- NIST Updates SP 800-171 to Help Defend Sensitive Information from
Cyberattack - An update to one of the National Institute of
Standards and Technology’s (NIST) information security documents
offers strategies to help protect sensitive information that is
stored in computers supporting critical government programs and high
- Ransomware attacks: Why and when it makes sense to pay the ransom
- Whether you pay ransomware actors or not really comes down to some
straightforward business calculations. Sometimes the ransom is worth
Need more evidence that IoT security is a big deal? Here's what NIST
has to say - If your organization isn’t thinking about internet of
things (IoT) security, it could soon face a rude awakening,
according to the influential agency that sets cybersecurity
standards for the federal government.
Hong Kong protesters fear gov’t use of facial recognition,
surveillance tech - Fear that the government will draw facial
recognition technology from its arsenal of digital surveillance
tools to identify protesters in Hong Kong has prompted some to take
evasive action to diminish or eliminate their digital footprints.
Ransomware Hits Georgia Courts As Municipal Attacks Spread -
Ransomware has no shortage of cautionary tales and wakeup calls from
the past decade. But for local governments, this past year has been
a particularly brutal reminder of the threat.
Women in Security - A new take on the old adage “you’re known by the
company you keep,” might aptly apply to women in security who’ve
found success, progress and opportunities in organizations that know
New York Legislature passes bill that toughens breach notification
standards - The New York State Legislature last month passed The
Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which
is intended to strengthen the state’s data security laws by more
explicitly defining when and how businesses must notify the public
and attorney general of a data breach incident.
Lake City, Fla. IT manager pays the price for ransomware attack -
The Lake City, Fla., city council fired the municipality’s IT
director just one week after that body voted to pay the
cybercriminals behind a ransomware attack that knocked they city
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cloud provider PCM hacked, customer info likely stolen for gift
card scam - Hackers accessed emails and file sharing systems of some
customers of cloud provider PCM Inc.
5M records exposed by misconfigured MedicareSupplement.com MongoDB -
A MedicareSupplment.com MongoDB containing more than five million
records was found open to the public containing a wide range of PII.
Village of Key Biscayne hit with a cyberattack - The small Florida
municipality of the Village of Key Biscayne has found itself with
the dubious honor of joining Baltimore, Atlanta and several other
Sunshine State cities by being victimized with by a cyberattack.
Data management firm exposed client info on open Amazon S3 buckets:
researchers - Data from Netflix, TD Bank, Ford and other companies
was left exposed for an unknown period of time on publicly
configured cloud storage buckets operated by data integration and
management company Attunity, according to the research team that
discovered the error.
Medtronic recalls insulin pumps due to potential of hacker sabotage
- Medical device manufacturer Medtronic plc took the unusual step of
issuing a recall for several of its insulin pump products due to
serious hacking concerns that were detailed in a pair of security
alerts from the Food and Drug Administration (FDA) and ICS-CERT.
Baltimore approves $10M for ransomware relief, expects $18M in
damages - Baltimore officials approved using $10 million in excess
revenue to cover ongoing expenses related to a ransomware attack
that immobilized several of the cities computer systems in early
Exposed Orvibo database leaks two billion records - More than 2
billion user logs containing information on Chinese home solutions
company Orvibo’s customers were leaked after a database was left
U.S. Virgin Islands hit with ransomware and BEC attack - The U.S.
Virgin Islands Police department was hit with a ransomware attack in
April that targeted servers housing internal affairs records and
citizen complaints while the territory’s water department was
separately hit with a business email compromise (BEC).
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 12: Banks
should take appropriate measures to ensure adherence to customer
privacy requirements applicable to the jurisdictions to which the
bank is providing e-banking products and services.
Maintaining a customer's information privacy is a key
responsibility for a bank. Misuse or unauthorized disclosure of
confidential customer data exposes a bank to both legal and
reputation risk. To meet these challenges concerning the
preservation of privacy of customer information, banks should make
reasonable endeavors to ensure that:
1) The bank's customer privacy policies and standards take
account of and comply with all privacy regulations and laws
applicable to the jurisdictions to which it is providing e-banking
products and services.
2) Customers are made aware of the bank's privacy policies and
relevant privacy issues concerning use of e-banking products and
3) Customers may decline (opt out) from permitting the bank to
share with a third party for cross-marketing purposes any
information about the customer's personal needs, interests,
financial position or banking activity.
4) Customer data are not used for purposes beyond which they are
specifically allowed or for purposes beyond which customers have
5) The bank's standards for customer data use must be met when
third parties have access to customer data through outsourcing
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - APPLICATION
2 of 2)
Institution management should consider a number of issues
regarding application-access control. Many of these issues could
also apply to oversight of operating system access:
! Implementing a robust authentication method consistent with the
criticality and sensitivity of the application. Historically, the
majority of applications have relied solely on user IDs and
passwords, but increasingly applications are using other forms of
authentication. Multi-factor authentication, such as token and
PKI-based systems coupled with a robust enrollment process, can
reduce the potential for unauthorized access.
! Maintaining consistent processes for assigning new user access,
changing existing user access, and promptly removing access to
! Communicating and enforcing the responsibilities of programmers
(including TSPs and vendors), security administrators, and business
line owners for maintaining effective application-access control.
Business line managers are responsible for the security and privacy
of the information within their units. They are in the best position
to judge the legitimate access needs of their area and should be
held accountable for doing so. However, they require support in the
form of adequate security capabilities provided by the programmers
or vendor and adequate direction and support from security
! Monitoring existing access rights to applications to help ensure
that users have the minimum access required for the current business
need. Typically, business application owners must assume
responsibility for determining the access rights assigned to their
staff within the bounds of the AUP. Regardless of the process for
assigning access, business application owners should periodically
review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some
applications or for the more sensitive functions within an
application. The nature of some applications requires limiting the
location and number of workstations with access. These restrictions
can support the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by
utilizing software that supports group profiles. Some financial
institutions manage access rights individually and it often leads to
inappropriate access levels. By grouping employees with similar
a common access profile (e.g., tellers, loan operations, etc.),
business application owners and security administrators can better
assign and oversee access rights. For example, a teller performing a
two-week rotation as a proof operator does not need year-round
access to perform both jobs. With group profiles, security
administrators can quickly reassign the employee from a teller
profile to a proof operator profile. Note that group profiles are
used only to manage access rights; accountability for system use is
maintained through individuals being assigned their own unique
identifiers and authenticators.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Protection Against Payroll Fraud and Errors: Time and Attendance
Application (1 of 2)
The time and attendance
application plays a major role in protecting against payroll fraud
and errors. Since the time and attendance application is a component
of a larger automated payroll process, many of its functional and
security requirements have been derived from both governmentwide and
HGA-specific policies related to payroll and leave. For example, HGA
must protect personal information in accordance with the Privacy
Act. Depending on the specific type of information, it should
normally be viewable only by the individual concerned, the
individual's supervisors, and personnel and payroll department
employees. Such information should also be timely and accurate.
Each week, employees
must sign and submit a time sheet that identifies the number of
hours they have worked and the amount of leave they have taken. The
Time and Attendance Clerk enters the data for a given group of
employees and runs an application on the LAN server to verify the
data's validity and to ensure that only authorized users with access
to the Time and Attendance Clerk's functions can enter time and
attendance data. The application performs these security checks by
using the LAN server's access control and identification and
authentication (I&A) mechanisms. The application compares the data
with a limited database of employee information to detect incorrect
employee identifiers, implausible numbers of hours worked, and so
forth. After correcting any detected errors, the clerk runs another
application that formats the time and attendance data into a report,
flagging exception/out-of-bound conditions (e.g., negative leave
are responsible for reviewing the correctness of the time sheets of
the employees under their supervision and indicating their approval
by initialing the time sheets. If they detect significant
irregularities and indications of fraud in such data, they must
report their findings to the Payroll Office before submitting the
time sheets for processing. In keeping with the principle of
separation of duty, all data on time sheets and corrections on the
sheets that may affect pay, leave, retirement, or other benefits of
an individual must be reviewed for validity by at least two
authorized individuals (other than the affected individual).
Only users with access
to Time and Attendance Supervisor functions may approve and submit
time and attendance data -- or subsequent corrections thereof -- to
the mainframe. Supervisors may not approve their own time and
Only the System
Administrator has been granted access to assign a special access
control privilege to server programs. As a result, the server's
operating system is designed to prevent a bogus time and attendance
application created by any other user from communicating with the
WAN and, hence, with the mainframe.
The time and attendance
application is supposed to be configured so that the clerk and
supervisor functions can only be carried out from specific PCs
attached to the LAN and only during normal working hours.
Administrators are not authorized to exercise functions of the time
and attendance application apart from those concerned with
configuring the accounts, passwords, and access permissions for
clerks and supervisors. Administrators are expressly prohibited by
policy from entering, modifying, or submitting time and attendance
data via the time and attendance application or other mechanisms.
unauthorized execution of the time and attendance application
depends on I&A and access controls. While the time and attendance
application is accessible from any PC, unlike most programs run by
PC users, it does not execute directly on the PC's processor.
Instead, it executes on the server, while the PC behaves as a
terminal, relaying the user's keystrokes to the server and
displaying text and graphics sent from the server. The reason for
this approach is that common PC systems do not provide I&A and
access controls and, therefore, cannot protect against unauthorized
time and attendance program execution. Any individual who has
access to the PC could run any program stored there.
approach is for the time and attendance program to perform I&A and
access control on its own by requesting and validating a password
before beginning each time and attendance session. This approach,
however, can be defeated easily by a moderately skilled programming
attack, and was judged inadequate by HGA during the application's
early design phase.
Recall that the server
is a more powerful computer equipped with a multiuser operating
system that includes password-based I&A and access controls.
Designing the time and attendance application program so that it
executes on the server under the control of the server's operating
system provides a more effective safeguard against unauthorized
execution than executing it on the user's PC.