R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 3, 2013

CONTENTS
Internet Compliance - Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to verify Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit takes a hacker's perspective, which helps you identify real-world weaknesses.  For more information, call R. Kinney Williams today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - HTC settles with FTC over software security vulnerabilities - Mobile handset maker HTC has agreed to settle a complaint filed against it by the Federal Trade Commission accusing the company of failing to take "reasonable steps" to patch a security flaw in software running on its smartphones. http://news.cnet.com/8301-1009_3-57570778-83/htc-settles-with-ftc-over-software-security-vulnerabilities/?tag=nl.e757&s_cid=e757&ttag=e757

FYI - Malware once used exclusively for bank fraud is finding a new mission - Attackers who once relied on malware exclusively to initiate financial fraud are finding that it also can be used to pillage intellectual property, researchers have found. http://www.scmagazine.com/malware-once-used-exclusively-for-bank-fraud-is-finding-a-new-mission/article/281425/?DCMP=EMC-SCUS_Newswire

FYI - China blames U.S. for most cyberattacks against military Web sites - China's Defense Ministry claims that almost two-thirds of the cyberattacks against its military sites have come from the United States. http://news.cnet.com/8301-1009_3-57571811-83/china-blames-u.s-for-most-cyberattacks-against-military-web-sites/?tag=nl.e757&s_cid=e757&ttag=e757

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Add Microsoft to list of hacked companies - Undisclosed number of computers are found with malware, but the company says no customer data has been compromised. http://news.cnet.com/8301-1009_3-57570861-83/add-microsoft-to-list-of-hacked-companies/?tag=nl.e757&s_cid=e757&ttag=e757

FYI - DDoS Attack on Bank Hid $900,000 Cyberheist - A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000. http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/

FYI - Many companies likely affected by iOS developer forum compromise - The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed Wednesday that it had been compromised by hackers who used it to launch attacks against its users. http://www.computerworld.com/s/article/9236996/Many_companies_likely_affected_by_iOS_developer_forum_compromise?taxonomyId=17

FYI - Microsoft joins list of recently hacked companies - Microsoft has disclosed that it recently fell victim to the same type of cyberattack that targeted Apple and Facebook. http://www.computerworld.com/s/article/9237074/Microsoft_joins_list_of_recently_hacked_companies?taxonomyId=17

FYI - NBC.com hacked to serve up banking malware - Websites affiliated with U.S. broadcaster NBC were hacked for several hours on Thursday, serving up malicious software intended to steal bank account details. NBC said it was working to clear up the issues, which also affected some of its other websites. http://www.computerworld.com/s/article/9237044/NBC.com_hacked_to_serve_up_banking_malware?taxonomyId=17

FYI - Server hack prompts call for cPanel customers to take "immediate action" - The makers of the cPanel website management application are warning some users to immediately change their systems' root or administrative passwords and rotate SSH keys after discovering that one of the company's servers was hacked. http://arstechnica.com/security/2013/02/server-hack-prompts-call-for-cpanel-customers-to-take-immediate-action/

FYI - Overseas hackers nab more than 1TB of data daily - A new report shows that the recent wave of cyberattacks on the U.S. are coming from a highly sophisticated group of hackers that are most likely state-sponsored. http://news.cnet.com/8301-1009_3-57571724-83/overseas-hackers-nab-more-than-1tb-of-data-daily/?tag=nl.e757&s_cid=e757&ttag=e757


WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 2 of 4)

Risk Assessment

The board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place. As part of this responsibility, the board and management should assess how the outsourcing arrangement will support the institution’s objectives and strategic plans and how the service provider’s relationship will be managed. Without an effective risk assessment phase, outsourcing technology services may be inconsistent with the institution’s strategic plans, too costly, or introduce unforeseen risks.

Outsourcing of information and transaction processing and settlement activities involves risks that are similar to the risks that arise when these functions are performed internally. Risks include threats to security, availability and integrity of systems and resources, confidentiality of information, and regulatory compliance. In addition, the nature of the service provided, such as bill payment, funds transfer, or emerging electronic services, may result in entities performing transactions on behalf of the institution, such as collection or disbursement of funds, that can increase the levels of credit, liquidity, transaction, and reputation risks.

Management should consider additional risk management controls when services involve the use of the Internet. The broad geographic reach, ease of access, and anonymity of the Internet require close attention to maintaining secure systems, intrusion detection and reporting systems, and customer authentication, verification, and authorization. Institutions should also understand that the potential risks introduced are a function of a system’s structure, design and controls and not necessarily the volume of activity.

An outsourcing risk assessment should consider the following:

• Strategic goals, objectives, and business needs of the financial institution.
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial institution.
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service provider.
• Contingency plans, including availability of alternative service providers, and the costs and resources required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance.
• Regulatory requirements and guidance for the business lines affected and technologies used.

 
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls (Part 2 of 2)


Tokens


Token technology relies on a separate physical device, retained by an individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software on the host computer, for example through an internal clock or an identical time-based mathematical algorithm, so that the host can compute the same value the token displays and compare the two. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token, so that a lost or stolen token alone does not grant access.
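As an added example, not part of the FDIC text or of this newsletter: the clock-based synchronization described above, written out in Python as a time-based one-time password. The algorithm is the HOTP/TOTP scheme of RFC 4226 and RFC 6238 (an assumption about the token type; the FDIC text names no particular algorithm), the shared secret is the RFCs' published test-vector key so the outputs can be checked, and the function and class names are mine. The token side (`totp`) and the host side (`TotpVerifier`) hold the same secret and derive the same counter from the clock; the host additionally tolerates one step of drift, compares in constant time, and refuses to accept a time window that has already been used.

```python
import hmac
import hashlib
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real token holds a random per-device secret; this one is used so the outputs
# below can be checked against the published vectors (constructed test data).
TEST_SECRET = b"12345678901234567890"

TIME_STEP = 30   # seconds per counter value (the RFC 6238 default)
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238), the token side: the counter is the number of whole time steps since
    the epoch, so a token and a host with the same secret and roughly the same clock agree."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """The host side: checks a submitted code, tolerates a little clock drift, and
    refuses to accept the same time window twice (replay)."""

    def __init__(self, secret: bytes, skew_steps: int = 1, step: int = TIME_STEP):
        self.secret = secret
        self.skew_steps = skew_steps          # how many windows either side of "now" to accept
        self.step = step
        self.last_accepted_counter = -1       # highest window already consumed by this token

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        candidates = range(now_counter - self.skew_steps, now_counter + self.skew_steps + 1)
        for counter in candidates:
            if counter <= self.last_accepted_counter:
                continue                      # window already used: a replayed code
            expected = hotp(self.secret, counter)
            # constant-time comparison so response time does not leak how many digits matched
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)             # what the token would display right now
    host = TotpVerifier(TEST_SECRET)
    print("token shows", code, "-> host accepts:", host.verify(code, now))
    print("same code again      -> host accepts:", host.verify(code, now))   # replay: False
```

The PIN the text mentions is checked separately by the host before or alongside the code; it is not part of the HMAC, which is why the token alone, without the PIN, is not sufficient. The skew window is the practical trade-off: widening it absorbs more clock drift but also lengthens the time a captured code stays valid, which is why the replay check is needed even with a narrow window.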


Smart Cards


Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, operating system, and both read only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.

Biometrics 

Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly, and offers an alternative means to authenticate a user.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 3 of 6)

Requirements for Notices

Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulations do not prescribe specific methods for making a notice clear and conspicuous, but do provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution's privacy practices.

Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand-deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer's last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution's web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice (as well as the annual notice and any revised notice) so that a customer may be able to retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution's web site, the institution may provide the current version of its privacy notice on its web site.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated