- Our cybersecurity testing meets
the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense.
To receive due diligence information, agreement and, cost saving fees,
please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.
- Feds' cyber security woes can't all be blamed on legacy systems -
Creaky systems that can't use the latest encryption are merely one
item in a cyber security mess that took decades to create. The
legacy computer systems at the Office of Personnel Management were
too old and creaky to use encryption or sufficiently protect data.
That argument surfaced in a House Oversight and Government Reform
Committee hearing, but there are plenty of other security issues to
take the blame.
- Canadian police arrest nine men in 'romance fraud' scheme -
Canadian police arrested nine suspects earlier this week in
connection to a romance fraud ring that cost victims $1.5 million.
- Secret Service agent pleads guilty for pocketing $820K from Silk
Road - A former Secret Service agent agreed Wednesday to plead
guilty to stealing $820,000 worth of Bitcoin during the Silk Road
- Three NM teens indicted for cyberattack on baby formula website -
Three New Mexico teens were indicted after instigating a cyber
attack against the Enfamil baby formula website from their school
computer. They're facing felony charges of computer abuse and
conspiracy, according to the Albuquerque Journal.
- Hackers had access to security clearance data for a year - The
U.S. government still isn't saying how much data it fears was stolen
- Hackers who breached a database containing highly personal
information on government employees with security clearances had
access to the system for about a year before being discovered, The
Washington Post reported on Friday.
- Rewards worth £30,000 offered in search for cyber stars of the
future - The SANS Institute has launched an open Cyber Aptitude
Assessment competition that will offer high ranking applicants
access to cyber 'boot camp' training worth £30,000.
- Pentagon seeks to hold its IT users more accountable for cyber
missteps - The Defense Department has no shortage of regulations
designed to encourage and enforce good cybersecurity behavior on its
own networks. But DoD’s chief information officer said as of now,
there are too few consequences for users who run afoul of those
rules. That’s about to change.
- Privacy advocates applaud Supreme Court ruling on hotel registry
searches - The Supreme Court has deemed a Los Angeles ordinance,
which legalizes warrantless police demands to inspect hotel and
motel guest registries, unconstitutional – a decision which could
influence law enforcement protocol in other cities subjecting
noncompliant hoteliers to arrest of penalty.
- Michigan State Audit finds several department systems vulnerable -
Michigan's Department of Technology, Management and Budget (DTMB)
failed to establish effective security management and access
controls for several departments leaving systems used to process
child welfare information, food assistance programs, and cash
management as well as others used in administering state benefits
vulnerable to unauthorized access, according to a report released by
the state's Office of the Auditor General.
- GAO -
Cybersecurity: Recent Data Breaches Illustrate Need for
Strong Controls across Federal Agencies.
Security incidents in finance sector 300 percent more frequent
than other industries - Organizations in the financial services
sector encounter security incidents about 300 percent more
frequently than those in other industries.
OPM breach possibly compromises more than 32 million current
and former employees' PII - Office of Personnel Management (OPM)
Director Katherine Archuleta isn't talking, or at least she's not
providing concrete figures for the second, and possibly historically
large, data breach at her agency.
US government log-ins, passwords easy to find on the open Web,
researcher says - A CIA-backed technology company says it's spotted
credentials connected with the departments of Defense, Justice,
Treasury and Energy, as well as the CIA itself.
61 percent of critical infrastructure execs confident systems
could detect attack in less than a day - Nearly all critical
infrastructure industry executives recognize that their
organizations are targets for cybercriminals, and almost half think
their systems could detect a cyber attack on a critical system
within 24 hours.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Houston Astros' Breach A 'Wake-Up Call' On Industrial Cyber
Espionage - The St. Louis Cardinals' alleged breach of the Astros'
proprietary database raises concern over the possibility of US
companies hacking their rivals for intel.
Cyberattack knocks Canadian government websites offline - Public
Safety Minister Steven Blaney says no personal information was
compromised during the attack claimed by Anonymous in retaliation
for Bill C-51. The federal government’s networks were hit with a
large-scale cyberattack on Wednesday, shutting down websites and
internal networks for hours.
Banking trojan besieges Bundestag … for the second time - Swatbanker
malware appearance seems politically motivated - Online banking
trojan Swatbanker has been brought into play in a second round of
attacks against the German Bundestag, reports security software firm
FBI investigating series of fiber cuts in San Francisco Bay Area -
The FBI is looking into a series of deliberate cuts of fiber optic
cables in the San Francisco Bay Area.
- UC Irvine Medical Center announces breach affecting 4,859 patients
- University of California (UC) Irvine Medical Center is notifying
nearly 5,000 patients that an employee accessed their records
without a job-related purpose between June 2011 and March.
- Hack grounds handful of Polish airline's flights - The Polish
airline LOT had to ground several planes, temporarily stranding
1,400 passengers at Chopin airport in Warsaw after the airline's
ground computers were attacked by hackers.
- Thousands of Montefiore patients notified of breach, eight
suspects indicted - A former employee with New York-based Montefiore
Medical Center was indicted along with seven others on Friday for
their alleged roles in an operation to steal patient data and use
the information to purchase thousands of dollars in goods at
retailers and department stores throughout Manhattan.
- Polish airline LOT was grounded after 'IT attack' took hold - An
unspecified IT attack has left 1,400 passengers of Polish flag
carrier LOT Polish Airlines stuck in Warsaw, after the company
discovered it was unable to file flight plans for its departing
- All Airlines Have the Security Hole That Grounded Polish Planes -
More than 10 airplanes were grounded on Sunday after hackers
apparently got into computer systems responsible for issuing flight
plans to pilots of Poland’s state-owned LOT airline.
