- Cybersecurity Awareness Resources - As part of the FDIC's
Community Banking Initiative, the agency is adding to its
cybersecurity awareness resources for financial institutions. These
include a Cybersecurity Awareness video and three new vignettes for
the Cyber Challenge, which consists of exercises that are intended
to encourage discussions of operational risk issues and the
potential impact of information technology disruptions on common
Tor wars: CMU says FBI came not with cash, but a subpoena -
University has broken its silence, but will that quell the critics?
Carnegie-Mellon University has fired back in the TOR war, saying
that it wasn't paid by the FBI to reveal its de-anonymisation
Sony hackers remained hidden for months due to a new toolset:
Damballa - Researchers at Damballa have discovered a toolset that
may have helped the Destover and Shamoon malware remain undetected
when they used to hack Sony and Saudi Aramco.
UK shoppers lose workday picking up aftermath of cyber-crime - More
than 12 million Brits (20 percent) have been victimised by
cyber-criminals this past year. UK consumers lost more than one full
working day (nine hours) when dealing with the aftermath of online
crime, costing roughly £134 each person or £1.6 billion across the
Critical infrastructure regulators need to improve cyber metrics -
Despite closer ties and better teamwork between critical
infrastructure providers and the federal agencies that help protect
their systems from cyberattack, the government lacks a consistent
way to gauge threats and security progress, according to a study by
the Government Accountability Office.
FDIC offers additional cybersecurity resources - New online
educational tools to assist bank executives in defending against
cybercrime have been added to the website of the FDIC (Federal
Deposit Insurance Corporation), the independent government entity
that insures depositor accounts in member banks, according to the
ABA Banking Journal.
Smart TVs not all that bright when it comes to fighting cyberthreats
- Smart TVs are not being targeted by hackers right now, but a
researcher at Symantec has noted that cybercriminals have a wide
range of options if they wish to breach the average Smart TV.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Starwood Hotels hit with POS malware - Starwood Hotels reported
that malware implanted on the point-of-sale systems at several of
its properties may have exposed customer credit card data.
IBM, Oracle, Cisco certification manager breached, info accessed - A
data breach at Pearson VUE, the certification manager for Cisco,
Oracle and IBM compromised the company's Credential Manager System
and allowed unauthorized third-party access to data of “a limited
set” of its users, Pearson VUE said in a Saturday statement.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or
2) patent or trademark holders for infringement by the third
3) persons alleging the unauthorized release or compromise of
their confidential information, as a result of the third-party's
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for
terminating the link. Third parties, whether they provide services
directly to customers or are merely intermediaries, may enter into
bankruptcy, liquidation, or reorganization during the period of the
agreement. The quality of their products or services may decline, as
may the effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
the top of the newsletter
FFIEC IT SECURITY
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Suspicious Activity Reporting.
National banks are required to report intrusions and other computer
crimes to the OCC and law enforcement by filing a Suspicious
Activity Report (SAR) form and submitting it to the Financial Crimes
Enforcement Network (FinCEN), in accordance with 12 USC 21.11. This
reporting obligation exists regardless of whether the institution
has reported the intrusion to the information-sharing organizations
discussed below. For purposes of the regulation and the SAR form
instructions, an "intrusion" is defined as gaining access to the
computer system of a financial institution to remove, steal, procure
or otherwise affect information or funds of the institution or
customers. It also includes actions that damage, disable, or
otherwise affect critical systems of the institution. For example,
distributed denial of service attaches (DDoS) attacks should be
reported on a SAR because they may temporarily disable critical
systems of financial institutions.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
3.5 Supporting Functions
The security responsibilities of managers, technology providers and
security officers are supported by functions normally assigned to
others. Some of the more important of these are described below.
Audit. Auditors are responsible for examining systems to
see whether the system is meeting stated security requirements,
including system and organization policies, and whether security
controls are appropriate. Informal audits can be performed by those
operating the system under review or, if impartiality is important,
by outside auditors.
Physical Security. The physical security office is usually
responsible for developing and enforcing appropriate physical
security controls, in consultation with computer security
management, program and functional managers, and others, as
appropriate. Physical security should address not only central
computer installations, but also backup facilities and office
environments. In the government, this office is often responsible
for the processing of personnel background checks and security
Disaster Recovery/Contingency Planning Staff. Some
organizations have a separate disaster recovery/contingency planning
staff. In this case, they are normally responsible for contingency
planning for the organization as a whole, and normally work with
program and functional mangers/application owners, the computer
security staff, and others to obtain additional contingency planning
support, as needed.
Quality Assurance. Many organizations have established a
quality assurance program to improve the products and services they
provide to their customers. The quality officer should have a
working knowledge of computer security and how it can be used to
improve the quality of the program, for example, by improving the
integrity of computer-based information, the availability of
services, and the confidentiality of customer information, as
Procurement. The procurement office is responsible for
ensuring that organizational procurements have been reviewed by
appropriate officials. The procurement office cannot be responsible
for ensuring that goods and services meet computer security
expectations, because it lacks the technical expertise.
Nevertheless, this office should be knowledgeable about computer
security standards and should bring them to the attention of those
requesting such technology.
Training Office. An organization has to decide whether the
primary responsibility for training users, operators, and managers
in computer security rests with the training office or the computer
security program office. In either case, the two organizations
should work together to develop an effective training program.
Personnel. The personnel office is normally the first
point of contact in helping managers determine if a security
background investigation is necessary for a particular position. The
personnel and security offices normally work closely on issues
involving background investigations. The personnel office may also
be responsible for providing security-related exit procedures when
employees leave an organization.
Risk Management/Planning Staff. Some organizations have a
full-time staff devoted to studying all types of risks to which the
organization may be exposed. This function should include computer
security-related risks, although this office normally focuses on
"macro" issues. Specific risk analyses for specific computer systems
is normally not performed by this office.
Physical Plant. This office is responsible for ensuring
the provision of such services as electrical power and environmental
controls, necessary for the safe and secure operation of an
organization's systems. Often they are augmented by separate
medical, fire, hazardous waste, or life safety personnel.
Users also have responsibilities for computer security. Two kinds
of users, and their associated responsibilities, are described
Users of Information. Individuals who use information
provided by the computer can be considered the "consumers" of the
applications. Sometimes they directly interact with the system
(e.g., to generate a report on screen) -- in which case they are
also users of the system (as discussed below). Other times, they may
only read computer-prepared reports or only be briefed on such
material. Some users of information may be very far removed from the
computer system. Users of information are responsible for letting
the functional mangers/application owners (or their representatives)
know what their needs are for the protection of information,
especially for its integrity and availability.
Users of Systems. Individuals who directly use computer
systems (typically via a keyboard) are responsible for following
security procedures, for reporting security problems, and for
attending required computer security and functional training.