- Report finds millions of firewall ports left open unnecessarily -
A survey of all the ports on the internet is designed to provide
decision-makers with the statistical information they need to make
informed decisions on engineering the internet - and reveals many,
many are open to hackers.
- U.S. Cyber Command struggles to retain top cybersecurity talent - At
U.S. Cyber Command, the top brass has made recruiting top talent a
leading priority, but those efforts have been slowed by challenges
in attracting and retaining the next generation of cyber warriors.
- U.S. warns banks on cyber threat after Bangladesh heist - U.S.
regulators on Tuesday told banks to review cyber-security
protections against fraudulent money transfers in the wake of
revelations that a hacking group used such messages to steal $81
million from the Bangladesh central bank.
- New device can allegedly clone 15 contactless bank cards a second -
The device, named the Contactless Infusion X5, can read any bank
card from 8cm away and will read 1024 bytes per second, equivalent
to 15 bank cards per second.
- 66% of IT pros think their companies' cyberincident response plans
are ineffective - Companies are failing to develop, update and
execute successful incident response plans in the event of a
- Monitoring of Medical Device Security to Be Scrutinized - OIG Also
Criticizes Washington State Health Insurance Exchange's Security
Measures - A federal watchdog agency has updated its priorities for
security-related reviews of Department of Health and Human Services'
agencies and programs this year.
- Panel Reaches Preliminary Agreement on Airliner Cybersecurity
Standards - Proposals include cockpit alerts in event that critical
safety systems are hacked - A panel of government and
aviation-industry experts has reached a preliminary agreement on
proposed cybersecurity standards for airliners, including the
concept of cockpit alerts in the event that critical safety systems
are hacked, according to people familiar with the matter.
- FBI "facing" questions over its facial recognition database - The
U.S. Government Accountability Office has a few questions it would
like the Federal Bureau of Investigation (FBI) to answer about its
facial recognition database that contains 411 million photos.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- University pays $20,000 to ransomware hackers - The University of
Calgary transferred 20,000 Canadian dollars' worth of bitcoins
($15,780; £10,840) after it was unable to unwind damage caused by a
type of attack known as ransomware.
- There’s the Beef: Wendy’s Breach Numbers About to Get Much Meatier -
When news broke last month that the credit card breach at fast food
chain Wendy’s impacted fewer than 300 out of the company’s 5,800
locations, the response from many readers was, “Where’s the Breach?”
Today, Wendy’s said the number of stores impacted by the breach is
“significantly higher” and that the intrusion may not yet be
- Louisiana grapples with hurricanes, gators, now a hacker who posted
data of 290K citizens on dark web - Looks like hurricanes, gators
and massive flooding aren't the only woes that Louisianans must
grapple with – now a hacker has put drivers' license and other
personal information on 290,000 of the bayou state's citizens for
sale on the dark web.
- South Korea thwarted massive cyberattack by North targeting
140,000 government and private systems - North Korea-based hackers
breached more than 140,000 computers of South Korean government
agencies and firms, and allegedly planted malicious software in the
- Russian hackers access Trump files in DNC hack - In the height of
a heated presidential election year, where the rhetoric about the
GOP and Democratic presumptive nominees has reached a fevered pitch,
Russian government hackers apparently broke into the Democratic
National Committee (DNC) computer system and accessed the party's
entire database on Republican candidate Donald Trump.
- Lone hacker reportedly takes credit for DNC intrusions, releases
opposition files on Trump - A lone hacker claimed responsibility
Wednesday for breaking into the Democratic National Committee (DNC)
computer systems last summer and allegedly released the contents of
the DNC's opposition research files on Republican presidential
candidate Donald Trump.
- Air Force loses 12 years of fraud, abuse investigation records -
The U.S. Air Force lost 12 years of records containing fraud and
abuse investigations from its inspector general and legislative
liaison offices as a result of a database crash last month.
- Access to 70,000 hacked servers sold on hacker marketplace;
industry reacts - Researchers discovered a hacker marketplace on the
Dark Web selling access to more than 70,000 hacked computer servers.
WEB SITE COMPLIANCE -
Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Public Key Infrastructure (Part 3 of 3)
When utilizing PKI policies and controls, financial institutions
need to consider the following:
! Defining within the certificate issuance policy the methods of
initial verification that are appropriate for different types of
certificate applicants and the controls for issuing digital
certificates and key pairs;
! Selecting an appropriate certificate validity period to minimize
transactional and reputation risk exposure - expiration provides an
opportunity to evaluate the continuing adequacy of key lengths and
encryption algorithms, which can be changed as needed before issuing
a new certificate;
! Ensuring that the digital certificate is valid by such means as
checking a certificate revocation list before accepting transactions
accompanied by a certificate;
! Defining the circumstances for authorizing a certificate's
revocation, such as the compromise of a user's private key or the
closure of user accounts;
! Updating the database of revoked certificates frequently, ideally
in real-time mode;
! Employing stringent measures to protect the root key including
limited physical access to CA facilities, tamper-resistant
security modules, dual control over private keys and the process of
signing certificates, as well as the storage of original and back-up
keys on computers that do not connect with outside networks;
! Requiring regular independent audits to ensure controls are in
place, public and private key lengths remain appropriate,
cryptographic modules conform to industry standards, and procedures
are followed to safeguard the CA system;
! Recording in a secure audit log all significant events performed
by the CA system, including the use of the root key, where each
entry is time/date stamped and signed;
! Regularly reviewing exception reports and system activity by the
CA's employees to detect malfunctions and unauthorized activities;
! Ensuring the institution's certificates and authentication
systems comply with widely accepted PKI standards to retain the
flexibility to participate in ventures that require the acceptance
of the financial institution's certificates by other CAs.
The encryption components of PKI are addressed more fully under
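The validity-period, revocation-check and signed-audit-log controls listed above, as an added example that is not from the FFIEC booklet or this newsletter: a Python model of the acceptance decision a relying application makes before honouring a transaction accompanied by a certificate. Certificates and the CRL are plain records rather than parsed X.509 (no DER parsing is attempted), the names Certificate, RevocationList, AuditLog, check_certificate and run_demo are this example's own, the serials, subjects and timestamps are constructed, and the audit log is sealed with an HMAC chain as a stand-in for the CA's signature so that it runs with the standard library only. The check fails closed: a CRL whose next_update has passed is treated as unusable rather than as proof of non-revocation, which is the operational consequence of the booklet's "update the revocation database frequently" point.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    """Hypothetical record standing in for a parsed X.509 certificate."""
    serial: str
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class RevocationList:
    """Revoked serials plus the CRL's own freshness window."""
    this_update: datetime
    next_update: datetime
    revoked: set[str] = field(default_factory=set)


class AuditLog:
    """Append-only log: each entry is timestamped and carries an HMAC that
    also covers the previous entry's MAC, so edits, deletions or reordering
    break verification (HMAC stands in for the CA's signature here)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, body: dict) -> str:
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, event: str, now: datetime, **details) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else ""
        body = {"ts": now.isoformat(), "event": event, "prev": prev, **details}
        body["mac"] = self._mac(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(
                    self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def check_certificate(cert: Certificate, crl: RevocationList,
                      now: datetime, log: AuditLog) -> tuple[bool, str]:
    """Decide whether a transaction accompanied by `cert` may be accepted.
    Fails closed: not-yet-valid or expired certificate, CRL past its
    next_update, or revoked serial all reject; every decision is logged."""
    if now < cert.not_before:
        reason = "not yet valid"
    elif now > cert.not_after:
        reason = "expired"
    elif now > crl.next_update:
        # Stale revocation data may be missing recent revocations.
        reason = "revocation data stale"
    elif cert.serial in crl.revoked:
        reason = "revoked"
    else:
        reason = "ok"
    accepted = reason == "ok"
    log.record("cert_check", now, serial=cert.serial, subject=cert.subject,
               accepted=accepted, reason=reason)
    return accepted, reason


# Constructed sample data for this example (not real certificates or CRLs).
NOW = datetime(2016, 6, 15, 12, 0, tzinfo=timezone.utc)
CRL = RevocationList(NOW - timedelta(hours=1), NOW + timedelta(hours=23), {"0x1003"})
# Same revocations, but the CRL's next_update has already passed.
STALE_CRL = RevocationList(CRL.this_update, NOW - timedelta(minutes=1), set(CRL.revoked))
CERTS = [
    Certificate("0x1001", "CN=teller-01", NOW - timedelta(days=30), NOW + timedelta(days=335)),
    Certificate("0x1002", "CN=teller-02", NOW - timedelta(days=400), NOW - timedelta(days=35)),
    Certificate("0x1003", "CN=teller-03", NOW - timedelta(days=10), NOW + timedelta(days=355)),
]


def run_demo(crl: RevocationList = CRL) -> tuple[dict[str, str], AuditLog]:
    """Check every sample certificate; return serial -> reason and the log."""
    log = AuditLog(key=b"demo-audit-key")  # placeholder key, example only
    results = {c.serial: check_certificate(c, crl, NOW, log)[1] for c in CERTS}
    return results, log


if __name__ == "__main__":
    for name, crl in (("fresh CRL", CRL), ("stale CRL", STALE_CRL)):
        results, log = run_demo(crl)
        print(name, results, "log verifies:", log.verify())
```

Run with the fresh CRL, the first certificate is accepted, the second is rejected as expired and the third as revoked; with the stale CRL the otherwise valid certificates are rejected because the revocation data cannot be trusted, while the expired one is still reported as expired since the validity window is checked first. Altering any logged decision after the fact makes verify() return False.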
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.3 Step 3:
Anticipating Potential Contingencies or Disasters
Although it is impossible to think of all the things that can go
wrong, the next step is to identify a likely range of problems. The
development of scenarios will help an organization develop a plan to
address the wide range of things that can go wrong.
Scenarios should include small and large contingencies. While some
general classes of contingency scenarios are obvious, imagination
and creativity, as well as research, can point to other possible,
but less obvious, contingencies. The contingency scenarios should
address each of the resources described above. The following are
examples of some of the types of questions that contingency
scenarios may address:
Human Resources: Can people get to work? Are key personnel
willing to cross a picket line? Are there critical skills and
knowledge possessed by one person? Can people easily get to an
Processing Capability: Are the computers harmed? What
happens if some of the computers are inoperable, but not all?
Automated Applications and Data: Has data integrity been
affected? Is an application sabotaged? Can an application run on a
different processing platform?
Computer-Based Services: Can the computers communicate? To
where? Can people communicate? Are information services down? For
Infrastructure: Do people have a place to sit? Do they have
equipment to do their jobs? Can they occupy the building?
Documents/Paper: Can needed records be found? Are they
Examples of Some Less Obvious Contingencies
1. A computer center in the basement of a building had a minor
problem with rats. Exterminators killed the rats, but the bodies
were not retrieved because they were hidden under the raised
flooring and in the pipe conduits. Employees could only enter the
data center with gas masks because of the decomposing rats.
2. After the World Trade Center explosion, when people reentered the
building, they turned on their computer systems to check for
problems. Dust and smoke damaged many systems when they were turned
on. If the systems had been cleaned first, there would not have been