REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Why Cyber Jobs Need a Career Path - There’s a myth circulating in
the race to recruit and train up cybersecurity professionals that
even those without a technical background can become a cyber
- Target Could Face Federal Charges for Failing to Protect Customer
Data From Hackers - It's unclear whether the FTC has issued any
subpoenas or other formal demands for information. The FTC declined
to comment on whether it has launched a formal investigation.
Many Organizations Don't Go Public With Data Breaches Or Share Intel
- There are likely many more breached retailers than Target, Neiman
Marcus, Michaels, and Sally Beauty either unaware that they have
been hit or not yet ready to go public.
Soon-to-be Facebook intern wins UK Cyber Security Challenge -
Cambridge student protects Blighty from virtual attack from
Churchill War Rooms - A 19-year-old student was crowned the UK Cyber
Security Champion after beating all comers over the course of a
year-long competition that tested computer defence skills.
- Banks file class-action against Target and Trustwave over massive
breach - Banks impacted in the late-2013 breach of Target have
banded together to file a class-action against the retail giant, as
well as against Trustwave, a Chicago-based security firm said in the
lawsuit to have failed to bring Target's systems up to industry
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UMCP reports another cybersecurity breach -The University of
Maryland, College Park suffered a second cyberattack on the heels of
the recent theft of personal data for hundreds of thousands of
students, staff and alumni, university officials announced Thursday.
- Auburn University server hacked, data on nearly 14,000 at risk -
Over a four-week span, an unidentified hacker could have accessed a
compromised Auburn University College of Business server that
contained personal information - including Social Security numbers –
on close to 14,000 current and former students, faculty and staff.
- University of Maryland breached again - The University of
Maryland's computer network was breached earlier this week for the
second time this year. The most recent attack affected one
university staff member's personal information.
- Employee with Minnesota-based insurer risks data of 38K members -
Roughly 38,000 members of Minnesota-based HealthPartners may have
personal information at risk after an employee brought home
electronic files containing the data, showed the files to a family
member for help with formatting, and transferred the files to their
own devices, between 2008 and 2010.
- Credit Card Breach at California DMV - The California Department
of Motor Vehicles appears to have suffered a wide-ranging credit
card data breach involving online payments for DMV-related services,
according to banks in California and elsewhere that received alerts
this week about compromised cards that all had been previously used
online at the California DMV.
- About 55K in San Francisco impacted in theft of Sutherland
computers - The San Francisco Department of Public Health (DPH) is
warning more than 55,000 patients served in DPH facilities that
their personal information may have been compromised in a Feb. 5
breach of Sutherland Healthcare Solutions (SHS), a billing and
collections services provider.
1,000 UK HealthCare patients impacted by stolen laptop -A password
protected laptop stolen from Talyst, a provider of pharmacy billing
management services, has resulted in the compromise of personal
information for more than 1,000 patients of University of Kentucky
Maryland hackers used trojan to steal IT credentials, access
database - University of Maryland President Wallace Loh appeared
before Senate members to testify on the occurrences leading up to
obtains credentials of nearly 100K users of Cerberus app - Nearly
100,000 users of Android anti-theft app Cerberus must reset their
encrypted passwords after an attacker was able to gain unauthorized
access to their credentials.
Data on all
Utah-based Sorenson employees compromised in vendor attack - All
employees with Utah-based Sorenson Communications, and a branch
named CaptionCall, are being notified that their personal
information - including Social Security numbers - may have been
compromised after the data was accessed in an attack on an unnamed
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices or Information System Security."
Performing the Risk Assessment and Determining Vulnerabilities
Performing a sound risk assessment is critical to establishing an
effective information security program. The risk assessment provides
a framework for establishing policy guidelines and identifying the
risk assessment tools and practices that may be appropriate for an
institution. Banks still should have a written information security
policy, sound security policy guidelines, and well-designed system
architecture, as well as provide for physical security, employee
education, and testing, as part of an effective program.
When institutions contract with third-party providers for
information system services, they should have a sound oversight
program. At a minimum, the security-related clauses of a written
contract should define the responsibilities of both parties with
respect to data confidentiality, system security, and notification
procedures in the event of data or system compromise. The
institution needs to conduct a sufficient analysis of the provider's
security program, including how the provider uses available risk
assessment tools and practices. Institutions also should obtain
copies of independent penetration tests run against the provider's
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Services and Configuration
Firewalls may provide some additional services:
! Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
schemes of its trusted network from untrusted networks.
! Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
! Virtual Private Network (VPN) gateways - A VPN gateway provides an
encrypted tunnel between a remote external gateway and the internal
network. Placing VPN capability on the firewall and the remote
gateway protects information from disclosure between the gateways
but not from the gateway to the terminating machines. Placement on
the firewall, however, allows the firewall to inspect the traffic
and perform access control, logging, and malicious code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution's private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution's internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure
that an institution's computer systems are not directly accessible
to any on the Internet.
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
42. Does the institution provide the consumer with a reasonable
opportunity to opt out such as by:
a. mailing the notices required by §10 and allowing the consumer to
respond by toll-free telephone number, return mail, or other
reasonable means (see question 22) within 30 days from the date
b. where the consumer opens an on-line account with the institution
and agrees to receive the notices required by §10 electronically,
allowing the consumer to opt out by any reasonable means (see
question 22) within 30 days from consumer acknowledgement of receipt
of the notice in conjunction with opening the account;
c. for isolated transactions, providing the notices required by §10
at the time of the transaction and requesting that the consumer
decide, as a necessary part of the transaction, whether to opt out
before the completion of the transaction? [§10(a)(3)(iii)]