- Federal Reserve under attack by hacker spies - The Federal Reserve
has been under constant attack by hackers since at least 2011,
including four attempts it labels as "espionage."
- House panel worried about cyberattacks on the Federal Reserve -
Republicans on the House Technology Committee are investigating the
Federal Reserve’s security practices, citing “serious concerns”
about the central bank’s ability to protect confidential
- US court says cops don't need a warrant for cell location data -
The case reverses a decision from last year - which may push the
case into the hands of the Supreme Court. Police do not need a
warrant to determine a suspect's location based off cell-site
information, an appeals court has ruled.
- SWIFT may prohibit banks with weak security from using its system
- In the wake of a series of cyberheists against banks
internationally, SWIFT is considering changes in its process of
allowing open access of its messaging service to financial
- GAO - Management Report: Areas for Improvement in the Federal
Reserve Banks' Information Systems Controls. Report:
- 93 percent of phishing emails contained ransomware - As
cybercriminals pursue methods that yield the most effective
near-term gains, phishing emails and ransomware prove an
irresistible cocktail for cybercriminals, as a new report
- 80% of retailers take payment card details by phone in unsecure
ways - Over a third of people have heard friends, colleagues and
even strangers sharing their full credit and debit card details in
public while on the phone.
- Fed directs banks to check for cyberattacks, shore up security
after SWIFT hacks - The Federal Reserve Bank issued a notice Tuesday
telling banks to assess their cybersecurity postures and search for
clues that they'd been victims of cyberattacks by the same group
that pulled off an $81 million cyber heist from the Bangladesh
Central Bank account at the Fed.
- 75% of UK consumers won't do biz with a company that has been
hacked - New research discovered that 73 percent of consumers in the
UK admit that it has become normal or expected for businesses to be
hacked, yet only half feel they are taking enough responsibility for
their customer's information security. The survey evaluated
responses from 2,400 people across the UK, Germany and the US.
- Hackers impersonate CEOs and CFOs most often during phishing
attack - All it takes is one of three words and impersonating the
correct executive to pull off a successful Business Email Compromise
- Morgan Stanley to pay $1M for failing to protect 730,000 customer
accounts - Morgan Stanley agreed to pay a $1 million fine to settle
a proceeding launched by the Securities and Exchange Commission
(SEC) alleging that the financial services giant failed to set up
adequate safeguards for customer data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Data of 40,000 Stamford Podiatry Group patients compromised -
Connecticut-based Stamford Podiatry Group is notifying patients that
medical and personal information was compromised in a recent
- Ransomware hits 10K Australians - At least 10,000 Australians have
been targeted in a ransomware campaign that lures recipients with an
email that appears to come from local energy company AGL.
- Credit Card Breach at CiCi’s Pizza - CiCi’s Pizza, an American
fast food business based in Coppell, Texas with more than 500 stores
in 35 states, appears to be the latest restaurant chain to struggle
with a credit card breach.
- HR vendor Empathia hit by potential breach - Human resources
third-party vendor Empathia announced a potential data breach
affecting its employee assistance program (EAP).
- NFL's Twitter account hacked, announces commissioner Goodell's
death - The NFL confirmed today that its Twitter account was hacked
today with a tweet being posted stating that league commissioner
Roger Goodell was dead.
- Phishing campaign steals bitcoins from Mt. Gox victims - As if
losing money in the Mt. Gox collapse wasn't bad enough, now many of
those victims are falling prey once again, this time to phishing
- A 'good neighbor' compromised State Farm customer data - State
Farm began alerting customers of a data security incident involving
a third-party vendor's misuse of customer personal and financial
- University of Calgary pays $15,000 ransom to recover data - Ten
days after a malware attack crippled the University of Calgary's
computer system, school officials reported that it paid a $20,000 CDN,
or $15,7492 U.S., ransom to regain access.
WEB SITE COMPLIANCE - (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Public Key Infrastructure (Part 2 of 3)
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belongs to a specific user or system. It
is important when issuing a digital certificate that the
registration process for initially verifying the identity of users
is adequately controlled. The CA attests to the individual user's
identity by signing the digital certificate with its own private
key, known as the root key. Each time the user establishes a
communication link with the financial institution's systems, a
digital signature is transmitted with a digital certificate. These
electronic credentials enable the institution to determine that the
digital certificate is valid, identify the individual as a user, and
confirm that transactions entered into the institution's computer
system were performed by that user.
The user's private key exists electronically and is susceptible to
being copied over a network as easily as any other electronic file.
If it is lost or compromised, the user can no longer be assured that
messages will remain private or that fraudulent or erroneous
transactions would not be performed. User AUPs and training should
emphasize the importance of safeguarding a private key and promptly
reporting its compromise.
PKI minimizes many of the vulnerabilities associated with passwords
because it does not rely on shared secrets to authenticate
customers, its electronic credentials are difficult to compromise,
and user credentials cannot be stolen from a central server. The
primary drawback of a PKI authentication system is that it is more
complicated and costly to implement than user names and passwords.
Whether the financial institution acts as its own CA or relies on a
third party, the institution should ensure its certificate issuance
and revocation policies and other controls discussed below are
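As an added example (not code from the booklet or this newsletter), the Go program below models the exchange described above: the CA signs a user's certificate with its root key, the user signs a transaction with the private key, and the institution checks both that the certificate chains to its trusted root and that the signature verifies under the certified public key. The names, the Ed25519 key type and the sample transaction are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue binds name to pub in a certificate signed by signer; parent == nil means self-signed (the CA's own root certificate).
func issue(name string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent = tmpl } // self-signed root: the CA attests to its own key
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// verifyTransaction is the institution's check on each submitted transaction: chain to the trusted root, then verify the signature.
func verifyTransaction(root, presented *x509.Certificate, tx, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return false // not issued by our CA (or outside its validity period): credential not trusted
	}
	pub, ok := presented.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, tx, sig) // only the holder of the matching private key passes
}

// demo enrolls one user under the bank's CA (assumed names) and returns the outcome of three checks.
func demo() (genuine, wrongKey, notIssuedByCA bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherKey, _ := ed25519.GenerateKey(rand.Reader) // a key pair the CA never vetted
	root := issue("Bank Root CA", caPub, nil, caKey, true)
	userCert := issue("alice", userPub, root, caKey, false) // registration completed, CA signs with its root key
	tx := []byte("transfer 100.00 from 1234 to 5678") // constructed sample transaction
	sig := ed25519.Sign(userKey, tx)
	badSig := ed25519.Sign(otherKey, tx) // produced without alice's private key
	rogueCert := issue("alice", otherPub, nil, otherKey, false) // self-issued, claims to be alice
	genuine = verifyTransaction(root, userCert, tx, sig)
	wrongKey = verifyTransaction(root, userCert, tx, badSig)
	notIssuedByCA = verifyTransaction(root, rogueCert, tx, badSig)
	return
}
```

The third check shows why registration control matters: a credential that merely claims a user's name is rejected because the institution's CA never attested to it, while the second shows that possession of the certificate alone, without the private key, is worthless to an impostor.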
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1: Identifying the Mission- or Business-Critical Function
Protecting the continuity of an organization's mission or business
is very difficult if it is not clearly identified. Managers need to
understand the organization from a point of view that usually
extends beyond the area they control. The definition of an
organization's critical mission or business functions is often
called a business plan.
Since the development of a business plan will be used to support
contingency planning, it is necessary not only to identify critical
missions and businesses, but also to set priorities for them. A
fully redundant capability for each function is prohibitively
expensive for most organizations. In the event of a disaster,
certain functions will not be performed. If appropriate priorities
have been set (and approved by senior management), it could mean the
difference in the organization's ability to survive a disaster.
11.2 Step 2: Identifying the Resources That Support Critical
After identifying critical missions and business functions, it is
necessary to identify the supporting resources, the time frames in
which each resource is used (e.g., is the resource needed constantly
or only at the end of the month?), and the effect on the mission or
business of the unavailability of the resource. In identifying
resources, a traditional problem has been that different managers
oversee different resources. They may not realize how resources
interact to support the organization's mission or business. Many of
these resources are not computer resources. Contingency planning
should address all the resources needed to perform a function,
regardless of whether they directly relate to a computer.
The analysis of needed resources should be conducted by those who
understand how the function is performed and the dependencies of
various resources on other resources and other critical
relationships. This will allow an organization to assign priorities
to resources since not all elements of all resources are crucial to
the critical functions.