- US military data reportedly left on unsecured Amazon server -
Defense contractor Booz Allen Hamilton is linked to an account that
contained login credentials for other data repositories.
Innovation versus cybersecurity: Survival hangs in the balance -
Reaction was swift and vociferous last year when note-taking app
to read users' content in order to test and support new
machine-learning and automation capabilities.
Carnegie Mellon releases ransomware best practices - Carnegie
Mellon's Software Engineering Institute released a set of Best
Practices for ransomware prevention and response.
China's controversial cybersecurity law goes into effect - China's
new cybersecurity law went into effect on June 1, subjecting
companies to stringent data privacy and protection guidelines, even
as key questions linger around how it will be enforced, how easily
businesses will be able to comply, and how much compliance will
Supreme Court will take up first cellphone data location case - The
Supreme Court will hear its first case on cell phone location data
involving the government got months of phone location records of a
robbery suspect from cellphone companies without a warrant showing
Federal task force: Here's how to fix healthcare cybersecurity - A
federal task force released its long-awaited cybersecurity
recommendations report Friday evening.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- OneLogin breached, passwords possibly compromised - The password
management firm OneLogin reported an unauthorized person gained
access to its U.S. data base possibly compromising all the stored
records and bringing to the forefront the fact that such login
credential repositories are prime targets for hackers.
OneLogin hacker swiped AWS keys, can decrypt stolen data - OneLogin
is reporting its recent data breach was made possible when a hacker
obtained access to a set of Amazon Web Service keys through a
Hackers post plastic surgery clinic's patient files after blackmail
campaign - Hackers on Tuesday publicly posted more than 25,000 files
and private images stolen from a Lithuanian plastic surgery clinic,
including nude and "before-and-after" photos, after attempting to
financially extort the medical facility and its clients, according
to multiple reports.
Kmart hit with second POS breach in three years - Kmart experienced
a point of sale data breach that has affected an undisclosed number
of stores and customers, its second breach in three years.
Data incident at Stephenville Medical & Surgical Clinic in Texas -
When an administrator at Stephenville Medical & Surgical Clinic, in
Stephenville, Texas, received a request for a blank medical record
release form on May 19, the unnamed employee in the Medical Records
Department sent instead a spreadsheet containing data on former
patients, according to an article in the Stephenville
Phishing scam compromises data on 25,000 individuals at University
of Alaska - A phishing scam in December 2016 resulted in a data
breach at the University of Alaska, affecting around 25,000
students, staff and faculty members, according to a report on
Wednesday by local Anchorage NBC affiliate KTUU.
NSA contractor Reality Winner accused of leaking NSA documents on
election hack - A National Security Agency contractor has been
accused of leaking classified information pertaining to possible
Russian interference in the 2016 election and transmitting it to a
Subaru WRX STI hacked, eight vulnerabilities spotted - Independent
researcher Aaron Guzman spotted eight software vulnerabilities in
2017 Subaru WRX STI which could allow unauthorized users to unlock
doors, honk horns, gain vehicle location history and other issues
stemming from the car's Starlink account.
Up to 'old' tricks: Hackers compromise Stanford University 'Biology
of Aging" website for months - A Stanford University website was
reportedly compromised for four months without detection, allowing
hackers to abuse it to host malicious web shells, phishing kits and
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (3of 12)
of an Incident Response Program
Although the specific content of an IRP will differ among financial
institutions, each IRP should revolve around the minimum procedural
requirements prescribed by the Federal bank regulatory agencies.
Beyond this fundamental content, however, strong financial
institution management teams also incorporate industry best
practices to further refine and enhance their IRP. In general, the
overall comprehensiveness of an IRP should be commensurate with an
institution's administrative, technical, and organizational
The minimum required procedures addressed in the April 2005
interpretive guidance can be categorized into two broad areas:
"reaction" and "notification." In general, reaction procedures are
the initial actions taken once a compromise has been identified.
Notification procedures are relatively straightforward and involve
communicating the details or events of the incident to interested
parties; however, they may also involve some reporting
requirements. Below lists the minimum required procedures of an IRP
as discussed in the April 2005 interpretive guidance.
Develop reaction procedures for:
1) assessing security incidents that have occurred;
2) identifying the customer information and information systems
that have been accessed or misused; and
3)containing and controlling the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious
Activity Reports [SARs], if necessary); and
3) affected customers.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their
operations. Although outsourcing arrangements often provide a cost -
effective means to support the institution's technology needs, the
ultimate responsibility and risk rests with the institution.
Financial institutions are required under Section 501(b) of the GLBA
to ensure service providers have implemented adequate security
controls to safeguard customer information. Supporting interagency
guidelines require institutions to:
! Exercise appropriate due diligence in selecting service
! Require service providers by contract to implement appropriate
security controls to comply with the guidelines, and
! Monitor service providers to confirm that they are maintaining
those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in
all TSP relationships based on the level of access to systems or
data for safety and soundness reasons, in addition to the privacy
Financial institutions should determine the following security
considerations when selecting or monitoring a service provider:
! Service provider references and experience,
! Security expertise of TSP personnel,
! Background checks on TSP personnel,
! Contract assurances regarding security responsibilities and
! Nondisclosure agreements covering the institution's systems and
! Ability to conduct audit coverage of security controls or
provisions for reports of security testing from independent third
! Clear understanding of the provider's security incidence
response policy and assurance that the provider will communicate
security incidents promptly to the institution when its systems or
data were potentially compromised.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1:
Identifying the Mission- or Business-Critical Function
Protecting the continuity of an organization's mission or business
is very difficult if it is not clearly identified. Managers need to
understand the organization from a point of view that usually
extends beyond the area they control. The definition of an
organization's critical mission or business functions is often
called a business plan.
Since the development of a business plan will be used to support
contingency planning, it is necessary not only to identify critical
missions and businesses, but also to set priorities for them. A
fully redundant capability for each function is prohibitively
expensive for most organizations. In the event of a disaster,
certain functions will not be performed. If appropriate priorities
have been set (and approved by senior management), it could mean the
difference in the organization's ability to survive a disaster.
11.2 Step 2: Identifying the Resources That Support Critical
After identifying critical missions and business functions, it is
necessary to identify the supporting resources, the time frames in
which each resource is used (e.g., is the resource needed constantly
or only at the end of the month?), and the effect on the mission or
business of the unavailability of the resource. In identifying
resources, a traditional problem has been that different managers
oversee different resources. They may not realize how resources
interact to support the organization's mission or business. Many of
these resources are not computer resources. Contingency planning
should address all the resources needed to perform a function,
regardless whether they directly relate to a computer.
The analysis of needed resources should be conducted by those who
understand how the function is performed and the dependencies of
various resources on other resources and other critical
relationships. This will allow an organization to assign priorities
to resources since not all elements of all resources are crucial to
the critical functions.