REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
- Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit
Card Data - The hackers who raided the credit-card payment system of
Neiman Marcus Group set off alerts on the company’s security systems
about 60,000 times as they slunk through the network, according to
an internal company investigation.
- Critical Infrastructure Security Incidents Go Unnoticed - Many
security incidents that affect components of the nation's critical
infrastructure go unnoticed due to a lack of sufficient detection or
logging capabilities, according to a new report from the Industrial
Control Systems Cyber Emergency Response Team.
- HSBC Requires Dual Authentication - Bank Mandates Use for
High-Risk Online Transactions - In a groundbreaking effort to boost
security, HSBC Bank USA is now requiring its retail banking
customers to use dual-factor authentication for certain sensitive
online banking transactions.
- NIST Unveils Crypto Standards Proposal - Feedback Sought on
Development Process - Because of concerns of possible National
Security Agency meddling with its cryptographic standards, the
National Institute of Standards and Technology has issued a draft
report proposing revisions in how it develops cryptographic
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cyberattack victim gaming website offers $13,000 to bring hackers
to justice - Online gaming website Wurm, a recent victim of a
cyberattack, has offered a bounty not for the discovery of bugs --
but of hackers.
- Data breach at University of Maryland exposes 300K records -
School president apologizes for a "sophisticated" security breach
that exposed the sensitive personal information of faculty, staff,
and students at the school going back to 1998. The sensitive
personal information of more than 300,000 faculty, staff, and
students at the University of Maryland was stolen in a
"sophisticated" cyberattack on the school's recently bolstered
security defenses.
- The Target Data Hack Cost Banks More Than $200 Million - The
gargantuan theft of data from credit and debit cards used at Target
stores during last year's holiday shopping season is now believed to
have cost financial institutions more than $200 million.
- Roughly 1,100 Indianapolis patients impacted following laptop
theft - More than a thousand patients of St. Vincent Indianapolis
hospital are being notified that their personal information may have
been compromised after a password-protected laptop containing the
data was stolen.
- EC-Council website defaced by hacker - A hacker has defaced the
website of the EC-Council, a member-supported organization that
offers training for the Certified Ethical Hacker (CEH) program.
- IRS exposing Social Security numbers online - This tax season you
may have more to worry about than how much you owe. A new study from
Identity Finder finds the IRS is not properly protecting Social
Security numbers in some tax returns.
- Neiman Marcus Downsizes Breach Estimate - Investigation Finds Far
Fewer Payment Cards Compromised - Neiman Marcus has revised downward
its estimate of the number of payment cards compromised in its
breach last year.
- Harvard student thrown off 14,000-core super ... for mining
Dogecoin - Wow. Very misuse. Much banned. 'For fairly obvious
reasons' - A Harvard University student is in hot water for using
the Ivy League school's 14,000-core supercomputer to mine Dogecoins.
- Source code for data-stealing Android app leaks - Mobile malware,
which often disguises itself as an Android "security app," may
threaten a greater number of users now that its source code has
WEB SITE COMPLIANCE -
Over the next few weeks we will cover the FDIC's paper "Risk
Assessment Tools and Practices for Information System Security,"
dated July 7, 1999. This is our first selection for your reading.
Whether financial institutions contract with third-party providers
for computer services such as Internet banking, or maintain computer
services in-house, bank management is responsible for ensuring that
systems and data are protected against risks associated with
emerging technologies and computer networks. If a bank is relying on
a third-party provider, management must generally understand the
provider's information security program to effectively evaluate the
security system's ability to protect bank and customer data.
The FDIC has previously issued guidance on information security
concerns such as data privacy and confidentiality, data integrity,
authentication, non-repudiation, and access control/system design.
This paper is designed to supplement Financial Institution Letter
131-97, "Security Risks Associated With the Internet," dated
December 18, 1997, and to complement the FDIC's safety and soundness
electronic banking examination procedures. Related guidance can be
found in the FFIEC Information Systems Examination Handbook.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
A firewall is a collection of components (computers, routers, and
software) that mediate access between different security domains.
All traffic between the security domains must pass through the
firewall, regardless of the direction of the flow. Since the
firewall serves as a choke point for traffic between security
domains, it is ideally situated to inspect and block traffic and to
coordinate its activity with network intrusion detection systems
(IDS).
Financial institutions have four primary firewall types from which
to choose: packet filtering, stateful inspection, proxy servers, and
application-level firewalls. Any product may have characteristics of
one or more firewall types. The selection of firewall type depends
on many characteristics of the security zone, such as the amount of
traffic, the sensitivity of the systems and data, and the
applications involved. Over the next few weeks we will discuss the
different types of firewalls.
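The following is an added illustration of the choke-point idea and of the difference between the first two firewall types named above (packet filtering versus stateful inspection); it is not code from the FFIEC booklet or this newsletter. The addresses, the "LAN hosts may browse the web, the Internet may reach only the public web server" policy, and the three sample packets are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = bank LAN -> Internet, "in" = Internet -> bank LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

# Assumed policy: LAN hosts may browse the web; the Internet may reach only
# the (assumed) public web server on port 443.  Every packet crosses the
# firewall, so both filters below see all three constructed packets.
WEB_PORTS = {80, 443}
PUBLIC_WEB_SERVER = "10.0.0.80"   # constructed address of the public web server

def stateless_allows(pkt: Packet) -> bool:
    """Packet filter: each packet is judged alone, from header fields only."""
    if pkt.direction == "out" and pkt.dport in WEB_PORTS:
        return True
    if pkt.direction == "in" and pkt.dst == PUBLIC_WEB_SERVER and pkt.dport == 443:
        return True
    # To admit replies to outbound web sessions a stateless filter can only
    # trust header bits; it cannot know whether a matching session exists.
    return pkt.direction == "in" and pkt.ack and pkt.sport in WEB_PORTS

class StatefulFirewall:
    """Stateful inspection: remembers sessions opened from inside and admits
    inbound packets only for a tracked session or the published service."""
    def __init__(self):
        self.sessions = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.dport not in WEB_PORTS:
                return False
            if pkt.syn and not pkt.ack:   # LAN host opens a new session
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dst == PUBLIC_WEB_SERVER and pkt.dport == 443:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def run_demo():
    """Verdicts (stateless list, stateful list) for three constructed packets."""
    traffic = [
        Packet("out", "10.0.0.5", 51000, "203.0.113.10", 443, syn=True),
        Packet("in", "203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),
        Packet("in", "198.51.100.7", 443, "10.0.0.5", 3389, ack=True),  # no session
    ]
    fw = StatefulFirewall()
    return [stateless_allows(p) for p in traffic], [fw.allows(p) for p in traffic]
```

The third packet is an inbound ACK that belongs to no session: the packet filter admits it because its header matches the "reply traffic" rule, while the stateful firewall rejects it because no LAN host ever opened that session.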
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
38. For customers only, does the institution ensure that the
initial, annual, and revised notices may be retained or obtained
later by the customer in writing, or if the customer agrees,