- Our cybersecurity testing meets
the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense.
To receive due diligence information, an agreement, and cost-saving fees,
please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.
- Former Georgia-Pacific sysadmin charged with damaging protected
computers - Following his indictment last week by a federal grand
jury, a Louisiana man was arrested on Wednesday to face charges of
intentionally damaging protected computers belonging to his former
- Hackers had access to security clearance data for a year - Hackers
who breached a database containing highly personal information on
government employees with security clearances had access to the
system for about a year before being discovered, The Washington Post
reported on Friday.
- OPM Breach Notification Frustrates Hacked Feds - Some victims of the
massive hack of federal personnel records expressed fear their
privacy might be violated by fraud protection services the
government has outsourced to private companies.
- Pentagon seeks to hold its IT users more accountable for cyber
missteps - The Defense Department has no shortage of regulations
designed to encourage and enforce good cybersecurity behavior on its
- Only 27 percent of flaws found in gov't applications fixed - After
breaking down application security trends by industry, a security
firm found that the government sector ranked lowest in remediating
- Nearly all Japanese pension system files kept unprotected pre-breach
- An investigation into the compromise of Japan's national pension
system found that 99 percent of the accessed files were without any
sort of password protection.
- FBI updates Most Wanted cyber felons list, offers US$4.2m bounties -
Zeus creator has $3m on his head, may be boating on the Black Sea -
The mastermind of the Zeus trojan; a car scamming screwball; an
identity thief; a malvertiser, and a keylogger monger: nail these
five net crims to the wall and the FBI will pay you US$4.2 million.
- GAO - Information Security: Cyber Threats and Data Breaches
Illustrate Need for Stronger Controls across Federal Agencies -
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Harvard University announces network intrusion, possible data
exposure - Harvard University announced that on June 19 an intrusion
was discovered on the Faculty of Arts and Sciences (FAS) and Central
Administration information technology networks, and that Harvard
login credentials may have been exposed.
- Skimmer on Santander Bank ATM vestibule door leads to fraud -
Following the May 4 discovery of suspicious ATM withdrawals that
occurred the day prior, Santander Bank determined that a magnetic
stripe skimming device had been placed on the ATM vestibule door at
its Woburn, Mass., branch on 19 Pleasant St.
- FireKeepers confirms breach, says about 85,000 cards and other info
are at risk - Following a May announcement that it was replacing
point-of-sale (POS) devices while investigating a potential breach,
Michigan-based FireKeepers Casino Hotel confirmed Friday that
unauthorized access was gained to its computer systems and personal
information – as well as payment card data – may have been
- Hacking Team hacked; leaked documents confirm sale of software to
Sudan and Ethiopia - An unknown number of hackers accessed and
posted at least 400 GB of the “offensive technology” manufacturer
Hacking Team's internal documents, emails, slideshow presentations,
and more, on Sunday evening.
- Orlando Health employee improperly accesses patient medical
records - Orlando Health announced that a former nursing assistant
accessed about 3,200 patient medical records outside of their normal
- NYSE says trading halted due to 'technical issue,' not breach -
Trading on the New York Stock Exchange (NYSE) came to a halt
- Computer glitch grounds all United Airlines flights - A glitch in
the computer software that manages United Airlines's automated
operations brought the airline's flights to a screeching halt -
temporarily - Wednesday morning.
- Foreign hackers briefly commandeer German missile systems - A
German missile system was reportedly hacked and taken over by
unknown foreign attackers who executed “unexplained commands.”
- Detroit Zoo, eight others across the country experience POS breach
- The Detroit Zoo along with eight other zoos across the country
announced that Service Systems Associates (SSA), a third-party
vendor that handles retail and concession payments, experienced a
point-of-sale (POS) breach that affected customers between March 23
and June 25 of this year.
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 4 of 4)
Service Provider Oversight
Institutions should implement an oversight program to monitor each
service provider’s controls, condition, and performance.
Responsibility for the administration of the service provider
relationship should be assigned to personnel with appropriate
expertise to monitor and manage the relationship. The number of
personnel, functional responsibilities, and the amount of time
devoted to oversight activities will depend, in part, on the scope
and complexity of the services outsourced. Institutions should
document the administration of the service provider relationship.
Documenting the process is important for contract negotiations,
termination issues, and contingency planning.
The board of directors and management are responsible for ensuring
adequate risk mitigation practices are in place for effective
oversight and management of outsourcing relationships. Financial
institutions should incorporate an outsourcing risk management
process that includes a risk assessment to identify the
institution’s needs and requirements; proper due diligence to
identify and select a provider; written contracts that clearly
outline duties, obligations and responsibilities of the parties
involved; and ongoing oversight of outsourcing technology services.
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls
A primary concern in controlling system access is the safeguarding of
user IDs and passwords. The Internet presents numerous issues to
consider in this regard. Passwords can be obtained through deceptive
"spoofing" techniques such as redirecting users to false Web sites
where passwords or user names are entered, or creating shadow copies
of Web sites where attackers can monitor all activities of a user.
Many "spoofing" techniques are hard to identify and guard against,
especially for an average user, making authentication processes an
important defense mechanism.
The unauthorized or unsuspected acquisition of data such as
passwords, user IDs, e-mail addresses, phone numbers, names, and
addresses, can facilitate an attempt at unauthorized access to a
system or application. If passwords and user IDs are a derivative of
someone's personal information, malicious parties could use the
information in software programs specifically designed to generate
possible passwords. Default files on a computer, sometimes called
"cache" files, can automatically retain images of such data received
or sent over the Internet, making them a potential target for a
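The paragraph above warns that passwords derived from a person's own details fall quickly to tools that generate candidates from harvested data. The check below is an added example, not code from the FDIC guidance: it derives the same fragments an attacker's generator would build from a user's name, user ID, e-mail, phone and birth date, undoes the usual character substitutions (a->@, o->0, s->$ and so on), and rejects any password that contains one of those fragments forwards or backwards. The user record, the substitution table and the minimum fragment length are assumptions made for the example.

```python
"""Reject passwords built from a user's own personal data.

Added example; not code from the FDIC guidance quoted above. It mirrors
what a password-generating tool does with harvested data: derive the
fragments an attacker would try from the user's name, user ID, e-mail,
phone number and birth date, normalise away common substitutions, and
refuse any password containing one of those fragments forwards or
backwards. The user record below is constructed.
"""
import re
from datetime import date

# Undo the substitutions a wordlist "mangler" applies, so P@ssw0rd -> password.
_UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                         "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})
MIN_FRAGMENT = 4  # shorter fragments match too much by accident (assumed)


def normalise(text):
    """Lower-case, reverse leet substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_UNLEET))


def personal_fragments(full_name, user_id, email, phone, birth_date):
    """Strings an attacker's generator would derive from one person's data."""
    frags = set()
    names = [n for n in re.split(r"[\s\-.]+", full_name.lower()) if n]
    frags.update(names)
    frags.add("".join(names))              # janeqsmith
    frags.add(names[0] + names[-1])        # janesmith
    frags.add(names[0][0] + names[-1])     # jsmith
    frags.add(user_id.lower())
    local, _, domain = email.lower().partition("@")
    frags.add(local)
    frags.update(re.split(r"[._+\-]", local))
    frags.add(domain.split(".")[0])        # employer / provider name
    digits = re.sub(r"\D", "", phone)
    frags.update({digits, digits[-4:], digits[-7:]})
    d = birth_date                         # the date formats people actually type
    frags.update(d.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%m%d%Y",
                                        "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y"))
    normalised = (normalise(f) for f in frags)
    return {f for f in normalised if len(f) >= MIN_FRAGMENT}


def derived_from_personal_info(password, fragments):
    """Return the personal fragment the password contains, else None."""
    norm = normalise(password)
    for frag in sorted(fragments, key=lambda f: (-len(f), f)):  # longest first
        if frag in norm or frag[::-1] in norm:
            return frag
    return None


# Constructed user record for the demonstration.
USER_FRAGMENTS = personal_fragments(
    full_name="Jane Q. Smith",
    user_id="jsmith",
    email="jane.smith@example.com",
    phone="+1 (617) 555-0147",
    birth_date=date(1985, 4, 12),
)


def check(password):
    """(accepted, reason) for one candidate password against the sample user."""
    hit = derived_from_personal_info(password, USER_FRAGMENTS)
    if hit:
        return False, f"derived from personal data fragment '{hit}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Sm1th1985!", "JaneS!2024", "htimS99", "Tr0ub4dor&3"):
        print(pw, check(pw))
```

Both the fragments and the candidate password go through the same normalisation, so "Sm1th1985!" is caught as the surname plus birth year even though the digits were substituted, and "htimS99" is caught because the surname appears reversed; a passphrase unrelated to the user passes. In practice this check sits alongside a breached-password list and a length rule, not instead of them.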
Security Flaws and Bugs / Active Content Languages
Flaws in software and hardware design also represent an area of concern.
Security problems are often identified after the release of a new
product, and solutions to correct security flaws commonly contain
flaws themselves. Such vulnerabilities are usually widely
publicized, and the identification of new bugs is constant. These
bugs and flaws are often serious enough to compromise system
integrity. Security flaws and exploitation guidelines are also
frequently available on hacker Web sites. Furthermore, software
marketed to the general public may not contain sufficient security
controls for financial institution applications.
Newly developed languages and technologies present similar security
concerns, especially when dealing with network software or active
content languages which allow computer programs to be attached to
Web pages (e.g., Java, ActiveX). Security flaws identified in Web
browsers (i.e., application software used to navigate the Internet)
have included bugs which, at least in theory, could allow programs to
be installed on a Web server and then used as a foothold into the
bank's internal systems. Even if new technologies are regarded as
secure, they must be managed properly. For example, if controls over
active content languages are inadequate, potentially hostile and
malicious programs could be automatically downloaded from the Internet
and executed on a system.
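The FDIC text predates the control that browsers now expose for exactly this problem, the Content-Security-Policy response header, which decides what script and plug-in content a page may run. As an added example that goes beyond the Java/ActiveX era of the text (not code from the FDIC or from this newsletter), the checker below parses a policy string and reports the settings that leave active content uncontrolled: inline or eval'd script, wildcard script sources, plug-in content (object-src, the slot once filled by applets and ActiveX) left unrestricted, and a missing base-uri. The weak and hardened policies, and the nonce value, are constructed for the example.

```python
"""Flag Content-Security-Policy settings that let hostile active content run.

Added example; not from the FDIC text above. Parses a CSP header value and
reports directives that leave active content uncontrolled. Both policies
below are constructed for the example.
"""

# Constructed policies: one permissive, one hardened.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED_POLICY = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                   "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")

_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
_OPEN_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(policy):
    """Map directive name -> list of source expressions.

    The first occurrence of a directive wins; browsers ignore later
    duplicates, so a checker must not let a later, stricter copy mask it.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def csp_findings(policy):
    """Return human-readable weaknesses; an empty list means none found."""
    d = parse_csp(policy)
    findings = []
    # script-src falls back to default-src when absent, as in the browser.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("no script-src/default-src: script may load from anywhere")
    else:
        low = [t.lower() for t in script]
        # A nonce or hash makes browsers ignore 'unsafe-inline', so only
        # flag it when nothing overrides it.
        if "'unsafe-inline'" in low and not any(t.startswith(_NONCE_OR_HASH) for t in low):
            findings.append("script-src 'unsafe-inline' without nonce/hash: injected inline script runs")
        if "'unsafe-eval'" in low:
            findings.append("script-src 'unsafe-eval': string-to-code execution allowed")
        if _OPEN_SOURCES & set(low):
            findings.append("script-src wildcard/scheme source: any host can supply script")
    obj = d.get("object-src", d.get("default-src"))
    if obj is None or "'none'" not in [t.lower() for t in obj]:
        findings.append("object-src not 'none': plug-in content may be embedded")
    if "base-uri" not in d:
        findings.append("base-uri missing: injected <base> can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, csp_findings(policy) or ["no weaknesses found"])
```

Run against the weak policy it reports five problems; the hardened one reports none. The fallback from script-src and object-src to default-src mirrors browser behaviour, which is why a policy of only "default-src *" is as permissive as having no policy for plug-ins.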
Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or
networks that are connected to the Internet, because they may be
downloaded directly. Aside from causing destruction or damage to
data, these programs could open a communication link with an
external network, allowing unauthorized system access, or even
initiating the transmission of data.
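The "communication link with an external network" described above is what a defender looks for at the perimeter: either regular call-backs from one internal host to one outside destination (beaconing) or an unusually large volume of data leaving for one destination. The script below is an added example, not from the FDIC text: it parses connection records of the kind a firewall logs, keeps only egress flows to destinations that are not allowlisted, and flags both patterns. The address ranges, thresholds and every log line are assumed or constructed for the example.

```python
"""Detect hosts that may have opened a covert outbound channel.

Added example; not from the FDIC text above. Parses constructed
connection records, keeps only internal -> external flows to
non-allowlisted destinations, then flags (a) near-regular call-backs to
one destination (beaconing) and (b) large outbound volume (exfiltration).
Networks, thresholds and log lines are all assumed/constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8")]        # assumed corporate space
ALLOWED_DST = [ip_network("198.51.100.0/24")]     # assumed known-good partner
BEACON_MIN_HITS = 4       # connections needed before judging timing
BEACON_MAX_JITTER = 0.15  # stdev/mean of gaps below this counts as regular
EXFIL_BYTES = 5_000_000   # bytes out to one destination above this is flagged

# Constructed records: "timestamp src dst dport bytes_out"
SAMPLE_LOG = """\
2015-07-08T09:00:00 10.1.4.22 203.0.113.45 443 1280
2015-07-08T09:00:02 10.1.4.22 198.51.100.7 443 85000
2015-07-08T09:05:01 10.1.4.22 203.0.113.45 443 1301
2015-07-08T09:10:00 10.1.4.22 203.0.113.45 443 1275
2015-07-08T09:14:59 10.1.4.22 203.0.113.45 443 1290
2015-07-08T09:20:01 10.1.4.22 203.0.113.45 443 1288
2015-07-08T09:03:10 10.1.7.9 203.0.113.80 443 4100
2015-07-08T09:31:44 10.1.7.9 203.0.113.80 443 6200
2015-07-08T10:12:05 10.1.7.9 203.0.113.80 443 3900
2015-07-08T11:40:52 10.1.7.9 203.0.113.80 443 5100
2015-07-08T09:45:00 10.1.9.3 192.0.2.200 22 6400000
2015-07-08T09:46:00 10.1.9.3 10.1.9.4 445 9000000
"""


def parse_records(text):
    """Yield (timestamp, src, dst, dport, bytes_out) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        yield (datetime.fromisoformat(ts), ip_address(src), ip_address(dst),
               int(dport), int(nbytes))


def in_any(ip, nets):
    return any(ip in net for net in nets)


def egress_flows(records):
    """Group internal -> external (non-allowlisted) connections by (src, dst, dport)."""
    flows = defaultdict(list)
    for ts, src, dst, dport, nbytes in records:
        is_egress = (in_any(src, INTERNAL_NETS) and not in_any(dst, INTERNAL_NETS)
                     and not in_any(dst, ALLOWED_DST))
        if is_egress:
            flows[(src, dst, dport)].append((ts, nbytes))
    return flows


def interval_jitter(timestamps):
    """Coefficient of variation of inter-connection gaps, or None if too few."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < BEACON_MIN_HITS - 1 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_suspicious(text):
    """Return alert tuples: (kind, src, dst, dport, detail), in address order."""
    alerts = []
    flows = egress_flows(parse_records(text))
    ordered = sorted(flows.items(),
                     key=lambda kv: (str(kv[0][0]), str(kv[0][1]), kv[0][2]))
    for (src, dst, dport), events in ordered:
        jitter = interval_jitter([t for t, _ in events])
        total_out = sum(b for _, b in events)
        if jitter is not None and jitter < BEACON_MAX_JITTER:
            alerts.append(("beacon", str(src), str(dst), dport, round(jitter, 4)))
        if total_out > EXFIL_BYTES:
            alerts.append(("exfil", str(src), str(dst), dport, total_out))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(*alert)
```

On the sample, 10.1.4.22 is flagged for calling 203.0.113.45 every five minutes with almost no variation, and 10.1.9.3 for pushing 6.4 MB out over SSH; 10.1.7.9 also talks to an outside host but at irregular intervals and low volume, and the internal file transfer and the allowlisted destination are ignored. Real deployments tune the thresholds per environment and add a reputation lookup for the flagged destinations.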
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) handbook,
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Protection Against Risks from Non-HGA Computer Systems
HGA relies on systems
and components that it cannot control directly because they are
owned by other organizations. HGA has developed a policy to avoid
undue risk in such situations. The policy states that system
components controlled and operated by organizations other than HGA
may not be used to process, store, or transmit HGA information
without obtaining explicit permission from the application owner and
the COG Manager. Permission to use such system components may not be
granted without written commitment from the controlling organization
that HGA's information will be safeguarded commensurate with its
value, as designated by HGA. This policy is somewhat mitigated by
the fact that HGA has developed an issue-specific policy on the use
of the Internet, which allows for its use for e-mail with outside
organizations and access to other resources (but not for
transmission of HGA's proprietary data).
Vulnerabilities Reported by the Risk Assessment Team
The risk assessment
team found that many of the risks to which HGA is exposed stem from
(1) the failure of individuals to comply with established policies
and procedures or (2) the use of automated mechanisms whose
assurance is questionable because of the ways they have been
developed, tested, implemented, used, or maintained. The team also
identified specific vulnerabilities in HGA's policies and procedures
for protecting against payroll fraud and errors, interruption of
operations, disclosure and brokering of confidential information,
and unauthorized access to data by outsiders.