- It was déjà vu all over again when it came to bad passwords in
2017 - The worst password of 2016 remained the number-one worst
password of 2017, as "123456" again topped the list of the most commonly
chosen passwords spotted in data leaks.
The economics of cybersecurity - Georgia jumped onto the
cybersecurity bandwagon in a big way this year with the state
investing in a massive training center to be constructed adjacent to
the Augusta University Riverfront Campus, which is very close to the
U.S. Army Cyber Command, the US Army Cyber Center of Excellence and
the National Security Agency at Fort Gordon.
2017 Biggest Data Breaches - June – Hackers accessed 8tracks's user
database and pilfered information, including email addresses and
encrypted passwords, from at least 18 million accounts signed up for
the Internet radio service using email.
Russia's Globex bank says hackers targeted its SWIFT computers -
Hackers tried to steal 55 million rubles ($940,000) from Russian
state bank Globex using the SWIFT international payments messaging
system, the bank said on Thursday, the latest in a string of
attempted cyber heists that use fraudulent wire-transfer requests.
Washington, D.C. police computers used by two Romanians to operate
ransomware campaign - The U.S. Secret Service has filed a complaint
against two Romanian nationals for allegedly compromising more than
100 Washington, D.C. police computers in order to spread ransomware.
Criminals spoof scanners and printers by the millions to spread
malware - Cybercriminals are spoofing scanners by the millions to
launch attacks containing malicious attachments that appear to be
coming from the network printer.
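The spoofed-scanner lure described above is easy to triage mechanically: a sender that presents itself as a scanner or printer but arrives from an outside domain, or from an internal address that fails SPF/DKIM/DMARC, and carries an executable or archive rather than a PDF. The following is an added example, not code from the original newsletter or from any product it mentions; the internal domain `corp.example`, the keyword and extension lists, and the three sample messages are all constructed assumptions.

```python
"""Flag e-mail that claims to come from a scanner/printer but carries
the marks of an external phishing lure. Added illustration; the sample
messages below are constructed, not real captures."""
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}   # assumption: the organization's own mail domains
DEVICE_WORDS = ("scan", "scanner", "printer", "copier", "mfp", "xerox", "ricoh")
RISKY_EXT = (".zip", ".js", ".jse", ".vbs", ".wsf", ".hta", ".docm", ".xlsm",
             ".html", ".htm", ".exe", ".scr")
AUTH_FAILURES = ("spf=fail", "spf=softfail", "dkim=fail", "dmarc=fail")


def build(sender, subject, filename, content_type, auth_results=None):
    """Construct a one-attachment sample message (test data only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "finance@corp.example"
    msg["Subject"] = subject
    if auth_results:
        msg["Authentication-Results"] = auth_results
    msg.set_content("Please find the attached scanned document.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(b"\x00" * 16, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def assess(msg):
    """Return {'suspicious': bool, 'reasons': [...]} for one message."""
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    text = (display + " " + str(msg.get("Subject", ""))).lower()
    if not any(word in text for word in DEVICE_WORDS):
        return {"suspicious": False, "reasons": []}   # does not pose as a device; out of scope
    auth = str(msg.get("Authentication-Results", "")).lower()
    reasons = []
    if domain not in INTERNAL_DOMAINS:
        reasons.append("device-style sender from external domain %s" % (domain or "<none>"))
    elif any(marker in auth for marker in AUTH_FAILURES):
        reasons.append("internal device address but sender authentication failed")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append("risky attachment %s" % name)
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: one genuine scan, one spoof of an internal address, one external spoof.
LEGIT = build('"Ricoh MP C3004" <scanner@corp.example>', "Scan from copier 2F",
              "Scan_0011.pdf", "application/pdf",
              "mx.corp.example; spf=pass smtp.mailfrom=corp.example")
SPOOF_INTERNAL = build('"Xerox WorkCentre" <scanner@corp.example>', "Scanned image from MX-2600N",
                       "Scan_0012.zip", "application/zip",
                       "mx.corp.example; spf=fail smtp.mailfrom=corp.example; dmarc=fail")
SPOOF_EXTERNAL = build('"HP Scanner" <printer@hp-scan-service.example>', "Scan Data",
                       "Scan.js", "application/javascript")

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoof-int", SPOOF_INTERNAL), ("spoof-ext", SPOOF_EXTERNAL)):
        print(label, assess(sample))
```

In a gateway this would run on the parsed message rather than on objects built in memory; the authentication check relies on the Authentication-Results header being written by your own MTA, so strip any copy of that header that arrives from outside before trusting it.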
Third of UK Cybersecurity Execs Expect to Be Hacked: Report -
Ransomware, phishing attacks and data loss are the three biggest
issues that concern UK cybersecurity executives.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Open AWS S3 bucket exposes sensitive Experian and census info on
123 million U.S. households - Experian and the U.S. Census Bureau
that contain sensitive personal information on 123 million U.S.
Pyramid scheme: AnubisSpy Android malware steals data, seemingly
links to old Sphinx campaign - A newly discovered Android spyware
that victimizes Arabic-speakers has been potentially linked to the
2014-15 Sphinx cyber espionage campaign, which was launched by the
threat group APT-C-15 to target PC users in the Middle East.
Chinese hackers tried to spy on U.S. think tanks to steal military
strategy documents - A series of cyberattacks against Western think
tanks and nongovernmental organizations appear to be attempts by the
Chinese government to gain insight on the military strategies of
Nissan Canada Finance Alerts 1.13 Million Customers of Unauthorized
Info Access - Nissan Canada Finance (NCF) reported last week that it
became aware on Dec. 11 of unauthorized access to personal
information of some of its 1.13 million customers.
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Ownership and License
The contract should address ownership and allowable use by the
service provider of the institution's data, equipment/hardware,
system documentation, system and application software, and other
intellectual property rights. Other intellectual property rights may
include the institution's name and logo; its trademark or
copyrighted material; domain names; web site designs; and other
work products developed by the service provider for the institution.
The contract should not contain unnecessary limitations on the
return of items owned by the institution. Institutions that purchase
software should consider establishing escrow agreements. These
escrow agreements may provide for the following: institution access
to source programs under certain conditions (e.g., insolvency of the
vendor), documentation of programming and systems, and verification
of updated source code.
Institutions should consider the type of technology and current
state of the industry when negotiating the appropriate length of the
contract and its renewal periods. While there can be benefits to
long-term technology contracts, certain technologies may be subject
to rapid change and a shorter-term contract may prove beneficial.
Similarly, institutions should consider the appropriate length of
time required to notify the service provider of the institutions’
intent not to renew the contract prior to expiration. Institutions
should consider coordinating the expiration dates of contracts for
inter-related services (e.g., web site, telecommunications,
programming, network support) so that they coincide, where
practical. Such coordination can minimize the risk of terminating a
contract early and incurring penalties as a result of necessary
termination of another related service contract.
FFIEC IT SECURITY - This concludes our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Part III. Risks Associated with Both Internal Wireless Networks
and Wireless Internet Devices
Evolution and Obsolescence
As the wireless technologies available today evolve, financial
institutions and their customers face the risk of current
investments becoming obsolete in a relatively short time. As
demonstrated by the weaknesses in WEP and earlier versions of WAP
and the changes in standards for wireless technologies, wireless
networking as a technology may change significantly before it is
considered mature. Financial institutions that invest heavily in
components that may become obsolete quickly may feel the cost of
adopting an immature technology.
Controlling the Impact of Obsolescence
Wireless internal networks are subject to the same types of
evolution that encompass the computing environment in general. Key
questions to ask a vendor before purchasing a wireless internal
network solution include:
1) What is the upgrade path to the next class of network?
2) Do the devices support firmware (Flash) upgrades for security
patches and upgrades?
3) How does the vendor distribute security information and
The financial institution should also consider the evolving
standards of the wireless community. Before entering into an
expensive implementation, the institution should research when the
next major advances in wireless are likely to be released. Bank
management can then make an informed decision on whether the
implementation should be based on currently available technology or
a future implementation based on newer technology.
The potential obsolescence of wireless customer access can be
controlled in other ways. As the financial institution designs
applications that are to be delivered through wireless devices, they
should design the application so that the business logic is not tied
to a particular wireless technology. This can be accomplished by
placing the majority of the business logic on back-end or mid-tier
servers that are independent of the wireless application server. The
wireless application server then becomes a connection point between
the customer and the transactions performed. As the institution
decides to upgrade or replace the application server, the business
logic can remain relatively undisturbed.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
Computer support and operations refers to everything done to
run a computer system. This includes both system administration and
tasks external to the system that support its operation (e.g.,
maintaining documentation). It does not include system planning or
design. The support and operation of any computer system, from a
three-person local area network to a worldwide application serving
thousands of users, is critical to maintaining the security of a
system. Support and operations are routine activities that enable
computer systems to function correctly. These include fixing
software or hardware problems, loading and maintaining software, and
helping users resolve problems.
System management and administration staff generally perform support
and operations tasks although sometimes users do. Larger systems may
have full-time operators, system programmers, and support staff
performing these tasks. Smaller systems may have a part-time
The failure to consider security as part of the support and
operations of computer systems is, for many organizations, their
Achilles' heel. The computer security literature includes many
examples of organizations that undermined their often expensive
security measures because of poor documentation, old user accounts,
conflicting software, or poor control of maintenance accounts. Also,
an organization's policies and procedures often fail to address many
of these important issues.
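Two of the failure modes just listed, old user accounts and poorly controlled maintenance accounts, are the kind of thing a routine operations check can catch before an attacker does. The following is an added example, not part of the NIST handbook or of the original newsletter: it audits constructed /etc/passwd, /etc/shadow and last-login data for interactive accounts that are stale, passwordless, or carrying an aged password. The sample accounts, the fixed date, and the 90-day idle and 365-day password-age thresholds are all assumptions chosen for illustration.

```python
"""Audit a host's accounts for stale users, passwordless or never-used
maintenance accounts, and aged passwords. Added illustration; all the
data below is constructed ("$6$..." stands in for a real hash)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
MAX_IDLE_DAYS = 90           # assumption: policy limit for an unused interactive account
MAX_PASSWORD_AGE_DAYS = 365  # assumption: policy limit for password age
TODAY = date(2017, 12, 31)   # fixed so the example is reproducible

# Constructed /etc/passwd and /etc/shadow excerpts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (left June 2017):/home/bob:/bin/bash
vendor:x:1003:1003:HVAC vendor maintenance:/home/vendor:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$...:17500:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:$6$...:17400:0:99999:7:::
bob:$6$...:17100:0:99999:7:::
vendor::17300:0:99999:7:::
backup:*:17000:0:99999:7:::
"""
# Constructed last-login dates (what `lastlog` would report); None = never logged in.
LAST_LOGIN = {"root": date(2017, 12, 20), "alice": date(2017, 12, 28),
              "bob": date(2017, 6, 30), "vendor": None}


def parse_passwd(text):
    """name -> {uid, gecos, shell} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        users[f[0]] = {"uid": int(f[2]), "gecos": f[4], "shell": f[6]}
    return users


def parse_shadow(text):
    """name -> {hash, lastchg} from shadow(5) lines; lastchg is days since the epoch."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        lastchg = EPOCH + timedelta(days=int(f[2])) if f[2] else None
        entries[f[0]] = {"hash": f[1], "lastchg": lastchg}
    return entries


def audit(passwd, shadow, last_login, today=TODAY):
    """Return (user, reason) findings for every interactive account that breaks policy."""
    findings = []
    for name, pw in passwd.items():
        if pw["shell"] in NOLOGIN_SHELLS:
            continue   # not an interactive account
        sh = shadow.get(name)
        if sh is None:
            findings.append((name, "no shadow entry"))
            continue
        if sh["hash"] == "":
            findings.append((name, "empty password field"))   # logs in with no password at all
        elif sh["hash"].startswith(("*", "!")):
            continue   # locked: cannot authenticate with a password
        if sh["lastchg"] and (today - sh["lastchg"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, "password older than %d days" % MAX_PASSWORD_AGE_DAYS))
        seen = last_login.get(name)
        if seen is None:
            findings.append((name, "never logged in"))
        elif (today - seen).days > MAX_IDLE_DAYS:
            findings.append((name, "no login in %d days" % (today - seen).days))
    return findings


if __name__ == "__main__":
    for user, reason in audit(parse_passwd(PASSWD), parse_shadow(SHADOW), LAST_LOGIN):
        print("%-8s %s" % (user, reason))
```

On a real host, read the three inputs from /etc/passwd, /etc/shadow (root only) and the output of `lastlog`; a locked hash does not block key-based SSH logins, so pair this with a check of authorized_keys files for the accounts it skips.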
The important security considerations within some of the major
categories of support and operations are:
1) user support,
2) software support,
3) configuration management,
5) media controls,
6) documentation, and
Some special considerations are noted for larger or smaller systems.
The primary goal of computer support and operations is the continued
and correct operation of a computer system. One of the goals of
computer security is the availability and integrity of systems.
These goals are very closely linked.
This chapter addresses the support and operations activities
directly related to security. Every control discussed in this
handbook relies, in one way or another, on computer system support
and operations. This chapter, however, focuses on areas not covered
in other chapters. For example, operations personnel normally create
user accounts on the system. This topic is covered in the
Identification and Authentication chapter, so it is not discussed
here. Similarly, the input from support and operations staff to the
security awareness and training program is covered in the Security
Awareness, Training, and Education chapter.