REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Target, Neiman Marcus Differ on EMV - Executives Share Views on
Security at Senate Hearing - At a Feb. 4 Senate hearing, a senior
executive from Target Corp. endorsed a shift to chip cards, combined
with PINs, to enhance security, while a Neiman Marcus executive
questioned if that was a prudent move.
- Getting ahead of new threats - There are six security threats all
businesses should be aware of for 2014 - Cyber security stepped into
the limelight in 2013 with numerous global cyber attacks,
high-profile data breaches and the arrest of several prominent cyber
- Finger-Pointing at Breach Hearing - Retailers, Banks Debate Card
Security Issues - Several payment system experts testifying at a
Senate hearing Feb. 3 urged the adoption of chip card technology in
the wake of high-profile breaches at Target Corp. and Neiman Marcus.
- 75 Percent of Pentagon Contractors Adjusted Security After Snowden
Leaks - Leaks of national secrets by former federal contractor
Edward Snowden drove 75 percent of U.S. defense company executives
to adjust information security procedures, mostly by increasing
employee training and going on high alert for deviant behavior.
- We want it HARDER: City bankers survive simulated cyber-war -
Finance firms reckon Waking Shark II should have featured espionage
& malware threats - A Bank of England-sponsored exercise designed to
test how well financial firms handle a major cyber attack has
uncovered serious communication problems.
- Cryptolocker makes millions of dollars in four months - If hackers
aren't out to steal a few numbers off the back of a credit card,
then they've graduated onto holding an entire computer system
- National Cyber Defense competition comes to Iowa State - Since the
recent NSA leaks, cyber defense has been in the headlines of U.S.
news. Iowa State held the National Cyber Defense Competition. The
competition is designed to mimic real-world situations in which
students would have to act quickly to defend their network from
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Sochi hackers compromise reporter's laptops, smartphone - An
experiment set up by NBC News reporter Richard Engel demonstrated
this week how quickly Russian hackers can break into the laptops and
other mobile devices of those traveling to Sochi for the Winter
- Target vendor, Fazio Mechanical, confirms being victim of attack -
Target announced last week that hackers were able to compromise its
systems using credentials stolen from a third party vendor. On
Wednesday, technology journalist Brian Krebs identified the vendor
as Fazio Mechanical Services, a provider of refrigeration and HVAC
- At least 4,500 payment cards compromised by JackPOS malware in
U.S. and Canada - At least 4,500 payment cards have been compromised
in the United States and Canada by a new point-of-sale (POS)
malware, JackPOS, that is based on Alina, according to researchers
with cyber intelligence company IntelCrawler.
- Barclays data breach affects thousands - A major British bank is
investigating the possible theft and sale of customers' personal
data. At least 2,000 Barclays customers might be affected.
- Nielsen staffer accidentally sends mass email containing employee
data - An undisclosed number of Nielsen Audio employees are being
notified that their personal information – including Social Security
numbers – may be at risk after an employee with human resources
mistakenly sent out a mass email containing the data.
- Hackers break into networks of 3 big medical device makers -
Hackers have penetrated the computer networks of the country's top
medical device makers.
- Two skimming devices found on California hotel computers - South
San Francisco Embassy Suites hotel is notifying an undisclosed
number of guests that their payment card information may be at risk
after skimming devices were discovered on two computers in 2013.
- Laptop stolen from California charity employee, thousands impacted
- More than 3,000 clients and potential clients of Easter Seal
Society of Superior California, a nonprofit charity group serving
adults and children with special needs, may have had personal
information compromised after an employee's vehicle was broken into
and a work-issued laptop was stolen.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and
hubs. The unique IP address is commonly used in routing. Since users
typically use text names instead of IP addresses for their
addressing, the user's software must obtain the numeric IP address
before sending the message. The IP addresses are obtained from the
Domain Naming System (DNS), a distributed database of text names
(e.g., anybank.com) and their associated IP addresses. For example,
financial institution customers might enter the URL of the Web site
in their Web browser. The user's browser queries the domain name
server for the IP associated with anybank.com. Once the IP is
obtained, the message is sent. Although the example depicts an
external address, DNS can also function on internal addresses.
A router directs where data packets will go based on a table that
links the destination IP address with the IP address of the next
machine that should receive the packet. Packets are forwarded from
router to router in that manner until they arrive at their
destination. Since the router reads the packet header and uses a
table for routing, logic can be included that provides an initial
means of access control by filtering the IP address and port
information contained in the message header. Simply put, the router
can refuse to forward, or forward to a quarantine or other
restricted area, any packets that contain IP addresses or ports that
the institution deems undesirable. Security policies should define
the filtering required by the router, including the type of access
permitted between sensitive source and destination IP addresses.
Network administrators implement these policies by configuring an
access configuration table, which creates a filtering router or a
A switch directs the path a message will take within the network.
Switching works faster than IP routing because the switch only looks
at the network address for each message and directs the message to
the appropriate computer. Unlike routers, switches do not support
packet filtering. Switches, however, are designed to send messages
only to the device for which they were intended. The security
benefits from that design can be defeated and traffic through a
switch can be sniffed.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
36. Does the institution use a reasonable means for delivering
the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer;
c. for the consumer who conducts transactions electronically,
clearly and conspicuously posting the notice on the institution's
electronic site and requiring the consumer to acknowledge receipt as
a necessary step to obtaining a financial product or service;
d. for isolated transactions, such as ATM transactions, posting the
notice on the screen and requiring the consumer to acknowledge
receipt as a necessary step to obtaining the financial product or
(Note: insufficient or unreasonable means of delivery include:
exclusively oral notice, in person or by telephone; branch or office
signs or generally published advertisements; and electronic mail to
a customer who does not obtain products or services electronically.
[§9 (b)(2)(i) and (ii), and (d)])