- 100% of breached PCI certified companies failed PCI compliance
audit - PCI DSS compliance doesn't guarantee security, but half of
PCI certified companies aren't compliant which does indicate
vulnerability to cyber-attack. "It's not a project, it's a programme
- something you need to maintain."
Judge says Yahoo must meet users in court after breaches - In a blow
to new parent Verizon Communications, Inc., Yahoo will have to face
the music in court for a series of data breaches that affected more
than one billion users, a district judge in California ruled
Navy admiral says no evidence of cyberattack in ship collisions - An
investigation into the separate recent collisions between two Navy
warships from the Seventh Fleet and commercial vessels has so far
shown no evidence of cyberattacks, according to Admiral John
Richardson, chief of naval operations.
China's cybersecurity law grants government 'unprecedented' control
over foreign tech - Relinquish your IP or lose one of the world's
largest markets - China's new cybersecurity law will enable its
government to discover potential security vulnerabilities of any
company doing business in the country, threat intelligence firm
Recorded Future warns.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- WikiLeks homepage defaced as it dumps more CIA hacking tools - The
Central Intelligence Agency can take some small comfort that as
WikiLeaks was preparing for its latest dump of the spy agency's
Vault hacking tools, a group of hackers was busy defacing WikiLeaks'
Kaiser Permanente members notified of Riverside area breach - Kaiser
Permanente is notifying members in Riverside and the surrounding
area that their information was compromised is a recent data breach.
Instagram API hacked to access verified accounts of Selena Gomez,
others - Just two days after Selena Gomez's Instagram account was
hacked to post leaked nude photos of Justin Bieber, the social media
company confirmed it was hit by a cyberattack targeting several high
Silver Cross Hospital vendor exposes information on 9,000 patients -
Almost 9,000 patients of Silver Cross hospital, outside of Chicago,
possibly had their data exposed due to an error made by a
19,000 Medical Oncology Hematology Consultants, PA records exposed
in ransomware attack - More than 19,000 patient records were exposed
during a ransomware attack on Medical Oncology Hematology
Consultants, PA that took place in June.
Some U.K. pharma firms decline to report data breaches, survey - A
survey of more than 400 U.K. IT professionals in the U.K.
pharmaceutical business found many do not report data breaches, in
many cases because they do not know how.
Leaky S3 bucket sloshes deets of thousands with US security
clearance - Bunch of resumés citing secret government work exposed -
Thousands of files containing the personal information of US
citizens with classified security clearance have been exposed by an
unsecured Amazon server.
Data breach exposes about 4 million Time Warner customer records -
Time Warner Cable, now known as Spectrum, became the latest company
to realize exactly how vulnerable its data is when a third-party
vendor entrusted with its safety made an error exposing millions of
MLB: Red Sox used Apple watches to steal, transmit pitching signs -
Major League Baseball investigators have found that the Boston Red
Sox used Apple watches to steal hand signals from competitors'
catchers and pass them on to their own players, according to a
report in the New York Times.
Nearly 29M records stolen in breach of Latin American social network
Taringa! - Almost 29 million user accounts registered with Taringa!,
a social network for Latin American and Spanish-speaking users that
draws comparisons to Facebook and Reddit, was stolen last month in a
major data breach.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 4 of 5)
PROCEDURES TO ADDRESS SPOOFING - Spoofing
To respond to spoofing incidents effectively, bank management
should establish structured and consistent procedures. These
procedures should be designed to close fraudulent Web sites, obtain
identifying information from the spoofed Web site to protect
customers, and preserve evidence that may be helpful in connection
with any subsequent law enforcement investigations.
Banks can take the following steps to disable a spoofed Web site
and recover customer information. Some of these steps will require
the assistance of legal counsel.
