- New online challenge will test teenagers’ cyber security skills -
The search is now on to inspire the UK’s next generation of cyber
security specialists as the Government’s extracurricular training
programme Cyber Discovery opens its doors.
Bank consortium founds company to vet third-party vendors - Whenever
a company announces a data breach has taken place hearing that an
error by a third-party vendor was behind the disaster is a very
Terdot banking trojan targets social media and email in addition to
financial services - Saying that Terdot malware is a banking trojan
is kind of like saying your computer is a giant calculator. Yes,
that's essentially what it is, but it's also a whole lot more.
Organizations suffer critical and costly IT incidents five times a
month - On average, organizations experience a critical IT incident
five times per month, with each one costing a mean of $141,628,
according to a new report.
Manhattan DA speaks on burden of hiring hackers to beat smartphone
encryption - Manhattan District Attorney Cy Vance, Jr. touted his
agency's use of mercenary hackers to crack phone encryption while
criticizing the lack of federal legislation to force tech giants to
make exceptions in smartphone encryption for when judicial warrants
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Tennessee city still not recovered from ransomware attack - The
City of Spring Hill, Tenn. is still suffering from the effects of a
ransomware attack that struck the municipality in early November
when government officials refused to pay the $250,000 ransom
demanded by the cybercriminals.
Forever 21 reports data breach, failed to turn on POS encryption -
The clothing retailer Forever 21 reported yesterday that
unauthorized access to its payment card system when the encryption
installed on some of those systems was not operational.
Cash Convertors hit by security breach - Pawnbroker chain Cash
Converters is investigating a data security breach at its UK
operations after receiving email threats of data release.
Misconfigured Amazon S3 server leaks Australian Broadcasting
Corporation - As misconfigured Amazon servers continue to leak
sensitive data Australian Broadcasting Corporation (ABC) is the
latest culprit of administrators not properly securing their cloud
Montgomery County (Ill.) government offices taken offline by malware
- The Montgomery County Emergency Management Agency reported that
much of the county's computer system went down last week due to what
it is calling a malware incident.
Uber hid massive hack compromising data of 57M for a year - For more
than a year, even as it negotiated with regulators in the U.S. over
privacy infractions, Uber hid a massive hack that resulted in
cyberthieves pilfering the personal information of 57 million
customers and drivers and prompted the company to fire two
Cyberthieves swipe $31 million in tokens from Tether -
Cybercriminals on Sunday stole nearly $31 million in USDT
cryptocurrency from Tether, prompting the digital currency converter
to suspend its back-end wallet service and apparently causing
cryptocurrency trading values to fall.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
• Determine adequacy of the
service provider’s standards, policies and procedures relating
to internal controls, facilities management (e.g., access
requirements, sharing of facilities, etc.), security (e.g.,
systems, data, equipment, etc.), privacy protections,
maintenance of records, business resumption contingency
planning, systems development and maintenance, and employee
• Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
• Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that
are relevant to the services they are providing. (e.g.,
Regulation E, privacy and other consumer protection regulations,
Bank Secrecy Act, etc.).
• Assess the adequacy of the service provider’s insurance
coverage including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
• Analyze the service provider’s
most recent audited financial statements and annual report as
well as other indicators (e.g., publicly traded bond ratings),
• Consider factors such as how long the service provider has
been in business and the service provider’s market share for a
given service and how it has fluctuated.
• Consider the significance of the institution’s proposed
contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s
level of investment in technology consistent with supporting the
institution’s activities? Does the service provider have the
financial resources to invest in and support the required
the top of the newsletter
FFIEC IT SECURITY -
We continue our coverage of
the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Security should not be compromised when offering wireless
financial services to customers or deploying wireless internal
networks. Financial institutions should carefully consider the risks
of wireless technology and take appropriate steps to mitigate those
risks before deploying either wireless networks or applications. As
wireless technologies evolve, the security and control features
available to financial institutions will make the process of risk
mitigation easier. Steps that can be taken immediately in wireless
1) Establishing a minimum set of security requirements for
wireless networks and applications;
2) Adopting proven security policies and procedures to address
the security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass end-to-end
encryption of information as it passes throughout the wireless
4) Adopting authentication protocols for customers using wireless
applications that are separate and distinct from those provided by
the wireless network operator;
5) Ensuring that the wireless software includes appropriate audit
capabilities (for such things as recording dropped transactions);
6) Providing appropriate training to IT personnel on network,
application and security controls so that they understand and can
respond to potential risks; and
9) Performing independent security testing of wireless network
and application implementations.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
3.6.3 Identify Target Audiences
Not everyone needs the same degree or type of computer security
information to do their jobs. A CSAT program that distinguishes
between groups of people, presents only the information needed by
the particular audience, and omits irrelevant information will have
the best results. Segmenting audiences (e.g., by their function or
familiarity with the system) can also improve the effectiveness of a
CSAT program. For larger organizations, some individuals will fit
into more than one group. For smaller organizations, segmenting may
not be needed. The following methods are some examples of ways to do
Segment according to level of awareness. Individuals may be
separated into groups according to their current level of awareness.
This may require research to determine how well employees follow
computer security procedures or understand how computer security
fits into their jobs.
Segment according to general job task or function. Individuals may
be grouped as data providers, data processors, or data users.
Segment according to specific job category. Many
organizations assign individuals to job categories. Since each job
category generally has different job responsibilities, training for
each will be different. Examples of job categories could be general
management, technology management, applications development, or
Segment according to level of computer knowledge. Computer
experts may be expected to find a program containing highly
technical information more valuable than one covering the management
issues in computer security. Similarly, a computer novice would
benefit more from a training program that presents introductory
Segment according to types of technology or systems used.
Security techniques used for each off-the-shelf product or
application system will usually vary. The users of major
applications will normally require training specific to that