- Our cybersecurity testing meets
the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense.
To receive due diligence information, agreement and, cost saving fees,
please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.
- Cyber insurance rejects claim after BitPay lost $1.8 million in
phishing attack - BitPay was spearphished, the CFO's credentials
were stolen, and the company was scammed out of $1.8 million in
bitcoins, but its cyber insurance company refused to pay.
- Forcing suspects to reveal phone passwords is unconstitutional,
court says - Demanding "personal thought processes" amounts to
compelled self incrimination. The Fifth Amendment right against
compelled self-incrimination would be breached if two insider
trading suspects were forced to turn over the passcodes of their
locked mobile phones to the Securities and Exchange Commission, a
federal judge ruled Wednesday.
- New Data Finds Women Still Only 10% Of Security Workforce - But
more women hold governance, risk and compliance (GRC) roles than
men, new (ISC)2 report finds. The needle has not moved: new data
released today by (ISC)2 and Booz Allen Hamilton shows that the
percentage of women in cybersecurity worldwide has remained static
over the past two years, holding at an anemic 10%.
- Companies leaving known vulnerabilities unchecked for 120 days -
Most major corporations have nobody to blame but themselves when it
comes to making themselves open to non-targeted online attacks with
the average company leaving known vulnerabilities open for months
giving hackers more than enough time to take action.
- Thousands of medical systems found vulnerable to attack -
Thousands of medical systems are vulnerable to cyberattacks, new
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- OPM breach included five times more stolen fingerprints - But good
news: "the ability to misuse fingerprint data is limited."
- About 2,800 Kentucky high school students notified of breach -
Kentucky-based Oldham County Schools is notifying about 2,800
current and former North Oldham High School students that their
personal information may have been compromised as part of a breach
involving a phishing scheme.
- Card Breach at Hilton Hotel Properties - Multiple sources in the
banking industry say they have traced a pattern of credit card fraud
that suggests hackers have compromised point-of-sale registers in
gift shops and restaurants at a large number of Hilton Hotel and
franchise properties across the United States. Hilton says it is
investigating the claims.
- DDoS attack sent 4.5 billion requests using mobile browsers -
Researchers at CloudFlare spotted a distributed denial-of-service
(DDoS) attack that used mobile device browsers to flood a site with
4.5 billion requests.
- Members of NJ health insurer had data accessed, used in fraud
scheme - More than a thousand Horizon Blue Cross Blue Shield of New
Jersey (BCBSNJ) members are being notified that access may have been
gained to their personal information, and nearly 60 are being
alerted that their data was used to submit false claims.
- Data breach hits roughly 15M T-Mobile customers, applicants - A
hack of Experian, the company that handles credit checks for the
wireless carrier, results in the loss of Social Security numbers,
birth dates and names. Hackers stole the personal data of 15 million
T-Mobile customers by going after the company that processes the
wireless carrier's credit checks.
- Trump Hotel Collection confirms customer data compromised - The
Trump Hotel Collection (THC) confirmed that malware was used to gain
unauthorized access to customer payment card data at seven
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of
Assess Quality of Service and Support
• Regularly review reports
documenting the service provider’s performance. Determine if the
reports are accurate and allow for a meaningful assessment of
the service provider’s performance.
• Document and follow up on any problem in service in a timely
manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change
controls are in effect, and ensure authorization is established
for significant system changes.
• Evaluate the provider’s ability to support and enhance the
institution’s strategic direction including anticipated business
development goals and objectives, service delivery requirements,
and technology initiatives.
• Determine adequacy of training provided to financial
• Review customer complaints on the products and services
provided by the service provider.
• Periodically meet with contract parties to discuss performance
and operational issues.
• Participate in user groups and other forums.
the top of the newsletter
FFIEC IT SECURITY
This concludes the
series from the FDIC "Security Risks Associated with the Internet."
Starting next week, we will begin covering the OCC Bulletin
about Infrastructure Threats and Intrusion Risks.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e‑mail, Internet newsgroups (Usenet), and their
Web site at www.cert.org. Many
other resources are freely available on the Internet.
Active Content Languages
Active content languages have been the subject of a number of
recent security discussions within the technology industry. While it
is not their only application, these languages allow computer
programs to be attached to Web pages. As such, more appealing and
interactive Web pages can be created, but this function may also
allow unauthorized programs to be automatically downloaded to a
user's computer. To date, few incidents have been reported of harm
caused by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a virus.
Security problems may result from an implementation standpoint,
such as how the languages and developed programs interact with other
software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section I. Introduction & Overview
INTRODUCTION - 1.4 Important Terminology
To understand the rest of the handbook, the reader must be familiar
with the following key terms and definitions as used in this
handbook. In the handbook, the terms computers and computer systems
are used to refer to the entire spectrum of information technology,
including application and support systems. Other key terms include:
Computer Security: The protection afforded to an automated
information system in order to attain the applicable objectives of
preserving the integrity, availability and confidentiality of
information system resources (includes hardware, software, firmware,
information/data, and telecommunications).
Integrity: In lay usage, information has integrity when it
is timely, accurate, complete, and consistent. However, computers
are unable to provide or protect all of these qualities. Therefore,
in the computer security field, integrity is often discussed more
narrowly as having two facets: data integrity and system integrity.
"Data integrity is a requirement that information and programs are
changed only in a specified and authorized manner."6 System
integrity is a requirement that a system "performs its intended
function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system." The definition
of integrity has been, and continues to be, the subject of much
debate among computer security experts.
Availability: A "requirement intended to assure that systems
work promptly and service is not denied to authorized users."
Confidentiality: A requirement that private or confidential
information not be disclosed to unauthorized individuals.
1.5 Legal Foundation for Federal Computer Security Programs
The executive principles discussed in the next chapter explain the
need for computer security. In addition, within the federal
government, a number of laws and regulations mandate that agencies
protect their computers, the information they process, and related
technology resources (e.g., telecommunications).9The most important
are listed below.
! The Computer Security Act of 1987 requires agencies to identify
sensitive systems, conduct computer security training, and develop
computer security plans.
! The Federal Information Resources Management Regulation (FIRMR)
is the primary regulation for the use, management, and acquisition
of computer resources in the federal government.
! OMB Circular A-130 (specifically Appendix III) requires that
federal agencies establish security programs containing specified
Note that many more specific requirements, many of which are agency
specific, also exist.
Federal managers are responsible for familiarity and compliance
with applicable legal requirements. However, laws and regulations do
not normally provide detailed instructions for protecting
computer-related assets. Instead, they specify requirements -- such
as restricting the availability of personal data to authorized
users. This handbook aids the reader in developing an effective,
overall security approach and in selecting cost-effective controls
to meet such requirements.