- Boards hold CEO most accountable when breaches occur - The
resignation of Target's chief executive officer (CEO) and chief
information officer (CIO) following the company's data breach in
2014 may mirror board members' attitudes about who is responsible
for cyber incidents, according to a survey released last Thursday by
Veracode and the New York Stock Exchange.
- IRS Breach Exposes 100,000 Taxpayers' Tax Returns, Other Data -
Online 'Get Transcript' service accessed from February to mid-May.
Tax returns of more than 100,000 U.S. taxpayers have been exposed in
a breach of the Internal Revenue Service's online "Get Transcript"
service, the IRS reported today.
- Insurer tells hospitals: You let hackers in, we're not bailing you
out - IT departments better pick up their game – like not leaving
anon FTP open to the world - When hackers swiped 32,500 patient
records from Cottage Healthcare System, it was sued by its own
customers for $4.1m – a bill that was settled by its insurers.
- A Closer Look at Claims of Hacking Commercial Aircraft - When
security researcher Chris Roberts was removed from a United fight
last month after tweeting a joke about hacking the plane’s inflight
entertainment system, the security community was aghast at the FBI’s
over-reaction and United’s decision to ban him from a subsequent
- After breach, credit bureaus, Maine AG reach settlement - After a
March breach in which 312 envelopes containing confidential credit
information about others was sent by Equifax to a woman in Maine,
three nationwide credit reporting agencies have agreed to a
settlement with the state which requires them to change their
business practices, including tightening security and responding
more quickly to consumers experiencing identity theft or fraud.
- Florida teacher suspended without pay for using cell phone jammer
in class - A Florida high school teacher was suspended without pay
for keeping a signal jammer in his class to prevent students from
using their cell phones.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Beauty confirms malware on POS systems - After confirming earlier
this month that an illegal intrusion into its payment card systems
had occurred, Texas-based international beauty supplies retailer
Sally Beauty announced on Thursday that malware was deployed on some
of its point-of-sale (POS) systems at varying times between March 6
and April 17.
blunder, Woolworths cancels $1M worth of gift cards - Australian
supermarket chain Woolworths canceled and re-issued more than $1.3
million (AU) worth of e-gift cards, following an email blunder that
revealed the details of thousands of customers and exposed codes for
nearly 8,000 shopping vouchers.
national pension fund breach affects 1.25M - A recent attack on
Japan's national pension system compromised the information -
including names, pension identification numbers, addresses and birth
dates - of more than 1.25 million people, according to a report in
the Wall Street Journal.
risk following theft of Heartland Payment Systems computers -
Heartland Payment Systems is notifying an undisclosed number of
individuals that password protected computers possibly containing
their personal information were among the items stolen from a
Heartland office in California.
confirms software brought down A400M transport plane -
Badly-configured software, that is, not badly-written software -
Airbus has confirmed the crash that stalled its A400M program was
caused by engine control software.
skimming at Virginia Credit Union ATMs - Virginia Credit Union is
notifying members that card skimming occurred at several of its ATMs
and roughly 2,000 debit cards have been determined to be vulnerable
to potential fraud.
Recovery Group client data improperly disclosed - Florida-based
Unity Recovery Group is notifying clients and/or potential clients
that their personal information was improperly disclosed to one or
more recovery and/or rehabilitation service providers that are
unaffiliated with Unity.
tactic allows cyber criminals to enter healthcare networks
undetected - This year has already been marked by data breaches at
multiple major healthcare organizations, including CareFirst
BlueCross BlueShield and Anthem.
Beacon payment card processing systems compromised - Hotel Beacon in
New York City is notifying an undisclosed number of individuals that
the security of its payment card processing systems was compromised
by a third-party intruder.
of Personnel Management suffers major breach - The Associated Press
reported on Thursday that the White House administration and other
government entities are investigating a massive data breach at the
U.S. Office of Personnel Management (OPM).
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes
(Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
! A financial institution's Web page should never be accessed
from a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "book mark" that directs the Web browser to the financial
institution's Web site.
! A financial institution should not be sending e-mail
messages that request confidential information, such as account
numbers, passwords, or PINs. Financial institution customers should
be reminded to report any such requests to the institution.
! Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
the top of the newsletter
FFIEC IT SECURITY
This concludes our coverage of
the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Part III. Risks Associated with Both Internal Wireless Networks and
Wireless Internet Devices
Evolution and Obsolescence
As the wireless technologies available today evolve, financial
institutions and their customers face the risk of current
investments becoming obsolete in a relatively short time. As
demonstrated by the weaknesses in WEP and earlier versions of WAP
and the changes in standards for wireless technologies, wireless
networking as a technology may change significantly before it is
considered mature. Financial institutions that invest heavily in
components that may become obsolete quickly may feel the cost of
adopting an immature technology.
