- Tech giants team up against new cyber-security law - A public
protest has been issued against a controversial US cyber-security
bill by some of the world's tech giants. Google, Facebook, Amazon
and other major tech firms have teamed up against the Cyber-security
Information Sharing Act (CISA) that is due to be laid out for
consideration by the US Senate in the coming weeks. The CISA aims to
share threat intelligence between private companies and the
- Army Cyber Command readies cyber units for the battlefield - U.S.
soldiers may not charge into battle as they type away on their
laptops attempting to fend off enemy cyberattacks any time soon,
but the U.S. Army Cyber Command is actively working on the role
these troops will someday play on the battlefield.
- Insider sued for hacking Skunkwerks Software clients - A February
cyberattack against clients of Vancouver, Canada-based Skunkwerks
Software is being ascribed to a former employee, according to The
- Healthcare providers must boost cyber defenses: Accenture - The
continued digitization of the nation's healthcare system will place
$305 billion worth of personal and medical information online and
squarely in the crosshairs of cybercriminals in the next five years,
according to a report by Accenture.
- Report places a value on stolen data sold on the black market -
While it's no secret that stolen payment card information is
valuable, researchers at Intel Security found the price of other
types of stolen data sold on the digital black market can garner
even larger sums.
- Secret source code pronounces you guilty as charged - When a
computer "spits out something, you'd like to know how it did it."
The results from a Pennsylvania company's TrueAllele DNA testing
software have been used in roughly 200 criminal cases, from
California to Florida, helping put murderers and rapists in prison.
- Former employee pleads guilty to deleting company files, disabling
accounts - A former web developer with a Winchester-based company
pleaded guilty to a federal computer crime on Wednesday in U.S.
District Court for the Western District of Virginia.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hacking group stole credit card data of 150K casino customers -
The personal information of 150,000 customers of an as-yet-unnamed
casino was compromised following an incursion by the "Fin5" hacking
group, according to The Register.
- Payment card breach at Peppermill Resort Spa Casino in Reno - An
undisclosed number of individuals are being notified that an attack
may have compromised credit and debit cards used between October
2014 and February 2015 at the front desk of the Reno, Nev.-based
Peppermill Resort Spa Casino.
- Customs and Border Protection system computer problems cause
airport delays - Major airports across the country experienced
delays Wednesday night after problems with a Department of Homeland
Security computer system caused problems at U.S. ports of entry,
- Laptop theft affects thousands of OU Medicine patients - Roughly
9,300 individuals are being notified that a laptop containing
personal information was stolen from a physician who formerly worked
for the University of Oklahoma Department of Urology.
- Lloyds Group left thousands of accounts potentially open to attack
- It's a case of customer service gone bad. Lloyds Banking Group, in
a quest to simplify account signup and inter-operability between its
brands, created a system that could be hacked by someone with
virtually no IT skills.
- New details released on zoo POS breach - Service Systems
Associates (SSA), a third party vendor that handles retail and
concession payments, released new details of a point-of-sale (POS)
breach that several zoos and museums across the country earlier this
- Hackers siphon off $31 million from British bank accounts - Crime
agencies from across Europe partner with the FBI to investigate and
shut down the spread of Dridex banking malware. Hackers have stolen
more than £20 million ($31 million) from British online bank
accounts using hostile, intrusive software that harvested user
- High school student reportedly hacks CIA director's personal email
- A high school student has claimed to have hacked the private email
account of CIA Director John Brennan where the student found a
number of sensitive, government-related files, according to a report
in the New York Post.
- Dow Jones targeted by Russian hackers for trading information - A
group of Russian hackers was reported to have hacked Dow Jones &
Co. servers in pursuit of embargoed market-moving information more
than a year ago.
- Community Catalysts of California notifies clients of flash drive
theft - Community Catalysts of California is notifying more than a
thousand current and former clients that the residence of an
employee was burglarized and a flash drive containing their personal
information was stolen.
- Woods Hole Oceanographic Institution Says Hack Linked to China -
Woods Hole Oceanographic Institution, a private, nonprofit facility
that does scientific research on the world's oceans, says it was the
target of an "aggressive" cyberattack it believes to have originated
- Anonymous attacks two Japanese airports - In protest over the
Japanese dolphin-hunting industry, Anonymous has launched DDoS
attacks on two major Japanese airports.
- North Korean hackers breach South Korea's executive office servers
- North Korean hackers accessed servers belonging to the Blue House,
the executive office of South Korea, and stole data from computers
belonging to members of the nation's legislature, South Korea's
intelligence agency has reported.
- EyeBuyDirect announces website breach, payment cards affected - An
undisclosed number of individuals are being notified that
unauthorized access was gained to EyeBuyDirect's website and
personal information – including payment card data – may have been
- Data accessible on internet, Salt Lake County sends out 14K
notification letters - The Salt Lake County, Utah mayor's office has
sent out approximately 14,000 notification letters to those whose
data was exposed in an incident involving workers' compensation and
other damage claims submitted to the County.
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 2 of 10)
A. RISK DISCUSSION
Compliance risk arises when the linked third party acts in a manner
that does not conform to regulatory requirements. For example,
compliance risk could arise from the inappropriate release or use of
shared customer information by the linked third party. Compliance
risk also arises when the link to a third party creates or affects
compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for an
institution. This guidance applies to links to affiliated, as well
as non-affiliated, third parties. A link to a third-party website
that provides a customer only with information usually does not
create a significant risk exposure if the information being provided
is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
FFIEC IT SECURITY
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we start a
three part review of controls to prevent and detect intrusions.
Management should determine the controls necessary to deter,
detect, and respond to intrusions, consistent with the best
practices of information system operators. Controls may include the
1) Authentication. Authentication provides identification by means
of some previously agreed upon method, such as passwords and
biometrics. (A method of verifying a person's identity by
analyzing a unique physical attribute.) The means and strength of
authentication should be commensurate with the risk. For instance,
passwords should be of an appropriate length, character set, and
lifespan (The lifespan of a password is the length of time the
password allows access to the system. Generally speaking, shorter
lifespans reduce the risk of password compromises.) for the systems
being protected. Employees should be trained to recognize and
respond to fraudulent attempts to compromise the integrity of
security systems. This may include "social engineering" whereby
intruders pose as authorized users to gain access to bank systems or
2) Install and Update Systems. When a bank acquires and installs
new or upgraded systems or equipment, it should review security
parameters and settings to ensure that these are consistent with the
intrusion risk assessment plan. For example, the bank should review
user passwords and authorization levels for maintaining "separation
of duties" and "need to know" policies. Once installed, security
flaws in software and hardware should be identified and remediated
through updates or "patches." Continuous monitoring and updating is
essential to protect the bank from vulnerabilities. Information
related to vulnerabilities and patches is typically available from
the vendor, security-related web sites, and the National
Infrastructure Protection Center's bi-weekly CyberNotes.
3) Software Integrity. Copies of software and integrity checkers
(An integrity checker uses logical analysis to identify whether a
file has been changed.) are used to identify unauthorized changes to
software. Banks should ensure the security of the integrity
checklist and checking software. Where sufficient risk exists, the
checklist and software should be stored away from the network, in a
location where access is limited. Banks should also protect against
viruses and other malicious software by using automated virus
scanning software and frequently updating the signature file (The
signature file contains the information necessary to identify each
virus.) to enable identification of new viruses.
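The following is an added example, not part of the OCC bulletin, of the kind of integrity checker item 3 describes: it hashes every file under a directory into a baseline checklist, seals that checklist with an HMAC so that tampering with the checklist itself is caught (the bulletin's point about protecting the checklist and checking software), and on a later run reports files that were added, removed, or modified. The directory, the two sample files, the simulated intrusion, and the key are all constructed for the demonstration; in practice the key and the sealed baseline would be kept off the monitored host, as the bulletin recommends.

```python
"""Added example (not from the OCC bulletin): a minimal file-integrity
checker. Builds a SHA-256 baseline of a directory tree, seals the
baseline with an HMAC so edits to the checklist are detectable, and
reports added/removed/modified files on a later check.
Paths, key and sample files below are constructed for the demo."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption: in real use this key is stored away from the network
# (removable media or a separate admin station); a constant here only
# so the demo runs stand-alone.
DEMO_KEY = b"demo-key-keep-this-off-the-network"


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (POSIX-style relative path) to its digest."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hash_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def seal_baseline(baseline: dict, key: bytes) -> str:
    """Serialize the checklist and attach an HMAC over the serialized
    form, so a modified checklist fails verification."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def open_baseline(sealed: str, key: bytes) -> dict:
    """Verify the HMAC before trusting the checklist; raise on mismatch."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: checklist was altered")
    return json.loads(doc["baseline"])


def check_integrity(root: str, baseline: dict) -> dict:
    """Compare the current tree against the baseline checklist."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in current if p in baseline and current[p] != baseline[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline two files, then simulate an intrusion
    that replaces a binary, drops a new script, and deletes a config."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "app").write_bytes(b"original binary")
        (Path(root) / "config.ini").write_text("debug=0\n")
        sealed = seal_baseline(build_baseline(root), DEMO_KEY)

        (Path(root) / "bin" / "app").write_bytes(b"trojaned binary")
        (Path(root) / "backdoor.sh").write_text("#!/bin/sh\n")
        (Path(root) / "config.ini").unlink()

        baseline = open_baseline(sealed, DEMO_KEY)
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Running the script prints a report naming the modified binary, the added script, and the removed config file. Opening the sealed baseline with any key other than the one used to seal it raises an error rather than returning a checklist, which is the behaviour you want when the checklist is the thing an intruder would most like to edit.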
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.4 Computer Security Responsibilities and Accountability Should
Be Made Explicit.
The responsibilities and accountability of owners, providers, and
users of computer systems and other parties concerned with the
security of computer systems should be explicit. The assignment of
responsibilities may be internal to an organization or may extend
across organizational boundaries.
Depending on the size of the organization, the program may be large
or small, even a collateral duty of another management official.
However, even small organizations can prepare a document that states
organization policy and makes explicit computer security
responsibilities. This element does not specify that individual
accountability must be provided for on all systems. For example,
many information dissemination systems do not require user
identification and, therefore, cannot hold users accountable.
2.5 Systems Owners Have Security Responsibilities Outside Their
If a system has external users, its owners have a responsibility to
share appropriate knowledge about the existence and general extent
of security measures so that other users can be confident that the
system is adequately secure. (This does not imply that all systems
must meet any minimum level of security, but does imply that system
owners should inform their clients or users about the nature of the
In addition to sharing information about security, organization
managers "should act in a timely, coordinated manner to prevent and
to respond to breaches of security" to help prevent damage to
others. However, taking such action should not jeopardize the
security of systems.
2.6 Computer Security Requires a Comprehensive and Integrated
Providing effective computer security requires a comprehensive
approach that considers a variety of areas both within and outside
of the computer security field. This comprehensive approach extends
throughout the entire information life cycle.
2.6.1 Interdependencies of Security Controls
To work effectively, security controls often depend upon the proper
functioning of other controls. In fact, many such interdependencies
exist. If appropriately chosen, managerial, operational, and
technical controls can work together synergistically. On the other
hand, without a firm understanding of the interdependencies of
security controls, they can actually undermine one another. For
example, without proper training on how and when to use a
virus-detection package, the user may apply the package incorrectly
and, therefore, ineffectively. As a result, the user may mistakenly
believe that their system will always be virus-free and may
inadvertently spread a virus. In reality, these interdependencies
are usually more complicated and difficult to ascertain.
2.6.2 Other Interdependencies
The effectiveness of security controls also depends on such factors
as system management, legal issues, quality assurance, and internal
and management controls. Computer security needs to work with
traditional security disciplines including physical and personnel
security. Many other important interdependencies exist that are
often unique to the organization or system environment. Managers
should recognize how computer security relates to other areas of
systems and organizational management.