Texas State Banks
- Commissioner Cooper - Although the Cybersecurity Assessment Tool
is a voluntary method for banks to use, measuring risk and
preparedness have never been optional elements of banking.
Therefore, due to the advanced and increasing trend of cyber threats
to the banking system, the Department is requiring
that all banks measure their inherent cyber risks and cybersecurity
maturity (preparedness) by December 31, 2015.
- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
- FBI recommends that victims of ransomware pay up - The Federal
Bureau of Investigation (FBI) advises companies that fall victim to
hacks involving Cryptolocker, Cryptowall or other forms of
ransomware to pay the ransom, said Joseph Bonavolonta, an assistant
special agent with FBI, speaking at the Cyber Security Summit 2015
- Proposed German law: telecoms must store customer data on airgapped servers - Law must pass upper house, president and Europe
at large; it'd also require encryption. The German Bundestag
(parliament) has passed a controversial law requiring telecoms and
Internet companies to store customers' metadata and to make it
available to law enforcement agencies investigating "severe crimes."
OMB Unveils Major Rewrite of Federal IT Policy - The White House on
Wednesday unveiled a broad rewrite of the federal government’s
strategy for buying, managing and securing agency IT systems.
Auto industry debates legislation to outlaw car hacking at
congressional hearing - Automotive industry professionals debated
proposed legislation to address privacy and security in connected
automobiles before the U.S. House of Representatives Committee on
Energy and Commerce hearing on Wednesday.
Undermining Security By Attacking Computer Clocks - A team of
researchers at Boston University has developed several attacks
against the Network Time Protocol that is used to synchronize
internal computer clocks on the Internet.
Millennial IT workers are greatest internal risk to companies -
Millennial IT professionals who have worked at a single employer for
seven years or more pose the greatest internal risk to their
company's security, according to a report.
Silicon Valley's opposition to cybersecurity bill mounts as US
Senate prepares to vote - A controversial bill that aims to thwart
hacking highlights the tension between the need for security and the
desire for privacy. Which matters more to you: curbing the onslaught
of daily cyberattacks or protecting your online privacy?
- Study highlights poor employee security habits - Beginning in
August, CompTIA arranged for 200 unbranded USB sticks to be dropped
in public places in various cities across the nation – over the
course of a few weeks, 17 percent of consumers plugged a discovered
USB stick into their own device.
- Officers recommend the Army utilize private sector tactics to
battle cyberattacks - Two U.S. Army captains are pushing for the
Army, the Department of Defense and the federal government to adopt
practices currently used by the private sector to help protect
- Lessons from the Experian hack - The recent theft of 15
million T-Mobile customers' personal data from credit checking
organisation Experian's servers could easily be dismissed as just
another hack hitting our headlines almost every day.
- LOC allows auto hacking, Congress reaction uncertain - The
Library of Congress issued new exemptions allowing researchers to
hack a car's internal software. The new rule is one of many
exemptions to the Digital Millennium Copyright Act, also making it
legal for users to hack a smart TV, access medical devices, modify a
video game, or jailbreak a smartphone.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Squealing iKettles reveal owner's Wifi passwords - Adding to the
list of insecure IoT devices, security enthusiasts have proven that
tweeting-Kettles reveal Wifi passwords, as surprise, surprise, they
don't have any built-in security.
- Wichita schools investigates possible cyber attack - The
Wichita, Kansas public school system is investigating a possible
hacking attempt on one of its networks that took place on Oct. 23.
- Scottish hair salon pays hackers after ransomware attack -
Ellen Conlin Hair & Beauty, a Scottish chain of hair salons owned by
a husband-wife team, reportedly paid hackers € 1,000 in Bitcoin to
recover the salon's data.
- 13M clients compromised in 000webhost.com hack - The free web
hosting site 000webhost.com informed customers yesterday that one of
its servers was hacked compromising its entire data base of about
13.5 million clients and an executive at a security firm pinned the
problem on outdated software.
