REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- National Security-Related Agencies Need to Better Address Risks -
Reliance on a global supply chain introduces multiple risks to
federal information systems. These risks include threats posed by
actors such as foreign intelligence services or counterfeiters.
- Hacktivists 'steal more than criminals' - Hacktivists
stole more data from large corporations than cybercriminals in 2011,
according to a study of significant security incidents.
- New counterterrorism guidelines permit data on U.S. citizens to be
held longer - The Obama administration has approved guidelines that
allow counterterrorism officials to lengthen the period of time they
retain information about U.S. residents, even if they have no known
connection to terrorism.
- Microsoft zaps Zeus command centers used in bank fraud - Microsoft
has cast a big blow to one of the most pernicious trojans in
existence, responsible for stealing tens of millions of dollars
through the keystroke logging of online banking credentials, usually
belonging to small and midsize businesses.
- Additional Efforts Needed by National Security-Related Agencies to
Address Risks - Reliance on a global supply chain introduces multiple
risks to federal information systems and underscores the importance
of threat assessments and mitigation.
- Rejected telco drew US worry for spying - The Chinese telco banned
from bidding on the National Broadband Network on the advice of ASIO
is being investigated by the US house intelligence committee amid
concerns it is an arm of Beijing's cyber-espionage effort.
- Senators want ruling on whether Facebook password requests are
illegal - Two US Senators asked the Department of Justice and Equal
Employment Opportunity Commission to start an investigation into
whether employers asking job applicants for usernames and passwords
violates federal law.
- Why won't wireless companies help stop cell phone thefts? - Police
say there's a simple way they could halt an epidemic of often violent
crime - Violent robberies of iPhones and other smartphones:
Authorities say there's a solution, but the wireless companies won't
do their part to help.
- More Work Remains to Implement Necessary Management Controls - HUD
has made progress in implementing prior GAO recommendations on
modernizing its IT environment; however, more actions are needed. In
2009, GAO reported that HUD lacked key IT management controls, which
are essential to achieving successful outcomes.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Univ. of Tampa says student info was exposed for 8 months -
Accidental online leak involved more than 6,800 students; another
22K may also be affected - An in-class project on advanced search
techniques led to the discovery of a major data breach at the
University of Tampa (UT) in Florida earlier this month.
- Barclaycard pay-by-bonk fraud risk exposes Amazon's security - NFC
cards savaged in privates' slurp probe - Channel 4 News has found
out that pay-by-wave phones are compatible with pay-by-wave cards,
and wants something done about it, but it's web bazaar Amazon that's
lacking basic security.
- Chinese hacker arrested for leaking 6 million logins - Forget the
attacks that have compromised thousands of accounts. This Chinese
hacker managed to steal and leak the data belonging to 6 million
users, before he was arrested, of course.
- Foreign spies 'penetrate' US military networks - Foreign spies
should be assumed to have penetrated the computer networks of the US
military, American politicians have been told.
- LulzSec redux dumps data after raiding military dating site -
Hackers calling themselves "LulzSec Reborn" have claimed
responsibility for two breaches that resulted in the dumping of
- RockYou to pay FTC $250K after breach of 32M passwords - RockYou,
a company that makes games and other applications for use on social
networking sites, must pay $250,000 following a settlement with the
Federal Trade Commission over a massive 2009 breach.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Risk management principles (Part 2 of 2)
The Committee recognizes that banks will need to develop risk
management processes appropriate for their individual risk profile,
operational structure and corporate governance culture, as well as
in conformance with the specific risk management requirements and
policies set forth by the bank supervisors in their particular
jurisdiction(s). Further, the numerous e-banking risk management
practices identified in this Report, while representative of current
industry sound practice, should not be considered to be
all-inclusive or definitive, since many security controls and other
risk management techniques continue to evolve rapidly to keep pace
with new technologies and business applications.
This Report does not attempt to dictate specific technical solutions
to address particular risks or set technical standards relating to
e-banking. Technical issues will need to be addressed on an on-going
basis by both banking institutions and various standards-setting
bodies as technology evolves. Further, as the industry continues to
address e-banking technical issues, including security challenges, a
variety of innovative and cost efficient risk management solutions
are likely to emerge. These solutions are also likely to address
issues related to the fact that banks differ in size, complexity and
risk management culture and that jurisdictions differ in their legal
and regulatory frameworks.
For these reasons, the Committee does not believe that a "one size
fits all" approach to e-banking risk management is appropriate, and
it encourages the exchange of good practices and standards to
address the additional risk dimensions posed by the e-banking
delivery channel. In keeping with this supervisory philosophy, the
risk management principles and sound practices identified in this
Report are expected to be used as tools by national supervisors and
implemented with adaptations to reflect specific national
requirements where necessary, to help promote safe and secure
e-banking activities and operations.
The Committee recognizes that each bank's risk profile is different
and requires a risk mitigation approach appropriate for the scale of
the e-banking operations, the materiality of the risks present, and
the willingness and ability of the institution to manage these
risks. These differences imply that the risk management principles
presented in this Report are intended to be flexible enough to be
implemented by all relevant institutions across jurisdictions.
National supervisors will assess the materiality of the risks
related to e-banking activities present at a given bank and whether,
and to what extent, the risk management principles for e-banking
have been adequately met by the bank's risk management framework.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
Financial institutions need appropriate disposal procedures for both
electronic and paper-based media. Policies should prohibit employees
from discarding sensitive media along with regular garbage to avoid
accidental disclosure. Many institutions shred paper-based media
on site and others use collection and disposal services to ensure
the media is rendered unreadable and unreconstructable before
disposal. Institutions that contract with third parties should use
care in selecting vendors to ensure adequate employee background
checks, controls, and experience.
Computer-based media presents unique disposal problems. Residual
data frequently remains on media after erasure. Since that data can
be recovered, additional disposal techniques should be applied to
sensitive data. Physical destruction of the media, for instance by
subjecting a compact disk to microwaves, can make the data
unrecoverable. Additionally, data can sometimes be destroyed after
overwriting. Overwriting may be preferred when the media will be
reused. Institutions should base their disposal policies on the
sensitivity of the information contained on the media and, through
policies, procedures, and training, ensure that the actions taken to
securely dispose of computer-based media adequately protect the data
from the risks of reconstruction. Where practical, management should
log the disposal of sensitive media, especially computer-based media.
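The overwrite-then-verify-then-log sequence the booklet describes, as an added example that is not part of the FFIEC text or this newsletter. All function names (overwrite_file, verify_overwritten, dispose_file, demo), the disposal-log format, and the sample account file are assumptions made for illustration. The example assumes the file sits on a conventional magnetic disk whose filesystem overwrites blocks in place; on SSDs, copy-on-write or journaling filesystems, and cloud block storage an in-place overwrite does not reliably reach the old blocks, and physical destruction or full-disk encryption with key destruction is the appropriate control.

```python
"""Added example: overwrite a file on reusable media before release, verify the
overwrite, unlink the file, and append a disposal record to an audit log.

Assumption: the file lives on a magnetic disk whose filesystem overwrites in place.
Not a substitute for physical destruction on SSD, copy-on-write or journaled media.
"""
import hashlib
import json
import os
import secrets
import tempfile
import time


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 20) -> int:
    """Overwrite every byte of `path` in place `passes` times, fsyncing each pass.

    All passes but the last use random data; the last pass writes zeros so the
    result can be verified by a plain read.  Returns the file size in bytes.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for p in range(passes):
            last = p == passes - 1
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(b"\x00" * n if last else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the pass to the device, not just the cache
    return size


def verify_overwritten(path: str) -> bool:
    """Return True only if every byte of `path` reads back as the final zero pattern."""
    with open(path, "rb", buffering=0) as fh:
        while True:
            block = fh.read(1 << 20)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def dispose_file(path: str, log_path: str, operator: str, classification: str,
                 passes: int = 3) -> dict:
    """Overwrite, verify, unlink, and record the disposal as one JSON line.

    Verification failure raises instead of logging success, so the operator
    escalates to physical destruction rather than silently releasing the media.
    """
    with open(path, "rb") as fh:
        before = hashlib.sha256(fh.read()).hexdigest()  # identifies what was destroyed
    size = overwrite_file(path, passes)
    if not verify_overwritten(path):
        raise RuntimeError("overwrite verification failed; escalate to physical destruction")
    abspath = os.path.abspath(path)
    os.remove(path)
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "path": abspath,
        "sha256_before": before,
        "bytes": size,
        "passes": passes,
        "classification": classification,
        "operator": operator,
        "verified": True,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


# Constructed sample input: a scratch export holding fake account records.
SAMPLE_ROW = b"account,balance\n0000-1111,12345.67\n"


def demo() -> tuple:
    """Create the sample file in a temp dir, dispose of it, and report the result.

    Returns (disposal_record, file_still_exists_after_disposal).
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "export.csv")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_ROW * 2000)
    record = dispose_file(path, os.path.join(tmpdir, "disposal.log"),
                          operator="operator-1", classification="confidential")
    return record, os.path.exists(path)


if __name__ == "__main__":
    rec, still_there = demo()
    print(json.dumps(rec, indent=2), "exists after disposal:", still_there)
```

The SHA-256 taken before the overwrite gives the disposal log a way to tie a record to a specific artifact without retaining the sensitive content itself; the fsync after each pass matters because a buffered write that is never flushed leaves the original blocks untouched on the device.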
Financial institutions should maintain the security of media while
in transit or when shared with third parties. Policies should
include:
- Restrictions on the carriers used and procedures to verify the
identity of couriers,
- Requirements for appropriate packaging to protect the media from
damage,
- Use of encryption for transmission of sensitive information,
- Security reviews or independent security reports of receiving
companies, and
- Use of nondisclosure agreements between couriers and third
parties.
Financial institutions should address the security of their backup
tapes at all times, including when the tapes are in transit from
the data center to off-site storage.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice (Part 2 of 2)
8) Do the initial, annual, and revised privacy notices include each
of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information to a
nonaffiliated third party under §13, and no exception under §14 or
§15 applies, a separate statement of the categories of information
the institution discloses and the categories of third parties with
whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s) of
opt out that the consumer can use at the time of the notice;
g) any disclosures that the institution makes under §603(d)(2)(A)(iii)
of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information; [§6(a)(8)] and
i) a general statement--with no specific reference to the
exceptions or to the third parties--that the institution makes
disclosures to other nonaffiliated third parties as permitted by
law? [§6(a)(9), (b)]