Financial Services Cybersecurity Weekly Briefing 12-08-2017

Weekly FS Cybersecurity Blast

Weekly FS Cybersecurity Blast

Critical Informatics Releases Continuous Vulnerability Identification (CVI), Automating Network Vulnerability Scans and Reporting
The service is operated from the company’s Critical Insight security monitoring platform, which keeps the technology footprint and installation as light as possible. […] CVI allows administrators to schedule scans as often as needed to identify emerging vulnerabilities, or execute scans on-demand following specific events, such as application updates. The configurable intervals between scans provide insight into vulnerability trends throughout the year, something that quarterly or annual scans may overlook.

 

U.K. Banks Aren’t Telling Regulators About All Cyber Attacks
“Our suspicion is that there’s currently a material under-reporting of successful cyber attacks,” Megan Butler, the FCA’s director of supervision, said in a speech Tuesday, according to a copy of her remarks on the regulator’s website. “The number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry.”

 

Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About
Globally operating financial services firms have to be aware of new cybersecurity regulations and how they affect their business in order to navigate data rules and remain compliant, especially as they conduct business across borders. Compliance is especially crucial as the punishments for noncompliance typically include large fines. Below are some of the most recent implemented or proposed cybersecurity regulations that will affect financial services firms.

 

Banks Build Line of Defense for Doomsday Cyberattack 
U.S. banks have quietly launched a doomsday project they hope will prevent a run on the financial system should one of them suffer a debilitating cyberattack. The effort, which went live earlier this year and is dubbed Sheltered Harbor, currently includes banks and credit unions that have roughly 400 million U.S. accounts. The effort requires member firms to individually back up data so it can be used by other firms to serve customers of a disabled bank.

 

US Banks Prepare Cyberattack Contingency Plan
Dubbed Sheltered Harbor, the project involves the participation of various banks and credit unions that have about 400 million accounts in the US. Members of the Sheltered Harbor project are required to individually back up data so that it can be used by other member firms to serve customers in the event of a debilitating data breach.

 

Venezuela Looks to Cyber Currency to Circumvent US Financial Sanctions
The leftist leader offered few specifics about the currency launch or how the struggling OPEC member would pull off such a feat, but he declared to cheers that “the 21st century has arrived!” “Venezuela will create a cryptocurrency,” backed by oil, gas, gold and diamond reserves, Maduro said in his regular Sunday televised broadcast, a five-hour showcase of Christmas songs and dancing.

 

Banking Apps Found Vulnerable to MITM Attacks
The use of certificate pinning allows apps to specify a specific certificate that they trust for a given server. This helps defeat a number of attacks, specifically MITM attacks that rely on spoofing the certificate for a trusted app or website. What researchers found was a vulnerability in each of the apps’ implementation of the certificate pinning and certificate verification used when creating a Transport Layer Security (TLS) connection.

 

Financial Services Organizations Fail to Properly Secure SSH Keys
According to the findings 69 percent of respondents from the financial services industry admit they don’t actively rotate keys, even when an administrator leaves their organization. This allows the former employee the potential for ongoing privileged access to critical and sensitive systems.

 

Stay up to date on the Financial Services Information Security news that you need to know by signing up for our Financial Cybersecurity Briefing Here.

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.