REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
- This week I am attending the ICBA National Convention and
Techworld in Las Vegas. If you are attending, I look
forward to seeing you there.
- Investors Value A Company's Cybersecurity Record - Turns out most
U.S. investors are wary of investing in companies that have a
history of getting hacked, and they are twice as concerned about
those whose customer data was stolen than those whose intellectual
property was pilfered.
- Cyberattack leaves natural gas pipelines vulnerable to sabotage -
A government report says a cyberattack against 23 natural gas
pipeline operators stole crucial information that could compromise
security. Experts strongly suspect China's military.
- Jailed hacker allowed into IT class, hacks prison computers - He
is serving five years for creating a hacker's forum site, and was somehow
invited into an IT class in jail. The consequences are difficult.
They're arguing now about who let it happen, but happen it did, with
- Tech groups question new do-not-track bill - The new legislation
would require all online companies to honor do-not-track requests -
New legislation in the U.S. Senate that would allow Internet users
to tell companies to stop tracking them is unnecessary and could
slow e-commerce growth, some tech groups said.
- Judge throws out lawsuit over LinkedIn password breach - A U.S.
District Court judge has dismissed a class-action lawsuit brought
against LinkedIn as a result of a 2012 password breach.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Australian Broadcasting Corporation confirms hack - A hacker has
claimed to have dumped information from an ABC subdomain in
retaliation for the media outlet providing an anti-Islamic MP with
air time on its Lateline show.
- 185,000 spyware emails were sent to Aaron's computers - Spyware
installed on computers leased from furniture renter Aaron's Inc.
secretly sent 185,000 emails containing sensitive information back
to the company's corporate computers, according to court documents
filed Wednesday in a class-action lawsuit.
- Bank of America says hackers lifted its data from a partner - Bank
of America blames a data breach on another company that revealed
internal emails related to monitoring of hacktivist groups including
- CloudFlare security service goes down after router failure - The
hour-long outage occurred when the Web security service detected a
DDoS attack against one of its customers and tried to defend against
it. Web security service CloudFlare was offline for about an hour
this morning due to a systemwide failure of its edge routers.
- Evernote hit in hacking attack, users must reset their passwords -
The company believes the attack was a coordinated attempt to
compromise its systems - Evernote, which makes business and consumer
productivity software for things like taking notes and doing
research, is forcing all of its 50 million users to change their
passwords after detecting a hacker intrusion on its system.
- Bank Muscat hit by $39m ATM cash-out heist - Cybercrooks have
pulled off a $39m ATM heist against a bank in Oman using pre-paid
travel cards. 12 Bank Muscat prepaid Travel Cards were compromised
on February 20, 2013.
- Attackers use stolen certificate to sign malicious Java applet -
Users are being duped into running a malicious Java applet that was
signed with a stolen digital certificate and designed to look like a
- Sensitive data found in dumpster reveals SSNs and health info - A
large number of medical documents and files containing private
information were found in a dumpster outside of an office complex in
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services (Part 3 of 4)
Due Diligence in Selecting a Service Provider
Once the institution has completed the risk assessment, management
should evaluate service providers to determine their ability, both
operationally and financially, to meet the institution's needs.
Management should convey the institution's needs, objectives, and
necessary controls to the potential service provider. Management
also should discuss provisions that the contract should contain. The
appendix to this statement contains some specific factors for
management to consider in selecting a service provider.
Contracts between the institution and service provider should take
into account business requirements and key risk factors identified
during the risk assessment and due diligence phases. Contracts
should be clearly written and sufficiently detailed to provide
assurances for performance, reliability, security, confidentiality,
and reporting. Management should consider whether the contract is
flexible enough to allow for changes in technology and the financial
institution's operations. Appropriate legal counsel should review
contracts prior to signing.
Institutions may encounter situations where service providers cannot
or will not agree to terms that the institution requests to manage
the risk effectively. Under these circumstances, institutions should
either not contract with that provider or supplement the service
provider's commitments with additional risk mitigation controls. The
appendix to this statement contains some specific considerations for
management in contracting with a service provider.
INFORMATION TECHNOLOGY SECURITY -
This concludes the
series from the FDIC "Security Risks Associated with the Internet."
Starting next week, we will begin covering the OCC Bulletin
about Infrastructure Threats and Intrusion Risks.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e‑mail, Internet newsgroups (Usenet), and their
Web site at www.cert.org. Many
other resources are freely available on the Internet.
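The guidance above boils down to two checks per installed product: is it at or past the vendor's fixed version, and if not, does a fix exist yet or must an interim control be applied until it does. The following added example (not from the FDIC text or any vendor) runs that triage over a constructed inventory and constructed advisory entries; product names and version numbers are made up for illustration.

```python
"""Patch-status triage for a software inventory.

For each product the script reports one of three states: 'current' (at or
above the fixed version), 'patch' (vulnerable and a fix is available), or
'mitigate' (vulnerable but no fix shipped yet, so an interim control is
needed). All advisories and inventory entries below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_version(version: str) -> tuple:
    """Turn '1.7.0_15' into (1, 7, 0, 15) so versions compare numerically.

    A plain string comparison would rank '2.4.9' above '2.4.10'; this avoids that.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass
class Advisory:
    product: str
    fixed_version: Optional[str]  # None: vendor has not released a fix yet
    mitigation: str               # interim control to use while waiting


def triage(installed: Dict[str, str], advisories: List[Advisory]) -> Dict[str, str]:
    """Map each installed product named in an advisory to its patch status."""
    status = {}
    for adv in advisories:
        if adv.product not in installed:
            continue  # advisory does not apply to anything we run
        if adv.fixed_version is None:
            # No patch exists: every installed version is exposed, so the
            # mitigating control is the only option until the vendor ships one.
            status[adv.product] = "mitigate: " + adv.mitigation
        elif parse_version(installed[adv.product]) >= parse_version(adv.fixed_version):
            status[adv.product] = "current"
        else:
            status[adv.product] = "patch"
    return status


# Constructed sample data (hypothetical products and versions).
INVENTORY = {"webserver": "2.4.3", "browser": "9.0.1", "java-runtime": "1.7.0_15"}
ADVISORIES = [
    Advisory("webserver", "2.4.10", "restrict the affected module to trusted networks"),
    Advisory("browser", None, "disable active content in the browser settings"),
    Advisory("java-runtime", "1.7.0_13", "disable the browser plug-in"),
]

if __name__ == "__main__":
    for product, state in sorted(triage(INVENTORY, ADVISORIES).items()):
        print(f"{product:14} {state}")
```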
Active Content Languages
Active content languages have been the subject of a number of recent
security discussions within the technology industry. While it is not
their only application, these languages allow computer programs to
be attached to Web pages. As such, more appealing and interactive
Web pages can be created, but this function may also allow
unauthorized programs to be automatically downloaded to a user's
computer. To date, few incidents have been reported of harm caused
by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a virus.
Security problems may result from an implementation standpoint, such
as how the languages and developed programs interact with other
software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
INTERNET PRIVACY - We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
Financial Institution Duties (Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial notice
together with an opt out notice stating that the institution's
privacy notice is available upon request and explaining a reasonable
means for the consumer to obtain it. The following is a list of
disclosures regarding nonpublic personal information that
institutions must provide in their privacy notices, as applicable:
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to whom
the institution may disclose information;
4) policies with respect to the treatment of former customers'
5) information disclosed to service providers and joint marketers
6) an explanation of the opt out right and methods for opting out;
7) any opt out notices the institution must provide under the Fair
Credit Reporting Act with respect to affiliate information sharing;
8) policies for protecting the security and confidentiality of
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and