- Scottrade had no idea about data breach until the feds showed up -
The breach affected around 4.6 million customers' names and
addresses. When an organization gets hacked, ideally they'll realize
it promptly and warn their users right away.
- Banks With Weak Cybersecurity Could Be Downgraded: S&P - Given
banks' function as key nodes in the global financial system, S&P
views banks as "natural targets facing a high threat of cyber-risk."
Standard & Poor’s on Monday said that it could downgrade banks with
weak cybersecurity, even if they haven’t been attacked.
- Into the spotlight: Cyberinsurance - Data that can be monetized
is, simply put, a magnet for the bad guys. No matter whether your
organization is big or small, if you have desirable data, you can no
longer afford to wonder whether or not to invest in cybersecurity
- Don't spend more, spend better: Interview with FireEye's Richard
Turner - It's “the same but different” says Richard Turner, EMEA
president of security company FireEye, characterising the company's
most recent Advanced Threat Report.
- Early warning helped five Russian banks ward off DDoS attacks -
Five Russian banks that experienced a distributed denial of service
(DDoS) attack Sept. 26 believed to have been aimed at starting a
bitcoin-related panic had been warned in advance by the General
Directorate of Security and Information Protection of the country's
- D.C. police sign non-disclosure with FBI to keep StingRay use
private - Under a non-disclosure agreement with the Federal Bureau
of Investigation (FBI), the Metropolitan Police Department in
Washington, D.C., will keep its StingRay surveillance use private.
- Home Depot breach costs expected to reach billions - Owing to a
slew of lawsuits filed by banks and credit unions, the expected cost
to Home Depot for a cyber intrusion may reach into the billions,
according to Insurance Business America (IBA).
- Cyber Security at Civil Nuclear Facilities: Understanding the
Risks - The risk of a serious cyber attack on civil nuclear
infrastructure is growing, as facilities become ever more reliant on
digital systems and make increasing use of commercial
‘off-the-shelf’ software, according to a new Chatham House report.
- California city mayor relinquishes electronics and passwords to
agents at SFO [Updated] - Stockton, California Mayor Anthony R.
Silva attended a recent mayor's conference in China, but his return
trip took a bit longer than usual. At the San Francisco
International Airport (SFO) this week, agents with the Department of
Homeland Security detained Silva and confiscated his personal cell
phone among other electronics. According to comments from the mayor,
that may not even be the most alarming part.
- DOD now requires contractors to report hacks - The Department of
Defense (DOD) will require its biggest contractors to disclose
certain cybersecurity breaches.
- Average cost of cybercrime rises again in 2015 to $7.7 million -
The cost of cybercrime rose yet again this year with the average
global annualized cost coming out to $7.7 million, a new report from
the Ponemon Institute and Hewlett Packard Enterprise indicates.
- Berkshire Hathaway Specialty Insurance enters cyberinsurance arena
- Warren Buffet is not exactly launching the Geico gecko into the
cyberinsurance space, but his Berkshire Hathaway Specialty Insurance
division today did unveil two new polices targeted at this area.
- NIST seeks to secure, raise trustworthiness of email - The
National Institute of Standards and Technology (NIST) unveiled two
projects designed to secure email.
- Canadian military wants to hack cars - The Canadian Department of
National Defence put a $825,000 contract up for bid to find a firm
that will study how to hack an automobile and come up with a
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Patreon thieves drop data, expose users' info all over web - 15GB
file lifted from crowd-funding outfit hits dump sites - Attackers
who compromised crowd-funding outfit Patreon have dumped its user
data on various bin sites around the web.
- Patreon's hack exposes data on 2.3 million users - Cybersecurity
firm Detectify said it tried to warn crowdfunding platform Patreon
that it was at risk of attack about five days before a hack exposed
the personal information of 2,330,382 anonymous donors.
- 15 MILLION T-Mobile US customer records swiped by hackers -
Applied for a phone contract? Successful or not, you're boned -
Experian's servers have been hacked – and now sensitive files on 15
million people who applied for T-Mobile US contracts have fallen
into the wrong hands.
- State Trooper Vehicles Hacked - Car-hacking research initiative in
Virginia shows how even older vehicles could be targeted in
cyberattacks. state trooper responding to a call starts his vehicle,
but is unable to shift the gear from park to drive. The engine RPMs
suddenly spike and the engine accelerates, no foot on the pedal.
Then the engine cuts off on its own.
- Trump confirms carders raided Las Vegas hotel sales tills -
Republican prez candidate a hit among thieves. Trump Hotel
Collection has confirmed in a letter to customers that IT security
at one of its Las Vegas hotels was breached.
