- OCC Encourages Banks and Savings Associations To Be
Prepared - The Office of the Comptroller of Currency reminds
national banks and federal savings associations to maintain
effective plans to respond to natural disasters and other
- Judge approves class action for banks in Target breach - In the
continuing fallout from the breach of Target's point-of-sale (POS)
network during the 2013 holiday shopping season, which resulted in
the stealing of card numbers and other personal information of more
than 100 million customers, a judge in Minnesota ruled on Tuesday
"that Target was negligent in failing to provide sufficient security
to prevent the hackers from accessing customer data."
- Reports of attacks on the Dept. of Energy raise alarms - Attackers
successfully infiltrated computer systems at the Department of
Energy more than 150 times between 2010 and 2014, according to a
review of federal documents by USA Today that were obtained as a
result of a Freedom of Information Act request. In all, DoE networks
were targeted 1,131 times over the four-year span.
Justice Department Looks to Sharpen Computer Crime Law - Stung by
recent court decisions that have gone against them, Justice
Department lawyers are making a fresh push to clarify a computer
trespass law that critics malign as overly broad.
Transactions at Pentagon lead to credit card fraud, workforce
notified - The Pentagon Force Protection Agency has notified the
Pentagon workforce that its office received several reports of
fraudulent charges on credit cards belonging to Pentagon personnel.
'Information integrity' among top cyber priorities for U.S. gov't,
Clapper says - With an introduction that characterized U.S.
government data breaches as “eroding confidence in our government's
ability to counter the threat,” Representative Devin Nunes,
R-Calif., and Intelligence Committee chairman, kicked off his
committee's Thursday cybersecurity hearing.
- Industry group says OMB cybersecurity guidance too lax - Often,
vendor advocates speak out against overly specific regulations that
put additional requirements on federal contractors. However, when it
comes to cybersecurity, the Professional Services Council believes
new guidance from the Office of Management and Budget doesn't go far
- Feds drop espionage charges against physics professor - The
Justice Department will drop economic espionage charges against a
Temple University professor the government claimed was providing
secret technology to China, according to multiple reports.
- Hacking Team looks to hire hacker - Following the compromise of
400 GB-worth of databases and emails, and then the subsequent
release of those company details, Hacking Team posted a job listing
for a “hacker/developer.”
- Court orders FBI to lift National Security Letter gag order for
first time - For the first time, a recipient of a National Security
Letter (NSL) will be able to discuss the letter's contents after a
federal district court ordered the FBI to lift its gag order.
- U.S. Air Force developing airborne hacking platform - The U.S. Air
Force (USAF) is looking to expand its traditional electronic
countermeasures capability to include the ability to carve into an
enemy's computer network from the air.
- Vodafone faces security warnings over journalist hacking claims -
A journalist says she is "appalled, outraged and very upset" amid
claims her communications records were accessed by Vodafone staff,
with privacy experts warning that this kind of data is "readily
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hack of Health Insurer Excellus May Have Exposed 10M Personal
Records - A health insurer in western New York and affiliates said
Wednesday that their computers were targeted last month in a
cyberattack that may have provided unauthorized access to more than
10 million personal records.
TSA luggage locks replicated with a 3D printer - A single image of a
Transportation Security Administration (TSA) master key published
last November by the Washington Post in a story on airport luggage
has led to the key being duplicated by a 3D printer potentially
endangering travelers bags.
- Customer data possibly compromised in online photo store malware
attack - PNI Digital Media, CVS and Costco have issued statements
indicating that some customers' personal information may have been
compromised following the July malware attack that shut down the
online photo print operations at six PNI-run retailers.
- Data storage stolen at Lloyds, customer account data lost - A
Lloyds Bank data storage device stolen from an RSA data centre two
months ago contains customer names, addresses, sort codes and
account numbers for Lloyds' Premier Account customers who had Royal
Sun Alliance emergency home cover attached to their bank account
between 2006 and 2012.
- Western Sydney students access department computer system - A
small group of students from Penrith High School have allegedly used
a teacher's login credentials to access a Department of Education
computer system that contains students' assessment marks.
- Malware targets credit cards used at Pennsylvania Holiday Inn -
Milestone Hospitality Management is notifying an undisclosed number
of guests who stayed at the Holiday Inn Harrisburg/Hershey that
malware may have compromised their credit card information.
