Aggregator

VIMESAが提供するVHF/FM Transmitter Blue Plusには、不適切なアクセス制御の脆弱性が存在します。

Deep Sea Electronicsが提供するDSE855には、重要な機能に対する認証の欠如の脆弱性が存在します。

В России продолжается активная борьба с VPN-сервисами.

A vulnerability was found in Cisco ASA and Firepower Threat Defense Software. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Remote Access VPN. The manipulation leads to denial of service. This vulnerability is handled as CVE-2024-20481. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Verisign 和 ICANN 更新了 DNS Root Zone 维护者服务协议，任期为八年。在 DNS 的层次结构中，Root Zone 位于最上方，对几乎所有互联网导航都至关重要，充当了 DNS 中所有顶级域名的动态、加密安全和全局的目录。Root Zone 维护者是一个独一无二的角色，确保每天至少对 Root Zone 进行一次加密签名和发布，没有它互联网上的导航将是不可能的。

A vulnerability, which was classified as critical, has been found in SourceCodester Petrol Pump Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/ajax_product.php. The manipulation of the argument drop_services leads to sql injection. This vulnerability is handled as CVE-2024-10380. The attack may be launched remotely. Furthermore, there is an exploit available.

New Cybersecurity Rules for Financial Institutions in New York State Take Effect November 1, 2024
madhav
Fri, 10/25/2024 - 06:09

The next major deadline for compliance with the updated cybersecurity rules from the New York State Department of Financial Services (NYDFS) is November 1, 2024.

These new rules date back to March 1, 2017, when the NYDFS implemented comprehensive cybersecurity regulations for financial services companies and other covered entities. The regulations were most recently updated on November 1, 2023, with phased effective dates starting on December 1, 2023. Several key provisions of the amended regulations will take effect on November 1, 2024, with additional measures rolling out in 2025.

The cybersecurity regulations apply to entities overseen by the NYDFS, such as financial institutions, insurance companies, agents, and brokers, as well as banks, trusts, mortgage lenders and brokers, money transmitters, check cashers, and other related businesses. Under the revised regulations, larger entities classified as Class A companies face additional obligations, while smaller businesses are exempt from some specific requirements.

The Requirements

By November 1, banks and other firms under the department's jurisdiction must demonstrate, among other requirements, that they must:

• Have a CISO who regularly reports significant cyber incidents to senior management. Additionally, the senior governing body must possess the expertise to oversee the company's cybersecurity program.
• Encrypt "non-public" data both at rest and in motion or use effective alternative compensating controls for information at rest if approved by the CISO in writing. The feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
• Update the incident response plan to include procedures such as the internal process for responding to cybersecurity events, recovery from backups, and conducting a root cause analysis after an event.
• Implement a business continuity and disaster recovery plan that complies with specific requirements and ensures backups are available to restore critical operations.
• Train to employees responsible for executing the incident response and disaster recovery plans, ensuring they understand their roles and responsibilities.
• Test employees responsible for these plans to assess their understanding of their roles and responsibilities.
• Conduct annual tests of the incident response plan, disaster recovery plan, and backup systems.

NYDFS-regulated companies should review their cybersecurity policies, practices, and training to ensure they comply with the amended regulations by November 1, 2024.

The Data Security Challenge

Thales recently released the 2024 Thales Data Threat Report – Financial Services Edition which highlights the latest data security challenges and threats to financial services organizations. Some of the key findings from the report include:

• The percentage of financial services organizations reporting a breach in the last 12 months decreased from 29% in 2021 to 14% in 2024.
• About one in five financial services organizations (18%) reported that they have experienced a ransomware attack.
• Human error was the leading cause of cloud-based data breaches.

Achieving NYDFS Compliance

Thales’ solutions can help Financial Institutions comply with NYDFS by simplifying compliance and automating security, reducing the burden on security and compliance teams. We help address essential cybersecurity requirements under NYDFS Part 500, including:

• Encrypting and monitoring access to non-public information
• Providing an audit trail to detect and respond to cybersecurity events
• Managing access privileges and providing multi-factor authentication
• Securing development of applications
• Assessing risk, discovering and classifying sensitive data
• Managing third party service provider risk
• Securing disposal of information

Download a copy of the 2024 Thales Data Threat Report – Financial Services Edition, and learn more about Thales solutions for NYDFS Compliance.

