- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
Releases Statement on Cyber Attacks Involving Extortion - The
Federal Financial Institutions Examination Council members today
issued a statement alerting financial institutions to the increasing
frequency and severity of cyber attacks involving extortion.
LifeLock settlement could reach $116 million - The Identity theft
protection firm LifeLock and the Federal Trade Commission (FTC)
announced that they have reached a tentative settlement that should
close out a five-year-long case over alleged deceptive business
- Pentagon Creates Cybersecurity Exchange Program With Industry -
The U.S. Defense Department is sending career personnel on tours
with private cybersecurity companies and bringing in specialists
from those companies to gain the skills necessary to defend military
networks from hackers, the Pentagon’s chief information officer
- IRS tells Senate: We only use our stingrays with court orders -
"It can only be used based on probable cause of criminal activity."
The head of the Internal Revenue Service told a Senate committee on
Tuesday that its stingrays are "only used in criminal
- ENISA puts smart devices and IoT on top of European security
agenda - EU infosec body broadens remit with funding into car,
healthcare and airport IT security research.
- U.S. Air Force adds extra pay for cyberspace specialists - The
U.S. Air Force has added cyber warfare operations as a job position
eligible for special duty pay.
- F-Secure launches bug bounty program with max reward valued at
nearly $17,000 - F-Secure launched a bug bounty this past week,
which could dole out max rewards amounting to approximately $16,527.
- White House Issues Governmentwide Cyber Action - The White House
on Friday issued a broad new plan designed to better respond to
cybersecurity incidents such as those that exposed secrets on
millions of citizens as well as government operations.
- Which Navy N00bs Have a Gift for Stopping Hacks? - The Navy is
preparing to experiment with an exam aimed at predicting the types
of sailors capable of grasping cybersecurity skills without ever
having picked up a book or keyboard.
- Say What? Even the Experts Disagree on Cyber Terminology - The
recent Office of Personnel Management cyber breach was not only a
case of stolen federal employee and contractor data. It may also
have been one of mistaken identity.
- Bank of England to test banks' security in operation Resilient
Shield - As attacks on the UK's financial institutions increase, The
Bank of England is getting ready to test out the bank's preparedness
for such an event.
- Get used to it?: Mega breaches - Amid widespread cynicism about
mass cybersecurity failures, IT security pros, analysts and vendors
are scrambling to develop the strategies, technologies and tools to
plug the leaks today and develop long-term approaches to prevent
similar collapses in the future.
- OPM appoints new cyber advisor - The U.S. Office of Personnel
Management (OPM) appointed a new cyber and information advisor on
- OMB framework lays out privacy requirements for fed agencies - The
privacy framework proposed by the Office of Management and Budget
(OMB) is a “big, bold statement” by an influential government body,
Trevor Hughes, president and CEO of the International Association of
Privacy Professionals (IAPP), told SCMagazine.com Wednesday, that
will hold federal agencies to some very specific and critical
requirements to safeguard privacy.
- JPMorgan Chase CSO reportedly reassigned following data breach -
JPMorgan Chase & Co.'s CSO was reportedly reassigned to a new
position within the bank following the company's major data breach
this past year.
- Many U.K. workers willing to sell their company's IP: Study -
Demonstrating that financial gain can be a motivator for nefarious
activity, 35 percent of employees were willing to sell their firm's
intellectual property if the price was right.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- First National Bank of Omaha issuing new debit cards after large
breach - The First National Bank of Omaha is issuing new debit cards
to customers in seven states after a large data breach at an
unidentified national firm.
- Almost 2,000 Vodafoners open to fraud after details stolen -
Telecoms provider Vodafone has reported that nearly 2,000 of its
customers have had their details accessed. According to Vodafone,
the incident happened between Wednesday and Thursday last week.
- License Plate Readers Exposed! How Public Safety Agencies
Responded to Major Vulnerabilities in Vehicle Surveillance Tech -
Law enforcement agencies around the country have been all too eager
to adopt mass surveillance technologies, but sometimes they have put
little effort into ensuring the systems are secure and the sensitive
data they collect on everyday people is protected.
- Salt Lake schools hit with DDoS attack - The Salt Lake City School
District was struck by a DDoS attack last Friday that brought down
the district's website, phone system and online administrative
- User data compromised in breach of vBulletin - All passwords have
been reset for users of vBulletin software, used for website forums,
following a breach that compromised the personally identifiable
information of nearly 480,000 subscribers, according to ars technica.
- Utah student information compromised over six-year period - The
Utah State Office of Education discovered student information was
compromised over the last six years.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
The compliance risk to an institution linking to a
third-party's website depends on several factors. These factors
include the nature of the products and services provided on the
third-party's website, and the nature of the institution's business
relationship with the third party. This is particularly true with
respect to compensation arrangements for links. For example, a
financial institution that receives payment for offering
advertisement-related weblinks to a settlement service provider's
website should carefully consider the prohibition against kickbacks,
unearned fees, and compensated referrals under the Real Estate
Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
the top of the newsletter
FFIEC IT SECURITY
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review the
last of a three part series regarding controls to prevent and detect
8) Encryption. Encryption is a means of securing data. Data can by
encrypted when it is transmitted, and when it is stored. Because
networks are not impervious to penetration, management should
evaluate the need to secure their data as well as their network.
Management's use of encryption should be based on an internal risk
assessment and a classification of data. The strength of encryption
should be proportional to the risk and impact if the data were
9) Employee and Contractor Background Checks. Management should
ensure that information technology staff, contractors, and others
who can make changes to information systems have passed background
checks. Management also should revalidate periodically access lists
and logon IDs.
10) Accurate and Complete Records of Uses and Activities. Accurate
and complete records of users and activities are essential for
analysis, recovery, and development of additional security measures,
as well as possible legal action. Information of primary importance
includes the methods used to gain access, the extent of the
intruder's access to systems and data, and the intruder's past and
current activities. To ensure that adequate records exist,
management should consider collecting information about users and
user activities, systems, networks, file systems, and applications.
Consideration should be given to protecting and securing this
information by locating it in a physical location separate from the
devices generating the records, writing the data to a tamperproof
device, and encrypting the information both in transit and in
storage. The OCC expects banks to limit the use of personally
identifiable information collected in this manner for security
purposes, and to otherwise comply with applicable law and
regulations regarding the privacy of personally identifiable
11) Vendor Management. Banks rely on service providers, software
vendors, and consultants to manage networks and operations. In
outsourcing situations, management should ensure that contractual
agreements are comprehensive and clear with regard to the vendor's
responsibility for network security, including its monitoring and
reporting obligations. Management should monitor the vendor's
performance under the contract, as well as assess the vendor's
financial condition at least annually.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 3 - Roles and Responsibilities
One fundamental issue that arises in discussions of computer
security is: "Whose responsibility is it?" Of course, on a basic
level the answer is simple: computer security is the responsibility
of everyone who can affect the security of a computer system.
However, the specific duties and responsibilities of various
individuals and organizational entities vary considerably.
This chapter presents a brief overview of roles and
responsibilities of the various officials and organizational offices
typically involved with computer security. They include the
1) senior management,
2) program/functional managers/application owners,
3) computer security management,
4) technology providers,
5) supporting organizations, and
This chapter is intended to give the reader a basic familiarity
with the major organizational elements that play a role in computer
security. It does not describe all responsibilities of each in
detail, nor will this chapter apply uniformly to all organizations.
Organizations, like individuals, have unique characteristics, and no
single template can apply to all. Smaller organizations, in
particular, are not likely to have separate individuals performing
many of the functions described in this chapter. Even at some larger
organizations, some of the duties described in this chapter may not
be staffed with full-time personnel. What is important is that these
functions be handled in a manner appropriate for the organization.
As with the rest of the handbook, this chapter is not intended to be
used as an audit guide.
3.1 Senior Management - Senior management has ultimate
responsibility for the security of an organization's computer
Ultimately, responsibility for the success of an organization lies
with its senior managers. They establish the organization's computer
security program and its overall program goals, objectives, and
priorities in order to support the mission of the organization.
Ultimately, the head of the organization is responsible for ensuring
that adequate resources are applied to the program and that it is
successful. Senior managers are also responsible for setting a good
example for their employees by following all applicable security