- Jihadist cyber-attack on Cabinet was entirely avoidable, say
experts - The news that top government ministers may have been
hacked by the Cyber-Caliphate has set alarm bells ringing among
- UK firms hit as Dridex criminals target 385 million emails - UK
government agencies and banks feature prominently on a ‘hitlist' of
385 million email addresses that has been used by Russian-based
cyber-criminals to spread the Dridex banking Trojan.
- Charlotte-Mecklenburg Schools breach affects 7,600 job applicants
- North Carolina-based Charlotte-Mecklenburg Schools (CMS) is
notifying about 7,600 job applicants that a CMS employee disclosed
employment application information to an outside contractor prior to
obtaining appropriate authorization.
- Kardashian websites exposed user data - Social media websites blew
up earlier this week when the Kardashian sisters launched their own
line of apps and websites to provide fans with exclusive content.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The extent and flexibility of termination rights sought can vary
depending upon the service. Contracts for technologies subject to
rapid change, for example, may benefit from greater flexibility in
termination rights. Termination rights may be sought for a variety
of conditions including change in control (e.g., acquisitions and
mergers), convenience, substantial increase in cost, repeated
failure to meet service levels, failure to provide critical
company closure, and insolvency.
Institution management should consider whether or not the contract
permits the institution to terminate the contract in a timely manner
and without prohibitive expense (e.g., reasonableness of cost or
penalty provisions). The contract should state termination and
notification requirements with time frames to allow the orderly
conversion to another provider. The contract must provide for return
of the institution’s data, as well as other institution resources,
in a timely manner and in machine readable format. Any costs
associated with transition assistance should be clearly stated.
The institution should consider contract provisions that prohibit
assignment of the contract to a third party without the
institution’s consent, including changes to subcontractors.
the top of the newsletter
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication
measures, users should be properly educated in password selection.
Strong passwords consist of at least six to eight alpha numeric
characters, with no resemblance to any personal data. PINs should
also be unique, with no resemblance to personal data. Neither
passwords nor PINs should ever be reduced to writing or shared with
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can
run through tens of thousands of password variations based on
personal information, such as a user's name or address. It is
preferable to test for such vulnerabilities by running this type of
program as a preventive measure, before an unauthorized party has
the opportunity to do so. Incorporating a brief delay requirement
after each incorrect login attempt can be very effective against
these types of programs. In cases where a potential attacker is
monitoring a network to collect passwords, a system utilizing
one-time passwords would render any data collected useless.
When additional measures are necessary to confirm that passwords or
PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We begin the series on the National
Institute of Standards and Technology (NIST) Handbook.
Section I. Introduction & Overview
This handbook provides assistance in securing computer-based
resources (including hardware, software, and information) by
explaining important concepts, cost considerations, and
interrelationships of security controls. It illustrates the benefits
of security controls, the major techniques or approaches for each
control, and important related considerations.
The handbook provides a broad overview of computer security to help
readers understand their computer security needs and develop a sound
approach to the selection of appropriate security controls. It does
not describe detailed steps necessary to implement a computer
security program, provide detailed implementation procedures for
security controls, or give guidance for auditing the security of
specific systems. General references are provided at the end of this
chapter, and references of "how-to" books and articles are provided
at the end of each chapter in Parts II, III and IV.
The purpose of this handbook is not to specify requirements but,
rather, to discuss the benefits of various computer security
controls and situations in which their application may be
appropriate. Some requirements for federal systems are noted in the
text. This document provides advice and guidance; no penalties are
1.2 Intended Audience
The handbook was written primarily for those who have computer
security responsibilities and need assistance understanding basic
concepts and techniques. Within the federal government, this
includes those who have computer security responsibilities for
For the most part, the concepts presented in the handbook are also
applicable to the private sector. While there are differences
between federal and private-sector computing, especially in terms of
priorities and legal constraints, the underlying principles of
computer security and the available safeguards -- managerial,
operational, and technical -- are the same. The handbook is
therefore useful to anyone who needs to learn the basics of computer
security or wants a broad overview of the subject. However, it is
probably too detailed to be employed as a user awareness guide, and
is not intended to be used as an audit guide.