REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- NIST Releases Cybersecurity Framework - Voluntary Guide for
Critical Infrastructure Sectors - The National Institute of
Standards and Technology has unveiled its long-awaited cybersecurity
framework, which provides best practices for voluntary use in all
critical infrastructure sectors, including, for example, government,
healthcare, financial services and transportation.
Study finds attack detection takes too long - Critical shortcomings
in the current approach to cyber security and incident response are
putting companies at risk, with 86 percent of respondents to a study
saying that it takes too long to detect a cyber attack.
- OIG to Review Medical Device Security - The HHS Office of
Inspector General plans to scrutinize a number of security-related
activities in the healthcare sector in fiscal 2014, including
reviewing whether hospitals' security controls over networked
medical devices are sufficient to effectively protect patients'
- South Korean credit card firms suspended over data breach - South
Korea's financial watchdog has suspended the activity of three
credit-card issuers after the firms failed to prevent a high-profile
breach resulting in the theft of data of as many as 104 million
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Federal law enforcement investigating hack of Sands casino websites
- Law enforcement are investigating the hack of several websites
operated by the Las Vegas Sands casino.
Missing thumb drive puts 3,500 Texas cancer center patients at risk
- More than 3,500 patients of The University of Texas MD Anderson
Cancer Center may have had personal information compromised after a
researcher's unencrypted USB thumb drive went missing.
Worst DDoS attack of all time hits French site - Summary: A website
in France was hammered on Monday by a Distributed Denial of Service
attack that hit it at a rate from 325Gbps to 400Gbps making it the
strongest DDoS attack ever.
DON'T PANIC! No credit card details lost after hackers crack world's
largest casino group - IT administrators at the Las Vegas Sands
casino are having a tough time restoring their systems after hackers
successfully got inside the corporation's firewall, but it appears
that the most valuable sections of the network are safe, according
to the Nevada Gaming Control Board.
- New, sophisticated ATM heist used a malware-laden USB stick to
hijack the machine -- one arrest is made - In what could be a sign
of what's ahead in ATM fraud, a highly sophisticated and well-funded
criminal gang targeted an overseas bank and commandeered at least
four of its ATM machines with malware-rigged USB sticks in order to
empty them of cash.
- Kickstarter hacked, user data stolen - The crowd-funding site says
hackers broke into its systems and made off with data. Apparently
credit card numbers escaped the attack. Hackers hit crowd-funding
site Kickstarter and made off with user information, the site said
- The Syrian Electronic Army Hacked Forbes and Dumped 1 Million
Credentials - In a brief statement, Forbes said it had been
compromised; that email addresses had been exposed (so beware of
phishing attempts); and that passwords had been stolen ('encrypted',
but change them anyway); and that law enforcement had been informed.
It doesn't name the attackers, but there is more to this news.
- THOUSANDS of Tesco.com logins and passwords leaked online -
Customers locked out of accounts, some discount vouchers AWOL -
Thousands of Tesco customers have had their emails and passwords
posted online after hackers got their hands on the login details.
- Credentials for thousands of FTP sites compromised, NYTimes among
impacted - Hackers were able to access the credentials for more than
7,000 file transfer protocol (FTP) sites and, in some instances,
uploaded malware to FTP servers with their newfound access.
- Hackers access Bank of the West job applicant data - An
undisclosed number of individuals who applied online for a position
with San Francisco-based Bank of the West may have had personal
information – including Social Security numbers – compromised after
an unauthorized party gained access to a job application system that
contained the data. Hackers access Bank of the West job applicant
- Syrian Electronic Army takes over FC Barcelona Twitter account -
Futbol Club (FC) Barcelona is the latest high-profile entity to have
its Twitter account hijacked by the Syrian Electronic Army (SEA).
- Hackers breach Texas college server, thousands compromised - Texas
State Technical College (TSTC) Waco is notifying almost 3,000 former
students and fewer than 2,000 employees that personal information
may have been compromised after an unauthorized party remotely
gained access to a server that contained the data.
- Three nursing homes' security info discovered online - Security
researchers discovered new documents online that put multiple
nursing homes' electronic medical records and payment information at
risk. The information details the type of equipment the homes use,
as well as the passwords to network firewalls and the locations of
computers and printers within the facilities.
- University of Maryland breach impacts more than 300,000 - More
than 300,000 current and former University of Maryland students,
faculty and staff had personal information compromised on Tuesday
morning. No financial, academic, health or contact information was
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies the
written exception hold notice requirement, and the commentary to the
regulations states that a financial institution satisfies the
general disclosure requirement by sending an electronic version that
displays the text and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC card for the corporate
network or a subnet. Firewalls, proxy servers, and gateway servers
are typically dual-homed with two NIC cards that allow them to
communicate securely both internally and externally while limiting
access to the internal network.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
37. For annual notices only, if the institution does not employ one
of the methods described in question 36, does the institution employ
one of the following reasonable means of delivering the notice such
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer