- NYC mayor reveals plan to add 10,000 cybersecurity jobs over the
next decade - New York City Mayor Bill de Blasio on Thursday
unveiled a ten-year plan to introduce 100,000 jobs with annual
salaries of $50,000 or greater by strategically investing in
multiple industries, with a strong emphasis on cybersecurity.
FIN7 targeting restaurants with fileless malware - FIN7 is back at
it again this time using their infamous fileless malware to target
U.S. restaurants using clever phishing emails designed to look like
Report predicts banks to get €4.7bn fines in first 3 years under
GDPR - Report urges banks to focus on breach response readiness to
mitigate GDPR risk as predicted number and levels of fines are
Banks will be forced to reveal cyber security breaches to European
Central Bank - Big British banks, such as RBS, Barclays and HSBC,
will all have to report major breaches to the ECB.
How to Know Which NIST Framework to Use - One of the most important
aspects of the recent cybersecurity executive order is also the
aspect causing the most confusion.
Why Girl Scouts Make Great Cybersecurity Hackers - Your favorite
cookie sellers are in training to become white hat hackers.
Bank websites struggle, consumer services sites shine in online
trust assessment - An audit of more than 1,000 top websites found
that 52 percent have highly trustworthy cybersecurity and privacy
practices – the highest percentage ever for this annual evaluation –
yet 46 percent failed the assessment altogether, with bank sites
surprisingly faring worst of all.
Combatting the Security Risks of the IoT - The market for connected
devices has exploded in recent years, leading to billions of
Internet of Things (IoT) devices being deployed around the globe.
One quarter of Australian companies hit by phishing attack this
week: Mailguard - The phishing attacks against Australian energy
customers grew yesterday with Mailguard reporting an enormous number
of phishing attempts made centered on fake Origin Energy bills.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Georgia special election disruption concerns rise after 6.7M
records leaked - Several security vulnerabilities in systems used to
manage Georgia's election technology, exposing the records of 6.7
million voters months before the nation most expensive House race
slated for June 20, has raised the fears that the election could be
Data breach at Oklahoma U impacts 30K students - Lax privacy
settings in a campus file-sharing network led to an unintentional
exposure of the educational records of thousands of students at
University College London fights off ransomware infection - One of
London's most prestigious universities is fighting off a ransomware
infection, according to its information security team.
Accounts of 6M CashCrate users exposed - User data on six million
subscribers to the cash-for-surveys site CashCrate has been
Brute Force Breach? WSU 85-pound safe theft compromises 1M records -
A recent theft at Washington State University is redefine the
definition of a brute force breach after someone made off with a
85-pound safe containing a hard drive holding the data of a million
Erebus ransomware attack demanded $1.62 million from South Korean
firm - South Korean firm NAYANA was hit with a Linux ransomware
attack that demanded an unprecedented 550 Bitcoins (BTC) or $1.62
No recourse, perhaps, for 200M affected in breach of RNC database,
attorney - The 200 million registered voters whose personal details
were compromised in a massive data breach face an uphill battle
should they choose to petition for a class-action suit or seek
recompense for the exposure.
POS data breach hits Buckle Inc. stores - Buckle Inc. was hit with
point-of-sale (POS) malware on the payment data systems at an
undisclosed number of locations.
2,000 Texas HHSC clients health data compromised - The Texas Health
and Human Services Commission (HHSC) reported a data breach possibly
affecting almost 2,000 people in the Houston area.
Hacktivist hits Minnesota gov databases to protest Philando Castile
verdict - A hacktivist Sunday breached Minnesota government
databases and stole 1,400 email credentials, along with other
information, to Protest the Philando Castile verdict.
New York Supreme Court Justice fell for $1M phishing attack - New
York State Supreme Court Justice Lori Sattler was duped out of more
than $1 million while trying to sell her Upper East Side apartment
and purchase another.
Japanese Honda factory hit with WannaCry ransomware, halts
production - A Honda plant in Sayama, Japan was forced to halt
domestic production for a day after its network was hit with
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (5 of 12)
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
Institutions should develop procedures for notifying law
enforcement agencies and filing SARs in accordance with their
primary Federal regulator's requirements. Law enforcement agencies
may serve as an additional resource in handling and documenting the
incident. Institutions should also establish procedures for filing
SARs in a timely manner because regulations impose relatively quick
filing deadlines. The SAR form itself may serve as a resource in the
reporting process, as it contains specific instructions and
thresholds for when to file a report. The SAR form instructions also
clarify what constitutes a "computer intrusion" for filing purposes.
Defining procedures for notifying law enforcement agencies and
filing SARs can streamline these notification and reporting
Institutions should also address customer notification procedures
in their IRP. When an institution becomes aware of an incident
involving unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to determine
the likelihood that such information has been or will be misused. If
the institution determines that sensitive customer information has
been misused or that misuse of such information is reasonably
possible, it should notify the affected customer(s) as soon as
possible. Developing standardized procedures for notifying customers
will assist in making timely and thorough notification. As a
resource in developing these procedures, institutions should
reference the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the recommended
content of the notification, and the acceptable forms of
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
A maxim of security is "prevention is ideal, but detection is a
must." Security systems must both restrict access and protect
against the failure of those access restrictions. When those systems
fail, however, an intrusion occurs and the only remaining protection
is a detection - and - response capability. The earlier an intrusion
is detected, the greater the institution's ability to mitigate the
risk posed by the intrusion. Financial institutions should have a
capability to detect and react to an intrusion into their
Preparation for intrusion detection generally involves identifying
data flows to monitor for clues to an intrusion, deciding on the
scope and nature of monitoring, implementing that monitoring, and
establishing a process to analyze and maintain custody over the
resulting information. Additionally, legal requirements may include
notifications of users regarding the monitoring and the extent to
which monitoring must be performed as an ordinary part of ongoing
Adequate preparation is a key prerequisite to detection. The best
intrusion detection systems will not identify an intrusion if they
are not located to collect the relevant data, do not analyze correct
data, or are not configured properly. Even if they detect an
intrusion, the information gathered may not be usable by law
enforcement if proper notification of monitoring and preservation of
data integrity has not taken place.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.2 Step 2: Identifying the Resources That Support Critical
Applications and Data
Computer systems run applications that process data. Without
current electronic versions of both applications and data,
computerized processing may not be possible. If the processing is
being performed on alternate hardware, the applications must be
compatible with the alternate hardware, operating systems and other
software (including version and configuration), and numerous other
technical factors. Because of the complexity, it is normally
necessary to periodically verify compatibility.
11.2.4 Computer-Based Services
An organization uses many different kinds of computer-based
services to perform its functions. The two most important are
normally communications services and information services.
Communications can be further categorized as data and voice
communications; however, in many organizations these are managed by
the same service. Information services include any source of
information outside of the organization. Many of these sources are
becoming automated, including on-line government and private
databases, news services, and bulletin boards.
11.2.5 Physical Infrastructure
For people to work effectively, they need a safe working
environment and appropriate equipment and utilities. This can
include office space, heating, cooling, venting, power, water,
sewage, other utilities, desks, telephones, fax machines, personal
computers, terminals, courier services, file cabinets, and many
other items. In addition, computers also need space and utilities,
such as electricity. Electronic and paper media used to store
applications and data also have physical requirements
11.2.6 Documents and Papers
Many functions rely on vital records and various documents, papers,
or forms. These records could be important because of a legal need
(such as being able to produce a signed copy of a loan) or because
they are the only record of the information. Records can be
maintained on paper, microfiche, microfilm, magnetic media, or
Please don't hesitate to email me (firstname.lastname@example.org)
if you have any questions.
Have a great week,
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Our cybersecurity pen-test firewall audit
meets the independent diagnostic test
requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with
Bliley Act 501(b).
a hacker's perspective, which will help
your IT staff identify real-world weaknesses.
There is no charge if you are not satisfied with our service.
For more information, please call R. Kinney Williams at 806-798-7119, send
an email to
email@example.com, or visit
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors