- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet as well as
the penetration study complies
with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
- 90% Of Industries, Not Just Healthcare, Have Disclosed PHI In
Breaches - New Verizon PHI report finds that organizations' workers
comp and wellness programs are also vulnerable repositories for
personal health information.
Juniper issues patch for ScreenOS to eliminate unauthorized code -
Juniper Networks issued a security warning and patches centered on
its ScreenOS firewall management software to eliminate illicit code
that could lead to an attacker gaining administrative control to the
company's NetScreen devices.
Former national security officials urge government to embrace rise
of encryption - A number of former senior national security
officials are urging that the government embrace the move to strong
encryption by tech companies — even if it means law enforcement will
be unable to monitor some phone calls and text messages in terrorism
and criminal investigations.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- MacKeeper Leak Highlights Danger of Misconfigured Databases - The
Shodan port-scanning service finds at least 35,000 MongoDB databases
accessible without a password. A security researcher gained access
to a database holding information on millions of users of the
often-criticized MacKeeper Mac OS X utility program, after a simple
Internet search highlighted the developer's misconfigured MongoDB
server, developer Kromtech acknowledged on Dec. 14.
Officials call City Hall
cyberattack ‘minor’ - Hackers took down
City Hall’s Internet service for a short time yesterday in a
act of cybervandalism” that officials stressed had no connection to
the threats received in Los Angeles and New York City.
Skimmers Found at Some Calif., Colo. Safeways - Sources at multiple
financial institutions say they are tracking a pattern of fraud
indicating that thieves have somehow compromised the credit card
terminals at checkout lanes within multiple Safeway stores in
California and Colorado. Safeway confirmed it is investigating
skimming incidents at several stores.
Landry's investigates a potential POS attack - The restaurant and
hospitality company Landry's is reporting that some of its customers
have had unauthorized charges placed on their payment cards after
they were used at a Landry's establishment.
Hello Kitty SanrioTown breach affects 3.3 million accounts - A
security researcher claims to have discovered a leaked database for
SanrioTown.com, the Hello Kitty official online community, which
contained the information of 3.3 million accounts.
Gyft resets some customer passwords following breach - Passwords
have been reset for a number of Gyft users as a precaution after a
trove of account data was reported for sale on an underground forum.
DOJ investigating data breach at Uber - The Department of Justice is
probing a data breach at Uber that an internal investigation
reportedly linked to an employee at rival service Lyft, Reuters
reported late Friday.
Phishing campaign targets HSBC customers - Customers of HSBC are
being sent phony emails "warning" them their account is locked,
according to a blog post from Malwarebytes.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week begins our series
on the FDIC's Supervisory Policy on Identity Theft.
1 of 6)
Policy on Identity Theft
Identity theft is fraud committed or attempted by using the
identifying information of another person without his or her
authority. Identifying information may include such things as a
Social Security number, account number, date of birth, driver's
license number, passport number, biometric data and other unique
electronic identification numbers or codes. As more financial
transactions are done electronically and remotely, and as more
sensitive information is stored in electronic form, the
opportunities for identity theft have increased significantly. This
policy statement describes the characteristics of identity theft and
emphasizes the FDIC's well-defined expectations that institutions
under its supervision detect, prevent and mitigate the effects of
identity theft in order to protect consumers and help ensure safe
and sound operations.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most important
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
The security process is the method an organization uses to
implement and achieve its security objectives. The process is
designed to identify, measure, manage and control the risks to
system and data availability, integrity, and confidentiality, and
ensure accountability for system actions. The process includes five
areas that serve as the framework for this booklet:
Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and
operation of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of risk -
appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously gathering
and analyzing information regarding new threats and vulnerabilities,
actual attacks on the institution or others combined with the
effectiveness of the existing security controls. This information is
used to update the risk assessment, strategy, and controls.
Monitoring and updating makes the process continuous instead of a
one - time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4.3 Employee Sabotage
Employees are most familiar with their employer's computers and
applications, including knowing what actions might cause the most
damage, mischief, or sabotage. The downsizing of organizations in
both the public and private sectors has created a group of
individuals with organizational knowledge, who may retain potential
system access (e.g., if system accounts are not deleted in a timely
manner). The number of incidents of employee sabotage is believed to
be much smaller than the instances of theft, but the cost of such
incidents can be quite high.
Martin Sprouse, author of Sabotage in the American Workplace,
reported that the motivation for sabotage can range from altruism to
As long as people feel cheated, bored, harassed, endangered, or
betrayed at work, sabotage will be used as a direct method of
achieving job satisfaction -- the kind that never has to get the
Common examples of computer-related employee sabotage include:
1) destroying hardware or facilities,
2) planting logic bombs that destroy programs or data,
3) entering data incorrectly,
4) "crashing" systems,
5) deleting data,
6) holding data hostage, and
7) changing data.
Chapter 4.4 Loss of Physical and Infrastructure Support
The loss of supporting infrastructure includes power failures
(outages, spikes, and brownouts), loss of communications, water
outages and leaks, sewer problems, lack of transportation services,
fire, flood, civil unrest, and strikes. These losses include such
dramatic events as the explosion at the World Trade Center and the
Chicago tunnel flood, as well as more common events, such as broken
water pipes. Many of these issues are covered in Chapter. A loss of
infrastructure often results in system downtime, sometimes in
unexpected ways. For example, employees may not be able to get to
work during a winter storm, although the computer system may be