- Our cybersecurity testing meets
the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense.
To receive due diligence information, agreement and, cost saving fees,
please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.
- Nearly all Americans support and want retaliation for cyberattacks
- The vast majority of Americans are calling for retaliation in the
wake of cyberattacks that compromise sensitive government data.
Car Hacking Shifts Into High Gear - Researchers now have proven you
can hack a car remotely, and at Black Hat USA will share most -- but
not all -- of the details on how they did it. If a car's brakes
suddenly fail and send it careening uncontrollably into a ditch, how
do you know whether it was a mechanical failure or the work of a
On Tuesday morning, Senators Ed Markey and Richard Blumenthal plan
to introduce new legislation that’s designed to require cars sold in
the U.S. to meet certain standards of protection against digital
attacks and privacy.
All smartwatches are vulnerable to attack, finds study - The report
is seen as a good indicator of the current security posture of
smartwatch devices given the similarity of issues raised, such as
insufficient authentication, weak encryption and other privacy
Security experts and regular users vastly different in preferred
safety practices - Even with an excess of advice on online best
security practices, experts in the field and regular users implement
different strategies to cope with cyber threats, and not all
adequately keep devices protected.
- Power Grid Is America’s Biggest Weakness, New Security Report
Confirms - Power grid down disaster scenarios are not just fodder
for movie plots - they pose a pressing concerns for government and
security experts as well.
- Pakistan bans BlackBerry Enterprise Server - Telcos told to switch
off BES-as-a-service in December - Pakistan has reportedly ordered
the nation's carriers to cease offering services that route email
through BlackBerry Enterprise Server (BES), a product that among
other things encrypts email.
- NYU conference encourages women to pursue cybersecurity -
Cybersecurity's the “it” tech field of the moment, there's no doubt
about that, with multiple major breaches in just the past couple
years and a newfound emphasis on security in both the private and
- Privacy advocacy group sends 6.1 million faxes to Senate to
protest CISA - Privacy advocacy group Fight For the Future's
campaign “Operation: #FaxBigBrother” has thus far generated 6.1
million faxes sent to members of the Senate to protest the
Cybersecurity Information Sharing Act (CISA).
- GAO - Facial Recognition Technology: Commercial Uses, Privacy
Issues, and Applicable Federal Law -
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
US Census Bureau IT systems hacked, data leaked by Anonymous -
Another OPM scandal, this is not - Anonymous hackers have swiped
databases from servers used by the US Census Bureau, and dumped
their contents online. The bureau, as you might imagine, collects
information on the American population every 10 years – although the
leaked data does not include citizens' census records.
hit with DDoS attack from man who hates NYC - NYMag.com was hit with
a distributed-denial-of-service (DDoS) attack that lasted about 12
hours and was executed by a man with a vendetta against all things
New York, according to Quartz.
Parenthood investigates breach amid claims its systems were accessed
- Planned Parenthood is investigating possible unauthorized access
to its systems following reports that attackers released website
databases on Sunday night that included employee names and email
affects 3,000 clients enrolled in Georgia state program -
Approximately 3,000 clients of the Community Care Services Program
in Georgia are being notified that the Division of Aging Services
inadvertently emailed their personal data to a contracted provider
that was not authorized to view the information.
5,300 Healthfirst members caught up in fraud scheme - New York-based
Healthfirst is notifying about 5,300 current and former members that
their personal information may have been compromised in a criminal
Massachusetts General Hospital patients notified of data incident -
Massachusetts General Hospital (MGH) is notifying 648 patients that
an employee inadvertently sent an email containing their personal
information to the wrong email address.
reportedly hacked by same group that breached Anthem, OPM -
previously unannounced breach at United Airlines could be the work
of Chinese hackers who allegedly pilfered information from insurance
company Anthem and the Office of Personnel Management (OPM), and are
aiming at amassing data on millions of American government officials
and private citizens.
issues fix for OnStar hack, but service still vulnerable - Just last
week Chrysler recalled 1.4 million vehicles after hackers revealed a
software bug. Now, a new hack exposes a vulnerability in GM vehicles
equipped with OnStar. GM issued a quick fix, however, hacker Samy
Kamkar has confirmed the problem still exists.
chaos as data breach costs roll into the millions - French
broadcaster TV5Monde is still without Internet and other key IT
functions three months after a nation-state hacker took control of
its TV channels and hijacked social media accounts. Meanwhile, the
data breach costs are mounting up.
