- Our cybersecurity testing meets
the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense.
To receive due diligence information, the agreement and cost-saving fees,
please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.
- Government budget agency drafts contractor cybersecurity
guidelines - The Office of Management and Budget (OMB) proposed new
cybersecurity guidelines earlier this week to help government
agencies draft contracts with third-party groups.
- China to plant Internet police in top online firms - China is also
considering legislation that will give the government more control
over the Internet - China's control over the Internet is set to
expand. In a bid to better police local websites, the country's
security forces are establishing offices at the biggest online
companies in the country.
- Tutor who helped students cheat by keylogging teachers gets 1 year
in prison - A 29-year-old tutor was charged with 20 counts of computer
access and fraud. On Tuesday, a Southern California tutor pleaded
guilty to computer fraud and burglary for placing keylogging
software on teachers' computers to steal login credentials, which he
used to change students' grades and look at upcoming testing
material. The sentence was one year in prison and five years on
- Internet-Connected Gas Pumps Are a Lure for Hackers - If attackers
could cause a gas station’s tanks to overflow or prevent leak alarms
from sounding, it could have devastating consequences—particularly
if they struck multiple pumps in a region at once.
- Technology firm loses nearly $47 million in digital transfer fraud -
Ubiquiti Networks, a wireless networking products provider, lost
nearly $47 million in cyber fraud involving phony transfer requests
earlier this year.
- Windows 10 shares user data with Microsoft, even after disabling
settings - While Microsoft offers users a free upgrade to its
Windows 10 operating system, its flashy new offerings come packaged
with something more sinister: settings that have privacy advocates
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- American Airlines, Sabre Said to Be Hit in China-Tied Hacks - A
group of China-linked hackers that has mowed through the databanks
of major American health insurers and stolen personnel records of
U.S. military and intelligence agencies has struck at the heart of
the nation’s air-travel system, say people familiar with
investigations of the attacks.
- American Airlines denies hack, but reinforces security efforts -
American Airlines is redoubling its efforts to ensure its computer
systems are secure in light of an apparent security incident at its
one-time subsidiary Sabre.
- Pentagon email hacked, Russia already blamed - Message system for
Joint Chiefs of Staff has been down for 11 days and counting - A
chunk of the US Department of Defense's email system has been down
for 11 days, following what appears to have been a successful
attempt to hack it.
- Ransomware attack strikes Dayton, Ohio-area planning commission -
The Miami Valley Regional Planning Commission (MVRPC) just reported
that last month it was the victim of a ransomware attack that
impacted about 15,000 files.
- China Read Emails of Top U.S. Officials - China's cyber spies have
accessed the private emails of "many" top Obama administration
officials, according to a senior U.S. intelligence official and a
top secret document obtained by NBC News, and have been doing so
since at least April 2010.
- HHS hacked five times in three years - Hackers have breached at
least five divisions of the Department of Health & Human Services (HHS)
over the last three years.
- Chiefs of Staff's email system back online after phishing hack - The
U.S. Joint Chiefs of Staff's unclassified email system was brought
back online Monday and the Department of Defense (DOD) confirmed
that the system had been swept of malicious software.
misplaces flash drive containing data on nearly 12,000 Katy ISD
employees - Katy Independent School District (ISD) in Texas is
notifying nearly 12,000 current and former employees that an
Internal Revenue Service (IRS) agent misplaced a portable flash
drive containing their personal information while conducting a
random audit under the direction of the IRS.
hack a Corvette's brakes via insurance black box - Researchers
exploit a Web-connected insurance monitor to hijack a car using text
messages. The list of ways to electronically hijack cars is growing
thanks to devices used to monitor drivers' roadway behavior.
- SterlingBackcheck laptop stolen, contained data on about 100K
individuals - SterlingBackcheck, a New York-based background
screening services firm, is notifying about 100,000 individuals that
a password protected, unencrypted laptop containing their personal
information was stolen from an employee's vehicle.
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Security and Confidentiality
The contract should address the service provider’s
responsibility for security and confidentiality of the institution’s
resources (e.g., information, hardware). The agreement should
prohibit the service provider and its agents from using or
disclosing the institution’s information, except as necessary to or
consistent with providing the contracted services, to protect
against unauthorized use (e.g., disclosure of information to
institution competitors). If the service provider receives
nonpublic personal information regarding the institution’s
customers, the institution should notify the service provider to
assess the applicability of the privacy regulations. Institutions
should require the service provider to fully disclose breaches in
security resulting in unauthorized intrusions into the service
provider that may materially affect the institution or its
customers. The service provider should report to the institution
when material intrusions occur, the effect on the institution, and
corrective action to respond to the intrusion.
Consideration should be given to contract provisions addressing
control over operations such as:
• Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and
the institution’s approval rights regarding material changes to
services, systems, controls, key project personnel allocated to
the institution, and new service locations.
• Setting and monitoring of parameters relating to any financial
functions, such as payments processing and any extensions of
credit on behalf of the
• Insurance coverage to be maintained by the service provider.
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non-repudiation, data
privacy, and cryptographic key management. A certificate authority
(CA) is a trusted third party that verifies the identity of a party
to a transaction. To do this, the CA vouches for the identity of a
party by attaching the CA's digital signature to any messages,
public keys, etc., which are transmitted. Obviously, the CA must be
trusted by the parties involved, and identities must have been
proven to the CA beforehand. Digital certificates are messages that
are signed with the CA's private key. They identify the CA, the
represented party, and could even include the represented party's
The responsibilities of CAs and their position among emerging
technologies continue to develop. They are likely to play an
important role in key management by issuing, retaining, or
distributing public/private key pairs.
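As an added illustration (not part of the FDIC text), the following Go program builds the trust relationship the paragraphs above describe: a CA signs a certificate that binds a party's name to the party's public key, and a relying party accepts that certificate only if it chains to a CA in its own trust store. A certificate with a perfectly valid signature from a CA the relying party never chose to trust is rejected, which is the "the CA must be trusted by the parties involved" point in practice. The CA names and the subject name are made up for the example, and only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certificate authority: the certificate relying parties trust and the
// private key the CA uses to sign the certificates it issues.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root: the template is its own parent and the CA key signs it.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Issue is the CA vouching for a party: it signs a certificate binding the party's
// name to its public key. The party's key pair is generated here only for self-containment.
func (ca *CA) Issue(name string) (*x509.Certificate, error) {
	partyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &partyKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted is the relying party's check: accept only if the signature chain ends at a
// CA in its own trust store. A valid signature from an unknown CA proves nothing.
func Trusted(cert *x509.Certificate, trustStore ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, root := range trustStore {
		roots.AddCert(root)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	bank, err := NewCA("Example Bank Root CA") // hypothetical CA
	if err != nil {
		panic(err)
	}
	rogue, err := NewCA("Rogue CA") // a CA the bank never chose to trust
	if err != nil {
		panic(err)
	}
	genuine, _ := bank.Issue("customer-0001") // hypothetical subject
	forged, _ := rogue.Issue("customer-0001") // same name, signed by the wrong CA
	fmt.Println("genuine, bank trust store:", Trusted(genuine, bank.Cert)) // true
	fmt.Println("forged, bank trust store: ", Trusted(forged, bank.Cert))  // false
	fmt.Println("genuine, empty trust store:", Trusted(genuine))          // false
}
```

The decision is made by the trust store, not by the mathematics of the signature: the forged certificate verifies the moment the rogue CA is added to the store, which is why the choice of which CAs to trust, and the identity proofing those CAs perform, matters as much as the cryptography.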
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies and methods can be used individually, or in
combination with one another. Some techniques may merely encrypt
data in transit from one location to another. While this keeps the
data confidential during transmission, it offers little in regard to
authentication and non-repudiation. Other techniques may utilize
digital signatures, but still require the encrypted submission of
sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to
ensure the sensitive information remains protected once received and
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized. Care should be taken
to ensure the techniques utilized are sufficient to meet the
required needs of the institution. All of the technical and
implementation differences should be explored when determining the
most appropriate package.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Mitigating Payroll Fraud Vulnerabilities
To remove the
vulnerabilities related to payroll fraud, the risk assessment team
recommended the use of stronger authentication mechanisms based on
smart tokens to generate one-time passwords that cannot be used by
an interloper for subsequent sessions. Such mechanisms would make it
very difficult for outsiders (e.g., from the Internet) who penetrate
systems on the WAN to use them to attack the mainframe. The authors
noted, however, that the mainframe serves many different agencies,
and HGA has no authority over the way the mainframe is configured
and operated. Thus, the costs and procedural difficulties of
implementing such controls would be substantial. The assessment team
also recommended improving the server's administrative procedures
and the speed with which security-related bug fixes distributed by
the vendor are installed on the server.
After input from COG
security specialists and application owners, HGA's managers accepted
most of the risk assessment team's recommendations. They decided
that since the residual risks from the falsification of time sheets
were acceptably low, no changes in procedures were necessary.
However, they judged the risks of payroll fraud due to the
interceptability of LAN server passwords to be unacceptably high,
and thus directed COG to investigate the costs and procedures
associated with using one-time passwords for Time and Attendance
Clerks and supervisor sessions on the server. Other users performing
less sensitive tasks on the LAN would continue to use password-based
While the immaturity of
the LAN server's access controls was judged a significant source of
risk, COG was only able to identify one other PC LAN product that
would be significantly better in this respect. Unfortunately, this
product was considerably less friendly to users and application
developers, and incompatible with other applications used by HGA.
The negative impact of changing PC LAN products was judged too high
for the potential incremental gain in security benefits.
Consequently, HGA decided to accept the risks accompanying use of
the current product, but directed COG to improve its monitoring of
the server's access control configuration and its responsiveness to
vendor security reports and bug fixes.
HGA concurred that
risks of fraud due to unauthorized modification of time and
attendance data at or in transit to the mainframe should not be
accepted unless no practical solutions could be identified. After
discussions with the mainframe's owning agency, HGA concluded that
the owning agency was unlikely to adopt the advanced authentication
techniques advocated in the risk assessment. COG, however, proposed
an alternative approach that did not require a major resource
commitment on the part of the mainframe owner.
approach would employ digital signatures based on public key
cryptographic techniques to detect unauthorized modification of time
and attendance data. The data would be digitally signed by
the supervisor using a private key prior to transmission to the
mainframe. When the payroll application program was run on the
mainframe, it would use the corresponding public key to validate the
correspondence between the time and attendance data and the
signature. Any modification of the data during transmission over the
WAN or while in temporary storage at the mainframe would result in a
mismatch between the signature and the data. If the payroll
application detected a mismatch, it would reject the data; HGA
personnel would then be notified and asked to review, sign, and send
the data again. If the data and signature matched, the payroll
application would process the time and attendance data normally.
HGA's decision to use
advanced authentication for time and attendance Clerks and
Supervisors can be combined with digital signatures by using smart
tokens. Smart tokens are programmable devices, so they can be loaded
with private keys and instructions for computing digital signatures
without burdening the user. When supervisors approve a batch of time
and attendance data, the time and attendance application on the
server would instruct the supervisor to insert their token in the
token reader/writer device attached to the supervisors' PC. The
application would then send a special "hash" (summary) of the time
and attendance data to the token via the PC. The token would
generate a digital signature using its embedded secret key, and then
transfer the signature back to the server, again via the PC. The
time and attendance application running on the server would append
the signature to the data before sending the data to the mainframe
and, ultimately, the payroll application.
Although this approach
does not address the broader problems posed by the mainframe's I&A
vulnerabilities, it does provide a reliable means of detecting time
and attendance data tampering. In addition, it protects against
bogus time and attendance submissions from systems connected to the
WAN because individuals who lack a time and attendance supervisor's
smart token will be unable to generate valid signatures. (Note,
however, that the use of digital signatures does require increased
administration, particularly in the area of key management.) In
summary, digital signatures mitigate risks from a number of
different kinds of threats.
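The signing and verification flow described in the preceding paragraphs (the supervisor's private key signs a hash of the time and attendance data, the payroll application verifies it with the matching public key, and a mismatch causes rejection and resubmission), written out as an added Go example that is not part of the NIST handbook text. The supervisor's smart token is modelled as a Token type that holds the private key and accepts only a digest; the server serializes the batch, hashes it, has the token sign the digest and appends the signature; the payroll side recomputes the digest over what it actually received and verifies it. The batch contents, supervisor and employee identifiers are constructed sample data, and ECDSA over P-256 with SHA-256 is the example's own choice, since the handbook names no algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// TimeRecord is one employee's hours for the pay period (constructed sample data).
type TimeRecord struct {
	Employee string  `json:"employee"`
	Hours    float64 `json:"hours"`
}

// Batch is the unit a supervisor approves and the payroll application consumes.
type Batch struct {
	Supervisor string       `json:"supervisor"`
	Period     string       `json:"period"`
	Records    []TimeRecord `json:"records"`
}

// Envelope is what crosses the WAN: the serialized batch plus the appended signature.
type Envelope struct {
	Data      []byte
	Signature []byte
}

// Token models the supervisor's smart token: the private key never leaves it.
type Token struct {
	key *ecdsa.PrivateKey
}

func NewToken() (*Token, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{key: key}, nil
}

// PublicKey is what the payroll application is provisioned with for this supervisor.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.key.PublicKey }

// Sign is the token's only operation: the PC hands it a digest and gets a signature back.
func (t *Token) Sign(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.key, digest)
}

// Approve is the server-side step: serialize, hash, have the token sign the hash, append.
func Approve(b Batch, tok *Token) (Envelope, error) {
	data, err := json.Marshal(b)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(data)
	sig, err := tok.Sign(digest[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Data: data, Signature: sig}, nil
}

// Validate is the payroll application's step: recompute the digest over the bytes actually
// received and verify it with the supervisor's public key; any change breaks the match.
func Validate(env Envelope, supervisorKey *ecdsa.PublicKey) (Batch, error) {
	digest := sha256.Sum256(env.Data)
	if !ecdsa.VerifyASN1(supervisorKey, digest[:], env.Signature) {
		return Batch{}, fmt.Errorf("signature mismatch: batch rejected, resubmission required")
	}
	var b Batch
	if err := json.Unmarshal(env.Data, &b); err != nil {
		return Batch{}, err
	}
	return b, nil
}

// TamperInTransit simulates an attacker on the WAN padding the first employee's hours
// while leaving the supervisor's original signature attached.
func TamperInTransit(env Envelope, extraHours float64) (Envelope, error) {
	var b Batch
	if err := json.Unmarshal(env.Data, &b); err != nil {
		return Envelope{}, err
	}
	b.Records[0].Hours += extraHours
	data, _ := json.Marshal(b) // a struct of plain fields cannot fail to marshal
	return Envelope{Data: data, Signature: env.Signature}, nil
}

func main() {
	tok, _ := NewToken()
	batch := Batch{Supervisor: "sup-01", Period: "2015-08-PP1", // constructed sample
		Records: []TimeRecord{{Employee: "emp-100", Hours: 80}, {Employee: "emp-101", Hours: 72.5}}}
	env, _ := Approve(batch, tok)
	_, okErr := Validate(env, tok.PublicKey())
	bad, _ := TamperInTransit(env, 40)
	_, badErr := Validate(bad, tok.PublicKey())
	fmt.Println("untouched accepted:", okErr == nil, "padded rejected:", badErr != nil) // true true
}
```

Two properties of the handbook's design show up directly: the server and the PC only ever see a digest and a signature, never the private key, so a compromised LAN server cannot forge approvals on its own; and a batch signed with any key other than the provisioned supervisor's is rejected just like a tampered one, which is the protection against bogus submissions from other systems on the WAN. What the code does not solve is key management, the administrative burden the handbook flags: the payroll side must be provisioned with the right public key per supervisor and must be able to revoke it when a token is lost.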
concluded that digitally signing time and attendance data was a
practical, cost-effective way of mitigating risks, and directed COG
to pursue its implementation. (They also noted that it would be
useful as the agency moved to use of digital signatures in other
applications.) This is an example of developing and providing a
solution in an environment over which no single entity has overall
Payroll Error Vulnerabilities
After reviewing the
risk assessment, HGA's management concluded that the agency's
current safeguards against payroll errors and against accidental
corruption and loss of time and attendance data were adequate.
However, the managers also concurred with the risk assessment's
conclusions about the necessity for establishing incentives for
complying (and penalties for not complying) with these safeguards.
They thus tasked the Director of Personnel to ensure greater
compliance with paperwork-handling procedures and to provide
quarterly compliance audit reports. They noted that the digital
signature mechanism HGA plans to use for fraud protection can also
provide protection against payroll errors due to accidental