- Targeted attacks rise, cyber attackers spreading through networks,
report says - Lateral movement and reconnaissance detections
observed in a report show a sharp upturn in targeted attacks that
have penetrated the perimeter.
- Dungarees website attacked, payment cards potentially compromised
- Missouri-based work wear and accessories retailer Dungarees is
notifying an undisclosed number of customers that its website was
attacked, and credit and debit card information may have been
- Hershey Park investigates potential payment card breach -
Pennsylvania-based Hershey Park is investigating a potential payment
- COA Network breached, all customer data treated as potentially
compromised - COA Network, Inc. – a New Jersey company that provides
virtual telephone systems and content management systems – detected
a pattern of irregular activity affecting its computer systems, and
is treating all customer information as being potentially
- Indiana town judge says attackers gained access to classified
court records - Attackers gained access to Clarksville Town Court
classified records on June 23, potentially compromising information
such as names, addresses, dates of birth, and Social Security
numbers, James Guilfoyle, Clarksville Town Court judge, said in a
statement emailed to SCMagazine.com on Thursday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced
Technology Services ( Part 2 of 4)
The board of directors and senior management are responsible for
understanding the risks associated with outsourcing arrangements for
technology services and ensuring that effective risk management
practices are in place. As part of this responsibility, the board
and management should assess how the outsourcing arrangement will
support the institution’s objectives and strategic plans and how the
service provider’s relationship will be managed. Without an
effective risk assessment phase, outsourcing technology services may
be inconsistent with the institution’s strategic plans, too costly,
or introduce unforeseen risks.
Outsourcing of information and transaction processing and settlement
activities involves risks that are similar to the risks that arise
when these functions are performed internally. Risks include threats
to security, availability and integrity of systems and resources,
confidentiality of information, and regulatory compliance. In
addition, the nature of the service provided, such as bill payment,
funds transfer, or emerging electronic services, may result in
entities performing transactions on behalf of the institution, such
as collection or disbursement of funds, that can increase the levels
of credit, liquidity, transaction, and reputation risks.
Management should consider additional risk management controls when
services involve the use of the Internet. The broad geographic
reach, ease of access, and anonymity of the Internet require close
attention to maintaining secure systems, intrusion detection and
reporting systems, and customer authentication, verification, and
authorization. Institutions should also understand that the
potential risks introduced are a function of a system’s structure,
design and controls and not necessarily the volume of activity.
An outsourcing risk assessment should consider the following:
• Strategic goals, objectives, and business needs of the
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service
• Contingency plans, including availability of alternative
service providers, costs and resources
required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate
consistency with strategic
objectives and service provider performance.
• Regulatory requirements and guidance for the business lines
affected and technologies used.
the top of the newsletter
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Potentially, the open architecture of the Internet can allow those
with specific knowledge and tools to alter or modify data during a
transmission. Data integrity could also be compromised within the
data storage system itself, both intentionally and unintentionally,
if proper access controls are not maintained. Steps must be taken to
ensure that all data is maintained in its original or intended
Essential in electronic commerce is the need to verify that a
particular communication, transaction, or access request is
legitimate. To illustrate, computer systems on the Internet are
identified by an Internet protocol (IP) address, much like a
telephone is identified by a phone number. Through a variety of
techniques, generally known as "IP spoofing" (i.e., impersonating),
one computer can actually claim to be another. Likewise, user
identity can be misrepresented as well. In fact, it is relatively
simple to send email which appears to have come from someone else,
or even send it anonymously. Therefore, authentication controls are
necessary to establish the identities of all parties to a
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Protection Against Disclosure or Brokerage of Information
against information disclosure is based on a need-to-know policy and
on personnel hiring and screening practices. The need-to-know policy
states that time and attendance information should be made
accessible only to HGA employees and contractors whose assigned
professional responsibilities require it. Such information must be
protected against access from all other individuals, including other
HGA employees. Appropriate hiring and screening practices can lessen
the risk that an untrustworthy individual will be assigned such
The need-to-know policy
is supported by a collection of physical, procedural, and automated
safeguards, including the following:
- · Time and attendance paper
documents are must be stored securely when not in use,
particularly during evenings and on weekends. Approved
storage containers include locked file cabinets and desk
drawers---to which only the owner has the keys. While
storage in a container is preferable, it is also permissible
to leave time and attendance documents on top of a desk or
other exposed surface in a locked office (with the
realization that the guard force has keys to the office).
(This is a judgment left to local discretion.) Similar rules
apply to disclosure-sensitive information stored on floppy
disks and other removable magnetic media.
- Every HGA PC is equipped
with a key lock that, when locked, disables the PC. When
information is stored on a PC's local hard disk, the user to
whom that PC was assigned is expected to (1) lock the PC at
the conclusion of each workday and (2) lock the office in
which the PC is located.
- The LAN server operating
system's access controls provide extensive features for
controlling access to files. These include group-oriented
controls that allow teams of users to be assigned to named
groups by the System Administrator. Group members are then
allowed access to sensitive files not accessible to
nonmembers. Each user can be assigned to several groups
according to need to know. (The reliable functioning of
these controls is assumed, perhaps incorrectly, by HGA.)
- All PC users undergo
security awareness training when first provided accounts on
the LAN server. Among other things, the training stresses
the necessity of protecting passwords. It also instructs
users to log off the server before going home at night or
before leaving the PC unattended for periods exceeding an