- Our cybersecurity testing meets
the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense.
To receive due diligence information, agreement and, cost saving fees,
please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.
- On August 6, 2015 Stephen W. Warren was named Chief Information
Officer (CIO) at the Office of the Comptroller of the Currency
(OCC). As CIO, Mr. Warren will lead all OCC information technology
(IT) programs, supporting the agency's mission of ensuring the
safety and soundness of national banks as well as fair and equal
access to financial services for all Americans.
- China announces plans to install police units at internet
companies - The Chinese government plans to embed cybersecurity
police units into major Chinese internet companies, according to a
Wall Street Journal report.
- TV5Monde in chaos as data breach costs roll into the millions -
French broadcaster TV5Monde is still without Internet and other key
IT functions three months after a nation-state hacker took control
of its TV channels and hijacked social media accounts. Meanwhile,
the data breach costs are mounting up.
- Women in IT Security: Women of influence - We enlisted a team of
moderators to ask a number of prominent IT security professionals
about the challenges they faced as a woman entering the field, the
prejudices they deal with every day and the skills they use to
navigate within their business.
- Secret NSA map shows Chinese cyberespionage targets in U.S. - A
secret National Security Agency (NSA) map shows the location of
“Victims of Chinese Cyber Espionage" attacks launched by China
against the U.S. over a five-year period, according to NBC News.
- Phishing campaign strikes U.K. and U.S. companies - A phishing
campaign of millions of messages has been aimed at organisations in
the UK and US. Discovered by Proofpoint, the campaign employs bait
via an authentic voice message containing an LNK attachment—an
unusual method of delivering malware.
- Interpol is training police to fight crime on the Darknet - Police
officers from around a dozen countries have just completed a
five-day course on Tor hidden services, illegal marketplaces and
cryptocurrencies to help them investigate crimes on the Darknet.
- Sysadmin jailed for a decade after slurping US military docs -
American gov contractor goes rogue? We've heard this before - A US
Air Force contractor has been sentenced to 10 years in prison and
three years of supervised release for stealing classified documents,
in addition to conspiracy to commit naturalisation fraud.
- Survey exposes consumer fears about car hacking - In the wake of
two high-profile car hacking reports, a new Kelley Blue Book survey
suggests consumers are increasingly concerned about automotive
cybersecurity, and those concerns could influence new purchases.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Reported attack on United Airlines
shows everyone has valuable data to protect - All information has
potential value to hackers. The latest example: A reported breach of
network security at United Airlines that swept up flight manifests.
Yes, just lists of people on an airplane.
- PagerDuty requires password change for all customers following
breach - Alarm aggregation and dispatching service PagerDuty
detected an unauthorized intrusion by an attacker who gained access
to customer information, and the company is now requiring that all
customers change their passwords.
- Oklahoma restaurant hit with POS breach, possibly from outside
country - A Mexican restaurant in Durant, Okla., experienced a
point-of-sale (POS) breach that may have originated from outside the
- US authority warns hospitals over use of hackable drug pump - The
US Food and Drug Administration is now "strongly encouraging"
hospitals not to use a leading brand of drug pump over hacking
- Hacker steals Bitdefender customer log-in credentials, attempts
blackmail - The hacker exploited a vulnerability in an outdated
software component to extract information from a single server.
- Russian hackers accessed Pentagon's unclassified email system -
Russian hackers allegedly accessed the Pentagon's Joint Staff
unclassified email system, which led the agency to take the service
offline for nearly two weeks.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Some considerations for contracting with service providers are
discussed below. This listing is not all-inclusive and the
institution may need to evaluate other considerations based on its
unique circumstances. The level of detail and relative importance of
contract provisions varies with the scope and risks of the services
Scope of Service
The contract should clearly describe the rights and responsibilities
of parties to the contract.
• Timeframes and activities for
implementation and assignment of responsibility.
Implementation provisions should take into consideration other
existing systems or interrelated systems to be developed by
different service providers (e.g., an Internet banking system
being integrated with existing core applications or systems
• Services to be performed by the service provider including
duties such as software support and maintenance, training of
employees or customer service.
• Obligations of the financial institution.
• The contracting parties’ rights in modifying existing services
performed under the contract.
• Guidelines for adding new or different services and for
Institutions should generally include performance standards defining
minimum service level requirements and remedies for failure to meet
standards in the contract. For example, common service level metrics
include percent system uptime, deadlines for completing batch
processing, or number of processing errors. Industry standards for
service levels may provide a reference point. The institution should
periodically review overall performance standards to ensure
consistency with its goals and objectives.
the top of the newsletter
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Digital signatures authenticate the identity of a sender, through
the private, cryptographic key. In addition, every digital
signature is different because it is derived from the content of the
message itself. T he combination of identity authentication and
singularly unique signatures results in a transmission that cannot
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a mathematical algorithm that
generates what is known as a message digest (a unique, character
representation of the data). This process is known as the "hash."
The message digest is then encrypted with a private key, and sent
along with the message. The recipient receives both the message and
the encrypted message digest. The recipient decrypts the message
digest, and then runs the message through the hash function again.
If the resulting message digest matches the one sent with the
message, the message has not been altered and data integrity is
verified. Because the message digest was encrypted with a private
key, the sender can be identified and bound to the specific
message. The digital signature cannot be reused, because it is
unique to the message. In the above example, data privacy and
confidentiality could also be achieved by encrypting the message
itself. The strength and security of a digital signature system is
determined by its implementation, and the management of the
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
The risk assessment
concurred with the general approach taken by HGA, but identified
several vulnerabilities. It reiterated previous concerns about the
lack of assurance associated with the server's access controls and
pointed out that these play a critical role in HGA's approach. The
assessment noted that the e-mail utility allows a user to include a
copy of any otherwise accessible file in an outgoing mail message.
If an attacker dialed in to the server and succeeded in logging in
as an HGA employee, the attacker could use the mail utility to
export copies of all the files accessible to that employee. In fact,
copies could be mailed to any host on the Internet.
The assessment also
noted that the WAN service provider may rely on microwave stations
or satellites as relay points, thereby exposing HGA's information to
eavesdropping. Similarly, any information, including passwords and
mail messages, transmitted during a dial-in session is subject to
Recommendations for Mitigating the Identified Vulnerabilities
The discussions in the
following subsections were chosen to illustrate a broad sampling
of handbook topics. Risk management and security program management
themes are integral throughout, with particular emphasis given to
the selection of risk-driven safeguards.