- Clarksons' breach again shows need to eliminate passwords - The
global shipping firm Clarksons reported that it has suffered a
cybersecurity breach which it, and outside security firms, believe
was caused when a lone user account was hacked, again bringing to
the forefront the need to move past the legacy username and password
for logging in to a critical system.
A postmortem of the Grey's Anatomy ransomware episode: Accurate or
Hollywood hyperbole? - Medical drama Grey's Anatomy has killed off a
lot of characters in its 14-year run. But in the Nov. 16 mid-season
finale, titled “Out of Nowhere,” Grey-Sloan Memorial Hospital itself
was on life support after its network became infected with
ransomware, causing machines all over the facility to malfunction.
Senate bill introduced that would require jail time for data breach
cover ups - Three U.S. Senators have introduced a bill that would
require jail time for corporate executives who do not notify
consumers of a breach within 30 days.
Morrisons Supermarket held liable after employee leaks data - U.K.
Supermarket chain Morrison's was found liable, in a first of its
kind data leak class action suit, for the actions of a former
employee who stole the data on thousands of his coworkers and posted
Former NSA employee pleads guilty for stealing classified data,
related to Kaspersky incident - A former NSA employee pleaded guilty
to taking classified national defense information that was later
stolen by Russian spies.
UK cybersecurity leader calls for government to drop Kaspersky Labs'
software - The UK's top cybersecurity agency has joined the U.S.
government in recommending that Kaspersky Labs' products should not
Uber Security Managers Resign in Wake of Hack, Surveillance
Allegations - Uber Technologies Inc.’s security team is crumbling
after a scandalous two weeks that included the surprise disclosure
of a year-old data breach and a damaging letter from a former
employee detailing clandestine operations.
Governor McAuliffe Announces Virginia Students Awarded $140,000 in
Cyber Security Scholarships - Governor Terry McAuliffe today
announced that Virginia students have been awarded a total of
$140,000 in cyber security scholarships as a result of their
participation in the SANS Institute CyberStart online cyber security
skills aptitude pilot program.
Retailers still in need of data breach response plan - Between the
holiday shopping season now being in full swing and the growing
number of retailers hit with data breaches Tripwire was surprised
that a recent survey it conducted found a large percentage of
retailers still had no data breach response plan in place.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- National Credit Federation unsecured AWS S3 bucket leaks credit,
personal data - In what has become a familiar and troubling refrain,
an unsecured Amazon Web Services S3 storage bucket that allows
public access, reportedly has leaked sensitive information,
including credit card numbers, credit reports from the three major
reporting agencies, bank account numbers and Social Security
Stanford University server exposes data of 10,000 staffers - The
University of Stanford announced that it has left sensitive student
and staff data exposed on three separate occasions over the last
Data breach at PayPal's TIO Networks unit affects 1.6 million
customers - PayPal Holdings on Friday acknowledged that a data
breach at recently acquired payments processor TIO Networks
compromised the personally identifiable information of roughly 1.6
Data on 31 million users leaked by smartphone keyboard app - After
the developer of virtual keyboard app Ai.Type left a 577GB
Mongo-hosted database unsecured, personal data on more than 31
million customers was exposed to anyone who has an internet
Data breach at PayPal's TIO Networks unit affects 1.6 million
customers - PayPal Holdings on Friday - A Michigan man who hacked
into his local prison's computing system to gain early release for a
friend is facing his own time inside after getting caught.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Security and Confidentiality
The contract should address the service provider’s
responsibility for security and confidentiality of the institution’s
resources (e.g., information, hardware). The agreement should
prohibit the service provider and its agents from using or
disclosing the institution’s information, except as necessary to or
consistent with providing the contracted services, to protect
against unauthorized use (e.g., disclosure of information to
institution competitors). If the service provider receives
nonpublic personal information regarding the institution’s
customers, the institution should notify the service provider to
assess the applicability of the privacy regulations. Institutions
should require the service provider to fully disclose breaches in
security resulting in unauthorized intrusions into the service
provider that may materially affect the institution or its
customers. The service provider should report to the institution
when material intrusions occur, the effect on the institution, and
corrective action to respond to the intrusion.
