REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Four simple steps to protect the US from hackers - Companies are
spending more than ever on new security tools to protect themselves.
In fact, according to Gartner, spending is set to increase by over 8%
- Consumers and Mobile Financial Services - Matthew B. Gross,
Alexandra M. Rock, and Maximilian D. Schmeiser - This report presents
findings from the Federal Reserve Board's second survey on consumers'
use of mobile financial services, conducted in November 2012.
- The Federal Financial Institutions Examination Council member
agencies today announced the addition of a new feature to the
Information Technology Examination Handbook InfoBase. This feature
provides bankers, agency personnel, and other interested parties with
the ability to register and receive notifications of additions,
changes, and deletions to the
- Increase in required electronic loan data fields - Federal and
state bank supervisors today announced an increase in the number of
required loan data fields in the Interagency Loan Data Request.
- U.S. cyber plan calls for private-sector scans of Net - The U.S.
government is expanding a cybersecurity program that scans Internet
traffic headed into and out of defense contractors to include far
more of the country's private, civilian-run infrastructure.
- Police arrest London man in connection with Tilon bank Trojan -
MiTB campaign hit UK last summer - London police have arrested a man
in connection with attacks carried out by the state-of-the-art Tilon
banking Trojan, it has been announced.
- Cisco inadvertently weakens password encryption in its IOS
operating system - The password encryption scheme used in newer Cisco
IOS versions is weak, researchers find - The password encryption
algorithm used in some recent versions of the Cisco IOS operating
system is weaker than the algorithm it was designed to replace,
Cisco revealed earlier this week.
- Oversight Committee Passes IT Reform Act, Giving CIOs Budget
Authority - The House Oversight and Government Reform Committee
unanimously passed legislation on Wednesday that would mark the most
significant reform in more than a decade to the way the government
purchases information technology.
- Luring Young Web Warriors Is Priority. It’s Also a Game. - In the
eighth grade, he figured out how to write a simple script that could
switch his keyboard’s Caps Lock key on and off 6,000 times a minute.
- Former student accused of stealing identities pleads guilty - A
former student of Cal State University in San Marcos, Calif.,
pleaded guilty to wire fraud, access device fraud and unauthorized
use of a computer after being accused of stealing the identities and
passwords of 745 students to rig campus elections.
- NASA Tightens Security In Response To Insider Threat - NASA has
closed down its technical reports database and imposed tighter
restrictions on remote access to its computer systems following the
arrest of a Chinese contractor on suspicion of intellectual property
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- South Korean corporations hit by widespread attack that wiped data
and shut down systems - Researchers discovered that attackers used
data-wiping malware to cripple critical businesses throughout South
Korea, where several banks and news organizations began reporting
widespread cyber attacks.
- Cyberattack on Florida election raises questions - It's a fear that
keeps cybersecurity experts up at night: an attack on an online
election system. Apparently, it's now come to pass.
- Laptop containing patient data goes missing from Mississippi
hospital - Patients of a Jackson, Miss.-based hospital may have had
their data compromised after a laptop went missing.
- South Korea data-wipe malware spread by patching system - Long
dark teatime in Seoul saga continues to unfold - South Korea's data
wiping malware that knocked out PCs at TV stations and banks earlier
this week may have been introduced through compromised corporate
- Wells Fargo site hit by denial-of-service attack - The bank's Web
site was the victim of a cyberattack yesterday, though the company
says its physical branches and ATMs weren't affected.
- Breach exposes data of 1k county workers, officials give no word
on cause - The sensitive information of current and former county
employees in Ohio was accessible to cyber intruders.
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Technical and
• Assess the service provider’s
experience and ability to provide the necessary services and
supporting technology for current and anticipated needs.
• Identify areas where the institution would have to supplement
the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or
partners that would be used to support the outsourced
• Evaluate the experience of the service provider in providing
services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and
work are necessary.
• Evaluate the service provider’s ability to respond to service
• Contact references and user groups to learn about the service
provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned
to support the institution.
• Perform on-site visits, where necessary, to better understand
how the service provider operates and supports its services.
INFORMATION TECHNOLOGY SECURITY - We continue our review of the OCC
Bulletin about Infrastructure Threats and Intrusion Risks. This week
we start a three-part review of controls to prevent and detect
intrusions.
Management should determine the controls necessary to deter, detect,
and respond to intrusions, consistent with the best practices of
information system operators. Controls may include the following:
1) Authentication. Authentication provides identification by means
of some previously agreed-upon method, such as passwords and
biometrics (identification of a person by analyzing a unique physical
attribute). The means and strength of authentication should be
commensurate with the risk. For instance, passwords should be of an
appropriate length, character set, and lifespan for the systems being
protected. (The lifespan of a password is the length of time the
password allows access to the system. Generally speaking, shorter
lifespans reduce the risk of password compromise.) Employees should
be trained to recognize and respond to fraudulent attempts to
compromise the integrity of security systems. This may include
"social engineering," whereby intruders pose as authorized users to
gain access to bank systems or
2) Install and Update Systems. When a bank acquires and installs new
or upgraded systems or equipment, it should review security
parameters and settings to ensure that these are consistent with the
intrusion risk assessment plan. For example, the bank should review
user passwords and authorization levels to maintain "separation of
duties" and "need to know" policies. Once systems are installed,
security flaws in software and hardware should be identified and
remediated through updates or "patches." Continuous monitoring and
updating are essential to protect the bank from vulnerabilities.
Information about vulnerabilities and patches is typically available
from the vendor, from security-related web sites, and in the National
Infrastructure Protection Center's bi-weekly CyberNotes.
3) Software Integrity. Copies of software and integrity checkers (an
integrity checker uses logical analysis to identify whether a file
has been changed) are used to identify unauthorized changes to
software. Banks should ensure the security of the integrity checklist
and of the checking software itself. Where sufficient risk exists,
the checklist and software should be stored away from the network, in
a location where access is limited. Banks should also protect against
viruses and other malicious software by using automated virus
scanning software and frequently updating the signature file (the
signature file contains the information necessary to identify each
virus) to enable identification of new viruses.
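The integrity-checker control above comes down to two steps: record a
cryptographic digest of every approved file (the "checklist") and,
later, recompute the digests and compare. The script below is an
added example written for this newsletter, not code from the OCC
Bulletin or from any vendor product. It builds a SHA-256 baseline of
a directory tree, writes the baseline to a separate location (the
bulletin's point about keeping the checklist away from the systems it
protects; in practice that location would be offline or read-only
media), and then reports files that were modified, added, or removed.
The directory contents and the tampering in demo() are constructed
sample data.

```python
"""File integrity checker: build a hash baseline, then detect changes.
Added example for the OCC 'Software Integrity' control; constructed data."""
import hashlib
import json
import os
import tempfile

HASH_ALGO = "sha256"


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of one file, read in chunks so large
    binaries do not have to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and map each regular file's relative path to its digest.
    Paths use '/' so a baseline is comparable across platforms."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the checklist as sorted JSON (stable for diffing/signing)."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=2)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Recompute digests under root and compare with the stored checklist.
    Returns a dict with sorted lists: modified, added, missing."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline
                      if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: baseline a small tree, change it, verify.
    The baseline is deliberately written outside the protected tree."""
    root = tempfile.mkdtemp(prefix="approved_sw_")
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="checklist_"),
                                 "baseline.json")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "app"), "wb") as f:
        f.write(b"original binary contents (constructed)")
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("mode=prod\n")
    save_baseline(build_baseline(root), baseline_path)

    # Simulate one unauthorized change, one unexpected new file, and one
    # deletion, then run the check against the stored checklist.
    with open(os.path.join(root, "bin", "app"), "wb") as f:
        f.write(b"altered binary contents (constructed)")
    with open(os.path.join(root, "unexpected.txt"), "w") as f:
        f.write("file not present in the baseline\n")
    os.remove(os.path.join(root, "config.ini"))

    return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A real deployment would run verify() on a schedule from media the
protected host cannot write to, and treat any non-empty list as an
incident to investigate rather than something to silently re-baseline.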
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the question
each week, you will help ensure compliance with the privacy
regulations.
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
Next week we will start covering the examination objectives.