Parenthood websites downed in DDoS attack - Planned Parenthood
websites have gone down and are, according to the main page,
Hospital backup data tapes go missing, thousands affected -
Massachusetts-based McLean Hospital is notifying about 12,600
individuals that their personal information was on four unencrypted
backup data tapes – related to the Harvard Brain Tissue Resource
Center (HBTRC) – that have gone missing.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
• Determine adequacy of the
service provider’s standards, policies and procedures relating
to internal controls, facilities management (e.g., access
requirements, sharing of facilities, etc.), security (e.g.,
systems, data, equipment, etc.), privacy protections,
maintenance of records, business resumption contingency
planning, systems development and maintenance, and employee
• Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
• Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that
are relevant to the services they are providing. (e.g.,
Regulation E, privacy and other consumer protection regulations,
Bank Secrecy Act, etc.).
• Assess the adequacy of the service provider’s insurance
coverage including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
• Analyze the service provider’s
most recent audited financial statements and annual report as
well as other indicators (e.g., publicly traded bond ratings),
• Consider factors such as how long the service provider has
been in business and the service provider’s market share for a
given service and how it has fluctuated.
• Consider the significance of the institution’s proposed
contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s
level of investment in technology consistent with supporting the
institution’s activities? Does the service provider have the
financial resources to invest in and support the required
the top of the newsletter
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and
asymmetric. With a symmetric key system (also known as secret key
or private key systems), all parties have the same key. The keys
can be used to encrypt and decrypt messages, and must be kept secret
or the security is compromised. For the parties to get the same
key, there has to be a way to securely distribute the key to each
party. While this can be done, the security controls necessary make
this system impractical for widespread and commercial use on an open
network like the Internet. Asymmetric key systems can solve this
In an asymmetric key system (also known as a public key system),
two keys are used. One key is kept secret, and therefore is referred
to as the "private key." The other key is made widely available to
anyone who wants it, and is referred to as the "public key." The
private and public keys are mathematically related so that
information encrypted with the private key can only be decrypted by
the corresponding public key. Similarly, information encrypted with
the public key can only be decrypted by the corresponding private
key. The private key, regardless of the key system utilized, is
typically specific to a party or computer system. Therefore, the
sender of a message can be authenticated as the private key holder
by anyone decrypting the message with a public key. Importantly, it
is mathematically impossible for the holder of any public key to use
it to figure out what the private key is. The keys can be stored
either on a computer or on a physically separate medium such as a
Regardless of the key system utilized, physical controls must exist
to protect the confidentiality and access to the key(s). In
addition, the key itself must be strong enough for the intended
application. The appropriate encryption key may vary depending on
how sensitive the transmitted or stored data is, with stronger keys
utilized for highly confidential or sensitive data. Stronger
encryption may also be necessary to protect data that is in an open
environment, such as on a Web server, for long time periods.
Because the strength of the key is determined by its length, the
longer the key, the harder it is for high-speed computers to break
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Vulnerabilities Related to Information Disclosure/Brokerage
HGA takes a
conservative approach toward protecting information about its
employees. Since information brokerage is more likely to be a threat
to large collections of data, HGA risk assessment focused primarily,
but not exclusively, on protecting the mainframe.
The risk assessment
concluded that significant, avoidable information brokering
vulnerabilities were present--particularly due to HGA's lack of
compliance with its own policies and procedures. Time and attendance
documents were typically not stored securely after hours, and few
PCs containing time and attendance information were routinely
locked. Worse yet, few were routinely powered down, and many were
left logged into the LAN server overnight. These practices make it
easy for an HGA employee wandering the halls after hours to browse
or copy time and attendance information on another employee's desk,
PC hard disk, or LAN server directories.
The risk assessment
pointed out that information sent to or retrieved from the server is
subject to eavesdropping by other PCs on the LAN. The LAN hardware
transmits information by broadcasting it to all connection points on
the LAN cable. Moreover, information sent to or retrieved from the
server is transmitted in the clear--that is, without encryption.
Given the widespread availability of LAN "sniffer" programs, LAN
eavesdropping is trivial for a prospective information broker and,
hence, is likely to occur.
Last, the assessment
noted that HGA's employee master database is stored on the
mainframe, where it might be a target for information brokering by
employees of the agency that owns the mainframe. It might also be a
target for information brokering, fraudulent modification, or other
illicit acts by any outsider who penetrates the mainframe via
another host on the WAN.