Consideration should be given to contract provisions addressing
control over operations such as:
Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and
the institution’s approval rights
regarding material changes to services, systems, controls, key
project personnel allocated to
the institution, and new service locations.
• Setting and monitoring of parameters relating to any financial
functions, such as payments
processing and any extensions of credit on behalf of the
• Insurance coverage to be maintained by the service provider.
the top of the newsletter
FFIEC IT SECURITY -
We continue our coverage of
the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Using "Wired Equivalent Privacy" (WEP) by itself to provide
wireless network security may lead a financial institution to a
false sense of security. Information traveling over the network
appears secure because it is encrypted. This appearance of security,
however, can be defeated in a relatively short time.
Through these types of attacks, unauthorized personnel could gain
access to the financial institution's data and systems. For example,
an attacker with a laptop computer and a wireless network card could
eavesdrop on the bank's network, obtain private customer
information, obtain access to bank systems and initiate unauthorized
transactions against customer accounts.
Another risk in implementing wireless networks is the potential
disruption of wireless service caused by radio transmissions of
other devices. For example, the frequency range used for 802.11b
equipment is also shared by microwave ovens, cordless phones and
other radio-wave-emitting equipment that can potentially interfere
with transmissions and lower network performance. Also, as wireless
workstations are added within a relatively small area, they will
begin to compete with each other for wireless bandwidth, decreasing
the overall performance of the wireless network.
Risk Mitigation Components -- Wireless Internal Networks
A key step in mitigating security risks related to the use of
wireless technologies is to create policies, standards and
procedures that establish minimum levels of security. Financial
institutions should adopt standards that require end-to-end
encryption for wireless communications based on proven encryption
methods. Also, as wireless technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless network devices.
For wireless internal networks, financial institutions should
adopt standards that require strong encryption of the data stream
through technologies such as the IP Security Protocol (IPSEC). These
methods effectively establish a virtual private network between the
wireless workstation and other components of the network. Even
though the underlying WEP encryption may be broken, an attacker
would be faced with having to defeat an industry-proven security
Financial institutions should also consider the proximity of their
wireless networks to publicly available places. A wireless network
that does not extend beyond the confines of the financial
institution's office space carries with it far less risk than one
that extends into neighboring buildings. Before bringing a wireless
network online, the financial institution should perform a limited
pilot to test the effective range of the wireless network and
consider positioning devices in places where they will not broadcast
beyond the office space. The institution should also be mindful that
each workstation with a wireless card is a transmitter. Confidential
customer information may be obtained by listening in on the
workstation side of the conversation, even though the listener may
be out of range of the access device.
The financial institution should consider having regular
independent security testing performed on its wireless network
environment. Specific testing goals would include the verification
of appropriate security settings, the effectiveness of the wireless
security implementation and the identification of rogue wireless
devices that do not conform to the institution's stated standards.
The security testing should be performed by an organization that is
technically qualified to perform wireless testing and demonstrates
appropriate ethical behavior.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
13.6.5 Administer the Program
There are several important considerations for administering the
Visibility. The visibility of a CSAT program plays a key
role in its success. Efforts to achieve high visibility should begin
during the early stages of CSAT program development. However, care
should be give not to promise what cannot be delivered.
Training Methods. The methods used in the CSAT program
should be consistent with the material presented and tailored to the
audience's needs. Some training and awareness methods and techniques
are listed above (in the Techniques sections). Computer security
awareness and training can be added to existing courses and
presentations or taught separately. On-the-job training should also
Training Topics. There are more topics in computer security
than can be taught in any one course. Topics should be selected
based on the audience's requirements.
Training Materials. In general, higher-quality training
materials are more favorably received and are more expensive. Costs,
however, can be minimized since training materials can often be
obtained from other organizations. The cost of modifying materials
is normally less than developing training materials from scratch.
Training Presentation. Consideration should be given to the
frequency of training (e.g., annually or as needed), the length of
training presentations (e.g., twenty minutes for general
presentations, one hour for updates or one week for an off-site
class), and the style of training presentation (e.g., formal
presentation, informal discussion, computer-based training,
The Federal Information Systems Security Educators' Association and
NIST Computer Security Program Managers' Forum provide two means for
federal government computer security program managers and training
officers to share training ideas and materials.