- Is your web site compliant with the American Disability Act?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. Help reduce any liability, please
contact me for more information at
FYI - The FDIC and
the OCC do not have a requirement that financial institutions
change third-party vendors on a periodic basis. Any such
decision is a management decision not a regulatory decision.
When it comes to IoT, more security is needed - Sometimes it takes
a monumental event for an industry to change. The Target hack during
the holiday season of 2013 – in which some 40 million credit card
numbers were stolen – changed people's attitudes about security
Virtualization and cloud-based security - These are two sides of the
same coin. On one side, we have security for the virtual, or
software-defined, data center. On the other, we have security for
Joomla flaw allows attacker to change passwords and seize sites -
Joomla patched a vulnerability (CVE-2016-9838) which if exploited
could allow an attacker to reset login credentials and take over
44 percent of orgs fail to meet breach investigation deadlines,
study - A recent study revealed that 44 percent of organizations in
the U.K. fail to meet deadlines for investigating and reporting data
breaches, and a lack of staff and automation may be to blame.
Breach risk assessment reveals attackers' favorite techniques - A
recent breach risk assessment of more than 20 organizations running
large enterprise networks found that 100 percent showed signs of
traffic tunneling, DNS-related exfiltration and malformed protocols
in outbound traffic – all indicators of attackers using evasion and
Insurers handling 'hundreds' of breach claims - Insurance claims for
data breaches are being made at a rate of more than one a day,
figures from CFC Underwriting suggest.
Advances in emerging surveillance technologies like cell-site
simulators – devices which transform a cell phone into a real-time
tracking device – require careful evaluation to ensure their use is
consistent with the protections afforded under the First and Fourth
Amendments to the U.S. Constitution.
59% of consumers fear cyber-attacks disrupting celebrations -
Consumers growing less forgiving: only four percent would
unconditionally stay with a business that failed to inform them of a
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- China hacked the FDIC - and US officials covered it up, report
says - China's spies hacked into computers at the Federal Deposit
Insurance Corporation from 2010 until 2013 -- and American
government officials tried to cover it up, according to a
US election agency breached by suspected Russian hacker - A
security firm discovers more than 100 login credentials for
computers at the US Election Assistance Commission on the internet
SWIFT bank system involved in hack into Turkey's third largest bank
- The third largest bank in Turkey was hit with another assault
exploiting the SWIFT money transfer system.
Howard County: Ransomware attack worse than originally thought -
Howard County (Indiana) government officials reported that more
files than originally thought were impacted by a pair of ransomware
attacks that took place in November.
Domino's Pizza advises customers to change their passwords - Pizza
purveyor Domino's Pizza has advised its customers by email to change
their account password to one which is strong and unique to avoid
fraudulent account activity, owing to recent large-scale data
breaches and password reuse across multiple websites.
PayAsUGym hacked, 305,000 sets of customer credentials stolen - The
company says that it does not store any financial credentials, but
appears to have ignored multiple attempts to work with the
individual who claims to have carried out the breach.
Data of 55K users of Lynda.com at risk following breach - Lynda.com,
the training site of LinkedIn, was hit by a breach that exposed the
user passwords of a small percentage of users, around 55,0000
accounts, according to Endgadget.
Ethereum cryptocurrency breach affects 16K - Administrators of the
Ethereum Project said the platform to trade the Ethereum
cryptocurrency incurred a breach affecting more than 16,500 users.
November healthcare breaches: 458,000 patient records affected - The
healthcare industry had an up and down November with the amount of
patient records lost in data breaches declining, but the number of
incidents reaching a new high for the year.
Alleged car thieves used breached data to help steal Hyundais and
Kias - Israeli Police reportedly have arrested three individuals
from East Jerusalem who allegedly hacked into the company servers of
car manufacturers Hyundai and Kia in order to obtain data that would
help them steal dozens of their automobiles.
Data of 400K Community Health Plan of Washington members compromised
by breach - Personal information, including Social Security numbers,
were compromised in a recent data breach of Community Health Plan of
Washington, the insurance arm of 19 community health centers in
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight -
Principle 2: The Board of Directors and senior management should
review and approve the key aspects of the bank's security control
The Board of Directors and senior management should oversee
the development and continued maintenance of a security control
infrastructure that properly safeguards e-banking systems and data
from both internal and external threats. This should include
establishing appropriate authorization privileges, logical and
physical access controls, and adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary duties
and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to prevent
unauthorized internal and external access to e-banking applications
4) Regular review and testing of security measures and controls,
including the continuous tracking of current industry security
developments and installation of appropriate software upgrades,
service packs and other required measures.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - PHYSICAL
The confidentiality, integrity, and availability of information can
be impaired through physical access and damage or destruction to
physical components. Conceptually, those physical security risks are
mitigated through zone-oriented implementations. Zones are physical
areas with differing physical security requirements. The security
requirements of each zone are a function of the sensitivity of the
data contained or accessible through the zone and the information
technology components in the zone. For instance, data centers may be
in the highest security zone, and branches may be in a much lower
security zone. Different security zones can exist within the same
structure. Routers and servers in a branch, for instance, may be
protected to a greater degree than customer service terminals.
Computers and telecommunications equipment within an operations
center will have a higher security zone than I/O operations, with
the media used in those equipment stored at yet a higher zone.
The requirements for each zone should be determined through the
risk assessment. The risk assessment should include, but is not
limited to, the following threats:
! Aircraft crashes
! Chemical effects
! Electrical supply interference
! Electromagnetic radiation
! Wireless emissions
! Any other threats applicable based on the entity's unique
geographical location, building configuration, neighboring entities,
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
Conformance Testing and Validation Suites
NIST produces validation suites and conformance testing to
determine if a product (software, hardware, firmware) meets
specified standards. These test suites are developed for specific
standards and use many methods. Conformance to standards can be
important for many reasons, including interoperability or strength
of security provided. NIST publishes a list of validated products
9.3.3 Use of Advanced or Trusted Development
In the development of both commercial off-the-shelf products and
more customized systems, the use of advanced or trusted system
architectures, development methodologies, or software engineering
techniques can provide assurance. Examples include security design
and development reviews, formal modeling, mathematical proofs, ISO
9000 quality techniques, or use of security architecture concepts,
such as a trusted computing base (TCB) or reference monitor.
9.3.4 Use of Reliable Architectures
Some system architectures are intrinsically more reliable, such as
systems that use fault-tolerance, redundance, shadowing, or
redundant array of inexpensive disks (RAID) features. These examples
are primarily associated with system availability.
9.3.5 Use of Reliable Security
One factor in reliable security is the concept of ease of safe use,
which postulates that a system that is easier to secure will be more
likely to be secure. Security features may be more likely to be used
when the initial system defaults to the "most secure" option. In
addition, a system's security may be deemed more reliable if it does
not use very new technology that has not been tested in the "real"
world (often called "bleeding-edge" technology). Conversely, a
system that uses older, well-tested software may be less likely to