Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Plans to migrate LAPD to Google's cloud apps dropped - Service is
incompatible with FBI's security requirements, city says - After
more than two years of trying, the City of Los Angeles has abandoned
plans to migrate its police department to Google's hosted email and
office application platform saying the service cannot meet certain
FBI security requirements.
- DARPA to start checking your email for threats - Troops’ emails
will be under surveillance as part of a new Defense Department
project to help detect potential “insider threats,” or potential
traitors or terrorists inside the military.
- Carrier IQ analysis finds no evidence of 'keylogger' - A Linux
kernel hacker who completed an in-depth analysis of Carrier IQ's
controversial software has determined that it's incapable of
recording keystrokes or perusing SMS messages and e-mail
- DHS program to monitor social media users draws lawsuit - Privacy
advocates are suing the Homeland Security Department to obtain
information on a program that monitors the social media interactions
of citizens following a federal vendor's private sector plans to
sabotage certain groups' online activities with similar technology.
- Lax security exposes voice mail to hacking, study says -
Thirty-one mobile carriers 'proven' to be open to surveillance and
customer ID theft. It may be tempting to view the illegal
interception of telephone voice mail, a practice that has caused
anger in Britain after a scandal involving the media empire of
Rupert Murdoch, as an arcane tool of scofflaw journalists with
friends in Scotland Yard.
- Indian court orders 22 websites to remove offensive content - The
Indian government had recently complained about objectionable
content on the Web - A court in Delhi on Saturday ordered 22
Internet companies, including Google and Facebook, to remove certain
"anti-religious" and "anti-social" content, the Press Trust of India
news agency reported.
- Email from The New York Times meant for 300, sent to 8M - An email
asking people to reconsider their cancellation of home delivery from
The New York Times accidentally was sent to some eight million
people on Wednesday, but was intended to reach only a few hundred.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Chinese hackers breached U.S. Chamber of Commerce - Attackers may
have accessed data undetected for a year, says Wall Street Journal -
Chinese hackers once broke into computers at the U.S. Chamber of
Commerce and had access to everything on the organization's systems,
including information on about 3 million of its members.
- Iran spy drone GPS hijack boasts: Rubbish, say experts - Cockup
far more likely than conspiracy, as usual - Doubts that Iran managed
to bring down an advanced US drone over the country last month using
an advanced GPS spoofing attack have been raised by experts, who say
that attacks of this type would be extremely tough to pull off.
- Web security questioned after data leak - The personal information
of more than 6 million Internet users on CSDN, or China Software
Developer Network, the country's largest programmers' website, was
leaked by hackers, raising concerns about web security and
triggering widespread panic.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement. Conversely, subsidiary web pages
that relate to loans do not require the official advertising
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
EXAMPLES OF ENCRYPTION USES
Asymmetric encryption is the basis of PKI, or public key
infrastructure. In theory, PKI allows two parties who do not know
each other to authenticate each other and maintain the
confidentiality, integrity, and accountability for their messages.
PKI rests on both communicating parties having a public and a
private key, and keeping their public keys registered with a third
party they both trust, called the certificate authority, or CA. The
use of and trust in the third party is a key element in the
authentication that takes place. For example, assume individual A
wants to communicate with individual B. A first hashes the message,
and encrypts the hash with A's private key. Then A obtains B's
public key from the CA, and encrypts the message and the hash with
B's public key. Obtaining B's public key from the trusted CA
provides A assurance that the public key really belongs to B and not
someone else. Using B's public key ensures that the message will
only be able to be read by B. When B receives the message, the
process is reversed. B decrypts the message and hash with B's
private key, obtains A's public key from the trusted CA, and
decrypts the hash again using A's public key. At that point, B has
the plain text of the message and the hash performed by A. To
determine whether the message was changed in transit, B must re -
perform the hashing of the message and compare the newly computed
hash to the one sent by A. If the new hash is the same as the one
sent by A, B knows that the message was not changed since the
original hash was created (integrity). Since B obtained A's public
key from the trusted CA and that key produced a matching hash, B is
assured that the message came from A and not someone else
Various communication protocols use both symmetric and asymmetric
encryption. Transaction layer security (TLS, the successor to SSL)
uses asymmetric encryption for authentication, and symmetric
encryption to protect the remainder of the communications session.
TLS can be used to secure electronic banking and other transmissions
between the institution and the customer. TLS may also be used to
secure e - mail, telnet, and FTP sessions. A wireless version of TLS
is called WTLS, for wireless transaction layer security.
Virtual Private Networks (VPNs) are used to provide employees,
contractors, and customers remote access over the Internet to
institution systems. VPN security is provided by authentication and
authorization for the connection and the user, as well as encryption
of the traffic between the institution and the user. While VPNs can
exist between client systems, and between servers, the typical
installation terminates the VPN connection at the institution
firewall. VPNs can use many different protocols for their
communications. Among the popular protocols are PPTP (point - to -
point tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use
different authentication methods, and different components on the
host systems. Implementations between vendors, and between products,
may differ. Currently, the problems with VPN implementations
generally involve interfacing a VPN with different aspects of the
host systems, and reliance on passwords for authentication.
IPSec is a complex aggregation of protocols that together provide
authentication and confidentiality services to individual IP
packets. It can be used to create a VPN over the Internet or other
untrusted network, or between any two computers on a trusted
network. Since IPSec has many configuration options, and can provide
authentication and encryption using different protocols,
implementations between vendors and products may differ. Secure
Shell is frequently used for remote server administration. SSH
establishes an encrypted tunnel between a SSH client and a server,
as well as authentication services.
Disk encryption is typically used to protect data in storage.
Return to the top of
INTERNET PRIVACY - Sharing
nonpublic personal information with nonaffiliated third parties
under Sections 13, and 14 and/or 15 but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual privacy
notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
consumer records where available, determine if the institution has
adequate procedures in place to provide notices to consumers, as
appropriate. Assess the following:
a. Timeliness of delivery (§4(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice §9(c)), and
accessibility of or ability to retain the notice (§9(e)).