- "The FDIC does not require
financial institutions we supervise to change penetration
testing firms on a periodic basis. Any such decision would be up
to bank management." You can find the complete letter at
Is your web site compliant with the American Disability Act?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. Help reduce any liability, please
contact me for more information at
Yahoo tells SEC it knew of network intrusion as far back as 2014 -
In a filing with the Securities and Exchange Commission (SEC) on
Wednesday, Yahoo admitted that some individuals within the company
were aware of a network systems intrusion by a state-sponsored actor
– one that ultimately led to the compromise of over 500 million
accounts – shortly after the incident occurred in late 2014.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Lansing, Mich., utility admits paying ransomware demand -
Officials with the Lansing Board of Water & Light (BWL) publicly
acknowledged on Tuesday that the utility paid a cybercriminal
operation $25,000 to regain control of its accounting and email
systems in the days following an April 25 ransomware attack.
Former patients affected in Broward Health breach - Fort Lauderdale,
Fla.-based Broward Health announced a breach that may have
compromised patient data.
Russian banks hit by cyber-attack - Five Russian banks have been
under intermittent cyber-attack for two days, said the country's
Finns chilling as DDoS knocks out building control system - Hint:
next time, buy a firewall before you're attacked - Residents in two
apartment buildings in the Finnish town of Lappeenranta had a
chill-out lasting more than a week after a DDoS attack battered
unprotected building management systems.
Capgemini leaks 780,000 Michael Page job candidate CVs - UK-based
international recruitment firm Michael Page has had a database of
780,000 of its job applicants from around the world accidentally
leaked by consulting firm Capgemini.
2,100 veterans PII sent in unencrypted email - More than 2,100
veterans in Colorado and Kansas received an unpleasant alert just in
time for Veterans Day.
Biggest hack of 2016: 412 million FriendFinder Networks accounts
exposed - More than 412 million user accounts have been exposed
thanks FriendFinder Networks being hacked. The breach included 20
years of historical customer data from six compromised databases.
Baxter Credit Union email account compromised exposing customer data
- The Baxter Credit Union (BCU), headquartered in Deerfield, Ill.,
reported that on October 11 it learned an employee email account had
been compromised and used to send spam and other unsolicited emails.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Risk management principles (Part 2 of 2)
The Committee recognizes that banks will need to develop risk
management processes appropriate for their individual risk profile,
operational structure and corporate governance culture, as well as
in conformance with the specific risk management requirements and
policies set forth by the bank supervisors in their particular
jurisdiction(s). Further, the numerous e-banking risk management
practices identified in this Report, while representative of current
industry sound practice, should not be considered to be
all-inclusive or definitive, since many security controls and other
risk management techniques continue to evolve rapidly to keep pace
with new technologies and business applications.
This Report does not attempt to dictate specific technical
solutions to address particular risks or set technical standards
relating to e-banking. Technical issues will need to be addressed on
an on-going basis by both banking institutions and various
standards-setting bodies as technology evolves. Further, as the
industry continues to address e-banking technical issues, including
security challenges, a variety of innovative and cost efficient risk
management solutions are likely to emerge. These solutions are also
likely to address issues related to the fact that banks differ in
size, complexity and risk management culture and that jurisdictions
differ in their legal and regulatory frameworks.
For these reasons, the Committee does not believe that a "one size
fits all" approach to e-banking risk management is appropriate, and
it encourages the exchange of good practices and standards to
address the additional risk dimensions posed by the e-banking
delivery channel. In keeping with this supervisory philosophy, the
risk management principles and sound practices identified in this
Report are expected to be used as tools by national supervisors and
implemented with adaptations to reflect specific national
requirements where necessary, to help promote safe and secure
e-banking activities and operations.
The Committee recognizes that each bank's risk profile is different
and requires a risk mitigation approach appropriate for the scale of
the e-banking operations, the materiality of the risks present, and
the willingness and ability of the institution to manage these
risks. These differences imply that the risk management principles
presented in this Report are intended to be flexible enough to be
implemented by all relevant institutions across jurisdictions.
National supervisors will assess the materiality of the risks
related to e-banking activities present at a given bank and whether,
and to what extent, the risk management principles for e-banking
have been adequately met by the bank's risk management framework.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 1 of 2)
Financial institutions must control access to system software
within the various network clients and servers as well as
stand-alone systems. System software includes the operating system
and system utilities. The computer operating system manages all of
the other applications running on the computer. Common operating
systems include IBM OS/400 and AIX, LINUX, various versions of
Microsoft Windows, and Sun Solaris. Security administrators and IT
auditors need to understand the common vulnerabilities and
appropriate mitigation strategies for their operating systems.
Application programs and data files interface through the operating
system. System utilities are programs that perform repetitive
functions such as creating, deleting, changing, or copying files.
System utilities also could include numerous types of system
management software that can supplement operating system
functionality by supporting common system tasks such as security,
system monitoring, or transaction processing.
System software can provide high-level access to data and data
processing. Unauthorized access could result in significant
financial and operational losses. Financial institutions must
restrict privileged access to sensitive operating systems. While
many operating systems have integrated access control software,
third - party security software is available for most operating
systems. In the case of many mainframe systems, these programs are
essential to ensure effective access control and can often integrate
the security management of both the operating system and the
applications. Network security software can allow institutions to
improve the effectiveness of the administration and security policy
compliance for a large number of servers often spanning multiple
operating system environments. The critical aspects for access
control software, whether included in the operating system or
additional security software, are that management has the capability
! Restrict access to sensitive or critical system resources or
processes and have the capability, depending on the sensitivity to
extend protection at the program, file, record, or field level;
! Log user or program access to sensitive system resources
including files, programs, processes, or operating system
! Filter logs for potential security events and provide adequate
reporting and alerting capabilities.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
Like many management controls, life cycle planning relies upon
other controls. Three closely linked control areas are policy,
assurance, and risk management.
Policy. The development of system-specific policy is an
integral part of determining the security requirements.
Assurance. Good life cycle management provides assurance
that security is appropriately considered in system design and
Risk Management. The maintenance of security throughout the
operational phase of a system is a process of risk management:
analyzing risk, reducing risk, and monitoring safeguards. Risk
assessment is a critical element in designing the security of
systems and in reaccreditations.
8.6 Cost Considerations
Security is a factor throughout the life cycle of a system.
Sometimes security choices are made by default, without anyone
analyzing why choices are made; sometimes security choices are made
carefully, based on analysis. The first case is likely to result in
a system with poor security that is susceptible to many types of
loss. In the second case, the cost of life cycle management should
be much smaller than the losses avoided. The major cost
considerations for life cycle management are personnel costs and
some delays as the system progresses through the life cycle for
completing analyses and reviews and obtaining management approvals.
It is possible to overmanage a system: to spend more time planning,
designing, and analyzing risk than is necessary. Planning, by
itself, does not further the mission or business of an organization.
Therefore, while security life cycle management can yield
significant benefits, the effort should be commensurate with the
system's size, complexity, and sensitivity and the risks associated
with the system. In general, the higher the value of the system, the
newer the system's architecture, technologies, and practices, and
the worse the impact if the system security fails, the more effort
should be spent on life cycle management.