- Banks fail to innovate, blaming info security fears, report -
Senior executives at retail banks are motivated to begin making new
offerings available, but are held back by cyber security concerns,
according to a new study.
- SEC warns cybersecurity is biggest threat to financial system -
The chair of the US Securities and Exchange Commission (SEC), Mary
Jo White, has warned that the biggest risk the financial system
faces is cybersecurity.
- Federal Acquisition Regulation; Basic Safeguarding of Contractor
Information Systems - DoD, GSA, and NASA are issuing a final rule
amending the Federal Acquisition Regulation (FAR) to add a new
subpart and contract clause for the basic safeguarding of contractor
information systems that process, store or transmit Federal contract
- Computer science teachers need cybersecurity education says CSTA
industry group - The Computer Science Teachers Association (CSTA) is
working on a cybersecurity certification program for computer
science educators, so they can better teach students -
- Russian students come out on top at international programming
finals - A trio of students from St Petersburg State University in
Russia have been dubbed world champions in the 40th annual ACM
International Collegiate Programming Contest (ICPC) finals.
- After trio of hacks, SWIFT addresses information sharing concerns
- On the heels of published reports of a cyberattack last year in
which hackers stole $9 million from an Ecuadorean bank, the Society
for Worldwide Interbank Financial Telecommunication (SWIFT) has
issued a statement to its customers stating that the financial
messaging system is taking steps to create more information sharing
practices among its customers.
- Japan to Create Cyber-Defense Government Agency to Protect SCADA
Infrastructures - Japanese officials are considering creating a new
government agency that will be tasked with protecting critical
infrastructure against cyber-attacks.
- Information Technology: Federal Agencies Need to Address Aging
Legacy Systems. GAO-16-468, May 25
- US GAO finds nukes are controlled by computer from the 1970s - The
United States Government Accountability Office has released a report
showing the dire state of the US Government's IT infrastructure.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Spoofing scam goes for the steal, scores Milwaukee Bucks' W-2
forms - Basketball fans have heard of the “Hack-a-Shaq” strategy.
But yesterday, the NBA's Milwaukee Bucks franchise publicly
acknowledged that the entire team was hacked - by a cybercriminal,
- Japan ATM scam using fraudulent cards nets $12.7m - Cash worth
1.4bn yen ($13m; £8.8m) has been taken from cash machines in Japan
using credit cards created with data stolen from a South African
- Hackers steal $2M in Bitcoin and other digital currency -
Cybercriminals made off with the equivalent of $2 million in Bitcoin
and Ethereum, a Bitcoin rival, from the Hong Kong-based digital
exchange and trading platform Gatecoin.
- Malware detected on network of Swiss defense contractor -
Researchers at Switzerland's CERT (Computer Emergency Readiness
Team) found malware on the network of Ruag, a Switzerland-based
defense contractor which supplies the nation's military.
- Russian bank app changes password when users attempt removal -
Researchers discovered a Russian fake banking application that can
evade detection by changing a device's password if the victim tries
to remove the app.
WEB SITE COMPLIANCE -
Financial institutions advertising or selling non-deposit
investment products on-line should ensure that consumers are
informed of the risks associated with non-deposit investment
products as discussed in the "Interagency Statement on Retail Sales
of Non Deposit Investment Products." On-line systems should comply
with this Interagency Statement, minimizing the possibility of
customer confusion and preventing any inaccurate or misleading
impression about the nature of the non-deposit investment product or
its lack of FDIC insurance.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi-factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non-token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure, and
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue our series on the National Institute of Standards and
Technology handbook.
Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
6.6 Central and System-Level Program Interactions
A system-level program that is not integrated into the
organizational program may have difficulty influencing significant
areas affecting security. The system-level computer security program
implements the policies, guidance, and regulations of the central
computer security program. The system-level office also learns from
the information disseminated by the central program and uses the
experience and expertise of the entire organization. The
system-level computer security program further distributes
information to systems management as appropriate.
Communications, however, should not be just one way. System-level
computer security programs inform the central office about their
needs, problems, incidents, and solutions. Analyzing this
information allows the central computer security program to
represent the various systems to the organization's management and
to external agencies and advocate programs and policies beneficial
to the security of all the systems.
The general purpose of the computer security program, to improve
security, causes it to overlap with other organizational operations
as well as the other security controls discussed in the handbook.
The central or system computer security program will address most
controls at the policy, procedural, or operational level.
Policy. Policy is issued to establish the computer security
program. The central computer security program(s) normally produces
policy (and supporting procedures and guidelines) concerning general
and organizational security issues and often issue-specific policy.
However, the system-level computer security program normally
produces policy for that system. Chapter 5 provides additional
Life Cycle Management. The process of securing a system over
its life cycle is the role of the system-level computer security
program. Chapter 8 addresses these issues.
Independent Audit. The independent audit function should
complement a central computer security program's compliance
6.8 Cost Considerations
This chapter discussed how an organization-wide computer security
program can manage security resources, including financial
resources, more effectively. The cost considerations for a
system-level computer security program are more closely aligned with
the overall cost savings in having security.
The most significant direct cost of a computer security program is
personnel. In addition, many programs make frequent and effective
use of consultants and contractors. A program also needs funds for
training and for travel, oversight, information collection and
dissemination, and meetings with personnel at other levels of
computer security management.