- What it will take for today's CISOs to become tomorrow's COOs and
CEOs - The next generation security leaders need to understand how
the business works at all levels, but if they can do this, they may
become invaluable partners in business.
- Trump signs cybersecurity executive order - After letting it
languish somewhere in the recesses of a beleaguered White House for
more than three months, Donald Trump today signed a Cybersecurity
Executive Order, Strengthening the Cybersecurity of Federal Networks
and Critical Infrastructure, meant to bring efficiency, clarity and
additional protections to government IT systems.
- U.S. Cyber Command is not “optimized” today to combat information
operations orchestrated by foreign powers, NSA Director and U.S.
Cyber Command head Adm. Michael Rogers said during a Senate Armed
Services Committee hearing Tuesday.
- Dude hit with $300K bill for faking his hours, hacking boss's
website - When your fake invoice strategy is black numbers on a
black background, you're gonna fail.
- PATCH Act introduced to improve federal cybersecurity and
transparency - In the wake of the high-profile WanaCryptor
ransomware attack, a bipartisan group of elected officials from both
Congressional Houses has introduced the Protecting our Ability To
Counter Hacking (PATCH) Act to improve cybersecurity and
transparency at the federal level.
- Unraveling mobile banking malware, Check Point - Banking malware
targeting mobile users requires little tech know-how to develop and
operate, so it stands as an insistent battle for security
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 7,000 affected in Bronx Lebanon Hospital Data Breach - Bronx
Lebanon Hospital Center in New York City was breached, exposing the
medical records of thousands.
- NSA tools behind worldwide WanaCryptOr ransomware attack - A
ransomware attack leveraging alleged NSA hacking tools that began
hitting the U.K. National Health System earlier today has spread
globally, impacting FedEx and Spanish telecom Telefonica, and
locking up tens of thousands of computers in 74 countries.
- Millions of identities stolen from education platform Edmodo - The
account details of millions of subscribers to the education platform
Edmodo have not only been stolen but have also been seen for sale on
the dark web, according to a post on Motherboard.
- Brooks Brothers site hit with year-long data breach - Men's fashion
retailer Brooks Brothers is alerting customers who made purchases at
some of its locations of a potential breach.
- Data of 1.9M Bell Canada customers compromised - Bell Canada on
Monday announced that an unknown attacker had gained access to
- DocuSign's stolen emails lead to phishing attacks - Threat actors
are using stolen DocuSign customer emails in a phishing campaign to
spread malicious Word documents.
- Bank of France customers targeted in phishing campaign -
Cyber-criminals are attempting to steal credentials from French
companies and consumers, yet the campaign is falsely attributed to
the Bank of France.
- 3,500 affected in Coney Island hospital data breach - A data breach
at NYC Health + Hospitals/Coney Island hospital may have compromised
the information of nearly 3,500 patients.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Capacity, Business Continuity and Contingency Planning Practices for
1. All e-banking services and applications, including those
provided by third-party service providers, should be identified and
assessed for criticality.
2. A risk assessment for each critical e-banking service and
application, including the potential implications of any business
disruption on the bank's credit, market, liquidity, legal,
operational and reputation risk, should be conducted.
3. Performance criteria for each critical e-banking service and
application should be established, and service levels should be
monitored against such criteria. Appropriate measures should be
taken to ensure that e-banking systems can handle high and low
transaction volume and that system performance and capacity are
consistent with the bank's expectations for future growth in
4. Consideration should be given to developing processing
alternatives for managing demand when e-banking systems appear to be
reaching defined capacity checkpoints.
5. E-banking business continuity plans should be formulated to
address any reliance on third-party service providers and any other
external dependencies required to achieve recovery.
6. E-banking contingency plans should set out a process for
restoring or replacing e-banking processing capabilities,
reconstructing supporting transaction information, and include
measures to be taken to resume availability of critical e-banking
systems and applications in the event of a business disruption.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
Financial institutions need appropriate disposal procedures for
both electronic and paper-based media. Policies should prohibit
employees from discarding sensitive media along with regular garbage
to avoid accidental disclosure. Many institutions shred paper-based
media on site and others use collection and disposal services
to ensure the media is rendered unreadable and unreconstructable
before disposal. Institutions that contract with third parties
should use care in selecting vendors to ensure adequate employee
background checks, controls, and experience.
Computer-based media presents unique disposal problems. Residual
data frequently remains on media after erasure. Since that data can
be recovered, additional disposal techniques should be applied to
sensitive data. Physical destruction of the media, for instance by
subjecting a compact disk to microwaves, can make the data
unrecoverable. Additionally, data can sometimes be destroyed after
overwriting. Overwriting may be preferred when the media will be
reused. Institutions should base their disposal policies on the
sensitivity of the information contained on the media and, through
policies, procedures, and training, ensure that the actions taken to
securely dispose of computer-based media adequately protect the data
from the risks of reconstruction. Where practical, management should
log the disposal of sensitive media, especially computer-based
Financial institutions should maintain the security of media while
in transit or when shared with third parties. Policies should
- Restrictions on the carriers used and procedures to verify the
identity of couriers,
- Requirements for appropriate packaging to protect the media from
- Use of encryption for transmission of sensitive information,
- Security reviews or independent security reports of receiving
- Use of nondisclosure agreements between couriers and third
Financial institutions should address the security of their backup
tapes at all times, including when the tapes are in transit from
the data center to off-site storage.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
User issues are tied to topics throughout this handbook.
Training and Awareness is a critical part of addressing the
user issues of computer security.
Identification and Authentication and Access Controls in a
computer system can only prevent people from doing what the computer
is instructed they are not allowed to do, as stipulated by Policy.
The recognition by computer security experts that much more harm
comes from people doing what they are allowed to do, but should not
do, points to the importance of considering user issues in the
computer security picture, and the importance of Auditing.
Policy, particularly its compliance component, is closely
linked to personnel issues. A deterrent effect arises among users
when they are aware that their misconduct, intentional or
unintentional, will be detected.
These controls also depend on managers (1) selecting the right
type and level of access for their employees, (2) informing
system managers of which employees need accounts and what type and
level of access they require, and (3) promptly informing system
managers of changes to access requirements. Otherwise, accounts and
accesses can be granted to or maintained for people who should not