- Maine's Yellowfront Grocery hit by breach, other stores may be
affected - Yellowfront Grocery in Damariscotta, Maine, notified its
customers via Facebook that it had experienced a point-of-sale (POS)
breach on Oct 23.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 3 of 10)
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the
third-party product or service;
- trade name of the
third party; and
- website appearance.
Nature of Product or
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
the top of the newsletter
FFIEC IT SECURITY
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review part
two of three regarding controls to prevent and detect intrusions.
4) Attack Profile. Frequently systems are installed with more
available components and services than are required for the
performance of necessary functions. Banks maintaining unused
features may unwittingly enable network penetration by increasing
the potential vulnerabilities. To reduce the risk of intrusion,
institutions should use the minimum number of system components and
services to perform the necessary functions.
5) Modem Sweep. While access to a system is typically directed
through a firewall, sometimes modems are attached to the system
directly, perhaps without the knowledge of personnel responsible for
security. Those modems can provide an uncontrolled and unmonitored
area for attack. Modems that present such vulnerabilities should be
identified and either eliminated, or monitored and controlled.
6) Intrusion Identification. Real-time identification of an attack
is essential to minimize damage. Therefore, management should
consider the use of real-time intrusion detection software.
Generally, this software inspects for patterns or "signatures" that
represent known intrusion techniques or unusual system activities.
It may not be effective against new attack methods or modified
attack patterns. The quality of the software and sophistication of
an attack also may reduce the software's effectiveness. To identify
intrusions that escape software detection, other practices may be
necessary. For example, banks can perform visual examinations and
observations of systems and logs for unexpected or unusual
activities and behaviors as well as manual examinations of hardware.
Since intrusion detection software itself is subject to compromise,
banks should take steps to ensure the integrity of the software
before it is used.
7) Firewalls. Firewalls are an important component of network
security and can be effective in reducing the risk of a successful
attack. The effectiveness of a firewall, however, is dependent on
its design and implementation. Because misconfigurations, operating
flaws, and the means of attack may render firewalls ineffective,
management should consider additional security behind the firewall,
such as intrusion identification and encryption.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.7 Computer Security Should Be Periodically Reassessed.
Computers and the environments they operate in are dynamic. System
technology and users, data and information in the systems, risks
associated with the system and, therefore, security requirements are
ever-changing. Many types of changes affect system security:
technological developments (whether adopted by the system owner or
available for use by others); connecting to external networks; a
change in the value or use of information; or the emergence of a new
In addition, security is never perfect when a system is
implemented. System users and operators discover new ways to
intentionally or unintentionally bypass or subvert security. Changes
in the system or the environment can create new vulnerabilities.
Strict adherence to procedures is rare, and procedures become
outdated over time. All of these issues make it necessary to
reassess the security of computer systems.
2.8 Computer Security is Constrained by Societal Factors.
The ability of security to support the mission of the
organization(s) may be limited by various factors, such as social
issues. For example, security and workplace privacy can conflict.
Commonly, security is implemented on a computer system by
identifying users and tracking their actions. However, expectations
of privacy vary and can be violated by some security measures. (In
some cases, privacy may be mandated by law.)
Although privacy is an extremely important societal issue, it is
not the only one. The flow of information, especially between a
government and its citizens, is another situation where security may
need to be modified to support a societal goal. In addition, some
authentication measures, such as retinal scanning, may be considered
invasive in some environments and cultures.
The underlying idea is that security measures should be selected
and implemented with a recognition of the rights and legitimate
interests of others. This many involve balancing the security needs
of information owners and users with societal goals. However, rules
and expectations change with regard to the appropriate use of
security controls. These changes may either increase or decrease
The relationship between security and societal norms is not
necessarily antagonistic. Security can enhance the access and flow
of data and information by providing more accurate and reliable
information and greater availability of systems. Security can also
increase the privacy afforded to an individual or help achieve other
goals set by society.