Controlling the Impact of Obsolescence
Wireless internal networks are subject to the same types of
evolution that encompass the computing environment in general. Key
questions to ask a vendor before purchasing a wireless internal
network solution include:
1) What is the upgrade path to the next class of network?
2) Do the devices support firmware (Flash) upgrades for
security patches and upgrades?
3) How does the vendor distribute security information and
The financial institution should also consider the evolving
standards of the wireless community. Before entering into an
expensive implementation, the institution should research when the
next major advances in wireless are likely to be released. Bank
management can then make an informed decision on whether the
implementation should be based on currently available technology or
a future implementation based on newer technology.
The potential obsolescence of wireless customer access can be
controlled in other ways. As the financial institution designs
applications that are to be delivered through wireless devices, they
should design the application so that the business logic is not tied
to a particular wireless technology. This can be accomplished by
placing the majority of the business logic on back-end or mid-tier
servers that are independent of the wireless application server. The
wireless application server then becomes a connection point between
the customer and the transactions performed. As the institution
decides to upgrade or replace the application server, the business
logic can remain relatively undisturbed.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Protection Against Payroll Fraud and Errors: Time and Attendance
Application (2 of 2)
The frequency of data
entry errors is reduced by having Time and Attendance clerks enter
each time sheet into the time and attendance application twice. If
the two copies are identical, both are considered error free, and
the record is accepted for subsequent review and approval by a
supervisor. If the copies are not identical, the discrepancies are
displayed, and for each discrepancy, the clerk determines which copy
is correct. The clerk then incorporates the corrections into one of
the copies, which is then accepted for further processing. If the
clerk makes the same data-entry error twice, then the two copies
will match, and one will be accepted as correct, even though it is
erroneous. To reduce this risk, the time and attendance application
could be configured to require that the two copies be entered by
In addition, each
department has one or more Time and Attendance Supervisors who are
authorized to review these reports for accuracy and to approve them
by running another server program that is part of the time and
attendance application. The data are then subjected to a collection
of "sanity checks" to detect entries whose values are outside
expected ranges. Potential anomalies are displayed to the supervisor
prior to allowing approval; if errors are identified, the data are
returned to a clerk for additional examination and corrections.
When a supervisor
approves the time and attendance data, this application logs into
the interagency mainframe via the WAN and transfers the data to a
payroll database on the mainframe. The mainframe later prints
paychecks or, using a pool of modems that can send data over phone
lines, it may transfer the funds electronically into
employee-designated bank accounts. Withheld taxes and contributions
are also transferred electronically in this manner.
The Director of
Personnel is responsible for ensuring that forms describing
significant payroll-related personnel actions are provided to the
Payroll Office at least one week before the payroll processing date
for the first affected pay period. These actions include hiring,
terminations, transfers, leaves of absences and returns from such,
and pay raises.
The Manager of the
Payroll Office is responsible for establishing and maintaining
controls adequate to ensure that the amounts of pay, leave, and
other benefits reported on pay stubs and recorded in permanent
records and those distributed electronically are accurate and
consistent with time and attendance data and with other information
provided by the Personnel Department. In particular, paychecks must
never be provided to anyone who is not a bona fide, active-status
employee of HGA. Moreover, the pay of any employee who terminates
employment, who transfers, or who goes on leave without pay must be
suspended as of the effective date of such action; that is, extra
paychecks or excess pay must not be dispersed.
Accidental Corruption or Loss of Payroll Data
The same mechanisms
used to protect against fraudulent modification are used to protect
against accidental corruption of time and attendance data -- namely,
the access-control features of the server and mainframe operating
Operations Group) nightly backups of the server's disks protect
against loss of time and attendance data. To a limited extent, HGA
also relies on mainframe administrative personnel to back up time
and attendance data stored on the mainframe, even though HGA has no
direct control over these individuals. As additional protection
against loss of data at the mainframe, HGA retains copies of all
time and attendance data on line on the server for at least one
year, at which time the data are archived and kept for three years.
The server's access controls for the on-line files are automatically
set to read-only access by the time and attendance application at
the time of submission to the mainframe. The integrity of time and
attendance data will be protected by digital signatures as they are
communications protocols also protect against loss of data during
transmission from the server to the mainframe (e.g., error
checking). In addition, the mainframe payroll application includes a
program that is automatically run 24 hours before paychecks and pay
stubs are printed. This program produces a report identifying
agencies from whom time and attendance data for the current pay
period were expected but not received. Payroll department staff are
responsible for reviewing the reports and immediately notifying
agencies that need to submit or resubmit time and attendance data.
If time and attendance input or other related information is not
available on a timely basis, pay, leave, and other benefits are
temporarily calculated based on information estimated from prior pay