- FBI creates new senior-level data scientist position, calls for
applicants - The FBI is looking for candidates to fill its brand-new
position of senior-level data scientist, a role that requires
specialization in big-data analytics and whose responsibilities
include serving as a top advisor and consultant to senior FBI
management, including Cyber Division executives.
- Auto Industry ISAC Releases Best Practices For Connected Vehicle
Cybersecurity - Goal is to provide car manufactures with guidelines
for protecting modern vehicles against emerging cyber threats - The
Automotive Information Sharing and Analysis Center (Auto-ISAC) has
released a set of cybersecurity best practices for connected
- Utilities look back to the future for hands-on cyberdefense - The
aftermath of the cyberattack in Ukraine on Dec. 23, 2015, produced
two unexpected lessons that U.S. grid operators have started to take
- Cyber workforce goes beyond 'coders at the keyboard' - The White
House's top cyber official hopes to see more than just your typical
cybersecurity experts hired in the next year.
- 69% of email attacks with malicious attachments in Q2 contained
Locky - The first five months of 2016 were dominated by malicious
email campaigns, the quick emergence of new ransomware variants, one
of the largest botnets in the world went dark, and the Angler
exploit kit (EK) went silent - all leading to a strangely quiet
- Former Citibank employee sentenced for shutting down 90% of firm's
network - A former Citibank employee was sentenced to 21 months in
prison after wiping routers and shutting down 90 percent of the
firm's network access across North America.
- O2 customers' details sold on darkweb - The details of O2
customers have been found being sold on the dark web.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- The Library of Congress computer systems have returned to normal
after facing a four-day long cyber attack. Library Director of
Communications Gayle Osterberg would not comment about the origin of
the attack, but praised the IT department's efforts to keep the
agency afloat. The attack began Sunday and caused intermittent
outages of service for websites and agencies under the Library’s
umbrella, including the U.S. Copyright Office.
- Cici’s Pizza: Card Breach at 130+ Locations - Cici’s Pizza, a
Coppell, Texas-based fast-casual restaurant chain, today
acknowledged a credit card breach at more than 135 locations.
- 2.3 million 'Warframe,' 'Clash of Kings' accounts compromised -
More than 2.3 million user records were compromised as two separate
gaming companies announced they suffered data breaches.
- TSA master key hackers expose dangers of physical and digital key
escrow policies - The hackers responsible for reproducing seven
master keys used by the Transportation Safety Administration (TSA)
to open locks commonly placed on luggage have now been able to
duplicate an eighth key.
- Fake Tinder sites lure users to give up financial info - In the
UK, 41 percent of online daters have been spammed or scammed when
using online dating services.
- Possible breach at GunMag Warehouse - A third-party provider is
being blamed for a possible breach into customer transactions at
- 'KeySniffer' attack allows wireless keyboard eavesdropping -
Bastille researchers spotted a “KeySniffer” vulnerability affecting
wireless keyboards from at least eight manufacturers, that could
allow an attacker to eavesdrop and record a victim's keystrokes from
hundreds of feet away.
- Kimpton Hotels investigates potential payment card breach -
Boutique hotel chain, Kimpton Hotels is investigating a potential
payment card breach at several of its locations across the U.S.
- Athens Orthopedic Clinic reports patient data breach - The Athens
Orthopedic Clinic (AOC) in Georgia is notifying patients of a data
breach that compromised the personal information of current and
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices or Information System Security."
When assessing information security products, management should be
aware that many products offer a combination of risk assessment
features, and can cover single or multiple operating systems.
