- California cops, want to use a stingray? Get a warrant, governor
says - On Thursday, California Governor Jerry Brown signed a bill
into law that requires police get a warrant to use a stingray during
investigations. The devices, which are also known as cell-site
simulators, are usually used to locate a phone but can also in some
cases intercept calls and text messages.
- What’s in a Boarding Pass Barcode? A Lot - The next time you’re
thinking of throwing away a used boarding pass with a barcode on it,
consider tossing the boarding pass into a document shredder instead.
- Computer attack insurance rates rise after high-profile breaches -
Hacks of Sony, Target, Home Depot and major health insurers have
made it more expensive to cope with data theft, Reuters reports.
Just as you safeguard your home with insurance, companies get
insurance to cover any problems with customer and corporate data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- LoopPay hackers may have wanted magnetic card-swipe tech -
Backwards-compatible feature used for old cash registers - Samsung’s
mobile payment system supplier, LoopPay, was hacked back in March
this year, it has emerged.
- After USPS Phishing Hack, Audit Shows Postal Workers Still Click
on Links - Months after a suspected malicious email attack breached
U.S. Postal Service personnel data, a quarter of agency employees
fell for a simulated email scheme, according to an internal
- Dow Jones & Co. breached, current and former subscribers contacted
- Hackers broke into Dow Jones & Co. systems and were able to access
information on fewer than 3,500 of the company's current and former
- E-Trade notifies 31,000 customers that their contact info may have
been breached in 2013 hack - Financial services company E-Trade
notified about 31,000 customers this week that some of their
personal information may have been accessed during a cyberattack in
- Dow Jones breached in hacking campaign - In a letter sent to
customers, the financial information company said there is no
evidence that data was stolen but that the hackers may also have
accessed credit card information of fewer than 3,500 individuals.
- No evidence hackers caused flight delays - Southwest Airlines said
there is no evidence that a cybersecurity breach led to the
technical failures that delayed flights and stranded passengers
across the country on Sunday.
- Cyber Attack on South Korean Subway System Could Be a Sign of
Nastier Things to Come - A South Korean legislator revealed this
week that a report from the country's intelligence service suggested
that the North Korean government might have been behind a hack of
the Seoul Metro system last year that lasted several months.
incident affects 9,400 Schwab Retirement Plan Services participants
- Schwab Retirement Plan Services (SRPS) is notifying approximately
9,400 plan participants that a spreadsheet containing their personal
information was accidentally emailed to a participant in another
retirement plan serviced by SRPS.
numbers compromised in America's Thrift Store data breach -
America's Thrift Stores reported a breach that compromised credit
card information for an unknown number of its customers who shopped
at the 18-store chain in September 2015.
exposes nearly 1,000 of its driver's personal documents - Uber
accidentally exposed the personal information of hundreds of U.S.
drivers during the Tuesday release of its “Uber Partner app.”
siphon off $31 million from British bank accounts - Crime agencies
from across Europe partner with the FBI to investigate and shut down
the spread of Dridex banking malware. Hackers have stolen more than
£20 million ($31 million) from British online bank accounts using
hostile, intrusive software that harvested user log-in details.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We begin this week reviewing
the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 1 of
A. RISK DISCUSSION
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
dissatisfaction with the quality of products or services
obtained from a third party; and
- customer confusion as
to whether certain regulatory protections apply to third-party
products or services.
the top of the newsletter
FFIEC IT SECURITY
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
security strategies and plans.
Senior management and the board of directors are responsible for
overseeing the development and implementation of their bank's
security strategy and plan. Key elements to be included in those
strategies and plans are an intrusion risk assessment plan, risk
mitigation controls, intrusion response policies and procedures, and
testing processes. These elements are needed for both internal and
The first step in managing the risks of intrusions is to assess the
effects that intrusions could have on the institution. Effects may
include direct dollar loss, damaged reputation, improper disclosure,
lawsuits, or regulatory sanctions. In assessing the risks,
management should gather information from multiple sources,
including (1) the value and sensitivity of the data and processes to
be protected, (2) current and planned protection strategies, (3)
potential threats, and (4) the vulnerabilities present in the
network environment. Once information is collected, management
should identify threats and the likelihood of those threats
materializing, rank critical information assets and operations, and
estimate potential damage.
The analysis should be used to develop an intrusion protection
strategy and risk management plan. The intrusion protection strategy
and risk management plan should be consistent with the bank's
information security objectives. It also should balance the cost of
implementing adequate security controls with the bank's risk
tolerance and profile. The plan should be implemented within a
reasonable time. Management should document this information, its
analysis of the information, and decisions in forming the protection
strategy and risk management plan. By documenting this information,
management can better control the assessment process and facilitate
future risk assessments.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.2 Computer Security is an Integral Element of Sound
Information and computer systems are often critical assets that
support the mission of an organization. Protecting them can be as
critical as protecting other organizational resources, such as
money, physical assets, or employees.
However, including security considerations in the management of
information and computers does not completely eliminate the
possibility that these assets will be harmed. Ultimately,
organization managers have to decide what the level of risk they are
willing to accept, taking into account the cost of security
As with many other resources, the management of information and
computers may transcend organizational boundaries. When an
organization's information and computer systems are linked with
external systems, management's responsibilities also extend beyond
the organization. This may require that management (1) know what
general level or type of security is employed on the external
system(s) or (2) seek assurance that the external system provides
adequate security for the using organization's needs.
2.3 Computer Security Should Be Cost-Effective.
The costs and benefits of security should be carefully examined in
both monetary and non-monetary terms to ensure that the cost of
controls does not exceed expected benefits. Security should be
appropriate and proportionate to the value of and degree of reliance
on the computer systems and to the severity, probability and extent
of potential harm. Requirements for security vary, depending upon
the particular computer system.
In general, security is a smart business practice. By investing in
security measures, an organization can reduce the frequency and
severity of computer security-related losses. For example, an
organization may estimate that it is experiencing significant losses
per year in inventory through fraudulent manipulation of its
computer system. Security measures, such as an improved access
control system, may significantly reduce the loss.
Moreover, a sound security program can thwart hackers and can
reduce the frequency of viruses. Elimination of these kinds of
threats can reduce unfavorable publicity as well as increase morale
Security benefits, however, do have both direct and indirect costs.
Direct costs include purchasing, installing, and administering
security measures, such as access control software or
fire-suppression systems. Additionally, security measures can
sometimes affect system performance, employee morale, or retraining
requirements. All of these have to be considered in addition to the
basic cost of the control itself. In many cases, these additional
costs may well exceed the initial cost of the control (as is often
seen, for example, in the costs of administering an access control
package). Solutions to security problems should not be chosen if
they cost more, directly or indirectly, than simply tolerating the