REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- New EU cybersecurity law avoids making big Internet companies
report breaches - Breach rule extends only to companies that own,
operate or provide technology for critical infrastructure
facilities. Europe on Thursday approved a new cybersecurity law, but
held back from requiring Internet giants such as Google, Amazon,
eBay and Skype, to report security incidents.
MasterCard, Visa to push EMV; NRF calls for use of PINs - A
MasterCard and Visa alliance aimed at migrating the U.S. payment
system to EMV drew criticism from a major retailer group. Soon after
MasterCard and Visa announced a partnership to enhance payment
security by accelerating the adoption of EMV chip technology, the
National Retail Federation (NRF) took their plans to task.
Google is encrypting search globally. That’s bad for the NSA and
China’s censors. - Google has begun routinely encrypting Web
searches conducted in China, posing a bold new challenge to that
nation’s powerful system for censoring the Internet and tracking
what individual users are viewing online.
No employees fell for failed Army phishing test - A U.S. Army combat
commander seeking to test employee awareness of phishing emails
failed badly when he sent one out on his own and caused mass
confusion - but no staffers actually fell for the fake scam, making
it something of a success.
Morrisons staffer arrested for stealing payroll data on 100K
employees - A Morrisons employee was arrested in Leeds and remains
in custody, just days after the UK supermarket chain announced it
suspected an insider took payroll data on about 100,000 employees
and leaked it online and to a local newspaper.
Critical Stuxnet-level vulnerabilities discovered in UK power plants
- Security researchers have discovered three critical
vulnerabilities in a popular industrial control system used by more
than 7,600 power, chemical and petrochemical plants across the
Court approves first-of-its-kind data breach settlement - AvMed
agrees to set aside $3 million for breach victims, whether they
suffered direct harm or not - Courts have generally tended to
dismiss consumer class-action lawsuits filed against companies that
suffer data breaches if victims can't show that the breach
directly caused a financial hit.
Men from Ukraine, New York Charged in International Cybercrime
Scheme - Federal prosecutors on Monday announced the indictment of
three men they accuse of being members of an international
cybercrime ring that tried to steal at least $15 million by hacking
into U.S. customer accounts at 14 financial institutions and the
Department of Defense's payroll service.
Miss Teen USA hacker sentenced to 18 months in federal prison - A
20-year-old California college student who hacked into at least 150
online accounts, including those of a former Miss Teen USA, was
sentenced to 18 months in federal prison earlier this week.
- Breaches, malware to cost $491 billion in 2014, study says - The
cost of a data breach or malware infection extends well beyond the
dollars spent on responding and addressing security issues -
productivity takes a big hit as enterprises and consumers spend
countless hours dealing with the threats.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target
Blew It - The biggest retail hack in U.S. history wasn’t
particularly inventive, nor did it appear destined for success. In
the days prior to Thanksgiving 2013, someone installed malware in
Target’s (TGT) security and payments system designed to steal every
credit card used at the company’s 1,797 U.S. stores.
Insider suspected of stealing payroll data on 100K Morrisons
staffers - An insider is suspected of taking payroll data on about
100,000 employees of UK supermarket chain Morrisons, and leaking it
online and to a local newspaper, Mail Online reported on Friday.
CD in refurbished drive contained unencrypted info on 15K NYC
transit workers - Roughly 15,000 active, retired, former, and
deceased New York City transit workers may have personal information
- including Social Security numbers - at risk after the unencrypted
data was discovered on a CD inside a refurbished CD drive.
Sally Beauty changes tune, says customer data was accessed in breach
- after initially finding “no evidence” that customer card data was
taken after a breach, Sally Beauty has now confirmed that fewer than
25,000 records containing card data were illegally accessed by
Virus compromises sensitive info on 5,400 Colorado hospital patients
- Social Security numbers and payment card data is among the
personal information that may have been compromised for about 5,400
patients of Colorado-based Valley View Hospital after a computer
virus was identified on some hospital computers.
DDoS attacks against NATO likely DNS amplification or NTP
reflection, expert suggests - A distributed denial-of-service (DDoS)
attack carried out against various NATO websites on Sunday was
likely a Domain Name Server (DNS) amplification attack or a Network
Time Protocol (NTP) reflection attack – or possibly some combination
of both – according to a DDoS expert.
Dave & Buster's Waitress Arrested in Alleged Skimming Plot - Police
say customers at the restaurant in Westbury on Long Island may have
been victims - A waitress at a Dave & Buster's restaurant on Long
Island has been arrested along with three alleged accomplices,
accused of stealing customers' credit card information with a
Maryland nonprofit breached, nearly 10K impacted, suspect identified
- Nearly 10,000 clients of Maryland-based Service Coordination Inc.
(SCI) – a nonprofit organization that supports intellectually and
developmentally disabled people – may have personal information at
risk after an individual gained unauthorized access to SCI computer
- Hacked EA Games server puts Apple IDs and card data at risk -
Apple ID accounts, payment card data and other personal information
are at risk for victims of a fairly convincing phishing scam being
hosted on a compromised EA Games server, according to UK-based
internet security company Netcraft.
- Personal info ends up online, nearly 9,000 Ohio patients affected
- A file containing personal information – including Social Security
numbers and payment card data – on almost 9,000 patients of
HealthSource of Ohio (HSO) was viewed 47 times in the roughly
five-week span it was made available on the internet.
- IRS staffer uses drive at home, risks unencrypted data on 20K
workers - The personal information - including Social Security
numbers - of 20,000 current and former U.S. Internal Revenue Service
(IRS) workers may be at risk after an employee took home a thumb
drive that contained the unencrypted data and plugged it into an
unsecured home network.
WEB SITE COMPLIANCE -
We continue our review
of the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing process
of evaluating threats and vulnerabilities, and establishing an
appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the
potential to harm an institution, while vulnerabilities are
weaknesses that can be exploited.
The extent of the information security program should be
commensurate with the degree of risk associated with the
institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions
offering transactional Internet banking activities are exposed to
greater risks. Further, real-time funds transfers generally pose
greater risks than delayed or batch-processed transactions because
the items are processed immediately. The extent to which an
institution contracts with third-party vendors will also affect the
nature of the risk assessment program.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Application-Level Firewalls
Application-level firewalls perform application-level screening,
typically including the filtering capabilities of packet filter
firewalls with additional validation of the packet content based on
the application. Application-level firewalls capture and compare
packets to state information in the connection tables. Unlike a
packet filter firewall, an application-level firewall continues to
examine each packet after the initial connection is established for
specific application or services such as telnet, FTP, HTTP, SMTP,
etc. The application-level firewall can provide additional screening
of the packet payload for commands, protocols, packet length,
authorization, content, or invalid headers. Application-level
firewalls provide the strongest level of security, but are slower
and require greater expertise to administer properly.
The primary disadvantages of application-level firewalls are:
- The time required to read and interpret each packet slows network
traffic. Traffic of certain types may have to be split off before
the application-level firewall and passed through different access
- Any particular firewall may provide only limited support for new
network applications and protocols. They also simply may allow
traffic from those applications and protocols to go through the
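To make the booklet's description concrete, here is a toy application-level filter for HTTP (an added example, not the FFIEC booklet's or any vendor's code). It keeps a connection table, and, unlike a packet filter, keeps screening every request on an already-established connection: method allowlist, header syntax, and the declared body length. The method list and the 4096-byte body limit are assumed policy values, and the packets are constructed inline.

```python
import re

# Assumed policy: methods a transactional banking front end needs, and a
# ceiling on declared request bodies. Both are illustrative values.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_BODY = 4096
# One RFC 7230-style header field: token, ": ", printable ASCII value.
HEADER_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+: [\t\x20-\x7e]*$")


class AppLevelFirewall:
    """Stateful, payload-aware screening of HTTP requests on a connection.

    Each call models one packet carrying a complete request; persistent
    connections are the case where screening after setup matters.
    """

    def __init__(self):
        self.table = {}  # connection 5-tuple -> "established"

    def inspect(self, conn, payload: bytes) -> str:
        """Return 'ALLOW' or 'DROP:<reason>' for one packet on conn."""
        # Connection table: a packet filter would stop checking here.
        self.table.setdefault(conn, "established")
        if not payload:
            return "ALLOW"  # handshake / pure ACK segment, nothing to screen
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            return "DROP:non-ascii"
        head, _, _body = text.partition("\r\n\r\n")
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
            return "DROP:malformed-request-line"
        if parts[0] not in ALLOWED_METHODS:
            return "DROP:method"
        declared = 0
        for field_line in lines[1:]:
            if not HEADER_RE.match(field_line):
                return "DROP:invalid-header"
            name, _, value = field_line.partition(": ")
            if name.lower() == "content-length":
                if not value.isdigit():
                    return "DROP:invalid-header"
                declared = int(value)
        if declared > MAX_BODY:
            return "DROP:length"
        return "ALLOW"
```

Every request on the same connection runs through the whole check, which is exactly the per-packet cost the booklet lists as the main disadvantage.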
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice;
c. it has given the consumer a reasonable opportunity to opt out
before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])