Data Security Compliance Regulation and compliance Encryption

Kevin Williams | VP, Americas Sales
More About This Author > Schema {
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "New Cybersecurity Rules for Financial Institutions in New York State Take Effect November 1, 2024",
"description": "Understand the new cybersecurity regulations for financial institutions in New York State, effective November 1, 2024, including requirements for encryption, incident response plans, and business continuity measures.",
"datePublished": "2024-10-25",
"author": {
"@type": "Person",
"name": "Kevin Williams",
"url": "https://cpl.thalesgroup.com/blog/author/kwilliams",
"sameAs": "https://www.linkedin.com/in/kevin-williams-a24ba91a/"
},
"publisher": {
"@type": "Organization",
"name": "Thales Group",
"description": "The world relies on Thales to protect and secure access to your most sensitive data and software wherever it is created, shared, or stored. Whether building an encryption strategy, licensing software, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.",
"url": "https://cpl.thalesgroup.com",
"logo": "https://cpl.thalesgroup.com/sites/default/files/content/footer/thaleslogo-white.png",
"sameAs": [
"https://www.facebook.com/ThalesCloudSec",
"https://www.twitter.com/ThalesCloudSec",
"https://www.linkedin.com/company/thalescloudsec",
"https://www.youtube.com/ThalesCloudSec"
]
},
"mainEntityOfPage": "https://cpl.thalesgroup.com/blog/data-security/new-cybersecurity-rules-ny"
}

basic

The post New Cybersecurity Rules for Financial Institutions in New York State Take Effect November 1, 2024 appeared first on Security Boulevard.

Submit #431174 / VDB-281810

Submit #431092 / VDB-259631

Submit #427490 / VDB-87768

AuditBoard and Protiviti announced new joint capabilities. The joint services include advanced analytics, collaboration, transformation, and digitization capabilities, along with a joint offering to help teams prepare for the new Global Internal Audit Standards from The Institute of Internal Auditors. Available immediately, these new solutions will empower customers to dramatically transform how they gain insights, drive efficiency, and deliver transparency throughout their audit lifecycle. The launch includes: Analytics Accelerators combine AuditBoard’s modern connected risk platform … More →

The post AuditBoard and Protiviti guide enterprises in redefining the value of internal audit appeared first on Help Net Security.

A vulnerability classified as problematic was found in ESAFENET CDG 5. Affected by this vulnerability is the function actionViewDecyptFile of the file /com/esafenet/servlet/client/DecryptApplicationService.java. The manipulation of the argument decryptFileId with the input ../../../Windows/System32/drivers/etc/hosts leads to path traversal: '../filedir'. This vulnerability is known as CVE-2024-10379. The attack can be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The affected function has a typo and is missing an R.

A vulnerability classified as critical has been found in ESAFENET CDG 5. Affected is the function actionViewCDGRenewFile of the file /com/esafenet/servlet/client/CDGRenewApplicationService.java. The manipulation of the argument CDGRenewFileId leads to sql injection. This vulnerability is traded as CVE-2024-10378. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in ESAFENET CDG 5. It has been rated as critical. This issue affects the function actionPassDecryptApplication1 of the file /com/esafenet/servlet/client/DecryptApplicationService.java. The manipulation of the argument id leads to sql injection. The identification of this vulnerability is CVE-2024-10377. The attack may be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. This is a different issue than CVE-2024-10069.

A vulnerability was found in ESAFENET CDG 5. It has been declared as critical. This vulnerability affects the function actionPassOrNotAutoSign of the file /com/esafenet/servlet/service/processsign/AutoSignService.java. The manipulation of the argument UniqueId leads to sql injection. This vulnerability was named CVE-2024-10376. The attack can be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #421906 / VDB-117657