- Alleged JPMorgan hack leaders arrested - The FBI had said it was
nearing the official filing of charges against the perpetrators of
the JPMorgan Chase data breach, and on Tuesday it made good on
- United hackers given million free flight miles - US airline United
has rewarded two hackers who spotted security holes in its website
with a million free flight miles each.
- Israel, US commit to beef up cybersecurity cooperation - US
Homeland Security deputy visits Jewish state to bolster ties in
high-tech research and development - The US deputy secretary of
Homeland Security and the top Israeli official handling
cybersecurity have cosigned a statement committing to US-Israel
cooperation in the area.
- Zero-day in Fiat Chrysler feature allows remote control of
vehicles - Fiat Chrysler owners should update their vehicles'
software after a pair of security researchers were able to exploit a
zero-day vulnerability to remotely control the vehicle's engine,
transmission, steering and brakes, among other systems.
- Black Hat 2015 attendees most concerned about targeted attacks -
In a survey of 460 management and staff security professionals
attending the upcoming Black Hat 2015 conference, 57 percent
indicated that sophisticated attacks aimed directly at their
organization are their greatest concern.
- Free security tools help detect Hacking Team malware - Sensitive
information exposed in the Hacking Team leaks – more than 400 GB
worth of zero-day vulnerabilities, other threats and more – has
spurred Rook Security and Facebook to each release free security
- Following a pair of massive data breaches, the Office of Personnel
Management (OPM) rewrote its privacy regulations to allow
legislators and outside entities to look through its databases for
signs of data breaches.
- FTC alleges LifeLock violated 2010 settlement by lying about
security measures - The Federal Trade Commission (FTC) is
investigating LifeLock a second time for allegedly making false
claims about its identity protection services and failing to
implement the required steps to protect its customers' data.
- Japan to train thousands on cyber-security ahead of 2020 Olympics
- According to local newspaper Nikkei, Japan's Ministry of Internal
Affairs and Communications has put forward a set of cyber-security
proposals in relation to the Games, and intends to request around
20 billion yen (£103 million) in government funding over the four
years starting from fiscal 2016.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Ohio inmate caught with prison administrative login credentials - An
Ohio inmate was caught on Friday with administrative login
credentials for the computer system at Lebanon Correctional
- UCLA Health attacked, data on up to 4.5 million individuals at risk
- UCLA Health announced on Friday that attackers accessed parts of
its network containing personal and medical information on as many
as 4.5 million individuals.
- CVS investigating possible payment card breach, shuts down photo
website - CVS has shut down its CVSPhoto.com website as it
investigates a potential payment card breach.
- Hackers of cheaters' site Ashley Madison threaten to expose user
profiles - Hackers who broke into the site are reportedly
threatening to post stolen user information every day the "discreet"
affair network remains online. Extramarital dating site Ashley
Madison has been hacked, with millions of users' information
potentially at risk of exposure.
- UK data retention scheme ruled unlawful - The UK High Court of
Justice has ruled that Britain's Data Retention and Investigatory
Powers Act (DRIPA), the digital surveillance scheme under which
communications metadata is retained, is "inconsistent with European
Union Law" and therefore unlawful. The government warns that losing
access to metadata could cost lives.
- Alfa Insurance: data on 86K
individuals inadvertently made accessible to internet - Alfa
Specialty Insurance Corporation and Alfa Vision Insurance
Corporation are notifying around 86,000 individuals that their
personal information was inadvertently made accessible to the
- Personal data on laptop stolen from
attorney with California law firm - A California-based law firm is
notifying an undisclosed number of individuals that a personal
laptop computer owned by an attorney from the firm was stolen, and
their personal information may have been compromised.
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology
Services
Due Diligence in Selecting a Service Provider - Technical and
• Assess the service provider’s
experience and ability to provide the necessary services and
supporting technology for current and anticipated needs.
• Identify areas where the institution would have to supplement
the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or
partners that would be used to support the outsourced
• Evaluate the experience of the service provider in providing
services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and
work are necessary.
• Evaluate the service provider’s ability to respond to service
• Contact references and user groups to learn about the service
provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned
to support the institution.
• Perform on-site visits, where necessary, to better understand
how the service provider operates and supports its services.
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Encryption, or cryptography, is a method of converting information
to an unintelligible code. The process can then be reversed,
returning the information to an understandable form. The information
is encrypted (encoded) and decrypted (decoded) by what are commonly
referred to as "cryptographic keys." These "keys" are actually
values, used by a mathematical algorithm to transform the data. The
effectiveness of encryption technology is determined by the strength
of the algorithm, the length of the key, and the appropriateness of
the encryption system selected.
Because encryption renders information unreadable to any party
without the ability to decrypt it, the information remains private
and confidential, whether in transit or at rest. Unauthorized
parties see nothing but an unorganized assembly of characters.
Encryption by itself, however, does not guarantee integrity: an
attacker who cannot read a ciphertext may still be able to alter it
so that it decrypts to something different. Assurance against
forgery and tampering comes from mechanisms designed for that
purpose, such as message authentication codes, digital signatures,
or authenticated-encryption modes that combine encryption with an
integrity check. In every case, the ability of the technology to
protect the information depends on the encryption and decryption
keys being generated, stored and distributed only by authorized
parties.
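The following is an added example written for this newsletter page, not
FDIC or FFIEC material, to make the confidentiality-versus-integrity
distinction above concrete. To stay on the Python standard library it
builds a stream cipher by running HMAC-SHA256 as a pseudo-random function
in counter mode (a didactic construction; in production use a vetted
authenticated-encryption mode such as AES-GCM or ChaCha20-Poly1305 from a
maintained library). The sample message, keys and nonces are constructed
here; the function names are this example's own.

```python
"""Confidentiality alone vs. encrypt-then-MAC, on the standard library only.

Didactic construction written for this page: a PRF (HMAC-SHA256) run in
counter mode gives a stream cipher; a second HMAC over nonce||ciphertext
gives integrity. Not the FDIC's or anyone's production code.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one master key.

    Reusing one key for two purposes is a classic key-management error;
    HMAC with distinct labels yields two unrelated subkeys.
    """
    enc_key = hmac.new(master_key, b"encryption-key", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac-key", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only. XOR is its own inverse, so this both encrypts
    and decrypts, and it is malleable: flipping a ciphertext bit flips the
    same plaintext bit with no error."""
    ks = keystream(enc_key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def encrypt_then_mac(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)  # must never repeat under one key
    ciphertext = xor_with_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_and_verify(master_key: bytes, message: bytes) -> bytes:
    """Check the tag before touching the ciphertext; reject any change."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short to contain nonce and tag")
    enc_key, mac_key = derive_keys(master_key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC verification failed: message was altered")
    return xor_with_keystream(enc_key, nonce, ciphertext)


def flip_byte(data: bytes, offset: int, mask: int) -> bytes:
    """Attacker helper: XOR one byte of a message with a mask."""
    out = bytearray(data)
    out[offset] ^= mask
    return bytes(out)


def demo() -> dict:
    master_key = secrets.token_bytes(32)
    enc_key, _ = derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = b"PAY $100.00 TO ALICE"  # constructed sample message
    mask = ord("1") ^ ord("9")           # turns the '1' at offset 5 into '9'

    # 1. Unauthenticated encryption: unreadable, but silently malleable.
    ct = xor_with_keystream(enc_key, nonce, plaintext)
    malleable_result = xor_with_keystream(enc_key, nonce, flip_byte(ct, 5, mask))

    # 2. Encrypt-then-MAC: the same edit is rejected before decryption.
    msg = encrypt_then_mac(master_key, plaintext)
    tamper_detected = False
    try:
        decrypt_and_verify(master_key, flip_byte(msg, NONCE_LEN + 5, mask))
    except ValueError:
        tamper_detected = True

    return {
        "roundtrip": decrypt_and_verify(master_key, msg) == plaintext,
        "malleable_result": malleable_result,   # b"PAY $900.00 TO ALICE"
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The unauthenticated path decrypts the tampered ciphertext to a different
amount without complaint, which is exactly the gap the paragraph above
warns about; the authenticated path fails closed. Note that the tag is
checked with `hmac.compare_digest` so a byte-by-byte comparison does not
leak timing information to an attacker guessing tags.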
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Vulnerabilities Related to Payroll Errors
HGA's management has
established procedures for ensuring the timely submission and
interagency coordination of paperwork associated with personnel
status changes. However, an unacceptably large number of troublesome
payroll errors during the past several years has been traced to the
late submission of personnel paperwork. The risk assessment
documented the adequacy of HGA's safeguards, but criticized the
managers for not providing sufficient incentives for compliance.
Vulnerabilities Related to Continuity of Operations
The risk assessment
commended HGA for many aspects of COG's contingency plan, but
pointed out that many COG personnel were completely unaware of the
responsibilities the plan assigned to them. The assessment also
noted that although HGA's policies require annual testing of
contingency plans, the capability to resume HGA's
computer-processing activities at another cooperating agency has
never been verified and may turn out to be illusory.
The risk assessment
reviewed a number of the application-oriented contingency plans
developed by HGA's divisions (including plans related to time and
attendance). Most of the plans were cursory and attempted to
delegate nearly all contingency planning responsibility to COG. The
assessment criticized several of these plans for failing to address
potential disruptions caused by lack of access to (1) computer
resources not managed by COG and (2) nonsystem resources, such as
buildings, phones, and other facilities. In particular, the
contingency plan encompassing the time and attendance application
was criticized for not addressing disruptions caused by WAN and
The risk assessment
found HGA's virus-prevention policy and procedures to be sound, but
noted that there was little evidence that they were being followed.
In particular, no COG personnel interviewed had ever run a virus
scanner on a PC on a routine basis, though several had run them
during publicized virus scares. The assessment cited this as a
significant risk item.
Accidental Corruption and Loss
The risk assessment
concluded that HGA's safeguards against accidental corruption and
loss of time and attendance data were adequate, but that safeguards
for some other kinds of data were not. The assessment included an
informal audit of a dozen randomly chosen PCs and PC users in the
agency. It concluded that many PC users store significant data on
their PC's hard disks, but do not back them up. Based on anecdotes,
the assessment's authors stated that there appear to have been many
past incidents of loss of information stored on PC hard disks and
predicted that such losses would continue.