Is your web site compliant with the American Disability Act?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. Help reduce any liability, please
contact me for more information at
FYI - The FDIC and
the OCC do not have a requirement that financial institutions
change third-party vendors on a periodic basis. Any such
decision is a management decision not a regulatory decision.
Is your incident response team ready? - One of the best ways to
test incident readiness is a tabletop exercise, a mock incident
administered for senior leadership, IT, security, legal, corporate
communications and business line readiness.
UMass to pay $650K in HIPAA settlement - As a consequence of a
malware infection on one workstation, which resulted in the exposure
of personal data on nearly 1,700 individuals, the University of
Massachusetts at Amherst will pay $650,000 to settle potential
violations of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) Privacy and Security Rules, according to a
release from the U.S. Department of Health & Human Services (HHS).
Consumer IoT devices bring new security and privacy risks, BITAG
report - While acknowledging that the rapid rise of Interet of
Things (IoT) devices contribute immeasurably to convenience for
consumers in running appliances in their homes, the risk to security
and privacy for consumers installing, configuring and administering
these devices is unique.
Compliance doesn't equal security, but it sure does help - Imagine
using faulty information in creating a building design or developing
a product or running a political campaign or formulating a new drug.
Cloud security concerns linger, but not enough to stop adoption -
Organizations are increasingly willing to migrate their
applications, data and processes to the cloud in spite of lingering
Pentagon expands white-hat hacker challenge to all comers - The
Defense Department undertook a significant expansion of its new
crowdsourced approach to cybersecurity Monday, opening its “Hack the
Pentagon” challenge to literally anyone and providing them a legal
route to report any security holes they find.
Most cybercriminals earn $1K to $3K a month, report - It's not that
organized cybergangs are raking it in. It's more that a larger
number of small operators are benefiting from automated services
that can earn them an average of $2,000 a month.
Everyone is worried about internal cybersecurity threats, report -
There are few things everyone can agree upon, but according to a new
study almost all security professionals are concerned about insider
NetWire RAT acts as keylogger, steals payment card data - Criminals
used a remote access trojan with keylogging capabilities rather than
traditional point-of-sale malware.
Michigan State breach may come with $3M pricetag - A database breach
that exposed social security numbers as well as names and Michigan
State University (MSU) ID numbers will cost the school about $3
million to remediate and to bolster system safeguards.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- US Navy suffers data breach - The US Navy announced today that the
personal data of 130,000 of its enlisted men was accessed after a
contractor's laptop was breached back in October.
San Francisco public transport ticket system shut down by ransomware
- San Francisco's Municipal Transportation Agency was caught with a
HDDCryptor Ransomware infection over the weekend, leaving the agency
unable to sell tickets or charge customers for transport, unless
they pay the hackers demands of 100 Bitcoin.
Japanse SDF officials mum over reported cyberattack - Japanese
Defense Ministry and Self-Defense Force (SDF) was targeted in
September by a sophisticated cyberattack.
Deutsche Telekom customers left hanging by possible hack - Nearly a
million fixed-line network customers of German telecommunications
company Deutsche Telekom AG on Sunday began experiencing service
disruptions, possibly to due hacker sabotage, the company has
Mirai variant caused German telecom disruption; 5M routers
reportedly susceptible if left unpatched - Service disruptions
affecting nearly one million Deutsche Telekom landline customers
since last weekend are the result of a worldwide cyberattack aimed
at infecting routers with a variant of Mirai Internet of Things (IoT)
botnet malware, German authorities and security researchers have now
European Commission gets DDoSed - The European Commission was the
victim of a DDoS attack this afternoon that blocked internet
connectivity on-and-off for several hours.
Carleton University hit with ransomware attack - Carleton University
in Ontario, Canada, was hit with a ransomware attack Tuesday that
may have affected any Windows-based system connected to the network.
Hacker threatens to release Liechtenstein bank customers' finances
in extortion bid - An unknown cybercriminal is attempting to extort
customers of a Liechtenstein bank, threatening to send potentially
incriminating customer financial information to government
authorities and the media if the victims don't pay 10 percent of
26,500 National Lottery accounts hacked, says operator Camelot -
Camelot, operator of the UK's National Lottery, has cited possible
password reuse as the reason for a breach of 26,500 of its user
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our series on the
FFIEC interagency Information Security Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted. For
example, VPNs, IPSec, and encrypted e-mail will all shield malicious
code from detection.
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
Heuristic anti - virus products generally execute code in a
protected area of the host to analyze and detect any hostile intent.
Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive solutions.
New malicious code could have different signatures, and bypass other
controls. Protection against newly developed malicious code
typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host intrusion
detection devices. Network intrusion detection devices can be tuned
to alert when known malicious code attacks occur. Host intrusion
detection can be tuned to alert when they recognize abnormal system
behavior, the presence of unexpected files, and changes to other
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - APPLICATION
1 of 2)
Sensitive or mission - critical applications should incorporate
appropriate access controls that restrict which application
functions are available to users and other applications. The most
commonly referenced applications from an examination perspective
support the information processing needs of the various business
lines. These computer applications allow authorized users or other
applications to interface with the related database. Effective
application access control can enforce both segregation of duties
and dual control. Access rights to sensitive or critical
applications and their database should ensure that employees or
applications have the minimum level of access required to perform
their business functions. Effective application access control
involves a partnership between the security administrators, the
application programmers (including TSPs and vendors), and the
Some security software programs will integrate access control for
the operating system and some applications. That software is useful
when applications do not have their own access controls, and when
the institution wants to rely on the security software instead of
the application's access controls. Examples of such security
software products for mainframe computers include RACF, CA - ACF2,
and CA - TopSecret. Institutions should understand the functionality
and vulnerabilities of their application access control solutions
and consider those issues in their risk assessment process.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
9.1 Accreditation and
Accreditation is a management official's formal acceptance of the
adequacy of a system's security. The best way to view computer
security accreditation is as a form of quality control. It forces
managers and technical staff to work together to find workable,
cost-effective solutions given security needs, technical
constraints, operational constraints, and mission or business
requirements. The accreditation process obliges managers to make the
critical decision regarding the adequacy of security safeguards and,
therefore, to recognize and perform their role in securing their
systems. In order for the decisions to be sound, they need to be
based on reliable information about the implementation of both
technical and nontechnical safeguards. These include:
! Technical features (Do they operate as intended?).
! Operational practices (Is the system operated according to
! Overall security (Are there threats which the technical features
and operational practices do not address?).
! Remaining risks (Are they acceptable?).
A computer system should be accredited before the system becomes
operational with periodic reaccreditation after major system changes
or when significant time has elapsed.72 Even if a system was not
initially accredited, the accreditation process can be initiated at
any time. Chapter 8 further discusses accreditation.
9.1.1 Accreditation and Assurance
Assurance is an extremely important -- but not the only -- element
in accreditation. As shown in the diagram, assurance addresses
whether the technical measures and procedures operate either (1)
according to a set of security requirements and specifications or
(2) according to general quality principles. Accreditation also
addresses whether the system's security requirements are correct and
well implemented and whether the level of quality is sufficiently