- Criminal investigation underway into banking regulator data breach
- A criminal investigation is underway over the removal of tens of
thousands of taxpayers' personally identifiable information from the
Federal Deposit Insurance Corporation (FDIC), the agency’s internal
watchdog said Thursday.
- 6 Shocking Intellectual Property Breaches - Not all breaches
involve lost customer data. Sometimes the most damaging losses come
when intellectual property is pilfered.
- 89% of surveyed health care orgs breached in last two years;
cybercrime top cause - For the second consecutive year, Ponemon
Institute's annual study on the state of security and privacy in
health care found that cybercrime was the leading cause of data
breaches among hospitals and other medical providers.
- Lack of Trust in Internet Privacy and Security May Deter Economic
and Other Online Activities - Every day, billions of people around
the world use the Internet to share ideas, conduct financial
transactions, and keep in touch with family, friends, and
- Updated banking malware turns entire ATM into a skimmer -
Kaspersky Lab researchers discovered a new and improved version of
the ATM malware dubbed “Skimmer” which targets banks and turns
entire ATM machines into payment card skimmers.
- 77% of organisations unprepared for cyber-security incidents -
Roughly 77 percent of organisations are unprepared for
cyber-security incidents according to research by NTT Com in its
2016 Global Threat Intelligence Report.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Wendy’s: Breach Affected 5% of Restaurants - Wendy’s said today
that an investigation into a credit card breach at the nationwide
fast-food chain uncovered malicious software on point-of-sale
systems at fewer than 300 of the company’s 5,500 franchised stores.
- FBI suspects an inside job in $81M Bangladesh bank hack - Evidence
points to at least one suspect who is an employee of the bank,
people familiar with the matter said. “A handful” of others may have
helped hackers navigate the bank’s computer system, according to the
- Second bank hit with SWIFT-based hack, experts say patches failed
- The Society for Worldwide Interbank Financial Telecommunication
(SWIFT) revelation that another bank was victimized using the same
modus operandi as that in the Bangladesh bank hack has the security
industry believing the SWIFT system is flawed and possibly still
vulnerable to another attack.
- Not OK, data on 70K OKCupid users exposed - A database consisting
of the identities of nearly 70,000 users of dating website OKCupid
has been published on the internet.
- Japanese teen's DoS attack takes out 444 school websites - A
Japanese teenager was charged on May 11 for allegedly launching a
DoS attack against the Osaka Board of Education, which shut down 444
- Vietnamese bank thwarts hack made through SWIFT messaging system -
Vietnam's Tien Phong Bank came forward claiming to be the second
bank that was attacked with a fake message sent through The Society
for Worldwide Interbank Financial Telecommunication (SWIFT)
- Hacker doxes Nulled cybercrime forum, exposes data on 536,000 user
accounts - An unidentified hacker turned the tables on Nulled.io, a
popular online forum that facilitates cybercriminal activity, by
compromising its website and publicly dumping its sensitive user
data and communications.
- 117 million LinkedIn email credentials found for sale on the dark
web - The 2012 LinkedIn data breach may be the breach that just
keeps on giving with the news that 117 million customer email
credentials originating from that hack were found for sale on the
dark web prompting the professional social network to invalidate the
- Children's National Health System breached, data of 4K patients
compromised - More than 4,000 patients of Washington, D.C.-based
Children's National Health System (CNHS) received notices of a data
breach following a former vendor disclosing patient health
information on an FTP site viewable on the web.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Fair Housing Act
A financial institution that advertises on-line credit products
that are subject to the Fair Housing Act must display the Equal
Housing Lender logotype and legend or other permissible disclosure
of its nondiscrimination policy if required by rules of the
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Token Systems (1 of 2)
Token systems typically authenticate the token and assume that the
user who was issued the token is the one requesting access. One
example is a token that generates dynamic passwords every X seconds.
When prompted for a password, the user enters the password generated
by the token. The token's password - generating system is identical
and synchronized to that in the system, allowing the system to
recognize the password as valid. The strength of this system of
authentication rests in the frequent changing of the password and
the inability of an attacker to guess the seed and password at any
point in time.
Another example of a token system uses a challenge/response
mechanism. In this case, the user identifies him/herself to the
system, and the system returns a code to enter into the password -
generating token. The token and the system use identical logic and
initial starting points to separately calculate a new password. The
user enters that password into the system. If the system's
calculated password matches that entered by the user, the user is
authenticated. The strengths of this system are the frequency of
password change and the difficulty in guessing the challenge, seed,
Other token methods involve multi - factor authentication, or the
use of more than one authentication method. For instance, an ATM
card is a token. The magnetic strip on the back of the card contains
a code that is recognized in the authentication process. However,
the user is not authenticated until he or she also provides a PIN,
or shared secret. This method is two - factor, using both something
the user has and something the user knows. Two - factor
authentication is generally stronger than single - factor
authentication. This method can allow the institution to
authenticate the user as well as the token.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.5 Elements of Effective System-Level Programs
Like the central computer security program, many factors influence
how successful a system-level computer security program is. Many of
these are similar to the central program. This section addresses
some additional considerations.
Security Plans. The Computer Security Act mandates that
agencies develop computer security and privacy plans for sensitive
systems. These plans ensure that each federal and federal interest
system has appropriate and cost-effective security. System-level
security personnel should be in a position to develop and implement
security plans. Chapter 8 discusses the plans in more detail.
System-Specific Security Policy. Many computer security
policy issues need to be addressed on a system-specific basis. The
issues can vary for each system, although access control and the
designation of personnel with security responsibility are likely to
be needed for all systems. A cohesive and comprehensive set of
security policies can be developed by using a process that derives
security rules from security goals, as discussed in Chapter 5.
Life Cycle Management. As discussed in Chapter 8, security must be
managed throughout a system's life cycle. This specifically includes
ensuring that changes to the system are made with attention to
security and that accreditation is accomplished.
Integration With System Operations. The system-level
computer security program should consist of people who understand
the system, its mission, its technology, and its operating
environment. Effective security management usually needs to be
integrated into the management of the system. Effective integration
will ensure that system managers and application owners consider
security in the planning and operation of the system. The system
security manager/officer should be able to participate in the
selection and implementation of appropriate technical controls and
security procedures and should understand system vulnerabilities.
Also, the system-level computer security program should be capable
of responding to security problems in a timely manner.
For large systems, such as a mainframe data center, the security
program will often include a manager and several staff positions in
such areas as access control, user administration, and contingency
and disaster planning. For small systems, such as an officewide
local-area-network (LAN), the LAN administrator may have adjunct
Separation From Operations. A natural tension often exists
between computer security and operational elements. In many
instances, operational components -- which tend to be far larger and
therefore more influential -- seek to resolve this tension by
embedding the computer security program in computer operations. The
typical result of this organizational strategy is a computer
security program that lacks independence, has minimal authority,
receives little management attention, and has few resources. As
early as 1978, GAO identified this organizational mode as one of the
principal basic weaknesses in federal agency computer security
programs. System-level programs face this problem most often.
This conflict between the need to be a part of system management
and the need for independence has several solutions. The basis of
many of the solutions is a link between the computer security
program and upper management, often through the central computer
security program. A key requirement of this setup is the existence
of a reporting structure that does not include system management.
Another possibility is for the computer security program to be
completely independent of system management and to report directly
to higher management. There are many hybrids and permutations, such
as co-location of computer security and systems management staff but
separate reporting (and supervisory) structures. Figure 6.4 presents
one example of placement of the computer security program within a
typical Federal agency.