- Is your web site compliant with the American Disability Act?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
SWIFT warns of more 'sophisticated' attacks, readies anti-fraud
tool - Haven't hardened? You're still gunna get hacked, says CISO -
The chief information security officer for global money transfer
network SWIFT says banks are still under attack from fraudsters
hoping to cash in on identified security gaps to steal millions of
US cities promise to crack down on police surveillance tech -
Growing demand for greater oversight of how snoopware is obtained by
cops - A handful of US cities are banding together in an effort to
change the way police acquire and use surveillance technology.
Cybercriminals already able to hack ATM biometric readers - A report
indicates that using biometric data as a replacement for a password
or PIN at an ATM is not only already in the process of being hacked
by cybercriminals, but the potential downside of a person having
their biometrics stolen is much more severe than losing a username
GAO - Electronic Health Information: HHS Needs to Strengthen
Security and Privacy Guidance and Oversight.
Uber prevents fraud and protects driver accounts with selfies - Uber
will now require drivers to take selfies to prevent fraud and
protect their accounts from compromise.
Cybersecurity can't be centralized - There are few federal officials
more central to cybersecurity than Andy Ozment, the Department of
Homeland Security's assistant secretary for cybersecurity and
communications. Yet Ozment is adamant that cybersecurity
responsibilities cannot be consolidated at his agency or any other.
Cyber Bill Would Let Agency Heads Be Fired If There’s a Data Breach
- A new bill would let agency heads be demoted, fired or punished if
a data breach occurs under their purview.
RTCA airline recs aim to strengthen aviation cybersecurity - A
technical committee that provides guidance to the Federal Aviation
Administration has reportedly developed drafting recommendations for
strengthening the aviation industry's cybersecurity posture.
185M incidents bypassed perimeter defenses - Two recent industry
reports warned of the dangers of over-reliance on perimeter security
as an enterprise defense method.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Yahoo Reveals Nation State-Borne Data Breach Affecting A
Half-Billion Users - But still unconfirmed is whether the newly
revealed attack is related to recently dumped Yahoo user credentials
in an online cybercrime forum. The other shoe has dropped - maybe.
Nearly two months after signs of a Yahoo data breach surfaced with
leaked user credentials in the cybercrime underground, Yahoo today
confirmed that it had suffered a cyberattack in late 2014 by what
the company says was likely a nation-state actor.
Massive web attack hits security blogger - One of the biggest web
attacks ever seen has been aimed at a security blogger after he
exposed hackers who carry out such attacks for cash.
Email of White House staffer hacked, purported scan of First Lady's
passport leaked - The White House has announced a cyber-security
breach, as a purported photocopy of Michelle Obama's passport
Discover Financial Services reports three data breaches to
California AG - For the second time this year, Discover Financial
Services reported a set of data breaches on the same day to the
California Attorney General's Office.
OVH suffers massive 1.1Tbps DDoS attack - Hosting company OVH has
been subject to the biggest attack DDoS known to date, with peaks of
over 1 Tb per second of traffic.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Over the next few
weeks, we will cover some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Continuing technological innovation and competition among
existing banking organizations and new entrants have allowed for a
much wider array of banking products and services to become
accessible and delivered to retail and wholesale customers through
an electronic distribution channel collectively referred to as
e-banking. However, the rapid development of e-banking capabilities
carries risks as well as benefits.
The Basel Committee on Banking Supervision expects such risks to be
recognized, addressed and managed by banking institutions in a
prudent manner according to the fundamental characteristics and
challenges of e-banking services. These characteristics include the
unprecedented speed of change related to technological and customer
service innovation, the ubiquitous and global nature of open
electronic networks, the integration of e-banking applications with
legacy computer systems and the increasing dependence of banks on
third parties that provide the necessary information technology.
While not creating inherently new risks, the Committee noted that
these characteristics increased and modified some of the traditional
risks associated with banking activities, in particular strategic,
operational, legal and reputational risks, thereby influencing the
overall risk profile of banking.
Based on these conclusions, the Committee considers that while
existing risk management principles remain applicable to e-banking
activities, such principles must be tailored, adapted and, in some
cases, expanded to address the specific risk management challenges
created by the characteristics of e-banking activities. To this end,
the Committee believes that it is incumbent upon the Boards of
Directors and banks' senior management to take steps to ensure that
their institutions have reviewed and modified where necessary their
existing risk management policies and processes to cover their
current or planned e-banking activities. The Committee also believes
that the integration of e-banking applications with legacy systems
implies an integrated risk management approach for all banking
activities of a banking institution.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Packet Filter Firewalls
Basic packet filtering was described in the router section and does
not include stateful inspection. Packet filter firewalls evaluate
the headers of each incoming and outgoing packet to ensure it has a
valid internal address, originates from a permitted external
address, connects to an authorized protocol or service, and contains
valid basic header instructions. If the packet does not match the
pre-defined policy for allowed traffic, then the firewall drops the
packet. Packet filters generally do not analyze the packet contents
beyond the header information. Dynamic packet filtering incorporates
stateful inspection primarily for performance benefits. Before
re-examining every packet, the firewall checks each packet as it
arrives to determine whether it is part of an existing connection.
If it verifies that the packet belongs to an established connection,
then it forwards the packet without subjecting it to the firewall
Weaknesses associated with packet filtering firewalls include the
! The system is unable to prevent attacks that employ application
specific vulnerabilities and functions because the packet filter
cannot examine packet contents.
! Logging functionality is limited to the same information used to
make access control decisions.
! Most do not support advanced user authentication schemes.
! Firewalls are generally vulnerable to attacks and exploitation
that take advantage of problems in the TCP/IP specification.
! The firewalls are easy to misconfigure, which allows traffic to
pass that should be blocked.
Packet filtering offers less security, but faster performance than
application-level firewalls. The former are appropriate in high -
speed environments where logging and user authentication with
network resources are not important. Packet filter firewalls are
also commonly used in small office/home office (SOHO) systems and
default operating system firewalls.
Institutions internally hosting Internet-accessible services should
consider implementing additional firewall components that include
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
184.108.40.206 Incorporating Security Requirements Into Specifications
Determining security features, assurances, and operational
practices can yield significant security information and often
voluminous requirements. This information needs to be validated,
updated, and organized into the detailed security protection
requirements and specifications used by systems designers or
purchasers. Specifications can take on quite different forms,
depending on the methodology used for to develop the system, or
whether the system, or parts of the system, are being purchased off
As specifications are developed, it may be necessary to update
initial risk assessments. A safeguard recommended by the risk
assessment could be incompatible with other requirements or a
control may be difficult to implement. For example, a security
requirement that prohibits dial-in access could prevent employees
from checking their e-mail while away from the office.
Besides the technical and operational controls of a system,
assurance also should be addressed. The degree to which assurance
(that the security features and practices can and do work correctly
and effectively) is needed should be determined early. Once the
desired level of assurance is determined, it is necessary to figure
out how the system will be tested or reviewed to determine whether
the specifications have been satisfied (to obtain the desired
assurance). This applies to both system developments and
acquisitions. For example, if rigorous assurance is needed, the
ability to test the system or to provide another form of initial and
ongoing assurance needs to be designed into the system or otherwise
Developing testing specifications early can be critical to being
able to cost-effectively test security features.