* Communicate promptly, including through written communications,
with the Internet service provider (ISP) responsible for hosting the
fraudulent Web site and demand that the suspect Web site be
* Contact the domain name registrars promptly, for any domain
name involved in the scheme, and demand the disablement of the
* Obtain a subpoena from the clerk of a U.S. District Court
directing the ISP to identify the owners of the spoofed Web site and
to recover customer information in accordance with the Digital
Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected spoofing
The following are other actions and types of legal documents that
banks can use to respond to a spoofing incident:
* Banks can write letters to domain name registrars demanding
that the incorrect use of their names or trademarks cease
* If these demand letters are not effective, companies with
registered Internet names can use the Uniform Domain Name Dispute
Resolution Process (UDRP) to resolve disputes in which they suspect
that their names or trademarks have been illegally infringed upon.
This process allows banks to take action against domain name
registrars to stop a spoofing incident. However, banks must bear in
mind that the UDRP can be relatively time-consuming. For more
details on this process see
* Additional remedies may be available under the federal Anti-Cybersquatting
Consumer Protection Act (ACCPA) allowing thebank to initiate
immediate action in federal district court under section 43(d) of
the Lanham Act, 15 USC 1125(d). Specifically, the ACCPA can provide
for rapid injunctive relief without the need to demonstrate a
similarity or likelihood of confusion between the goods or services
of the parties.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number
of security-related threats. Coverage varies by insurance company,
but currently available insurance products may include coverage for
the following risks:
! Vandalism of financial institution Web sites,
! Denial - of - service attacks,
! Loss of income,
! Computer extortion associated with threats of attack or
disclosure of data,
! Theft of confidential information,
! Privacy violations,
! Litigation (breach of contract),
! Destruction or manipulation of data (including viruses),
! Fraudulent electronic signatures on loan agreements,
! Fraudulent instructions through e - mail,
! Third - party risk from companies responsible for security of
financial institution systems or information,
! Insiders who exceed system authorization, and
! Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third - party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 12 - COMPUTER
SECURITY INCIDENT HANDLING
12.2.1 Defining the Constituency to Be Served
The constituency includes computer users and program managers. Like
any other customer-vendor relationship, the constituency will tend
to take advantage of the capability if the services rendered are
The constituency is not always the entire organization. For
example, an organization may use several types of computers and
networks but may decide that its incident handling capability is
cost-justified only for its personal computer users. In doing so,
the organization may have determined that computer viruses pose a
much larger risk than other malicious technical threats on other
platforms. Or, a large organization composed of several sites may
decide that current computer security efforts at some sites do not
require an incident handling capability, whereas other sites do
(perhaps because of the criticality of processing).
The focus of a computer security incident handling capability may
be external as well as internal. An incident that affects an
organization may also affect its trading partners, contractors, or
clients. In addition, an organization's computer security incident
handling capability may be able to help other organizations and,
therefore, help protect the community as a whole.
12.2.2 Educated Constituency
Users need to know about, accept, and trust the incident handling
capability or it will not be used. Through training and awareness
programs, users can become knowledgeable about the existence of the
capability and how to recognize and report incidents. Users trust in
the value of the service will build with reliable performance.
12.2.3 Centralized Reporting and Communications
Successful incident handling requires that users be able to report
incidents to the incident handling team in a convenient,
straightforward fashion; this is referred to as centralized
reporting. A successful incident handling capability depends on
timely reporting. If it is difficult or time consuming to report
incidents, the incident handling capability may not be fully used.
Usually, some form of a hotline, backed up by pagers, works well.
Centralized communications is very useful for accessing or
distributing information relevant to the incident handling effort.
For example, if users are linked together via a network, the
incident handling capability can then use the network to send out
timely announcements and other information. Users can take advantage
of the network to retrieve security information stored on servers
and communicate with the incident response team via e-mail.
Managers need to know details about incidents, including who
discovered them and how, so that they can prevent similar incidents
in the future. However users will not be forthcoming if they fear
reprisal or that they will become scapegoats. Organizations may need
to offer incentives to employees for reporting incidents and offer
guarantees against reprisal or other adverse actions. It may also be
useful to consider anonymous reporting.