Several organizations provide independent assessments and
certifications of the adequacy of computer security products (e.g.,
firewalls). While the underlying product may be certified, banks
should realize that the manner in which the products are configured
and ultimately used is an integral part of the products'
effectiveness. If relying on the certification, banks should
understand the certification process used by the organization
certifying the security product. Other examples of items to consider
in the risk assessment process include:
1) Identifying mission-critical information systems, and
determining the effectiveness of current information security
programs. For example, a vulnerability might involve critical
systems that are not reasonably isolated from the Internet and
external access via modem. Having up-to-date inventory listings of
hardware and software, as well as system topologies, is important in
2) Assessing the importance and sensitivity of information and the
likelihood of outside break-ins (e.g., by hackers) and insider
misuse of information. For example, if a large depositor list were
made public, that disclosure could expose the bank to reputational
risk and the potential loss of deposits. Further, the institution
could be harmed if human resource data (e.g., salaries and personnel
files) were made public. The assessment should identify systems that
allow the transfer of funds, other assets, or sensitive
data/confidential information, and review the appropriateness of
access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with
business partners. The other entity may have poor access controls
that could potentially lead to an indirect compromise of the bank's
system. Another example involves vendors that may be allowed to
access the bank's system without proper security safeguards, such as
firewalls. This could result in open access to critical information
that the vendor may have "no need to know."
4) Determining legal implications and contingent liability concerns
associated with any of the above. For example, if hackers
successfully access a bank's system and use it to subsequently
attack others, the bank may be liable for damages incurred by the
party that is attacked.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Network security requires effective implementation of several
control mechanisms to adequately secure access to systems and data.
Financial institutions must evaluate and appropriately implement
those controls relative to the complexity of their network. Many
institutions have increasingly complex and dynamic networks stemming
from the growth of distributed computing.
Security personnel and network administrators have related but
distinct responsibilities for ensuring secure network access across
a diverse deployment of interconnecting network servers, file
servers, routers, gateways, and local and remote client
workstations. Security personnel typically lead or assist in the
development of policies, standards, and procedures, and monitor
compliance. They also lead or assist in incident-response efforts.
Network administrators implement the policies, standards, and
procedures in their day-to-day operational role.
Internally, networks can host or provide centralized access to
mission-critical applications and information, making secure access
an organizational priority. Externally, networks integrate
institution and third-party applications that grant customers and
insiders access to their financial information and Web-based
services. Financial institutions that fail to restrict access
properly expose themselves to increased transaction, reputation, and
compliance risk from threats including the theft of customer
information, data alteration, system misuse, or denial-of-service
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
Applications and Data
Normally, the primary contingency strategy for applications and
data is regular backup and secure offsite storage. Important
decisions to be addressed include how often the backup is performed,
how often it is stored off-site, and how it is transported (to
storage, to an alternate processing site, or to support the
resumption of normal operations).
The need for computer security does not go away when an
organization is processing in a contingency mode. In some cases, the
need may increase due to sharing processing facilities,
concentrating resources in fewer sites, or using additional
contractors and consultants. Security should be an important
consideration when selecting contingency strategies.
11.4.4 Computer-Based Services
Service providers may offer contingency services. Voice
communications carriers often can reroute calls (transparently to
the user) to a new location. Data communications carriers can also
reroute traffic. Hot sites are usually capable of receiving data and
voice communications. If one service provider is down, it may be
possible to use another. However, the type of communications carrier
lost, either local or long distance, is important. Local voice
service may be carried on cellular. Local data communications,
especially for large volumes, is normally more difficult. In
addition, resuming normal operations may require another rerouting
of communications services.
11.4.5 Physical Infrastructure
Hot sites and cold sites may also offer office space in addition to
processing capability support. Other types of contractual
arrangements can be made for office space, security services,
furniture, and more in the event of a contingency. If the
contingency plan calls for moving offsite, procedures need to be
developed to ensure a smooth transition back to the primary
operating facility or to a new facility. Protection of the physical
infrastructure is normally an important part of the emergency
response plan, such as use of fire extinguishers or protecting
equipment from water damage.
11.4.6 Documents and Papers
The primary contingency strategy is usually backup onto magnetic,
optical, microfiche, paper, or other medium and offsite storage.
Paper documents are generally harder to backup than electronic ones.
A supply of forms and other needed papers can be stored offsite.