FDIC, NCUA, and the OCC do not have a requirement
that financial institutions change third-party vendors on a periodic
Any such decision would be up to the bank's management.
- What's a Good Cybersecurity Budget & How Do I Get It? - Fighting
for a departmental budget is never easy — and when your team is
responsible for the company's cybersecurity, it feels all the more
Chip to be embedded in employees can't be hacked, co. says - A
company looking to embed chips in the hands of employees so they can
use snack kiosks, log into computers and gain entry into company
facilities says it will use encryption to protect data and that GPS
data won't be collected.
Diagnosing employee phishing weaknesses key to improving email
security - Administering a phishing test and training without
knowing an employee's weakness is not only ineffective and
expensive, but unlikely to teach workers how to avoid a phishing
Election tech hacked within hours at DEF CON Voting Village - In
response to growing fears that future U.S. elections could be
altered by nation-state hackers, DEF CON 25 this year hosted its
first-ever Voting Village, where attendees were invited to tinker
with election technology and exploit its vulnerabilities.
Two Swedish officials resign over data breach fallout - Two senior
Swedish government officials have resigned in response to a data
breach stemming from the country's Transport Agency.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- IRS fails to resolve dozens of information security deficiencies,
GAO says - The IRS's ability to protect sensitive financial and
taxpayer data is limited by its failure to resolve numerous
information security deficiencies identified by the Government
Accountability Office (GAO).
Hack on Italy's largest bank affects 400,000 customers - Data about
loan accounts belonging to 400,000 customers of Italy's largest bank
has been put at risk by two security breaches.
Virgin America data breach hits employees and contractors - An
unauthorized third party managed to gain access to certain Virgin
America information systems containing employee and contractor data.
Anthem reports 18,500 members involved in new data breach - Anthem
Health Insurance is once again reporting a data breach, this time
18,500 members had their records emailed to the private email
address of a staffer at a third-party vendor.
HBO hacked: Game of Thrones, Ballers, Room 104 content involved -
Updated! HBO has been targeted by hackers who have reportedly
uploaded to the web upcoming episodes of Ballers, Room 104 along
with some written material allegedly from next week's Game of
Thrones with a promise to release more shortly.
Hackers steal Copyfish app from developer's Google Play account -
The Chrome version of the app Copyfish was compromised to push out
ads and spam after an employee of its publisher A9t9 fell for a
phishing scam and gave an unauthorized individual access to the
company's Play Store developer account.
Ransomware Attack on Merck Caused Widespread Disruption to
Operations - The pharmaceutical giant's global manufacturing,
research and sales operations have still not been fully restored
since the June
Hackers post info stolen from Mandiant analyst, threaten similar
attacks - After leaking data stolen from an analyst working for
Mandiant, a hacking group or individual going by the name "31337" is
threatening to victimize other cybersecurity experts in similar
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (11 of 12)
Last week's best
practices focused on the more common criteria that have been noted
in actual IRPs, but some banks have developed other effective
incident response practices. Examples of these additional practices
are listed below. Organizations may want to review these practices
and determine if any would add value to their IRPs given their
Additional IRP Best Practices
1) Test the incident response plan (via walkthrough or tabletop
exercises) to assess thoroughness.
2) Implement notices on login screens for customer information
systems to establish a basis for disciplinary or legal action.
3) Develop an incident grading system that quantifies the severity
of the incident, helps determine if the incident response plan needs
to be activated, and specifies the extent of notification
4) Provide periodic staff awareness training on recognizing
potential indicators of unauthorized activity and reporting the
incident through proper channels. Some institutions have established
phone numbers and e-mail distribution lists for reporting possible
5) Inform users about the status of any compromised system they may
6) Establish a list of possible consultants, in case the bank does
not have the expertise to handle or investigate the specific
incident (especially regarding technical compromises).
7) Establish evidence-gathering and handling procedures aimed at
preserving evidence of the incident and aiding in prosecution
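Practice 7 asks for evidence-gathering and handling procedures that preserve the evidence. One concrete piece of such a procedure is recording a cryptographic hash of each artifact at collection time and keeping a custody log, so that an analyst (or a court) can later show the artifact was not altered after it was collected. The following is an added example, not code from the FDIC guidance or from any bank's program; the artifact contents, the names of the people handling them, and the record layout are all constructed for illustration.

```python
"""Evidence-preservation helper (added example, not FDIC material).

Records a SHA-256 hash and a custody trail for each collected artifact,
then re-verifies the artifacts later. Artifact bytes and person names
below are constructed sample data; the record layout is an assumption.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes; this is the integrity anchor."""
    return hashlib.sha256(data).hexdigest()


def collect(artifacts: dict, collector: str) -> list:
    """Create one custody record per artifact ({name: bytes}) at collection."""
    records = []
    for name, content in artifacts.items():
        records.append({
            "artifact": name,
            "sha256": sha256_hex(content),
            "size": len(content),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "custody": [{"action": "collected", "by": collector}],
        })
    return records


def transfer(record: dict, from_person: str, to_person: str) -> dict:
    """Append a hand-off entry; the log is append-only, never rewritten."""
    record["custody"].append({
        "action": "transferred",
        "from": from_person,
        "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return record


def verify(records: list, artifacts: dict) -> dict:
    """Re-hash the current artifact bytes; True means unchanged since collection."""
    return {
        r["artifact"]: sha256_hex(artifacts[r["artifact"]]) == r["sha256"]
        for r in records
    }


def export_log(records: list) -> str:
    """Serialize the custody log for inclusion in the incident file."""
    return json.dumps(records, indent=2, sort_keys=True)


# Constructed artifacts "collected" from a compromised host.
ORIGINAL = {
    "auth.log": b"Aug  8 02:17:45 host sshd[1]: Accepted password for jdoe\n",
    "memory.dmp": bytes(range(64)),
}
# Constructed later state: memory.dmp was modified after collection.
LATER = {
    "auth.log": ORIGINAL["auth.log"],
    "memory.dmp": ORIGINAL["memory.dmp"] + b"\x00",
}


def run_demo() -> dict:
    """Collect, hand off, then verify; returns the per-artifact verdict."""
    records = collect(ORIGINAL, collector="first responder (constructed)")
    transfer(records[0], "first responder (constructed)", "forensic analyst (constructed)")
    return verify(records, LATER)


if __name__ == "__main__":
    records = collect(ORIGINAL, collector="first responder (constructed)")
    print(export_log(records))
    print(run_demo())  # auth.log verifies, memory.dmp does not
```

The verdict from `verify` is what the procedure is for: an artifact whose hash no longer matches has lost its evidentiary value, and the custody list shows who had it at each point. Hashing with SHA-256 (not MD5 or SHA-1) and keeping the log append-only are the two choices that make the record defensible.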
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Operational anomalies may be evidence of a broad number of issues,
one of which is potential intrusion. Anomalies that act as
intrusion-warning indicators fall into two categories, those
apparent in system processing, and those apparent outside the
System processing anomalies are evident in system logs and system
behavior. Good identification involves pre-establishing which system
processing data streams will be monitored for anomalies, defining
which anomalies constitute an indicator of an intrusion, and the
frequency of the monitoring. For example, remote access logs can be
reviewed daily for access during unusual times. Other logs can be
reviewed on other regular cycles for other unusual behaviors. System
behavior covers a broad range of issues, from CPU utilization to
network traffic protocols, quantity and destinations. One example of
a processing anomaly is CPU utilization approaching 100% when the
scheduled jobs typically require much less. Anomalous behavior,
however, may not signal an intrusion.
Outside the system, detection is typically based on system output,
such as unusual Automated Clearing House transactions or bill
payment transactions. Those unusual transactions may be flagged as a
part of ordinary transaction reviews, or customers and other system
users may report them. Customers and other users should be advised
as to where and how to report anomalies. The anomalous output,
however, may not signal an intrusion.
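The two preceding paragraphs describe the two categories of indicator: system-processing anomalies visible in logs and system behaviour (remote-access logons at unusual times, CPU utilisation far above what the scheduled jobs need) and output anomalies such as unusual ACH transactions. The following added example, which is not part of the FFIEC booklet, runs simple detection logic over constructed data of each kind. The log format, the business-hours window, the CPU threshold and the z-score cut-off are assumptions an institution would replace with its own pre-established baselines; as the text notes, each flag is an indicator to investigate, not proof of an intrusion.

```python
"""Intrusion-warning indicators of both kinds (added example, not FFIEC text).

All sample data is constructed. Thresholds are assumptions to be tuned to
the institution's own baseline.
"""
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed remote-access log: "ISO-timestamp user result source" (assumed format).
REMOTE_ACCESS_LOG = """\
2017-08-07T08:05:12 jdoe LOGIN_OK 203.0.113.10
2017-08-07T12:41:03 asmith LOGIN_OK 198.51.100.7
2017-08-08T02:17:45 jdoe LOGIN_OK 203.0.113.10
2017-08-08T03:02:09 jdoe LOGIN_FAIL 203.0.113.44
2017-08-08T09:15:30 asmith LOGIN_OK 198.51.100.7
"""

# Assumed business window: 07:00-19:00, Monday to Friday.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_remote_access(log_text: str) -> list:
    """Parse the constructed log format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "src": src})
    return events


def unusual_time_access(events: list) -> list:
    """System-processing indicator: access outside business hours or on weekends."""
    flagged = []
    for e in events:
        t = e["ts"]
        off_hours = not (BUSINESS_START <= t.time() < BUSINESS_END)
        weekend = t.weekday() >= 5
        if off_hours or weekend:
            flagged.append(e)
    return flagged


# Constructed CPU utilisation (percent) sampled during each scheduled batch window.
CPU_SAMPLES = [35, 40, 38, 42, 37, 98]


def cpu_anomalies(samples: list, baseline_n: int = 5, threshold_pct: int = 90) -> list:
    """System-behaviour indicator: utilisation near 100% when the baseline
    (the first baseline_n samples) typically requires much less."""
    typical = mean(samples[:baseline_n])
    return [(i, v) for i, v in enumerate(samples)
            if v >= threshold_pct and v > 2 * typical]


# Constructed ACH debit amounts (USD) for one originator over several cycles.
ACH_AMOUNTS = [1200.00, 1180.50, 1225.00, 1190.00, 1210.00, 48000.00]


def transaction_outliers(amounts: list, z: float = 3.0) -> list:
    """System-output indicator: amounts more than z standard deviations from
    the mean of the *other* amounts (leave-one-out, so an outlier cannot
    hide itself by inflating the statistics it is compared against)."""
    flagged = []
    for i, a in enumerate(amounts):
        others = amounts[:i] + amounts[i + 1:]
        mu, sd = mean(others), pstdev(others)
        if sd and abs(a - mu) / sd > z:
            flagged.append((i, a))
    return flagged


def central_report() -> dict:
    """Collect every indicator in one place, mirroring the booklet's advice
    that IDS output and anomalous behaviour be reported centrally."""
    events = parse_remote_access(REMOTE_ACCESS_LOG)
    return {
        "unusual_time_access": [(e["ts"].isoformat(), e["user"], e["result"])
                                for e in unusual_time_access(events)],
        "cpu_anomalies": cpu_anomalies(CPU_SAMPLES),
        "transaction_outliers": transaction_outliers(ACH_AMOUNTS),
    }


if __name__ == "__main__":
    for kind, hits in central_report().items():
        print(f"{kind}: {hits}")
```

Each function returns its flags rather than acting on them: in practice these results feed the central reporting the next paragraph calls for, and the alerting itself should travel over a channel the intruder is not presumed to control.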
Central reporting and analysis of all IDS output, honeypot
monitoring, and anomalous system behavior assists in the intrusion
identification process. Any intrusion reporting should use
out-of-band communications mechanisms to protect the alert from
being intercepted or compromised by an intruder.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Since all controls help to prevent contingencies, there is an
interdependency with all of the controls in the handbook.
Risk Management provides a tool for analyzing the security
costs and benefits of various contingency planning options. In
addition, a risk management effort can be used to help identify
critical resources needed to support the organization and the likely
threat to those resources. It is not necessary, however, to perform
a risk assessment prior to contingency planning, since the
identification of critical resources can be performed during the
contingency planning process itself.
Physical and Environmental Controls help prevent
contingencies. Although many of the other controls, such as logical
access controls, also prevent contingencies, the major threats that
a contingency plan addresses are physical and environmental threats,
such as fires, loss of power, plumbing breaks, or natural disasters.
Incident Handling can be viewed as a subset of contingency
planning. It is the emergency response capability for various
technical threats. Incident handling can also help an organization
prevent future incidents.
Support and Operations in most organizations includes the
periodic backing up of files. It also includes the prevention and
recovery from more common contingencies, such as a disk failure or
corrupted data files.
Policy is needed to create and document the organization's
approach to contingency planning. The policy should explicitly
11.8 Cost Considerations
The cost of developing and implementing contingency planning
strategies can be significant, especially if the strategy includes
contracts for backup services or duplicate equipment. There are too
many options to discuss cost considerations for each type.
One contingency cost that is often overlooked is the cost of
testing a plan. Testing provides many benefits and should be
performed, although some of the less expensive methods (such as a
review) may be sufficient for less critical resources.