Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Hacking now responsible for most of exposed records - Until last
year, lost and stolen laptops were to blame for the largest
percentage of breach types. Now, hacking has claimed the top spot.
- Air Force Special Operations cancels iPad buy - The Air Force
Special Operations Command canceled its planned acquisition of Apple
iPad tablet computers last week, two days after receiving a query
from Nextgov about the inclusion of Russian-developed security and
documents reader software specified in procurement documents.
- Voluntary guidelines for Web privacy backed by Obama
administration - The Obama administration on Thursday announced
voluntary guidelines for Web companies to protect consumers’ privacy
online, a win for Google, Facebook and other Internet giants that
have fought against heavier federal mandates.
- First IPv6 Distributed Denial of Service Internet attacks seen -
You know IPv6 must finally be making it: The first IPv6 Distributed
Denial of Service Internet attacks have been spotted in the wild.
The clock is running out on IPv4 on the Internet, but even so the
next generation of Internet traffic protocols, IPv6, is being
adopted very slowly.
- Forcing Defendant to Decrypt Hard Drive Is Unconstitutional,
Appeals Court Rules - Forcing a criminal suspect to decrypt hard
drives so their contents can be used by prosecutors is a breach of
the Fifth Amendment right against compelled self-incrimination, a
federal appeals court ruled Thursday.
- DHS pinpoints government computers set to lose Internet access -
The Obama administration employed a new governmentwide network
surveillance tool and private sector assistance to search for
corrupted agency computers that are at risk of going offline in less
than two weeks, Homeland Security Department officials said.
- FBI turns off 3,000 GPS trackers after Supreme Court ruling -
Andrew Weissmann, general counsel for the FBI, has announced that
his agency is switching off thousands of Global Positioning
System-based tracking devices used for surveillance after a Supreme
Court decision last month.
- Deception and the art of cyber security - “Warfare is the way of
deception,” said Sun Tzu, the ancient Chinese military strategist.
Cyber attackers have long embraced deception by deploying tactics,
such as social engineering help-desk employees to install trojans or
obtain users' credentials.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 'Iran Cyber Army' hits Azerbaijan state TV site - Hackers calling
themselves the 'Iranian Cyber Army' have attacked the website of
mainly Muslim neighbour Azerbaijan's state television station, the
communications ministry said on Thursday.
- News of the World hacker named after court block lifted - A man
accused of hacking into the computers of a former British Army
intelligence officer on behalf of a News of the World editor has
been named who is also a former British Army intelligence officer.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant and
rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users
and be able to maintain such availability in all circumstances.
Effective incident response mechanisms are also critical to minimize
operational, legal and reputational risks arising from unexpected
events, including internal and external attacks, that may affect the
provision of e-banking systems and services. To meet customers'
expectations, banks should therefore have effective capacity,
business continuity and contingency planning. Banks should also
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
! Obtain the patch from a known, trusted source;
! Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
! Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
! Back up production systems prior to applying the patch;
! Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
! Test the resulting system for known vulnerabilities;
! Update the master configurations used to build new systems;
! Create and document an audit trail of all changes; and
! Seek additional expertise as necessary to maintain a secure
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is
permitted, does the institution provide notice after establishing a
customer relationship within a reasonable time? [§4(e)]