- Our cybersecurity testing meets the independent pen-test
requirements outlined in the FFIEC Information Security booklet,
and the penetration study complies with the FFIEC Cybersecurity
Assessment Tool regarding resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, an agreement, and
cost-saving fees, please complete the information form at
All communication is kept strictly confidential.
- Updated FFIEC Management Booklet Part of IT
Examination Handbook Series - The Federal Financial Institutions
Examination Council (FFIEC) has issued a revised "Management"
booklet that provides guidance to assist examiners in evaluating the
information technology (IT) governance at financial institutions and
service providers. The booklet is part of the IT Examination
- 70% of Brits don't think email is a potential cyber-threat - Over
two thirds (69 percent) of British respondents to a recent survey
are unaware that they could be vulnerable to cyber-attack simply by
opening an email.
- Insider threat more dangerous than external risks - While external
threats present an ever-present risk for large and small
enterprises, according to a newly released report, the actions of a
company's own employees, suppliers and partners pose more of an
- U.S. and U.K. Test Response to Major Financial Cyberattack -
Britain and the United States carried out a planned drill with
leading global firms on Thursday to see how they would respond to a
cyber incident in the financial sector.
- It’s Way Too Easy to Hack the Hospital - Firewalls and medical
devices are extremely vulnerable, and everyone’s pointing fingers.
- Oil & Gas cyber-vulnerabilities - There is no air gap between IT
and OT: that was the key message for oil and gas sector CISOs coming
out of the Black Hat Amsterdam talk.
- Tor alleges FBI paid Carnegie Mellon $1M to hack hidden services -
The Tor Project is alleging that the Federal Bureau of Investigation
(FBI) paid Carnegie Mellon University (CMU) researchers $1 million
to attack Tor's hidden services last year.
- Former parking ticket bloke turns out to be cybersecurity genius -
Newcastle man posts impressively high score on infosec guru course -
Mr. Bradley, who spent the last 15 years processing car parking
fines for Newcastle City Council, is set to become one of the UK's
top cyber professionals after achieving one of the highest ever
scores in the internationally recognised GIAC cyber security
- How extorted e-mail provider got back online after crippling DDoS
attack - Hint: It had nothing to do with the $6,000 ransom it paid
to the Armada Collective.
- Pentagon purges HTML from .mil emails - The Pentagon is tightening
the screws on its campaign to improve email security. A
department-wide policy will soon be in effect to render Web links
unclickable in emails to .mil addresses, Richard Hale, DOD deputy
CIO for cybersecurity, told FCW.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers compromise 70 million prison inmate phone records - An
estimated 70 million phone calls made by prisoners in the United
States have been hacked and leaked to The Intercept.
- Comcast to reset 200K passwords after accounts compromised -
Comcast is resetting thousands of customer passwords after their
account information was spotted being marketed for up to $1,000 on a
dark web site.
- Third-party Instagram app pulled after stealing passwords - The
app, called InstaAlert, was snagging usernames and passwords and
sending them to a remote server, according to the developer who
- Police body cams found pre-installed with notorious Conficker worm
- One of the world's most prolific pieces of malware is found in
cams from Martel. One of the world's most prolific computer worms
has been found infecting several police body cameras that were sent
to security researchers, the researchers reported.
- A 23-year-old Windows 3.1 system failure crashed Paris airport -
Some of the most important networks and systems today are woefully
outdated. And that isn't always a bad thing.
- Georgia office leaks data on six million voters - A lawsuit filed
on Tuesday in Fulton County Superior Court, Georgia, alleges that
the office of Secretary of State Brian Kemp released personal
identifying information (PII) of Georgia voters to 12 organizations,
including statewide political parties and news media.
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
A financial institution should conduct sufficient due diligence
to determine whether it wishes to be associated with the quality of
products, services, and overall content provided by third-party
sites. A financial institution should consider more product-focused
due diligence if the third parties are providing financial products,
services, or other financial website content. In this case,
customers may be more likely to assume the institution reviewed and
approved such products and services. In addition to reviewing the
linked third-party's financial statements and its customer service
performance levels, a financial institution should consider a review
of the privacy and security policies and procedures of the third
party. Also, the financial institution should consider the
character of the linked party by considering its past compliance
with laws and regulations and whether the linked advertisements
might be viewed as deceptive advertising in violation of Section 5
of the Federal Trade Commission Act.
FFIEC IT SECURITY -
We continue our review
of the OCC Bulletin about Infrastructure Threats and Intrusion
Risks. This week we review Gathering and Retaining Intrusion
Particular care should be taken when gathering intrusion
information. The OCC expects management to clearly assess the
tradeoff between enabling an easier recovery by gathering
information about an intruder and the risk that an intruder will
inflict additional damage while that information is being gathered.
Management should establish and communicate procedures and
guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables
recovery while facilitating subsequent actions by law enforcement.
Legal chain of custody requirements must be considered. In general,
legal chain of custody requirements address controlling and securing
evidence from the time of the intrusion until it is turned over to
law enforcement personnel. Chain of custody actions, and those
actions that should be guarded against, should be identified and
embodied in the bank's policies, procedures, and training.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
3.4 Technology Providers
System Management/System Administrators. These personnel are the
managers and technicians who design and operate computer systems.
They are responsible for implementing technical security on computer
systems and for being familiar with security technology that relates
to their system. They also need to ensure the continuity of their
services to meet the needs of functional managers, and to analyze
technical vulnerabilities in their systems (and their security
implications). They are often a part of a larger Information
Resources Management (IRM) organization.
Communications / Telecommunications Staff. This office is normally
responsible for providing communications services, including voice,
data, video, and fax service. Their responsibilities for
communication systems are similar to those that systems management
officials have for their systems. The staff may not be separate from
other technology service providers or the IRM office.
System Security Manager/Officers. Often assisting system management
officials in this effort is a system security manager/officer
responsible for day-to-day security implementation / administration
duties. Although not normally part of the computer security program
management office, this officer is responsible for coordinating the
security efforts of a particular system(s). This person works
closely with system management personnel, the computer security
program manager, and the program or functional manager's security
officer. In fact, depending upon the organization, this may be the
same individual as the program or functional manager's security
officer. This person may or may not be a part of the organization's
overall security office.
Help Desk. Whether or not a Help Desk is tasked with incident
handling, it needs to be able to recognize security incidents and
refer the caller to the appropriate person or organization for a
Who Should Be the Accrediting Official? (Note that
accreditation is a formality unique to the government.)
The Accrediting Officials are agency officials who have authority
to accept an application's security safeguards and approve a system
for operation. The Accrediting Officials must also be authorized to
allocate resources to achieve acceptable security and to remedy
security deficiencies. Without this authority, they cannot
realistically take responsibility for the accreditation decision. In
general, Accreditors are senior officials, who may be the Program or
Function Manager/Application Owner. For some very sensitive
applications, the Senior Executive Officer is appropriate as an
Accrediting Official. In general, the more sensitive the
application, the higher the Accrediting Officials are in the
Where privacy is a concern, federal managers can be held personally
liable for security inadequacies. The issuing of the accreditation
statement fixes security responsibility, thus making explicit a
responsibility that might otherwise be implicit. Accreditors should
consult the agency general counsel to determine their personal