- Kaspersky Labs denies report its software was used to hack NSA -
Russian hackers used a Kaspersky Labs antivirus product to steal
hacking tools from the National Security Agency (NSA).
Equifax snags $7.25M no-bid IRS ID verification, fraud prevention
contract - The Internal Revenue Service handed breach-beleaguered
Equifax a $7.25 million for identity verification and fraud
Cyberattack to cause power disruption within five years, utility
execs fear - Three-quarters of North American utility executives
believe there is at least a moderate chance that the electrical grid
in their nation will be interrupted by a cyberattack sometime in the
next five years.
Brazilian banking trojan uses legit VMware binary to bypass security
- Cybercriminals are using legitimate VMware binary to spread
banking trojans in a new phishing campaign targeting the Brazilian
Sole Equifax security worker at fault for failed patch, says former
CEO -Someone failed to order the patch. If it was you, c'mere, have
a hug. And a new identity - Recently-and-forcibly-retired Equifax
CEO Rick Smith has laid the blame for his credit-check biz's IT
security breach on a single member of the company's security team.
White House wants to end Social Security numbers as a national ID -
US government is examining the use of a “modern cryptographic
identifier.” Rob Joyce, the White House cybersecurity czar, said on
Tuesday that the government should end using the Social Security
number as a national identification method.
Secret Service nixes personal mobile devices in West Wing after
Kelly hack - After it came to light that the smartphone of White
House Chief of Staff Gen. John Kelly was hacked by potentially by
foreign operatives, the Secret Service reportedly has put the kibosh
on personal devices in the West Wing.
Yahoo breach underscores importance of heeding risk factors, renews
interest in legislation - That the 2013 Yahoo breach tripled – to
three billion - the number of affected accounts previously reported
demonstrates the far-reaching and ongoing impact of an undetected
hack, underscores the cost of unexamined risk, points to the dangers
of neglecting vulnerabilities and will likely renew calls for
federal data breach notification legislation, information security
professionals said in the aftermath of the revelation by Verizon
Communications, which acquired Yahoo earlier this year.
Using Public Data to Alert Missouri Entities of Vulnerabilities -
The State of Missouri Office of Cyber Security’s (OCS) “Using Public
Data to Alert Organizations of Vulnerabilities” program identifies
vulnerable internet connected systems belonging to organizations
from various industries across the State of Missouri.
Microsoft silently fixes security holes in Windows 10 – dumps Win 7,
8 out in the cold - Versions in use by millions lag behind latest
OS, leaving systems vulnerable to attack - Microsoft is silently
patching security bugs in Windows 10, and not immediately rolling
out the same updates to Windows 7 and 8, potentially leaving
hundreds of millions of computers at risk of attack.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- A new report suggests that the FDIC could have been breached
numerous times between 2015 and 2016, leading to the leak of PII
data. - Over the course of two years, the Federal Deposit Insurance
Corporation (FDIC) could have experienced as many as 54 data
breaches, according to a recent report from the Office of the
Inspector General. The breaches occurred between 2015 and 2016, and
could have compromised personally identifiable information (PII)
data, the report said.
Russians hacked smartphones of 4,000 NATO troops - NATO troops'
smartphones are under attack by Russian hackers bent on obtaining
information on and exploiting soldiers as well as getting a handle
on NATO military capabilities.
6,000 Atlanta Public School employees possibly compromised - Federal
investigators have warned the Atlanta Public School system that all
6,000 of its employees may have had their personal information
compromised due to a phishing scam.
128,000 Arkansas Oral & Facial Surgery Center patients compromised -
In late July the Arkansas Oral & Facial Surgery Center was hit with
a ransomware attack that not only locked up patient records, but may
have also exposed their personal information.
City of Englewood, Colo. hit with ransomware - The city of
Englewood, Colo. was hit with a ransomware attack which brought down
the city's internal network.
