- State Department Wants to Compile Cybersecurity 'Playbook' - The
State Department, fresh off the heels of a highly publicized
cyberintrusion, is picking industry's brain for tactics to block and
perhaps strike back at hackers, according to new contracting
- Court tosses suit against UCLA health system over exposed patient
data - The University of California Los Angeles Health System is not
to blame for Norma Lozano's medical records being accessed without
authorization and distributed to her ex-boyfriend among others, a
California court ruled Thursday.
- Arrests Tied to Citadel, Dridex Malware - Authorities in Europe
have arrested alleged key players behind the development and
deployment of sophisticated banking malware, including Citadel and
- DHS awards Univ. of Houston $2.6M contract for DDoS research - The
University of Houston was awarded a $2.6 million contract from the
Department of Homeland Security (DHS) Science and Technology (S&T)
Directorate to develop technologies to defend emergency response
systems from distributed denial-of-service (DDoS) attacks.
- How corporate fears of hacks just created Silicon Valley's newest
$1 billion startup - Okta receives a $75 million investment, the
latest sign companies are scrambling for cybersecurity software that
can prevent them from becoming the next Ashley Madison, Sony or
Target. Don't want to become the next Ashley Madison? Silicon Valley
thinks you need to upgrade your security.
- Cyber-crime empties pockets of UK businesses about £2.8bn per year
- Allianz Global has claimed in its report that cyber-crime costs UK
businesses about £2.8 billion annually, and also accounts for 16
percent of gross domestic product (GDP). The global economy also
feels the impact with £289.6 billion annual costs.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Former Tesla engineer charged with hacking and leaking data - A
former Tesla Motors mechanical engineer is facing federal charges in
a San Jose District Court on two counts of felony computer
intrusion, and one count of misdemeanor computer intrusion.
- Fiat Chrysler recalls 7,810 SUVs for software issues - Customers
have been asked to check on the software updates site of the
UConnect telematics system.
- Firefox zero-days exposed after attacker compromises privileged
account - An attacker compromised a privileged Mozilla account to
break into the company's Bugzilla bug tracker tool and steal
“security-sensitive information,” the company disclosed in a Friday
- Excellus BlueCross BlueShield announces breach, 10.5M records at
risk - Rochester, NY-based Excellus BlueCross BlueShield (BCBS) and
affiliate Lifetime Healthcare Companies (LTHC) have been breached.
- Eight Cal State campuses, 79K students impacted in vendor breach -
About 79,000 California State University (CSU) students in eight
campuses are being notified that their data could have been exposed
in a breach of We End Violence, a violence prevention education
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The institution should consider including in the contract a
provision for a dispute resolution process that attempts to resolve
problems in an expeditious manner as well as provide for
continuation of services during the dispute resolution period.
Indemnification provisions generally require the financial
institution to hold the service provider harmless from liability for
the negligence of the institution, and vice versa. These provisions
should be reviewed to reduce the likelihood of potential situations
in which the institution may be liable for claims arising as a
result of the negligence of the service provider.
Limitation of Liability
Some service provider standard contracts may contain clauses
limiting the amount of liability that can be incurred by the service
provider. If the institution is considering such a contract,
consideration should be given to whether the damage limitation bears
an adequate relationship to the amount of loss the financial
institution might reasonably experience as a result of the service
provider’s failure to perform its obligations.
FFIEC IT SECURITY
We continue the series from the FDIC "Security Risks Associated with the
Product Certification and Security Scanning Products
Several organizations exist which independently assess and
certify the adequacy of firewalls and other computer system related
products. Typically, certified products have been tested for their
ability to permit and sustain business functions while protecting
against both common and evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system
without the firewall is useful for determining contingency
procedures should the firewall ever go down. Some scanning tools
have different versions with varying degrees of intrusion/attack
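The with-and-without-firewall comparison recommended above, as an added example that is not part of the FDIC/FFIEC text: a small Python script that takes two constructed scan inventories of the same host, separates what the firewall actually blocks from what remains reachable through it (the contingency list versus the residual exposure), and reports changes between successive scans. Host addresses, ports and the helper names are assumptions made for the example.

```python
# Added example (not from the FFIEC/FDIC text): compare the listening services
# found when scanning a host with and without its firewall in place.
# All scan results below are constructed sample data, not real scanner output.
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str = "tcp"


# Constructed results: the scan run with the firewall removed shows the host's
# true listening services; the same scan through the firewall shows what is
# actually reachable from the outside.
SCAN_WITHOUT_FIREWALL = {
    Service("10.0.0.5", 22), Service("10.0.0.5", 80), Service("10.0.0.5", 443),
    Service("10.0.0.5", 3306), Service("10.0.0.5", 445), Service("10.0.0.5", 161, "udp"),
}
SCAN_WITH_FIREWALL = {
    Service("10.0.0.5", 80), Service("10.0.0.5", 443), Service("10.0.0.5", 161, "udp"),
}


def evaluate_firewall(without_fw, with_fw):
    """Split exposure into what the firewall blocks and what still passes it.
    Services reachable only without the firewall are the contingency list: if
    the firewall goes down, these must already be hardened at host level.
    Services reachable even with the firewall are the residual exposure the
    firewall does not address at all."""
    shielded = without_fw - with_fw
    residual = with_fw & without_fw
    # Anything visible through the firewall but absent from the bare-host scan
    # means the two scans did not see the same system state; flag it.
    inconsistent = with_fw - without_fw
    return shielded, residual, inconsistent


def scan_changes(previous, current):
    """Frequent re-scans: services that appeared or disappeared since the last
    run are how new vulnerabilities or changes in the system surface."""
    return current - previous, previous - current


if __name__ == "__main__":
    shielded, residual, bad = evaluate_firewall(SCAN_WITHOUT_FIREWALL, SCAN_WITH_FIREWALL)
    for label, group in (("blocked by firewall", shielded), ("still reachable", residual)):
        print(label + ":", sorted((s.port, s.proto) for s in group))
    # Constructed follow-up scan in which a new database port has appeared.
    later = SCAN_WITH_FIREWALL | {Service("10.0.0.5", 5432)}
    added, removed = scan_changes(SCAN_WITH_FIREWALL, later)
    print("new since last scan:", sorted((s.port, s.proto) for s in added))
```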
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
This chapter has
illustrated how many of the concepts described in previous chapters
might be applied in a federal agency. An integrated example
concerning a Hypothetical Government Agency (HGA) has been discussed
and used as the basis for examining a number of these concepts.
HGA's distributed system architecture and its uses were described.
The time and attendance application was considered in some detail.
For context, some national and agency-level policies were
referenced. Detailed operational policies and procedures for
computer systems were discussed and related to these high-level
policies. HGA assets and threats were identified, and a detailed
survey of selected safeguards, vulnerabilities, and risk mitigation
actions were presented. The safeguards included a wide variety of
procedural and automated techniques, and were used to illustrate
issues of assurance, compliance, security program oversight, and
As illustrated, effective computer security requires clear direction
from upper management. Upper management must assign security
responsibilities to organizational elements and individuals and must
formulate or elaborate the security policies that become the
foundation for the organization's security program. These policies
must be based on an understanding of the organization's mission
priorities and the assets and business operations necessary to
fulfill them. They must also be based on a pragmatic assessment of
the threats against these assets and operations. A critical element
is assessment of threat likelihoods. These are most accurate when
derived from historical data, but must also anticipate trends
stimulated by emerging technologies.
A good security program relies on an integrated, cost-effective
collection of physical, procedural, and automated controls.
Cost-effectiveness requires targeting these controls at the threats
that pose the highest risks while accepting other residual risks.
The difficulty of applying controls properly and in a consistent
manner over time has been the downfall of many security programs.
This chapter has provided numerous examples in which major security
vulnerabilities arose from a lack of assurance or compliance. Hence,
periodic compliance audits, examinations of the effectiveness of
controls, and reassessments of threats are essential to the success
of any organization's security program.