- Scottrade breach affects roughly 4.6 million clients - Scottrade
is notifying approximately 4.6 million clients that illegal activity
occurred on its network and personal information may have been
- Scottrade Breach Hit 4.6 Million Customers, Began 2 Years Ago -
Social Security numbers might have been exposed, but the main target
appears to have been contact information. Today, Scottrade Inc.
announced a breach of 4.6 million customer contact information
records (and possibly Social Security numbers), resulting from an
attack that occurred between late 2013 and early 2014.
- Breach at the American Bankers Association exposes 6,400 emails
and passwords - The American Bankers Association (ABA), based in
Washington, D.C., is notifying more than 6,000 ABA shopping cart
users of a breach that exposed their personal information.
- Fake LinkedIn profiles, 'convincing' network linked to Iran-based
group - The Counter Threat Unit (CTU), the Dell SecureWorks research
team, uncovered an initiative by an Iran-based threat group it
dubbed Threat Group 2889, to create a network of fake LinkedIn
profiles for “obtaining confidential information they can use for
cyber espionage purposes.”
- Sony hack's invasion of privacy still grates on CEO - Nearly a
year after a crippling hack, the studio's boss says he was
distressed by how some people combed leaked emails for embarrassing
information. Almost a year after a massive hack crippled Sony
Entertainment, it's still a sore subject with CEO Michael Lynton.
- Samsung says customer payment data not affected by hack attack - A
March attack was aimed at LoopPay, a payments company owned by
Samsung, but the electronics giant insists customer data is safe.
Customers who use the Samsung Pay mobile payments system weren't
hurt by a hack attack on LoopPay, a company Samsung acquired to help
power the service, the company said on Thursday.
- Report indicates Uber looking into Lyft employee as possible
culprite in data breach - As Uber continues to investigate a data
breach of its drivers database, Reuters came out with a report
Thursday that claimed the car service's primary suspect is also its
main rival: Lyft.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of
Monitor Contract Compliance and Revision Needs
• Review invoices to assure
proper charges for services rendered, the appropriateness of
rate changes and new service charges.
• Periodically, review the service provider’s performance
relative to service level agreements, determine whether other
contractual terms and conditions are being met, and whether any
revisions to service level expectations or other terms are
needed given changes in the institution’s needs and
• Maintain documents and records regarding contract compliance,
revision and dispute resolution.
Resumption Contingency Plans
• Review the service provider’s
business resumption contingency plans to ensure that any
services considered mission critical for the institution can be
restored within an acceptable timeframe.
• Review the service provider’s program for contingency plan
testing. For many critical services, annual or more frequent
tests of the contingency plan are typical.
• Ensure service provider interdependencies are considered for
mission critical services and applications.
the top of the newsletter
FFIEC IT SECURITY
Over the next few weeks, we will cover the OCC
Bulletin about Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on how to
prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as
information systems become more connected and interdependent and as
banks make greater use of Internet banking services and other remote
access devices. Recent e-mail-based computer viruses and the
distributed denial of service attacks earlier this year revealed
that the security of all Internet-connected networks are
increasingly intertwined. The number of reported incidences of
intrusions nearly tripled from 1998 to 1999, according to Carnegie
Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.1 Computer Security Supports the Mission of the Organization.
The purpose of computer security is to protect an organization's
valuable resources, such as information, hardware, and software.
Through the selection and application of appropriate safeguards,
security helps the organization's mission by protecting its physical
and financial resources, reputation, legal position, employees, and
other tangible and intangible assets. Unfortunately, security is
sometimes viewed as thwarting the mission of the organization by
imposing poorly selected, bothersome rules and procedures on users,
managers, and systems. On the contrary, well-chosen security rules
and procedures do not exist for their own sake -- they are put in
place to protect important assets and thereby support the overall
Security, therefore, is a means to an end and not an end in itself.
For example, in a private- sector business, having good security is
usually secondary to the need to make a profit. Security, then,
ought to increase the firm's ability to make a profit. In a
public-sector agency, security is usually secondary to the agency's
service provided to citizens. Security, then, ought to help improve
the service provided to the citizen.
To act on this, managers need to understand both their
organizational mission and how each information system supports that
mission. After a system's role has been defined, the security
requirements implicit in that role can be defined. Security can then
be explicitly stated in terms of the organization's mission.
The roles and functions of a system may not be constrained to a
single organization. In an interorganizational system, each
organization benefits from securing the system. For example, for
electronic commerce to be successful, each of the participants
requires security controls to protect their resources. However, good
security on the buyer's system also benefits the seller; the buyer's
system is less likely to be used for fraud or to be unavailable or
otherwise negatively affect the seller. (The reverse is also true.)