Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
- Fake SSL Certificate Incident Highlights Flaws in DNS - Security industry professionals should be focusing on the vulnerabilities inherent in the DNS infrastructure and not that Comodo Security incorrectly issued certificates.
- Rise in federal cyberattacks partly due to better monitoring - The number of cyber incidents affecting U.S. federal agencies shot up 39 percent in 2010, according to a new report from the Office of Management and Budget (OMB), but experts said the increase is partly a reflection of improved discovery capabilities within government.
- PM's dept vows to block Hotmail, Gmail - The department which houses Prime Minister Julia Gillard and the Cabinet yesterday signalled it would bow to a request from the Federal Auditor-General and block access to public email services such as Hotmail and Gmail from 1 July, with the auditor seeing the platforms as an inherent security
- Survey shows we're too lazy about mobile phone security - A new survey shows U.S. consumers are shockingly lax about basic security on their mobile phones.
- Corporate data is new target of cybercrime - Cybercriminals have shifted their efforts from targeting individuals' personal information to the intellectual capital of global corporations, according to a report released Monday by McAfee and defense contractor Science Applications International Corp. (SAIC).
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- BP "leaks" data of 13,000 Gulf oil spill victims - A BP employee lost a laptop containing the personal information of thousands of Louisiana residents who filed compensation claims after last year's devastating oil spill in the Gulf of Mexico.
- EU admits deep impact cyberattack in run-up to key summit - Internal docs suggest longer-term problem - The EU has admitted to having been hit by a deep, penetrating cyber-attack.
- Student used spyware to steal passwords, change grades - A former high school senior from Orange County, California, has pleaded guilty to charges that he installed spyware on school computers in order to boost his grades; he is expected to be sentenced to a month in prison for altering his school record.
- TripAdvisor users may receive more spam due to breach - Travel website TripAdvisor on Thursday warned users to expect more spam after hackers stole a portion of its 20 million member database.
- MySQL Web site falls victim to SQL injection attack - Oracle's MySQL.com customer Web site was compromised over the weekend by a pair of hackers who publicly posted usernames, and in some cases passwords, of the site's users.
- Hackers target business secrets - Intellectual property and business secrets are fast becoming a target for cyber thieves, a study
- Restaurant group settles privacy case for $110,000 - The Briar Group LLC, which runs Ned Devine's, the Green Briar, The Lenox, and other popular restaurants, has agreed to pay $110,000 to resolve allegations that the Boston chain failed to take reasonable steps to protect diners' personal information and put at risk the information on tens of thousands of credit and debit cards.
- Second-hand phones often contain personal data - Second-hand mobile phones often contain personal data, despite the attempts of owners to wipe devices before selling them on, according to data protection company CPP. Just over half of second-hand mobiles and SIM cards sold online - some 54 percent - contained sensitive personal data, a study commissioned by CPP found.
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Security and Confidentiality
The contract should address the service provider’s
responsibility for security and confidentiality of the institution’s
resources (e.g., information, hardware). The agreement should
prohibit the service provider and its agents from using or
disclosing the institution’s information, except as necessary to or
consistent with providing the contracted services, to protect
against unauthorized use (e.g., disclosure of information to
institution competitors). If the service provider receives
nonpublic personal information regarding the institution’s
customers, the institution should notify the service provider to
assess the applicability of the privacy regulations. Institutions
should require the service provider to fully disclose breaches in
security resulting in unauthorized intrusions into the service
provider that may materially affect the institution or its
customers. The service provider should report to the institution
when material intrusions occur, the effect on the institution, and
corrective action to respond to the intrusion.
Consideration should be given to contract provisions addressing
control over operations such as:
• Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and the institution's approval rights regarding material changes to services, systems, controls, key project personnel allocated to the institution, and new service locations.
• Setting and monitoring of parameters relating to any financial functions, such as payments processing and any extensions of credit on behalf of the
• Insurance coverage to be maintained by the service provider.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (1 of 2)
Token systems typically authenticate the token and assume that the user who was issued the token is the one requesting access. One example is a token that generates dynamic passwords every X seconds. When prompted for a password, the user enters the password generated by the token. The token's password-generating system is identical and synchronized to that in the system, allowing the system to recognize the password as valid. The strength of this system of authentication rests in the frequent changing of the password and the inability of an attacker to guess the seed and password at any point in time.
Another example of a token system uses a challenge/response mechanism. In this case, the user identifies him/herself to the system, and the system returns a code to enter into the password-generating token. The token and the system use identical logic and initial starting points to separately calculate a new password. The user enters that password into the system. If the system's calculated password matches that entered by the user, the user is authenticated. The strengths of this system are the frequency of password change and the difficulty in guessing the challenge, seed,
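As an added illustration (not part of the FFIEC booklet), the two token schemes above modelled in Python: the time-based password and the challenge/response password are both derived from the same shared seed with identical logic on the token and on the system, and the system-side verifier tolerates a small clock-drift window because the two clocks are never perfectly synchronized. The HMAC plus dynamic-truncation construction and the constructed seed are my assumptions of a concrete scheme; the text specifies none.

```python
import hashlib
import hmac
import struct

# Constructed shared seed: both the token and the authenticating system are
# provisioned with it, and its secrecy is what the whole scheme rests on.
SEED = b"12345678901234567890"
STEP_SECONDS = 30   # the "every X seconds" interval at which the password changes
DIGITS = 6

def _truncate(mac: bytes, digits: int) -> str:
    """Reduce a MAC to a short numeric password the user can type in."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def _otp_from_counter(seed: bytes, counter: int) -> str:
    """Identical logic on both sides: HMAC of a counter under the shared seed."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, DIGITS)

def time_based_password(seed: bytes, now: int) -> str:
    """Token side: the password displayed for the time step containing 'now'."""
    return _otp_from_counter(seed, now // STEP_SECONDS)

def verify_time_based(seed: bytes, candidate: str, now: int, drift_steps: int = 1) -> bool:
    """System side: recompute the password for the current step and a small
    window either side to absorb clock drift, comparing in constant time so
    the comparison itself leaks nothing about the expected value."""
    step = now // STEP_SECONDS
    return any(
        hmac.compare_digest(_otp_from_counter(seed, step + d), candidate)
        for d in range(-drift_steps, drift_steps + 1)
    )

def challenge_response(seed: bytes, challenge: bytes) -> str:
    """Challenge/response token: same seed and logic, but the input is the
    code the system handed the user instead of a time counter."""
    mac = hmac.new(seed, challenge, hashlib.sha1).digest()
    return _truncate(mac, DIGITS)

def verify_challenge_response(seed: bytes, challenge: bytes, candidate: str) -> bool:
    """System side: it issued the challenge, so it can recompute the answer."""
    return hmac.compare_digest(challenge_response(seed, challenge), candidate)
```

Widening drift_steps widens the window an attacker has to replay an observed password, so keep it at the smallest value that the deployed clocks actually need.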
Other token methods involve multi-factor authentication, or the use of more than one authentication method. For instance, an ATM card is a token. The magnetic strip on the back of the card contains a code that is recognized in the authentication process. However, the user is not authenticated until he or she also provides a PIN, or shared secret. This method is two-factor, using both something the user has and something the user knows. Two-factor authentication is generally stronger than single-factor authentication. This method can allow the institution to authenticate the user as well as the token.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
34. Does the institution deliver a revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a
nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of
nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer
to a nonaffiliated third party, if that former customer has not had
the opportunity to exercise an opt out right regarding that
(Note: a revised
notice is not required if the institution adequately described the
nonaffiliated third party or information to be disclosed in the
prior privacy notice. [§8(b)(2)])