REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
The Federal Financial Institutions Examination Council (FFIEC)
issued two joint statements which may be found on the FFIEC
Information Technology Handbook InfoBase under the What's New tab.
- The Federal Financial Institutions Examination Council members
are issuing statements to notify financial institutions of the risks
associated with cyber-attacks on Automated Teller Machine and card
authorization systems and the continued distributed denial of
service attacks on public-facing websites.
- The FDIC, as a member of the Federal Financial Institutions
Examination Council (FFIEC), has issued the attached statement to
notify institutions of the risks associated with the continued
distributed denial of service (DDoS) attacks on public-facing Web
sites and the steps institutions are expected to take to address the
risks posed by such attacks.
alerts banks of mounting ATM attacks, DDoS threat - On Wednesday, a
financial regulator notified banks of increased threats caused by
attacks on ATMs and card authorization systems.
- Banks lob sueball at Trustwave, Target over breach -
'Round-the-clock monitoring' spun out, missed vulnerabilities - A
group of banks has filed a class action lawsuit against Target over
its recent data breach, and has named security company Trustwave as
- Trustwave responds to Target breach lawsuit, bank drops out -
Trustmark National Bank on Friday dropped out of the class-action
lawsuit it had filed jointly with Green Bank, N.A. against Target
and information security firm Trustwave.
- Will Target’s Lawsuit Finally Expose the Failings of Security
Audits? - We’ve been here before. A massive theft of bank card data
from a company triggers an equally massive deluge of lawsuits - from
banks chasing reimbursement for the cost of replacing the cards and
from customers furious that said company failed to protect their
- IRS Virtual Currency Guidance: Virtual Currency Is Treated as
Property for U.S. Federal Tax Purposes; General Rules for Property
Transactions Apply - The Internal Revenue Service today issued a
notice providing answers to frequently asked questions (FAQs) on
virtual currency, such as bitcoin. These FAQs provide basic
information on the U.S. federal tax implications of transactions in,
or transactions that use, virtual currency.
- Gov't snooping drives companies away from cloud adoption, study
finds - Organizations are less likely to adopt the cloud due to
fears of government surveillance, according to a survey conducted at
RSA Conference 2014.
- GAO - Federal Agencies Need to Enhance Responses to Data Breaches.
- GAO - IRS Needs to Improve the Reliability and Transparency of
Reported Investment Information.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- ATM malware, controlled by a text message, spews cash - The
malware can cause a cash machine to start churning out bills - A
group of enterprising cybercriminals has figured out how to get cash
from a certain type of ATM -- by text message.
- Pinterest accounts hacked, display weight loss spam and butt
pictures - Pinterest users began reporting on Thursday night that
their accounts had been hacked into and were being used to post
weight loss spam.
- Malware on Wisconsin university server storing info on 15K
students - Roughly 15,000 University of Wisconsin-Parkside
(UW-Parkside) students are being notified that their personal
information - including Social Security numbers - may have been
compromised by hackers who installed malware on a server.
- Tesla cars' weak password protocol could allow remote unlock,
locating - At Black Hat Asia 2014, a security researcher revealed
how passwords for Tesla electric car owners can be easily cracked,
allowing saboteurs to remotely locate and unlock vehicles.
- Devices stolen from Palomar Health staffer, data on 5K patients at
risk - Roughly 5,000 patients of California-based Palomar Health are
being notified that their personal information may be at risk after
an encrypted laptop and two unencrypted flash drives were stolen
from an employee's vehicle.
- In LinkedIn breach suit, judge denies company's motion to dismiss
- A federal judge ruled that a class-action lawsuit, stemming from
LinkedIn's 2012 password breach, could move forward based on claims
that the company misrepresented its security practices.
- Anonymous DDoS attack dismantles Albuquerque Police website - The
hacktivist collective Anonymous organized a distributed
denial-of-service (DDoS) attack this weekend that made good on the
group's promise to shut down the Albuquerque Police Department's
- Medical staffers fall for phishing emails, data on 8,300
compromised - About 8,300 patients of Washington-based Franciscan
Medical Group (FMG) are being notified that their personal
information may have been compromised after nearly 20 employees
responded to information requests in phishing emails purporting to
come from FMG's parent company, Catholic Health Initiatives.
- Database of more than 150K Boxee.tv accounts posted on Tor Network
- Information on 158,128 Boxee.tv accounts has been discovered on
the anonymous Tor Network, according to Risk Based Security, a
- Unauthorized access gained to about 800 JSTOR accounts - Digital
library JSTOR is notifying approximately 800 users that their
personal information may be at risk after their MyJSTOR accounts
were accessed by an unauthorized third party.
- Theft of computers from Texas nonprofit risks data on nearly 3,000
- Texas-based EveryChild, Inc. is notifying nearly 3,000 families
that personal information - including Social Security numbers - may
be at risk after computers were stolen from the nonprofit's offices.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
When assessing information security products, management should be
aware that many products offer a combination of risk assessment
features, and can cover single or multiple operating systems.
Several organizations provide independent assessments and
certifications of the adequacy of computer security products (e.g.,
firewalls). While the underlying product may be certified, banks
should realize that the manner in which the products are configured
and ultimately used is an integral part of the products'
effectiveness. If relying on the certification, banks should
understand the certification process used by the organization
certifying the security product. Other examples of items to consider
in the risk assessment process include:
1) Identifying mission-critical information systems, and determining
the effectiveness of current information security programs. For
example, a vulnerability might involve critical systems that are not
reasonably isolated from the Internet and external access via modem.
Having up-to-date inventory listings of hardware and software, as
well as system topologies, is important in this process.
2) Assessing the importance and sensitivity of information and the
likelihood of outside break-ins (e.g., by hackers) and insider
misuse of information. For example, if a large depositor list were
made public, that disclosure could expose the bank to reputational
risk and the potential loss of deposits. Further, the institution
could be harmed if human resource data (e.g., salaries and personnel
files) were made public. The assessment should identify systems that
allow the transfer of funds, other assets, or sensitive
data/confidential information, and review the appropriateness of
access controls and other security policy settings.
3) Assessing the risks posed by electronic connections with business
partners. The other entity may have poor access controls that could
potentially lead to an indirect compromise of the bank's system.
Another example involves vendors that may be allowed to access the
bank's system without proper security safeguards, such as firewalls.
This could result in open access to critical information that the
vendor may have "no need to know."
4) Determining legal implications and contingent liability concerns
associated with any of the above. For example, if hackers
successfully access a bank's system and use it to subsequently
attack others, the bank may be liable for damages incurred by the
party that is attacked.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all
traffic not expressly allowed is denied, detailing which
applications can traverse the firewall and under what exact
circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the
firewall's effectiveness, and
! Contingency planning.
Financial institutions should also appropriately train and manage
their staffs to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
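The minimum policy contents listed above are easy to state and easy to drift from in a live rule base. As an added example (not from the FFIEC booklet or this newsletter), the following Python script audits a constructed firewall rule table against those contents: a deny-by-default posture, a documented application for every permitted flow, a named owner responsible for enforcement, and a regular review date. The rule format, field names and one-year review interval are assumptions.

```python
"""Audit a firewall rule table against a written firewall policy.

Added example; the rule format and the policy checks are assumptions
that mirror the booklet's minimum policy contents.
"""
from datetime import date

# Constructed sample rule table, in evaluation order (top to bottom).
RULES = [
    {"id": 10, "action": "allow", "src": "any", "dst": "10.1.5.20", "port": "443",
     "app": "online banking portal", "owner": "ebanking-team", "reviewed": "2014-02-01"},
    {"id": 20, "action": "allow", "src": "10.1.0.0/16", "dst": "any", "port": "any",
     "app": "", "owner": "", "reviewed": "2012-06-30"},
    {"id": 30, "action": "allow", "src": "203.0.113.0/24", "dst": "10.1.9.7", "port": "1433",
     "app": "vendor core-processor feed", "owner": "vendor-mgmt", "reviewed": "2014-01-15"},
]
DEFAULT_ACTION = "allow"        # implicit action when no rule matches (constructed)
REVIEW_INTERVAL_DAYS = 365      # assumed "regular auditing" interval


def audit(rules, default_action, today_iso, review_days=REVIEW_INTERVAL_DAYS):
    """Return a list of (rule_id, finding) pairs; an empty list means compliant."""
    today = date.fromisoformat(today_iso)
    findings = []
    # Permissible traffic: everything not expressly allowed must be denied.
    if default_action != "deny":
        findings.append((None, "default action is not deny"))
    for r in rules:
        if r["action"] != "allow":
            continue
        # An allow with no destination or port restriction is not "expressly allowed" traffic.
        if r["dst"] == "any" and r["port"] == "any":
            findings.append((r["id"], "allow rule permits any destination and any port"))
        # Each permitted application and its circumstances must be documented.
        if not r["app"]:
            findings.append((r["id"], "permitted application not documented"))
        # Someone must be responsible for monitoring and enforcing the rule.
        if not r["owner"]:
            findings.append((r["id"], "no owner responsible for enforcement"))
        # Configuration must be audited regularly.
        if (today - date.fromisoformat(r["reviewed"])).days > review_days:
            findings.append((r["id"], "rule not audited within review interval"))
    return findings


if __name__ == "__main__":
    for rule_id, text in audit(RULES, DEFAULT_ACTION, "2014-04-10"):
        print(f"rule {rule_id}: {text}")
```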
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out?
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive