REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- In new attack on mobile handsets, fraudsters target one-time-passwords - security for mobile handsets keeps improving. But then, mobile threats to those handsets keep improving as well.
- FBI Can’t Crack Android Pattern-Screen Lock - Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation.
- Secure access, authorization among areas still lacking at IRS - The Internal Revenue Service is again taking fire from a government watchdog. On Friday, the U.S. Government Accountability Office released a fifth consecutive annual report to chronicle security shortfalls at the nation's tax collector. The agency's trouble with GAO dates back to at least 2005.
- Brit LulzSec suspect charged over NHS, plod web attacks - Tabloid rag and top spooks also among alleged targets - An alleged member of hacker group LulzSec appeared in a London court on Friday charged with conspiracy over cyber-attacks against websites maintained by the CIA and the UK's Serious Organised Crime Agency.
- Data breach costs drop for first time in study - Despite 2011 bringing no slowdown to breaches, the price of each incident
- Malicious Android application loots bank login data - The banking credentials of Android device users are being threatened by a new, self-updating trojan that poses as a one-time password (OTP) application.
- IBM X-Force reports that mobile threats are increasing - Mobile device vulnerabilities are at the forefront of cyber criminal trends, according to the annual "IBM X-Force Trend and Risk Report" (PDF) released on Thursday.
- The state of BYOD (Bring-your-own-device) - The number of personal mobile devices connecting to the corporate network has more than doubled in the past two years - with nearly half of those devices storing sensitive data, according to a survey from CheckPoint
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Tennessee insurer to pay $1.5 million for breach-related violations - BlueCross BlueShield agrees to pay HHS for HIPAA violations tied to 2009 breach that exposed data on 1 million members - A 2009 data breach that has already cost BlueCross BlueShield of Tennessee nearly $17 million got a little more expensive Tuesday.
- FBI says $700K charged in Anonymous' Stratfor attack - In the court case against the Antisec hacker busted for stealing data in the Stratfor breach, the FBI says charges made with the stolen credit card information equal $700,000.
- Exploit for gaping Microsoft RDP hole may have gotten help - The security researcher who discovered the dangerous and "wormable" Windows Remote Desktop Protocol (RDP) vulnerability patched earlier this week now believes that Microsoft may have accidentally leaked proof-of-concept exploit code that fell into the hands of Chinese
- Police arrest online banking fraudster - Victims had accounts compromised over 18-month period - The Metropolitan Police Service's Police Central e-Crime Unit (PCeU) has arrested a man for committing online banking fraud.
- University of Tampa sustains breach of Social Security numbers - Thousands of University of Tampa (UT) students, faculty and staff have become candidates for identity theft after students and IT personnel discovered publicly available files on the internet containing personal information.
- Michigan union employees' data exposed - The personal information of more than 1,000 public employees of Wayne County, Mich., was exposed when a spreadsheet containing their data was inadvertently attached to an email blast.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group EBG, the
Committee concluded that, while traditional banking risk management
principles are applicable to e-banking activities, the complex
characteristics of the Internet delivery channel dictate that the
application of these principles must be tailored to fit many online
banking activities and their attendant risk management challenges.
To this end, the Committee believes that it is incumbent upon the
Boards of Directors and banks' senior management to take steps to
ensure that their institutions have reviewed and modified where
necessary their existing risk management policies and processes to
cover their current or planned e-banking activities. Further, as the
Committee believes that banks should adopt an integrated risk
management approach for all banking activities, it is critical that
the risk management oversight afforded e-banking activities becomes
an integral part of the banking institution's overall risk
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
These Risk Management Principles for Electronic Banking, which are
identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as guidance to
promote safe and sound e-banking activities. The Committee believes
that setting detailed risk management requirements in the area of
e-banking might be counter-productive, if only because these would
be likely to become rapidly outdated by the speed of change related
to technological and product innovation. Therefore the principles
included in the present Report express supervisory expectations
related to the overall objective of banking supervision to ensure
safety and soundness in the financial system rather than stringent
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
Sensitive information is frequently contained on media such as paper
documents, output reports, back-up tapes, disks, cassettes, optical
storage, test data, and system documentation. Protection of that
data requires protection of the media. The theft, destruction, or
other loss of the media could result in the
exposure of corporate secrets, breaches in customer confidentiality,
alteration of data, and the disruption of business activities. The
policies and procedures necessary to protect media may need revision
as new data storage technologies are contemplated for use and new
methods of attack are developed. The sensitivity of the data (as
reflected in the data classification) dictates the extent of
procedures and controls required. Many institutions find it easier
to store and dispose of all media consistently without having to
segregate out the most sensitive information. This approach also can
help reduce the likelihood that someone could infer sensitive
information by aggregating a large amount of less sensitive
information. Management must address three components to secure
media properly: handling and storage, disposal, and transit.
HANDLING AND STORAGE
IT management should ensure secure storage of media from
unauthorized access. Controls could include physical and
environmental controls including fire and flood protection, limited
access (e.g., physical locks, keypad, passwords, biometrics),
labeling, and logged access. Management should establish access
controls to limit access to media, while ensuring all employees have
authorization to access the minimum level of data required to
perform their responsibilities. More sensitive media like system
documentation, application source code, and production transaction
data should have more extensive controls to guard against alteration
(e.g., integrity checkers, cryptographic hashes). Furthermore,
policies should minimize the distribution of sensitive media,
including the printouts of sensitive information. Periodically, the
security staff, audit staff, and data owners should review
authorization levels and distribution lists to ensure they remain
appropriate and current.
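The booklet's "integrity checkers, cryptographic hashes" control for source code and production transaction data, worked through as an added example (this code is not from the FFIEC booklet): a SHA-256 manifest of the media is sealed with an HMAC under an assumed, separately held key, and a later verification pass reports altered, missing and added files, or refuses a baseline whose seal no longer matches. The file names and contents are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile

def file_digest(path):
    # SHA-256 in 64 KiB chunks so large backup images need not fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    # Relative path -> digest for every file under root
    return {os.path.relpath(os.path.join(d, n), root): file_digest(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def seal_manifest(manifest, key):
    # HMAC over the canonical JSON so the baseline itself cannot be quietly edited
    payload = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify_manifest(root, sealed, key):
    # Check the baseline's seal first, then diff current digests against it
    payload = json.dumps(sealed["manifest"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), sealed["mac"]):
        return {"manifest_tampered": True, "altered": [], "missing": [], "added": []}
    base, now = sealed["manifest"], build_manifest(root)
    return {"manifest_tampered": False,
            "altered": sorted(p for p in base if p in now and now[p] != base[p]),
            "missing": sorted(p for p in base if p not in now),
            "added": sorted(p for p in now if p not in base)}

def demo():
    # Constructed sample media: a source file and a transaction export
    key = b"constructed-demo-key"  # assumed key; in practice stored apart from the media
    with tempfile.TemporaryDirectory() as root:
        def put(name, text):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        put("source.c", "int main(void) { return 0; }\n")
        put("txn.csv", "id,amount\n1,100\n")
        sealed = seal_manifest(build_manifest(root), key)
        clean = verify_manifest(root, sealed, key)
        put("txn.csv", "id,amount\n1,100\n2,999999\n")  # altered record
        os.remove(os.path.join(root, "source.c"))       # missing file
        put("extra.txt", "unexpected file")             # added file
        dirty = verify_manifest(root, sealed, key)
        # Rewriting a baseline digest without the key breaks the seal
        sealed["manifest"]["txn.csv"] = file_digest(os.path.join(root, "txn.csv"))
        forged = verify_manifest(root, sealed, key)
    return clean, dirty, forged
```

The sealed manifest and the key belong on media with at least the access controls of the data they protect, otherwise an attacker who can alter the data can regenerate the baseline too.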
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
(Part 1 of 2)
8) Do the initial, annual, and revised privacy notices include each
of the following, as applicable: (Part 1 of 2)
a) the categories of nonpublic personal information that the
institution collects; [§6(a)(1)]
b) the categories of nonpublic personal information that the
institution discloses; [§6(a)(2)]
c) the categories of affiliates and nonaffiliated third parties to
whom the institution discloses nonpublic personal information, other
than parties to whom information is disclosed under an exception in
§14 or §15; [§6(a)(3)]
d) the categories of nonpublic personal information disclosed about
former customers, and the categories of affiliates and nonaffiliated
third parties to whom the institution discloses that information,
other than those parties to whom the institution discloses
information under an exception in §14 or §15; [§6(a)(4)]