REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- C.I.A. Employees Face New Inquiry Amid Clashes on Detention
Program - The Central Intelligence Agency’s attempt to keep secret
the details of a defunct detention and interrogation program has
escalated a battle between the agency and members of Congress and
led to an investigation by the C.I.A.’s internal watchdog into the
conduct of agency employees.
- Two factor authentication for online banking - Eight or nine years
ago, I was asking about banks that support two factor
authentication. At that time I found eTrade bank and Charles Schwab
and not much more.
- Russia and Ukraine in cyber 'stand-off' - As diplomatic efforts
are stepped up to ease tensions in Ukraine, security experts have
warned that Kiev and Moscow are locked in a cyber stand-off.
- Duo arrested two hours after planting card skimmer - Two Romanian
nationals planted a card skimmer at a bank ATM in Brooklyn, New York
and were arrested two hours later.
- NIST Guide Aims to Ease Access Control - New Special Publication
Explains Attribute-Based Approach - Advice on how to encourage
information sharing while preserving control over access to data is
provided in a new special publication from the National Institute of
Standards and Technology.
- Australian telcom fined less than $10k for privacy violations - An
Australian telecommunications and media company was fined $9,161.18
(AU$10,200) for violating privacy laws as a result of a data breach
affecting 15,775 of its customers.
- Health care orgs see modest decline in incidence, cost of data
breaches - An annual study revealed that data breaches at health
care organizations are, on average, less costly and occurring less
frequently than in the previous year.
- Atlanta chain banned from using software to spy via rental
computers - An Atlanta-based retailer has officially settled Federal
Trade Commission (FTC) charges related to monitoring software
installed in rental computers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Thieves Jam Up Smucker’s, Card Processor - Jam and jelly maker
Smucker’s last week shuttered its online store, notifying visitors
that the site was being retooled because of a security breach that
jeopardized customers’ credit card data.
- Computers stolen, health data compromised for 168K in L.A. -
Sutherland Healthcare Solutions (SHS), a billing and collections
services provider for Los Angeles County, is notifying more than
168,000 clients of the Los Angeles County Department of Health
Services that their personal information may be at risk after SHS
offices were broken into and computers containing personal
information were stolen.
- Johns Hopkins University web server breached; up to 1,300 affected
- As many as 1,300 current and former Johns Hopkins University
biomedical engineering students' personal information was posted
online by an attacker claiming to be affiliated with hacktivist
- Experian co. gave ID theft service access to 200 million records -
Court records in a major identify theft case have revealed the
extent of a mishap impacting major credit bureau Experian.
- Iowa DHS data breach dates back 2008, more than 2,000 impacted -
Information on more than 2,000 individuals – including Social
Security numbers – leaked outside a secure network because, since
2008, two employees with the Iowa Department of Human Services (DHS)
used personal online accounts and storage devices to maintain the
data, which goes against department policy.
- Justin Bieber's Twitter account hacked - An unknown attacker
gained access to Justin Bieber's Twitter account this past weekend
and remained in control for about 15 minutes.
- More than 162,000 WordPress sites used in DDoS attack - Under the
right conditions, any WordPress site can be used to launch a
denial-of-service (DoS) attack.
- Attacker exploits flaw, nabs info on 50,000 Statista customers -
Online statistics portal Statista discovered a vulnerability in its
administrative system that allowed an attacker to steal personal
information on an estimated 50,000 customers.
- Nearly 5,000 impacted after Ohio manufacturer stores info on
insecure server - Ohio-based manufacturer The Timken Company stored
the personal information - including Social Security numbers - of
nearly 5,000 current and former associates, as well as past
applicants, on an insecure server, during which time one
unauthorized party accessed the file containing the data.
- Unencrypted desktops stolen from Calif. medical center, 10k
impacted - Nearly 10,000 patients of University of California San
Francisco (UCSF) Family Medicine Center at Lakeshore may have
personal information at risk after unencrypted desktop computers
containing their data were stolen.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
continue our review of the FDIC paper "Risk Assessment Tools and
Practices or Information System Security."
INFORMATION SECURITY PROGRAM
institution's board of directors and senior management should be
aware of information security issues and be involved in developing
an appropriate information security program. A comprehensive
information security policy should outline a proactive and ongoing
program incorporating three components:
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
Detection measures involve analyzing available information to
determine if an information system has been compromised, misused, or
accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Stateful Inspection Firewalls
Stateful inspection firewalls are packet filters that monitor the
state of the TCP connection. Each TCP session starts with an
initial handshake communicated through TCP flags in the header
information. When a connection is established the firewall adds the
connection information to a table. The firewall can then compare
future packets to the connection or state table. This essentially
verifies that inbound traffic is in response to requests initiated
from inside the firewall.
Proxy Server Firewalls
Proxy servers act as an intermediary between internal and external
IP addresses and block direct access to the internal network.
Essentially, they rewrite packet headers to substitute the IP of the
proxy server for the IP of the internal machine and forward packets
to and from the internal and external machines. Due to that limited
capability, proxy servers are commonly employed behind other
firewall devices. The primary firewall receives all traffic,
determines which application is being targeted, and hands off the
traffic to the appropriate proxy server. Common proxy servers are
the domain name server (DNS), Web server (HTTP), and mail (SMTP)
server. Proxy servers frequently cache requests and responses,
providing potential performance benefits. Additionally, proxy
servers provide another layer of access control by segregating the
flow of Internet traffic to support additional authentication and
logging capability, as well as content filtering. Web and e-mail
proxy servers, for example, are capable of filtering for potential
malicious code and application-specific commands.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
40. Does the institution provide at least one initial, annual,
and revised notice, as applicable, to joint consumers? [§9(g)]