- NIST Asks for Input on Building Secure Software - The draft
framework is intended to both instruct developers on building safe
tech and help IT buyers, like the government, know which companies
they can trust.
Securing multi-cloud environments: assurance through consistency -
Meeting the security and compliance needs across different cloud
service providers (CSP), and an organizationís own data center,
remains a thorny challenge.
Lake City recovering from ransomware attack - Lake City, Fla. has
started to recover from a June 10 ransomware attack that knocked out
its email and online payment systems.
Medical cybersecurity execs may have priorities misplaced, study - A
recent study sought out how the healthcare industry is dealing with
the increasing number of cyberattacks targeting patient data found
those charged with securing the data may have their priorities
Information on Airline IT Outages - Airline information technology
systems help keep people moving. An IT outage, however, can lead to
delayed flights, long lines, lost baggage, and more. We looked into
how often airline IT outages occur, their effects, and what causes
SEC security alert warns about misconfigured NAS, DBs, and cloud
storage servers - A security risk alert sent out by the US
Securities and Exchange Commission warns companies, especially
broker-dealers and investment firms, about the dangers of storing
customer information on network storage solutions -- such as NAS
devices, database servers, and cloud storage accounts.
Federal agencies still using insecure knowledge-based verification
for online services - A performance audit of six U.S. government
agencies found that four of them are still using knowledge-based
questions to verify the identities of individuals applying for
federal benefits or services, even though this practice is
considered outdated and insecure, especially in light of the 2017
Equifax breach impacted the online ID verification process at many
US govt agencies - Impacted agencies include the Centers for
Medicare and Medicaid Services (CMS), the Social Security
Administration (SSA), the US Postal Service (USPS), and the
Department of Veterans Affairs (VA).
Data breach forces AMCAís parent firm to file Chapter 11 bankruptcy
- The medical bill collection firm Retrieval-Masters Creditors
Bureau Inc. has filed for Chapter 11 bankruptcy protection citing
the fallout from a massive data breach that exposed the information
of millions of patients.
ACLU tells Ga. Supreme Court Fourth Amendment should apply to
personal data stored by cars - Fourth Amendment protections should
apply to personal data in a carís Event Data Recorder, the American
Civil Liberties Union (ACLU) will argue before the Georgia Supreme
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Spirit AeroSystems confirms ASCO Industries cyberattack - Reports
that Belgian aerospace manufacturer ASCO Industries has shuttered
several factories due to a ransomware attack on June 7 is certainly
news, but what is causing even more raised eyebrows is the companyís
almost complete silence on the issue.
Evite hit with data breach - Online invitation company Evite
announced it was affected by a data breach involving the
unauthorized access of customer information.
Exposed database reveals personal information of 1.6 million job
seekers - An unsecured database of personal information, including
phone numbers, salary expectations and openness to new job
opportunities, of about 1.6 million job seekers from around the
world has been discovered online, according to research published
EatStreet data breach affecting diners, restaurants and delivery
firms - The online food ordering and delivery service EatStreet
informed its customers and partners that it suffered a data breach
exposing a variety of personal data including payment card
A. Duie Pyle knocked offline by ransomware, goes extra mile to keep
customers informed - The Pennsylvania trucking firm A. Duie Pyle was
hit with a ransomware attack over the weekend and even though the
majority of its online communications capabilities were knocked
offline, the company made sure to post updates for customers on its
Ransomware attack on software company ResiDex may have exposed data
on assisted-living residents, workers - Personal information
belonging to residents and employees of multiple assisted living
facilities were potentially exposed in an April 2019 cyberattack
that infected third-party software company Tenx Systems, LLC with
645,000 Oregonians affected in previously disclosed Dept. of Human
Services breach - Oregonís Department of Human Services (DHS) is in
the process of mailing notifications to roughly 645,000 of its
reportedly 1.6 million clients, following a data breach incident
last January that resulted from a phishing scam.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 10:
Banks should take appropriate measures to preserve the
confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure
1) All confidential bank data and records are only accessible by
duly authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner
and protected from unauthorized viewing or modification during
transmission over public, private or internal networks.
3) The bank's standards and controls for data use and protection
must be met when third parties have access to the data through
4) All access to restricted data is logged and appropriate
efforts are made to ensure that access logs are resistant to
the top of the newsletter
FFIEC IT SECURITY -
continue our series on the FFIEC interagency Information Security
SECURITY CONTROLS -
IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access controls include the following
! Ensure system administrators and security professionals have
adequate expertise to securely configure and manage the operating
! Ensure effective authentication methods are used to restrict
system access to both users and applications.
! Activate and utilize operating system security and logging
capabilities and supplement with additional security software where
supported by the risk assessment process.
! Restrict operating system access to specific terminals in
physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals
residing outside physically secure locations.
! Restrict and log access to system utilities, especially those
with data altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions,
where feasible, and at a minimum require strong authentication and
encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating
systems and grant only the minimum level of access required to
perform routine responsibilities.
! Segregate operating system access, where possible, to limit full
or root - level access to the system.
! Monitor operating system access by user, terminal, date, and
time of access.
! Update operating systems with security patches and using
appropriate change control mechanisms.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
HGA's systems also are
exposed to several other threats that, for reasons of space, cannot
be fully enumerated here. Examples of threats and HGA's assessment
of their probabilities and impacts include those listed in the table
HGA has numerous
policies and procedures for protecting its assets against the above
threats. These are articulated in HGA's Computer Security Manual,
which implements and synthesizes the requirements of many federal
directives, such as Appendix III to OMB Circular A-130, the Computer
Security Act of 1987, and the Privacy Act. The manual also includes
policies for automated financial systems, such as those based on OMB
Circulars A-123 and A-127, as well as the Federal Manager's
Financial Integrity Act.
Several examples of
those policies follow, as they apply generally to the use of
administration of HGA's computer system and specifically to security
issues related to time and attendance, payroll, and continuity of
Examples of Threats to HGA Systems
Accidental Loss/Release of Disclosure-Sensitive Information
Accidental Destruction of Information
of Information due to Virus Contamination
of System Resources
Unauthorized Access to Telecommunications Resources *
operates a PBX system, which may be vulnerable to (1) hacker
disruptions of PBX availability and, consequently, agency
operations, (2) unauthorized access to outgoing phone lines
for long-distance services, (3) unauthorized access to
stored voice-mail messages, and (4) surreptitious access to
otherwise private conversations/data transmissions.