- Is your web site compliant with the American Disability Act?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
NIST study warns of security fatigue among users - Most web users
are overwhelmed with warning of online threats and suffer from
“security fatigue,” according to the National Institute of Standards
and Technology (NIST).
Cybersecurity preparedness requires threat intelligence information
sharing - Threat intelligence information sharing efforts have
become increasingly important as breaches become more pervasive.
Karen Epper Hoffman reports.
Russian anti-terrorism law allows security firms to hack Facebook
Messenger, Skype, WhatsApp - A recently passed Russian law has given
the country's security firms the green light to crack encrypted
communication services including Facebook Messenger, Skype and
Researchers send wireless logins through the human body - As
security professionals continue to warn of serious threats facing
mobile, wearable, Internet of Things (IoT), and medical devices, a
team of researchers has developed a method of sending passwords
through the human body that may assist in securing commodity
TalkTalk fined £400,000 for theft of customer details - TalkTalk has
been fined a record £400,000 for poor website security which led to
the theft of the personal data of nearly 157,000 customers.
Two Teenagers Arrested For Alleged Cyberattack-For-Hire Services -
The American and Dutch suspects allegedly associated with 'Lizard
Squad' hacking group also operated websites to launch DDoS attacks
and traffic stolen payment card details.
Consumer cybersecurity concerns cost U.K. economy billions, study -
U.K. consumers put their money where the security is as a recent
study found 36 percent of them are more reluctant to use apps out of
security concerns and their actions have cost the U.K. economy
nearly $2.8 billion this year alone.
Europe to Push New Security Rules Amid IoT Mess - The European
Commission is drafting new cybersecurity requirements to beef up
security around so-called Internet of Things (IoT) devices such as
Web-connected security cameras, routers and digital video recorders
GAO - Health Care Quality: HHS Should Set Priorities and
Comprehensively Plan Its Efforts to Better Align Health Quality
Top five email phishing attack lures revealed and how to prevent
them - Phishing remains one of the top threats seen by organisations
today. Threat actors use various social engineering tricks to
convince users that their requests for information or money
transfers are legitimate.
Hype hampers understanding of cyber-security says Aussie government
- A report by the Australian Cyber-Security Centre says that the
misuse and over-hyping of cyber-security terms has hampered the
public's ability to understand cyber-security issues.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- WordPress site hack highlights emerging 'Windows keys' redirect
scam - Researchers at Sucuri are monitoring a rise in website
compromises in which visitors are redirected to domains that offer
to sell Windows product keys.
BuzzFeed hacked by OurMine - Following its exposé accusing OurMine
of web defacements, the website BuzzFeed was itself hit.
Email that hacked AZ voter registration looked like an employee,
official says - The email that gave Russian hackers access to an
Arizona registration base looked like it came from an employee, and
any normal person would have clicked on it, Arizona Secretary of
State Michele Reagan said Wednesday.
Central Ohio Urology Group reports 300K records compromised - The
Central Ohio Urology Group reported that in early August it became
aware of an incident where an unauthorized posted patient and
employee information to Twitter.
How France's TV5 was almost destroyed by 'Russian hackers' -
TV5Monde was taken off air in April 2015. A group calling itself the
Cyber Caliphate, linked to so-called Islamic State, first claimed
J&J warns diabetic patients: Insulin pump vulnerable to hacking -
Johnson & Johnson is telling patients that it has learned of a
security vulnerability in one of its insulin pumps that a hacker
could exploit to overdose diabetic patients with insulin, though it
describes the risk as low.
Data breach and ransomware hit Hutchinson Community Foundation - The
Hutchinson Community Foundation in Kansas was hit with a data breach
and ransomware attack.
Unsecured database lets hacker expose 58 million plus records from
data management firm - A hacker scanning for unsecured databases was
able to compromise at least 58.8 million records – and possibly as
many as 258 million – from Modern Business Solutions (MBS), a data
management and monetization firm primarily serving the automotive,
employment and real-estate industries.
Malware behind payment card breach at University of Central Florida
- A malware infection is to blame for a payment card data breach
affecting at least 230 University of Central Florida students.
Potter County, Texas voter website hacked - Potter County, Texas
officials are assuring users that their voter information website is
safe after learning that hackers gained access to it.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate
authorization privileges and authentication measures, logical and
physical access controls, adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities and data integrity of transactions,
records and information. In addition, the existence of clear audit
trails for all e-banking transactions should be ensured and measures
to preserve confidentiality of key e-banking information should be
appropriate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort.
Regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimize legal
and reputational risk associated with e-banking activities conducted
both domestically and cross-border, banks should make adequate
disclosure of information on their web sites and take appropriate
measures to ensure adherence to customer privacy requirements
applicable in the jurisdictions to which the bank is providing
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Application - Level Firewalls
Application-level firewalls perform application-level screening,
typically including the filtering capabilities of packet filter
firewalls with additional validation of the packet content based on
the application. Application-level firewalls capture and compare
packets to state information in the connection tables. Unlike a
packet filter firewall, an application-level firewall continues to
examine each packet after the initial connection is established for
specific application or services such as telnet, FTP, HTTP, SMTP,
etc. The application-level firewall can provide additional screening
of the packet payload for commands, protocols, packet length,
authorization, content, or invalid headers. Application-level
firewalls provide the strongest level of security, but are slower
and require greater expertise to administer properly.
The primary disadvantages of application - level firewalls are:
! The time required to read and interpret each packet slows network
traffic. Traffic of certain types may have to be split off before
the application level firewall and passed through different access
! Any particular firewall may provide only limited support for new
network applications and protocols. They also simply may allow
traffic from those applications and protocols to go through the
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
A separate implementation phase is not always specified in some
life cycle planning efforts. (It is often incorporated into the end
of development and acquisition or the beginning of operation and
maintenance.) However, from a security point of view, a critical
security activity, accreditation, occurs between development and the
start of system operation. The other activities described in this
section, turning on the controls and testing, are often incorporated
at the end of the development/acquisition phase.
188.8.131.52 Install/Turn-On Controls
While obvious, this activity is often overlooked. When acquired, a
system often comes with security features disabled. These need to be
enabled and configured. For many systems this is a complex task
requiring significant skills. Custom-developed systems may also
require similar work.
184.108.40.206 Security Testing
System security testing includes both the testing of the particular
parts of the system that have been developed or acquired and the
testing of the entire system. Security management, physical
facilities, personnel, procedures, the use of commercial or in-house
services (such as networking services), and contingency planning are
examples of areas that affect the security of the entire system, but
may be specified outside of the development or acquisition cycle.
Since only items within the development of acquisition cycle will
have been tested during system acceptance testing, separate tests or
reviews may need to be performed for these additional security
Security certification is a formal testing of the security
safeguards implemented in the computer system to determine whether
they meet applicable requirements and specifications. To provide
more reliable technical information, certification is often
performed by an independent reviewer, rather than by the people who
designed the system. (This is the type of independent testing we
perform. For more information visit