- Australian official: Hackers stole documents on spy planes and
warships - Hackers breached a contractor for Australia's Department
of Defence and stole documents containing information about
next-generation spy planes and naval warships, a government official
- Bill legalizing hacking back introduced in the House - Reps. Tom
Graves, R-Ga., and Kyrsten Sinema, D-Az., today introduced the
Active Cyber Defense Bill which, if passed, would give individuals and
companies hit with a cyberattack the legal authority to hack back
against their assailant.
- Oilpro.com founder sentenced to prison after pleading guilty for
hacking competitor - The founder of a professional networking site
was sentenced to a year and one day in prison after hacking into a
competitor's database and attempting to sell his site to the same
company whose database he hacked.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Another AWS leak exposes 150,000 Patient Home Monitoring Corp.
client records - Another publicly accessible Amazon S3 repository
has once again been left exposing sensitive consumer
information, this time affecting approximately 150,000 U.S.
- Hyatt Hotels reports POS data breach - Hyatt Hotels announced today
a point of sale (POS) breach that impacted several dozen of the
company's locations between March and July 2017.
- KU student expelled after using keystroke logger to change grades -
A University of Kansas student was expelled from the school after
allegedly changing his grades from an "F" to an "A" using
information he obtained via a keystroke logger.
- DDoS attacks delay trains, stymie transportation services in Sweden
- A series of distributed denial of service attacks aimed at
Sweden's transportation services caused train delays and disrupted
other travel services earlier this week.
- Delayed delivery? Pizza Hut waits two weeks to disclose payment card
data breach - Any way you slice it, it's not great news for Pizza
Hut customers who learned on Saturday their personal data was stolen
during an Oct. 1-2 breach of the Italian food chain's website.
- We Heart It breached, 8 million affected - The online image sharing
website We Heart It told its members late last week that more than 8
million of its accounts were compromised in a data breach that took
place four years ago.
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 2 of 4)
The board of directors and senior management are responsible for
understanding the risks associated with outsourcing arrangements for
technology services and ensuring that effective risk management
practices are in place. As part of this responsibility, the board
and management should assess how the outsourcing arrangement will
support the institution’s objectives and strategic plans and how the
service provider’s relationship will be managed. Without an
effective risk assessment phase, outsourcing technology services may
be inconsistent with the institution’s strategic plans, too costly,
or introduce unforeseen risks.
Outsourcing of information and transaction processing and settlement
activities involves risks that are similar to the risks that arise
when these functions are performed internally. Risks include threats
to security, availability and integrity of systems and resources,
confidentiality of information, and regulatory compliance. In
addition, the nature of the service provided, such as bill payment,
funds transfer, or emerging electronic services, may result in
entities performing transactions on behalf of the institution, such
as collection or disbursement of funds, that can increase the levels
of credit, liquidity, transaction, and reputation risks.
Management should consider additional risk management controls when
services involve the use of the Internet. The broad geographic
reach, ease of access, and anonymity of the Internet require close
attention to maintaining secure systems, intrusion detection and
reporting systems, and customer authentication, verification, and
authorization. Institutions should also understand that the
potential risks introduced are a function of a system’s structure,
design and controls and not necessarily the volume of activity.
An outsourcing risk assessment should consider the following:
• Strategic goals, objectives, and business needs of the
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service
• Contingency plans, including availability of alternative
service providers, costs and resources required to switch service
providers.
• Ongoing assessment of outsourcing arrangements to evaluate
consistency with strategic objectives and service provider
performance.
• Regulatory requirements and guidance for the business lines
affected and technologies used.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY TESTING - OUTSOURCED SYSTEMS
Management is responsible for ensuring institution and customer
data is protected, even when that data is transmitted, processed, or
stored by a service provider. Service providers should have
appropriate security testing based on the risk to their
organization, their customer institutions, and the institution's
customers. Accordingly, management and auditors evaluating TSPs
should use the above testing guidance in performing
initial due diligence, constructing contracts, and exercising
ongoing oversight or audit responsibilities. Where indicated by the
institution's risk assessment, management is responsible for
monitoring the testing performed at the service provider through
review of timely audits and test results or other equivalent
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
People are a crucial factor in ensuring the security of computer
systems and valuable information resources. Human actions account
for a far greater degree of computer-related loss than all other
sources combined. Of such losses, the actions of an organization's
insiders normally cause far more harm than the actions of outsiders.
(Chapter 4 discusses the major sources of computer-related loss.)
The major causes of loss due to an organization's own employees
are: errors and omissions, fraud, and actions by disgruntled
employees. One principal purpose of security awareness, training,
and education is to reduce errors and omissions. However, it can
also reduce fraud and unauthorized activity by disgruntled employees
by increasing employees' knowledge of their accountability and the
penalties associated with such actions.
Management sets the example for behavior within an organization. If
employees know that management does not care about security, no
training class teaching the importance of security and imparting
valuable skills can be truly effective. This "tone from the top" has
myriad effects on an organization's security program.