- Military Battles to Man its Developing Cyber Force - Besieged by
constant cyberattacks, the U.S. Defense Department is scrambling to
assemble 133 Cyber Mission Force teams to defend military networks,
protect critical U.S. infrastructure, and strike back in cyberspace
- Manhattan DA opens international cyber threat sharing nonprofit - The
Manhattan District Attorney’s Office is using funds from one of the
largest bank settlements to found an international cybersecurity
threat sharing organization, the office announced Wednesday.
- Comcast penalized for data breach - Comcast will pay to settle
charges of unauthorized disclosure of names, phone numbers and
addresses of an estimated 75,000 customers three years ago who paid
for unlisted VoIP telephone service, according to The Wall Street
- Internal employees account for 43 percent of data loss - Although
a majority of data compromises come from external actors, including
nation-state groups and cybercrime gangs, internal employees account
for 43 percent of data loss; half of the time these leaks are
accidental, a new study from Intel Security indicates.
- Hackers, tech pros rally around teen who brought homemade clock to
school - Tech companies and a group of Dallas hackers are rallying
around a teenager arrested earlier in the week in Texas for bringing
a homemade clock to school.
- DHS CISO wants repercussions for workers who fall for security
scams - Falling for a phishing scam is embarrassing enough without
having to learn it came from your boss as part of a test of your
cybersecurity knowledge, but that is what Paul Beckman, chief
information officer of the Department of Homeland Security, does to his staff.
- Most U.S. organizations cannot properly respond to a cyberattack -
The vast majority of U.S. organizations are not prepared to properly
respond to a cyber attack, according to a new study by the Ponemon
- School board looks to protect itself with cyber liability
insurance - The Dothan City, Ala., school board on Monday allocated
$25,000 to purchase cyber liability insurance to cover the board in
case a cyberattacker gains access to district information.
- Russian firm tasked with cracking Tor throws in towel - The
company hired by the Kremlin to gather information on and crack the
anonymous browser Tor is now looking to pay more than the contract's
value in legal fees to back out of the agreement, according to
- R.T. Jones reaches settlement with SEC in data breach case - The
Securities and Exchange Commission (SEC) slapped St. Louis-based
investment adviser R.T. Jones Capital Equities Management with a
$75,000 penalty in a settlement over the firm's failure to establish
cybersecurity policies and procedures before a breach compromised
personal information of 100,000 people.
- Your identity is sold for $1 in the Dark Web - If you or your
company is a victim of a cyberattack, where does this stolen data
go, and to what purpose?
- Former WH cybersecurity advisor turned security exec stresses info
sharing - With the continued fallout from the Office of Personnel
Management (OPM) data breaches in the backdrop, the federal
government's cybersecurity posture has taken center stage,
punctuating the need for agencies to take clear steps toward
strengthening their position, according to a former cybersecurity
advisor to the White House.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- American Airlines grounds flight due to computer glitch - American
Airlines has grounded flights at three of its largest hubs due to a
computer problem, according to the Federal Aviation Administration
- Commack High School student management system hacked - The Commack
School District in New York reported Thursday that its high school
student management system was accessed by an unauthorized
- AT&T sales reps accused of scheming to unlock phones - A lawsuit
alleges the former employees put malicious software on work
computers so they could help untether discounted phones from AT&T
- Symantec fires staff caught up in rogue Google SSL cert snafu -
When your business is built on making secret numbers, don't make it
look too easy - Symantec has fired some employees after Google
engineers noticed rogue SSL certificates issued in the web goliath's
- CVS employee steals data on 55K Molina Healthcare members - Molina
Healthcare is notifying nearly 55,000 current and former members
that a former CVS employee – CVS is Molina Healthcare's
over-the-counter (OTC) benefits vendor – took their personal
information from CVS' computers and sent it to his personal
- Former Morgan Stanley adviser pleads guilty to stealing data - A
former Morgan Stanley financial adviser who was fired for stealing
the data of approximately 730,000 clients pleaded guilty to one
count of unauthorized computer access in a federal court in New York
- OPM increases number of stolen fingerprints in data breach to 5.6
million - The number of fingerprints impacted in the second Office
of Personnel Management (OPM) data breach has increased by 4.5
- 3.4 million B.C., Yukon student records lost with misplaced hard
drive - Authorities in British Columbia say as many as 3.4 million
student education records dating back to 1986 may be breached due to
a misplaced backup hard drive.
- Imgur suffers DDoS attack on 4chan and 8chan servers - Imgur, the
photo-sharing website, has been exploited in a distributed
denial-of-service (DDoS) attack on the popular imageboards 4chan and
- Uber attempting to reset stolen customer passwords - Uber is
attempting to squash the use of hacked customer accounts that have
most likely been sold on the dark web and are currently being used
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of
Some of the oversight activities management should consider in
administering the service provider relationship are categorized and
listed below. The degree of oversight activities will vary depending
upon the nature of the services outsourced. Institutions should
consider the extent to which the service provider conducts similar
oversight activities for any of its significant supporting agents
(i.e., subcontractors, support vendors, and other parties) and the
extent to which the institution may need to perform oversight
activities on the service provider’s significant supporting agents.
Monitor Financial Condition and Operations
• Evaluate the service provider’s financial condition periodically.
• Ensure that the service provider’s financial obligations to
subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews)
as well as regulatory examination reports if available, and
evaluate the adequacy of the service providers’ systems and
controls including resource availability, security, integrity,
• Follow up on any deficiencies noted in the audits and reviews
of the service provider.
• Periodically review the service provider’s policies relating
to internal controls, security, systems development and
maintenance, and back up and contingency planning to ensure they
meet the institution’s minimum guidelines, contract
requirements, and are consistent with the current market and
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel
allocated to the institution.
• Review and monitor the service provider’s insurance policies
for effective coverage.
• Perform on-site inspections in conjunction with some of the
reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client
Some services provided to insured
depository institutions by service providers are examined by the
FFIEC member agencies. Regulatory examination reports, which are
only available to clients/customers of the service provider, may
contain information regarding a service provider’s operations.
However, regulatory reports are not a substitute for a financial
institution’s due diligence in oversight of the service provider.
FFIEC IT SECURITY
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 2 of 2)
Token technology relies on a separate physical device, which is
retained by an individual, to verify the user's identity. The token
resembles a small hand-held card or calculator and is used to
generate passwords. The device is usually synchronized with security
software in the host computer such as an internal clock or an
identical time-based mathematical algorithm. Tokens are well suited
for one-time password generation and access control. A separate PIN
is typically required to activate the token.
Smart cards resemble credit cards or other traditional magnetic
stripe cards, but contain an embedded computer chip. The chip
includes a processor, operating system, and both read only memory
(ROM) and random access memory (RAM). They can be used to generate
one-time passwords when prompted by a host computer, or to carry
cryptographic keys. A smart card reader is required for their use.
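As an added illustration, not part of the FDIC text, the following Python models the two devices just described: a clock-synchronised token whose displayed code the host recomputes from its own clock, and a smart card that answers a host-issued challenge. It assumes the HMAC-based one-time password construction (RFC 4226/6238) as the "time-based mathematical algorithm"; the seed value and time step are constructed demo values.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # token and host derive the same counter from their clocks
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter-based one-time password: HMAC-SHA1 over the counter, truncated
    to `digits` decimal digits (the RFC 4226 construction, assumed here)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def token_code(secret: bytes, unix_time: int) -> str:
    """What the hand-held token displays: the counter is the current time
    step, so token and host agree without transmitting the secret."""
    return hotp(secret, unix_time // STEP_SECONDS)

def host_verify(secret: bytes, submitted: str, unix_time: int,
                drift_steps: int = 1) -> bool:
    """Host-side check. Token clocks drift, so the host accepts codes from a
    small window of neighbouring steps; widening the window lengthens the
    life of a captured code, so keep it to one step each way."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-drift_steps, drift_steps + 1)
    )

def card_response(secret: bytes, challenge: bytes) -> str:
    """Smart-card style one-time response: the host prompts with a fresh
    random challenge and the card's chip answers with a keyed hash, so an
    intercepted response is useless once the challenge changes."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    seed = b"constructed-demo-seed-1234567890"  # constructed; real seeds are random
    now = 1_700_000_000
    code = token_code(seed, now)
    print("token shows", code, "host accepts:", host_verify(seed, code, now + 20))
    challenge = os.urandom(16)  # host issues a fresh challenge per login
    print("card answers", card_response(seed, challenge))
```

The PIN the text mentions is a separate factor that unlocks the token locally; it is not part of the code computation above.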
Biometrics involves identification and verification of an
individual based on some physical characteristic, such as
fingerprint analysis, hand geometry, or retina scanning. This
technology is advancing rapidly, and offers an alternative means to
authenticate a user.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section I. Introduction & Overview
INTRODUCTION - 1.3 Organization
The first section of the handbook
contains background and overview material, briefly discusses
threats, and explains the roles and responsibilities of individuals
and organizations involved in computer security. It explains the
executive principles of computer security that are used throughout
the handbook. For example, one important principle that is
repeatedly stressed is that only security measures that are
cost-effective should be implemented. A familiarity with the
principles is fundamental to understanding the handbook's
philosophical approach to the issue of security.
The next three major sections deal with security controls: Management
Controls (II), Operational Controls (III), and Technical Controls (IV). Most
controls cross the boundaries between management, operational, and
technical. Each chapter in the three sections provides a basic
explanation of the control; approaches to implementing the control,
some cost considerations in selecting, implementing, and using the
control; and selected interdependencies that may exist with other
controls. Each chapter in this portion of the handbook also provides
references that may be useful in actual implementation.
• The Management Controls section addresses security
topics that can be characterized as managerial. They are techniques
and concerns that are normally addressed by management in the
organization's computer security program. In general, they focus on
the management of the computer security program and the management
of risk within the organization.
• The Operational Controls section addresses security
controls that focus on controls that are, broadly speaking,
implemented and executed by people (as opposed to systems). These
controls are put in place to improve the security of a particular
system (or group of systems). They often require technical or
specialized expertise -- and often rely upon management activities
as well as technical controls.
• The Technical Controls section focuses on security
controls that the computer system executes. These controls are
dependent upon the proper functioning of the system for their
effectiveness. The implementation of technical controls, however,
always requires significant operational considerations -- and should
be consistent with the management of security within the
Finally, an example is presented to aid the reader in correlating
some of the major topics discussed in the handbook. It describes a
hypothetical system and discusses some of the controls that have
been implemented to protect it. This section helps the reader better
understand the decisions that must be made in securing a system, and
illustrates the interrelationships among controls.
Many people think that sensitive information only requires
protection from unauthorized disclosure. However, the Computer
Security Act provides a much broader definition of the term
"any information, the loss, misuse, or unauthorized access to or
modification of which could adversely affect the national interest
or the conduct of federal programs, or the privacy to which
individuals are entitled under section 552a of title 5, United
States Code (the Privacy Act), but which has not been specifically
authorized under criteria established by an Executive Order or an
Act of Congress to be kept secret in the interest of national
defense or foreign policy."
The above definition can be contrasted with the long-standing
confidentiality-based information classification system for national
security information (i.e., CONFIDENTIAL, SECRET, and TOP SECRET).
This system is based only upon the need to protect classified
information from unauthorized disclosure; the U.S. Government does
not have a similar system for unclassified information. No
government wide schemes (for either classified or unclassified
information) exist which are based on the need to protect the
integrity or availability of information.