REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- The six most dangerous infosec attacks - The most popular track
session of RSA San Francisco for the past five years was again
packed to the rafters.
- Uncle Sam: If It Ends in .Com, It’s .Seizable - When U.S.
authorities shuttered sports-wagering site Bodog.com last week, it
raised eyebrows across the net because the domain name was
registered with a Canadian company, ostensibly putting it beyond the
reach of the U.S. government.
- FCC: No, you can't jam your neighbor's cellphone - The Federal
Communications Commission is officially reminding people that it is
illegal to use cell phone jammers on other people, no matter how
annoying you find their conversation on the bus.
- Study Confirms The Government Produces The Buggiest Software -
Humans aren’t generally very good at writing secure code. But it
seems they’re even worse at it when they’re an employee of a
government bureaucracy or hired as unaccountable federal
- GCHQ-backed competition names Cyber Security Champion - A
19-year-old university student has been named the UK's "Cyber
Security Champion" following a competition sponsored by the
intelligence agency GCHQ and several leading tech firms.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Digital Playground hacked to expose card numbers - Another web
site has fallen victim to hackers. Online intruders from a group
calling itself The Consortium claimed this week to have invaded
- Source code of Symantec Antivirus posted on the net - As expected,
hackers have released the source code of Norton Antivirus 2006 on
the net. According to the page on The Pirate Bay where the 1.1GB
file has been posted as a torrent, the hackers go by the name of
AntiSec and sympathise with the Anonymous hacker group.
- Cops nab mobile net workmen for snarfing punters' data - Gang
allegedly tracked and sold Koreans' info - Police in South Korea
have arrested five men working as sub-contractors for the country’s
two biggest mobile companies.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Risk management challenges
The Electronic Banking Group (EBG) noted that the fundamental
characteristics of e-banking (and e-commerce more generally) posed a
number of risk management challenges:
The speed of change
relating to technological and customer service innovation in
e-banking is unprecedented. Historically, new banking applications
were implemented over relatively long periods of time and only after
in-depth testing. Today, however, banks are experiencing competitive
pressure to roll out new business applications in very compressed
time frames - often only a few months from concept to production.
This competition intensifies the management challenge to ensure that
adequate strategic assessment, risk analysis and security reviews
are conducted prior to implementing new e-banking applications.
web sites and associated retail and wholesale business applications
are typically integrated as much as possible with legacy computer
systems to allow more straight-through processing of electronic
transactions. Such straight-through automated processing reduces
opportunities for human error and fraud inherent in manual
processes, but it also increases dependence on sound systems design
and architecture as well as system interoperability and operational
E-banking increases banks'
dependence on information technology, thereby increasing the
technical complexity of many operational and security issues and
furthering a trend towards more partnerships, alliances and
outsourcing arrangements with third parties, many of whom are
unregulated. This development has been leading to the creation of
new business models involving banks and non-bank entities, such as
Internet service providers, telecommunication companies and other
4) The Internet is ubiquitous and global by nature. It is an open
network accessible from anywhere in the world by unknown parties,
with routing of messages through unknown locations and via fast
evolving wireless devices. Therefore, it significantly magnifies the
importance of security controls, customer authentication techniques,
data protection, audit trail procedures, and customer privacy
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
AGREEMENTS: CONFIDENTIALITY, NON - DISCLOSURE, AND
Financial institutions should protect the confidentiality of
information about their customers and organization. A breach in
confidentiality could disclose competitive information, increase
fraud risk, damage the institution's reputation, violate customer
privacy and associated rights, and violate regulatory requirements.
Confidentiality agreements put all parties on notice that the
financial institution owns its information, expects strict
confidentiality, and prohibits information sharing outside of that
required for legitimate business needs. Management should obtain
signed confidentiality agreements before granting new employees and
contractors access to information technology systems.
Job descriptions, employment agreements, and policy awareness
acknowledgements increase accountability for security. Management
can communicate general and specific security roles and
responsibilities for all employees within their job descriptions.
Management should expect all employees, officers, and contractors to
comply with security and acceptable use policies and protect the
institution's assets, including information. The job descriptions
for security personnel should describe the systems and processes
they will protect and the control processes for which they are
responsible. Management can take similar steps to ensure contractors
and consultants understand their security responsibilities as well.
Financial institutions need to educate users regarding their
security roles and responsibilities. Training should support
security awareness and should strengthen compliance with the
security policy. Ultimately, the behavior and priorities of senior
management heavily influence the level of employee awareness and
policy compliance, so training and the commitment to security should
start with senior management. Training materials would typically
review the acceptable - use policy and include issues like desktop
security, log - on requirements, password administration guidelines,
etc. Training should also address social engineering, and the
policies and procedures that protect against social engineering
attacks. Many institutions integrate a signed security awareness
agreement along with periodic training and refresher courses.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6. Does the institution provide an annual privacy notice to each
customer whose loan the institution owns the right to service?