- NICC releases guidance for secure implementation and use of SIP ALG - Guidance has been produced by NICC for the use and secure implementation of SIP (Session Initiation Protocol) ALG (Application
- HHS to stand up its own version of the NCCIC for health - The Health and Human Services Department is taking a page out of the Homeland Security Department's book, as it tries to coordinate and secure the ever-growing and complicated world of mobile health IT.
- Securing robotic and IoT devices - Unsecured Internet of Things (IoT) devices and the increasing use of automation are leading to vulnerable robotic devices, robots if you will, that if compromised by a hacker could inflict physical harm to humans, not to mention opening the device and possibly compromising all types of personal
- FCC chair calls for net neutrality rollback - Ajit Pai, chairman of the Federal Communications Commission (FCC), Wednesday laid out plans to roll back net neutrality regulations put in place under the
- Paid in the USA: Americans more likely to pony up when infected with ransomware - The U.S. suffered 34 percent of global ransomware infections last year – and it's no wonder why, with 64 percent of Americans willing to pay to retrieve their encrypted files, compared to just 34 percent of victims worldwide.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- IHG data breach, cyber experts weigh in on curing POS problems - The recent revelation by the InterContinental Hotels Group that 1,200 of its locations had been victimized by malware placed on its front desk point-of-sale (PoS) systems should spur companies to ensure their equipment is locked down and monitored.
- Cybersecurity firm exposed non-anonymized hospital data in demos - Cybersecurity startup Tanium is in hot water after exposing non-anonymized network data from a California hospital during live product demonstrations and online videos.
- Hackers launch Delta fake ticket receipt scam - Heimdal Security researchers spotted fraudsters sending phishing emails under the guise of blank Delta Airlines' ticket confirmations.
- Fake Super Mario Run App Steals Credit Card Information - Dozens of malicious Android apps claiming to be the mobile game Super Mario Run have been detected by researchers at Trend Micro.
- 20K notified of data breach at healthcare network Lifespan - Lifespan, a Rhode Island-based healthcare network, informed 20,000 patients that an employee laptop containing patient data went
- Iowa veterans warned of possible data breach - On April 21, the Iowa Veterans Home (IVH) began notifying thousands of residents, former residents and applicants that their personal information may have
- Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools - Vulnerable unpatched systems expose exploitable SMB networking to world+dog - The NSA's Equation Group hacking tools, leaked last Friday by the Shadow Brokers, have now been used to infect thousands of Windows machines worldwide, we're told.
- Data blowout at Blowout Cards - Blowout Cards, a site for the buying, selling and trading of sports and other types of cards, suffered a breach, according to a report on Data Breach
- City of Newark reportedly hit in ransomware attack - A ransomware attack has hit some municipal computers in New Jersey's most populous city, Newark, TAPInto Newark reported on Monday, citing the city's CIO Seth Wainer and a document obtained by the media outlet.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should
be assigned to all individuals, agents or systems, which conduct
2. All e-banking systems should be constructed to ensure that they
interact with a valid authorization database.
3. No individual agent or system should have the authority to
change his or her own authority or access privileges in an e-banking
4. Any addition of an individual, agent or system or changes to
access privileges in an e-banking authorization database should be
duly authorized by an authenticated source empowered with the
adequate authority and subject to suitable and timely oversight and
5. Appropriate measures should be in place in order to make
e-banking authorization databases reasonably resistant to tampering.
Any such tampering should be detectable through ongoing monitoring
processes. Sufficient audit trails should exist to document any such
6. Any e-banking authorization database that has been tampered with
should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization
levels during e-banking transaction sessions and any attempts to
alter authorization should be logged and brought to the attention of
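The principles above describe what an e-banking authorization database must enforce, but not how. The following is an added example, not taken from the newsletter or the Basel Committee paper: a small in-memory authorization store in which only a designated administrator can change privileges (principle 4), nobody can change their own (principle 3), changes are refused while the subject is mid-session (principle 7), every change and every refusal is appended to an HMAC-chained audit trail (principle 5), and the store refuses to answer or accept changes once that chain no longer verifies (principle 6). All principal names, the privilege names and the audit key are constructed for the demonstration.

```python
"""Tamper-evident e-banking authorization database (added example).

Not from the newsletter or the Basel Committee paper. Principal names,
privilege names and the HMAC key are constructed demo values.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In production the audit key lives in an HSM or
# secrets manager and is never readable by the users being audited.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64


class AuthorizationError(Exception):
    """Raised when a privilege change or lookup is refused."""


class AuthorizationDatabase:
    def __init__(self, administrators):
        self.administrators = set(administrators)  # empowered authorizers (principle 4)
        self.privileges = {}                        # subject -> set of privileges
        self.audit_trail = []                       # hash-chained records (principle 5)
        self.active_sessions = set()                # subjects mid-transaction (principle 7)

    def _append_audit(self, **fields):
        """Append a record whose MAC also covers the previous record's MAC."""
        prev = self.audit_trail[-1]["mac"] if self.audit_trail else GENESIS
        record = dict(fields, prev=prev, ts=datetime.now(timezone.utc).isoformat())
        payload = json.dumps(record, sort_keys=True).encode()
        record["mac"] = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
        self.audit_trail.append(record)

    def verify_audit_trail(self):
        """Recompute the chain; an edited, removed or reordered record breaks it."""
        prev = GENESIS
        for rec in self.audit_trail:
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("prev") != prev:
                return False
            expected = hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["mac"]):
                return False
            prev = rec["mac"]
        return True

    def _refuse(self, reason, **fields):
        """Log the refused attempt (principle 7: attempts are logged) and raise."""
        self._append_audit(event="denied", reason=reason, **fields)
        raise AuthorizationError(reason)

    def set_privileges(self, actor, subject, privileges):
        """Change a subject's privileges; only an authenticated administrator may do so."""
        if not self.verify_audit_trail():
            raise AuthorizationError("audit trail tampered; database must be replaced")  # principle 6
        if actor not in self.administrators:
            self._refuse("actor not empowered to change privileges", actor=actor, subject=subject)
        if actor == subject:
            self._refuse("self-modification of privileges", actor=actor, subject=subject)  # principle 3
        if subject in self.active_sessions:
            self._refuse("privilege change during active session", actor=actor, subject=subject)
        self.privileges[subject] = set(privileges)
        self._append_audit(event="change", actor=actor, subject=subject,
                           privileges=sorted(privileges))

    def is_authorized(self, subject, privilege):
        """Answer a lookup only from a database whose audit trail still verifies."""
        if not self.verify_audit_trail():
            raise AuthorizationError("audit trail tampered; database must be replaced")
        return privilege in self.privileges.get(subject, set())


def run_demo():
    """Exercise each control and return the outcomes for inspection."""
    db = AuthorizationDatabase(administrators={"ops_admin"})
    out = {}
    db.set_privileges("ops_admin", "teller1", {"view_balance"})
    out["granted"] = db.is_authorized("teller1", "view_balance")
    # Self-modification by an admin, and any change by a non-admin, are refused.
    for actor, subject in [("ops_admin", "ops_admin"), ("teller1", "teller1"), ("teller1", "teller2")]:
        try:
            db.set_privileges(actor, subject, {"approve_wire"})
            out[f"{actor}->{subject}"] = "allowed"
        except AuthorizationError as exc:
            out[f"{actor}->{subject}"] = str(exc)
    # A legitimate change is still refused while the subject is in a session.
    db.active_sessions.add("teller1")
    try:
        db.set_privileges("ops_admin", "teller1", {"approve_wire"})
        out["mid_session"] = "allowed"
    except AuthorizationError as exc:
        out["mid_session"] = str(exc)
    out["clean_trail"] = db.verify_audit_trail()
    db.audit_trail[0]["subject"] = "teller9"   # simulate direct tampering with the store
    out["tampered_trail"] = db.verify_audit_trail()
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The chain verifies before every read and write, so a record altered directly in storage is caught by the ongoing check rather than only by a periodic review; in a real deployment the key would be held where the people administering the database cannot read it, otherwise the MAC proves nothing against them.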
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
Security personnel allow legitimate users to have system
access necessary to perform their duties. Because of their internal
access levels and intimate knowledge of financial institution
processes, authorized users pose a potential threat to systems and
data. Employees, contractors, or third-party employees can exploit
their legitimate computer access for malicious, fraudulent, or
economic reasons. Additionally, the degree of internal access
granted to some users increases the risk of accidental damage or
loss of information and systems. Risk exposures from internal users
- Altering data,
- Deleting production and backup data,
- Crashing systems,
- Destroying systems,
- Misusing systems for personal gain or to damage the institution,
- Holding data hostage, and
- Stealing strategic or customer data for corporate espionage or
BACKGROUND CHECKS AND SCREENING
Financial institutions should verify job application information
on all new employees. The sensitivity of a particular job or access
level may warrant additional criminal background and credit checks.
Institutions should verify that contractors are subject to similar
screening procedures. Typically, the minimum verification
- Character references;
- Confirmation of prior experience, academic record, and
professional qualifications; and
- Confirmation of identity from government-issued identification.
After employment, managers should remain alert to changes in
employees' personal circumstances that could increase incentives for
system misuse or fraud.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
Termination of a user's system access generally can be
characterized as either "friendly" or "unfriendly." Friendly
termination may occur when an employee is voluntarily transferred,
resigns to accept a better position, or retires. Unfriendly
termination may include situations when the user is being fired for
cause, "RIFed," or involuntarily transferred. Fortunately, the
former situation is more common, but security issues have to be
addressed in both situations.
10.2.5.1 Friendly Termination
Friendly termination refers to the removal of an employee from the
organization when there is no reason to believe that the termination
is other than mutually acceptable. Since terminations can be
expected regularly, this is usually accomplished by implementing a
standard set of procedures for outgoing or transferring employees.
These are part of the standard employee "out-processing," and are
put in place, for example, to ensure that system accounts are
removed in a timely manner. Out-processing often involves a sign-out
form initialed by each functional manager with an interest in the
separation. This normally includes the group(s) managing access
controls, the control of keys, the briefing on the responsibilities
for confidentiality and privacy, the library, the property clerk,
and several other functions not necessarily related to information
In addition, other issues should be examined as well. The continued
availability of data, for example, must often be assured. In both
the manual and the electronic worlds, this may involve documenting
procedures or filing schemes, such as how documents are stored on
the hard disk, and how are they backed up. Employees should be
instructed whether or not to "clean up" their PC before leaving. If
cryptography is used to protect data, the availability of
cryptographic keys to management personnel must be ensured.
Authentication tokens must be collected.
Confidentiality of data can also be an issue. For example, do
employees know what information they are allowed to share with their
immediate organizational colleagues? Does this differ from the
information they may share with the public? These and other
organizational-specific issues should be addressed throughout an
organization to ensure continued access to data and to provide
continued confidentiality and integrity during personnel
transitions. (Many of these issues should be addressed on an ongoing
basis, not just during personnel transitions.) The training and
awareness program normally should address such issues.
Please don't hesitate to email me if you have any questions.
Have a great week,
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Our cybersecurity pen-test firewall audit
meets the independent diagnostic test
requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with
Bliley Act 501(b).
a hacker's perspective, which will help
your IT staff identify real-world weaknesses.
There is no charge if you are not satisfied with our service.
For more information, please call R. Kinney Williams at 806-798-7119, send
an email, or visit
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors