret systems is related to the lack of disclosure of and about the
secret, the difficulty in guessing or discovering the secret, and
the length of time that the secret exists before it is changed.
A strong shared secret system only involves the user and the system
in the generation of the shared secret. In the case of passwords and
pass phrases, the user should select them without any assistance
from any other user, such as the help desk. One exception is in the
creation of new accounts, where a temporary shared secret could be
given to the user for the first login, after which the system
prompts the user to create a different password. Controls should
prevent any user from re-using shared secrets that may have been
compromised or were recently used by them.
Passwords are the most common authentication mechanism. Passwords
are generally made difficult to guess when they are composed from a
large character set, contain a large number of characters, and are
frequently changed. However, since hard-to-guess passwords may
be difficult to remember, users may take actions that weaken
security, such as writing the passwords down. Any password system
must balance the password strength with the user's ability to
maintain the password as a shared secret. When the balancing
produces a password that is not sufficiently strong for the
application, a different authentication mechanism should be
considered. Pass phrases are one alternative to consider. Due to
their length, pass phrases are generally more resistant to attack
than passwords. The length, character set, and time before enforced
change are important controls for pass phrases as well as passwords.
Shared secret strength is typically assured through the use of
automated tools that enforce the password selection policy.
Authentication systems should force changes to shared secrets on a
schedule commensurate with risk.
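The two controls this passage calls for, automated enforcement of the selection policy and a block on re-using recently used or compromised secrets, as an added example that is not part of the booklet. The thresholds (8 characters with 3 character classes, or 16 characters for a pass phrase, a history depth of 5) and the list of "compromised" secrets are assumptions constructed for the demo; history entries are kept only as salted PBKDF2 digests so the stored record itself does not become a second copy of the secret.

```python
import hashlib
import hmac
import os
import string

# Constructed list of "known compromised" secrets, held as SHA-1 hex the way breach
# corpora publish them; a real deployment would consult a maintained feed.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1!", "Summer2016!", "letmein123!")
}

# Policy parameters are assumptions for the demo, not figures from the booklet.
MIN_PASSWORD_LEN = 8       # a short secret must draw on several character classes
MIN_CLASSES = 3
MIN_PASSPHRASE_LEN = 16    # length alone qualifies a pass phrase
HISTORY_DEPTH = 5          # number of prior secrets a user may not return to
PBKDF2_ITERATIONS = 100_000

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def strength_issues(secret: str) -> list:
    """Return policy violations for a candidate secret; an empty list means acceptable."""
    issues = []
    classes = sum(any(ch in cls for ch in secret) for cls in _CLASSES)
    long_enough_phrase = len(secret) >= MIN_PASSPHRASE_LEN
    strong_enough_password = len(secret) >= MIN_PASSWORD_LEN and classes >= MIN_CLASSES
    if not (long_enough_phrase or strong_enough_password):
        issues.append("too short or too few character classes")
    if hashlib.sha1(secret.encode()).hexdigest() in COMPROMISED_SHA1:
        issues.append("known compromised")
    return issues


def _derive(secret: str, salt: bytes) -> bytes:
    # Slow, salted derivation so a leaked history cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


class SecretHistory:
    """Per-user record of recent secrets, kept only as salted PBKDF2 digests."""

    def __init__(self):
        self.entries = []  # (salt, digest), oldest first

    def recently_used(self, secret: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived per entry.
        return any(hmac.compare_digest(_derive(secret, salt), digest)
                   for salt, digest in self.entries)

    def change(self, secret: str) -> list:
        """Apply the full policy; store the secret and return [] only if it passes."""
        issues = strength_issues(secret)
        if self.recently_used(secret):
            issues.append("recently used")
        if issues:
            return issues
        salt = os.urandom(16)
        self.entries.append((salt, _derive(secret, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]  # forget the oldest beyond the window
        return []


if __name__ == "__main__":
    history = SecretHistory()
    for candidate in ("shepherd", "t0Ol@Tyme", "My car is a shepherd",
                      "My car is a shepherd", "Password1!"):
        print(repr(candidate), "->", history.change(candidate) or "accepted")
```

The pass phrase from the booklet ("My car is a shepherd") is accepted on length alone, is refused when submitted again, and becomes usable once HISTORY_DEPTH further changes have pushed it out of the window; the compromised-list check runs regardless of how strong the secret looks.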
Passwords can also be dynamic. Dynamic passwords typically use
seeds, or starting points, and algorithms to calculate a new
shared secret for each access. Because each password is used for
only one access, dynamic passwords can provide significantly more
authentication strength than static passwords. In most cases,
dynamic passwords are implemented through tokens. A token is a
physical device, such as an ATM card, smart card, or other device
that contains information used in the authentication process.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.3 Elements of an
Effective Central Computer Security Program
For a central computer security program to be effective, it should
be an established part of organization management. If system
managers and applications owners do not need to consistently
interact with the security program, then it can become an empty
token of upper management's "commitment to security."
Stable Program Management Function. A well-established
program will have a program manager recognized within the
organization as the central computer security program manager. In
addition, the program will be staffed with able personnel, and links
will be established between the program management function and
computer security personnel in other parts of the organization. A
computer security program is a complex function that needs a stable
base from which to direct the management of such security resources
as information and money. The benefits of an oversight function
cannot be achieved if the computer security program is not
recognized within an organization as having expertise and authority.
Stable Resource Base. A well-established program will have a
stable resource base in terms of personnel, funds, and other
support. Without a stable resource base, it is impossible to plan
and execute programs and projects effectively.
Existence of Policy. Policy provides the foundation for the
central computer security program and is the means for documenting
and promulgating important decisions about computer security. A
central computer security program should also publish standards,
regulations, and guidelines that implement and expand on policy.
Published Mission and Functions Statement. A published
mission statement grounds the central computer security program into
the unique operating environment of the organization. The statement
clearly establishes the function of the computer security program
and defines responsibilities for both the computer security program
and other related programs and entities. Without such a statement,
it is impossible to develop criteria for evaluating the
effectiveness of the program.
Long-Term Computer Security Strategy. A well-established
program explores and develops long-term strategies to incorporate
computer security into the next generation of information
technology. Since the computer and telecommunications field moves
rapidly, it is essential to plan for future operating environments.
Compliance Program. A central computer security program
needs to address compliance with national policies and requirements,
as well as organization-specific requirements. National requirements
include those prescribed under the Computer Security Act of 1987,
OMB Circular A-130, the FIRMR, and Federal Information Processing
Intraorganizational Liaison. Many offices within an
organization can affect computer security. The Information Resources
Management organization and physical security office are two obvious
examples. However, computer security often overlaps with other
offices, such as safety, reliability and quality assurance, internal
control, or the Office of the Inspector General. An effective
program should have established relationships with these groups in
order to integrate computer security into the organization's
management. The relationships should encompass more than just the
sharing of information; the offices should influence each other.
Liaison with External Groups. There are many sources of
computer security information, such as NIST's Computer Security
Program Managers' Forum, computer security clearinghouse, and the
Forum of Incident Response and Security Teams (FIRST). An
established program will be knowledgeable of and will take advantage
of external sources of information. It will also be a provider of