FYI
- Is your web site compliant with the American Disability Act?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. To help reduce any liability, please
contact me for more information at
examiner@yennik.com.
Cybercrime lab debuts in Manhattan DA's office - Being touted as
the first of its kind in the country, a cybercrime lab has opened in
the office of the Manhattan district attorney.
https://www.scmagazine.com/cybercrime-lab-debuts-in-manhattan-das-office/article/573810/
Inadequate cyber-security budgets 'putting NHS patients at risk' -
Some NHS trusts were spending as much as £100,000 a year on
cyber-security in 2015 while others were spending nothing, according
to figures collated by Sky News.
https://www.scmagazine.com/inadequate-cyber-security-budgets-putting-nhs-patients-at-risk/article/573637/
Britain has passed the 'most extreme surveillance law ever passed in
a democracy' - The law forces UK internet providers to store
browsing histories -- including domains visited -- for one year, in
case of police investigations.
http://www.zdnet.com/article/snoopers-charter-expansive-new-spying-powers-becomes-law/
CyberSec skills shortage poses risk to African businesses - African
businesses face a particular cyber-security risk due to skills shortages,
with expenditure expected to rise, especially in South Africa and
Nigeria.
https://www.scmagazine.com/cybersec-skills-shortage-poses-risk-to-african-businesses/article/574214/
Scaling up federal cyberdefenses - Forget about World War III, when
it comes to cybersecurity it might just be World War II all over
again.
https://www.scmagazine.com/scaling-up-federal-cyberdefenses/article/574247/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Amn3s1a Team breaches and dumps MEGA source code - The Amn3s1a
Team hacking group has released a data dump containing what the
group claims is nearly 2GB of source code stolen from several
Mega.nz servers.
https://www.scmagazine.com/mega-breach-results-in-2gb-source-code-dump/article/574118/
Chicago Public School data improperly shared - Chicago Public School
student information was improperly shared with a third party.
https://www.scmagazine.com/chicago-public-school-data-improperly-shared/article/573961/
Nebraska irrigation district thwarts ransomware attack with
automatic backup - A scheme by hackers who disabled antivirus
software on a computer system for the Central Platte Natural
Resources District in Nebraska, then infected it with ransomware,
was thwarted by an automated program that backed up the systems
every 15 minutes.
https://www.scmagazine.com/irrigation-district-breached-refuses-to-pay-ransom/article/574443/
Three mobile data breach: Company confirms data from 133,827
accounts could have been accessed - Information including names,
addresses, and DOBs of some Three customers was obtained in the data breach.
http://www.zdnet.com/article/three-mobile-data-breach-company-confirms-data-from-133827-accounts-could-have-been-accessed/
Data breach hits MSG: Rangers, Knicks, Rockettes fans hacked -
Madison Square Garden Company (MSG) reported payment card
information was stolen from potentially hundreds of thousands of
customers who attended shows or sporting events at the
organization's five major venues during the last year.
https://www.scmagazine.com/data-breach-hits-msg-rangers-knicks-rockettes-fans-hacked/article/574880/
Leaks discovered containing info from State Farm, U.S. military,
others - Security researchers disclosed a series of leaky databases
on Monday that the researchers said includes data from State Farm,
Sheet Metal Workers Union, Anchor Loans, and the U.S. military.
https://www.scmagazine.com/leaks-discovered-containing-info-from-state-farm-us-military-others/article/574529/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Banking Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
prioritization.
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for
outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems,
databases and applications.
8. Data integrity of e-banking transactions, records, and
information.
9. Establishment of clear audit trails for e-banking transactions.
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to 14):
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to
ensure availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be covered over the next few weeks,
as they relate to e-banking and the underlying risk management
principles that banks should consider to address these issues.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access controls include the following
actions:
- Ensure system administrators and security professionals have
adequate expertise to securely configure and manage the operating
system.
- Ensure effective authentication methods are used to restrict
system access to both users and applications.
- Activate and utilize operating system security and logging
capabilities, and supplement them with additional security software
where supported by the risk assessment process.
- Restrict operating system access to specific terminals in
physically secure and monitored locations.
- Lock or remove external drives from system consoles or terminals
residing outside physically secure locations.
- Restrict and log access to system utilities, especially those
with data-altering capabilities.
- Restrict access to operating system parameters.
- Prohibit remote access to sensitive operating system functions
where feasible, and at a minimum require strong authentication and
encrypted sessions before allowing remote support.
- Limit the number of employees with access to sensitive operating
systems and grant only the minimum level of access required to
perform routine responsibilities.
- Segregate operating system access, where possible, to limit full
or root-level access to the system.
- Monitor operating system access by user, terminal, date, and time
of access.
- Update operating systems with security patches, using
appropriate change control mechanisms.
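As an added illustration (not from the FFIEC booklet or this newsletter), the following Python script reviews constructed login records against assumed policy values for three of the controls above: access only from approved terminals, root-level access outside business hours, and monitoring of access by user and terminal. The terminal names, account names and hours are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs), one login per line:
# "YYYY-MM-DD HH:MM:SS user terminal".
SAMPLE_RECORDS = """\
2016-11-21 09:12:00 alice tty1
2016-11-21 09:30:00 root tty1
2016-11-21 22:45:00 root pts/3
2016-11-22 08:05:00 bob tty2
2016-11-22 03:10:00 alice tty9
2016-11-22 10:00:00 carol tty2
"""

# Assumed policy values (hypothetical): consoles in the secured operations
# room, accounts that hold root-level access, and business hours.
APPROVED_TERMINALS = {"tty1", "tty2"}
PRIVILEGED_USERS = {"root"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)$")


def parse_records(text):
    """Return (datetime, user, terminal) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((when, m.group(2), m.group(3)))
    return out


def review_access(records):
    """Flag logins from unapproved terminals and off-hours root-level access."""
    findings = []
    for when, user, term in records:
        if term not in APPROVED_TERMINALS:
            findings.append(("unapproved_terminal", user, term, when))
        if user in PRIVILEGED_USERS and when.hour not in BUSINESS_HOURS:
            findings.append(("offhours_privileged", user, term, when))
    return findings


def summarize_by_user(records):
    """Terminals seen per account: the view needed to monitor access by user."""
    seen = defaultdict(set)
    for _, user, term in records:
        seen[user].add(term)
    return dict(seen)
```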
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 9 - Assurance
Computer security assurance is the degree of confidence one has
that the security measures, both technical and operational, work as
intended to protect the system and the information it processes.
Assurance is not, however, an absolute guarantee that the measures
work as intended. Like the closely related areas of reliability and
quality, assurance can be difficult to analyze; however, it is
something people expect and obtain (though often without realizing
it). For example, people may routinely get product recommendations
from colleagues but may not consider such recommendations as
providing assurance.
Assurance is a degree of confidence, not a true measure of how
secure the system actually is. This distinction is necessary because
it is extremely difficult -- and in many cases virtually impossible
-- to know exactly how secure a system is.
Assurance is a challenging subject because it is difficult to
describe and even more difficult to quantify. Because of this, many
people refer to assurance as a "warm fuzzy feeling" that controls
work as intended. However, it is possible to apply a more rigorous
approach by knowing two things: (1) who needs to be assured and (2)
what types of assurance can be obtained. The person who needs to be
assured is the management official who is ultimately responsible for
the security of the system. Within the federal government, this
person is the authorizing or accrediting official.
There are many methods and tools for obtaining assurance. For
discussion purposes, this chapter categorizes assurance in terms of
a general system life cycle. The chapter first discusses planning
for assurance and then presents the two categories of assurance
methods and tools: (1) design and implementation assurance and (2)
operational assurance. Operational assurance is further categorized
into audits and monitoring.
The division between design and implementation assurance and
operational assurance can be fuzzy. While such issues as
configuration management or audits are discussed under operational
assurance, they may also be vital during a system's development. The
discussion tends to focus more on technical issues during design and
implementation assurance and to be a mixture of management,
operational, and technical issues under operational assurance. The
reader should keep in mind that the division is somewhat artificial
and that there is substantial overlap.
Security assurance is the degree of confidence one has that the
security controls operate correctly and protect the system as
intended.