NFL player personal data found on open Elasticsearch server - NFL
players may not mind having their views on social issues known, but
they are probably not happy that a publicly accessible database has
been found containing private information on about 1,100 players and
Disqus confirmed a 2012 database breach on Friday impacting some
data for 17.5 million users and including information dating back to
Market Research Firm Forrester Says Hackers Stole Sensitive Reports
- Forrester, one of the world's leading market research and
investment advisory firms, admitted late Friday afternoon to a
security breach that took place during the past week.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services ( Part 1 of 4)
Purpose and Background
This statement focuses on the risk management process of
identifying, measuring, monitoring, and controlling the risks
associated with outsourcing technology services.1 Financial
institutions should consider the guidance outlined in this statement
and the attached appendix in managing arrangements with their
technology service providers. While this guidance covers a broad
range of issues that financial institutions should address, each
financial institution should apply those elements based on the scope
and importance of the outsourced services as well as the risk to the
institution from the services.
Financial institutions increasingly rely on services provided by
other entities to support an array of technology-related functions.
While outsourcing to affiliated or nonaffiliated entities can help
financial institutions manage costs, obtain necessary expertise,
expand customer product offerings, and improve services, it also
introduces risks that financial institutions should address. This
guidance covers four elements of a risk management process: risk
assessment, selection of
service providers, contract review, and monitoring of service
the top of the newsletter
FFIEC IT SECURITY -
e continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - KEY FACTORS
Management is responsible for considering the following key factors
in developing and implementing independent diagnostic tests:
Personnel. Technical testing is frequently only as good as
the personnel performing and supervising the test. Management is
responsible for reviewing the qualifications of the testing
personnel to satisfy themselves that the capabilities of the testing
personnel are adequate to support the test objectives.
Scope. The tests and methods utilized should be sufficient
to validate the effectiveness of the security process in identifying
and appropriately controlling security risks.
Notifications. Management is responsible for considering
whom to inform within the institution about the timing and nature of
the tests. The need for protection of institution systems and the
potential for disruptive false alarms must be balanced against the
need to test personnel reactions to unexpected activities.
Controls Over Testing. Certain testing can adversely affect
data integrity, confidentiality, and availability. Management is
expected to limit those risks by appropriately crafting test
protocols. Examples of issues to address include the specific
systems to be tested, threats to be simulated, testing times, the
extent of security compromise allowed, situations in which testing
will be suspended, and the logging of test activity. Management is
responsible for exercising oversight commensurate with the risk
posed by the testing.
Frequency. The frequency of testing should be determined by
the institution's risk assessment. High - risk systems should be
subject to an independent diagnostic test at least once a
year. Additionally, firewall policies and other policies addressing
access control between the financial institution's network and other
networks should be audited and verified at least quarterly. Factors
that may increase the frequency of testing include the extent of
changes to network configuration, significant changes in potential
attacker profiles and techniques, and the results of other testing.
(FYI - This is
exactly the type of independent diagnostic testing that we perform.
Please refer to
http://www.internetbankingaudits.com/ for information.)
Proxy Testing. Independent diagnostic testing of a proxy
system is generally not effective in validating the effectiveness of
a security process. Proxy testing, by its nature, does not test the
operational system's policies and procedures, or its integration
with other systems. It also does not test the reaction of personnel
to unusual events. Proxy testing may be the best choice, however,
when management is unable to test the operational system without
creating excessive risk.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
People, who are all fallible, are usually recognized as one of the
weakest links in securing systems. The purpose of computer security
awareness, training, and education is to enhance security by:
1) improving awareness of the need to protect system resources;
2) developing skills and knowledge so computer users can perform
their jobs more securely; and
3) building in-depth knowledge, as needed, to design, implements,
or operate security programs for organizations and systems.
Making computer system users aware of their security
responsibilities and teaching them correct practices helps users
change their behavior. It also supports individual accountability,
which is one of the most important ways to improve computer
security. Without knowing the necessary security measures (and to
how to use them), users cannot be truly accountable for their
actions. The importance of this training is emphasized in the
Computer Security Act, which requires training for those involved
with the management, use, and operation of federal computer systems.
This chapter first discusses the two overriding benefits of
awareness, training, and education, namely: (1) improving employee
behavior and (2) increasing the ability to hold employees
accountable for their actions. Next, awareness, training, and
education are discussed separately, with techniques used for each.
Finally, the chapter presents one approach for developing computer
security awareness and training program.