R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 6, 2014

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - The Federal Financial Institutions Examination Council (FFIEC) issued two joint statements which may be found on the FFIEC Information Technology Handbook InfoBase under the What's New tab, http://ithandbook.ffiec.gov/what%27s-new.aspx.

FYI - The Federal Financial Institutions Examination Council members are issuing statements to notify financial institutions of the risks associated with cyber-attacks on Automated Teller Machine and card authorization systems and the continued distributed denial of service attacks on public-facing websites. 
Press Release: www.ffiec.gov/press/pr040214.htm
Press Release: www.fdic.gov/news/news/financial/2014/fil14010.html
Press Release: www.ncua.gov/News/Pages/NW20140402FFIECJointStatement.aspx
Press Release: http://www.occ.treas.gov/news-issuances/bulletins/2014/bulletin-2014-13.html

FYI - The FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), has issued the attached statement to notify institutions of the risks associated with the continued distributed denial of service (DDoS) attacks on public-facing Web sites and the steps institutions are expected to take to address the risks posed by such attacks.
Press Release: www.fdic.gov/news/news/financial/2014/fil14011.html
Press Release:  http://www.occ.treas.gov/news-issuances/bulletins/2014/bulletin-2014-14.html
 

FYI - Regulator alerts banks of mounting ATM attacks, DDoS threat - On Wednesday, a financial regulator notified banks of increased threats caused by attacks on ATMs and card authorization systems. http://www.scmagazine.com/regulator-alerts-banks-of-mounting-atm-attacks-ddos-threat/article/341279/

FYI - Banks lob sueball at Trustwave, Target over breach - 'Round-the-clock monitoring' spun out, missed vulnerabilities - A group of banks has filed a class action lawsuit against Target over its recent data breach, and has named security company Trustwave as a co-defendant. http://www.theregister.co.uk/2014/03/26/banks_lob_sueball_at_trustwave_target/
http://www.computerworld.com/s/article/9247309/Bank_abandons_place_in_class_action_suit_against_Target_Trustwave

FYI - Trustwave responds to Target breach lawsuit, bank drops out - Trustmark National Bank on Friday dropped out of the class-action lawsuit it had filed jointly with Green Bank, N.A. against Target and information security firm Trustwave. http://www.scmagazine.com/trustwave-responds-to-target-breach-lawsuit-bank-drops-out/article/340430/

FYI - Will Target’s Lawsuit Finally Expose the Failings of Security Audits? - We’ve been here before. A massive theft of bank card data from a company triggers an equally massive deluge of lawsuits - from banks chasing reimbursement for the cost of replacing the cards and from customers furious that said company failed to protect their data. http://www.wired.com/2014/03/trustwave-target-audit/

FYI - IRS Virtual Currency Guidance : Virtual Currency Is Treated as Property for U.S. Federal Tax Purposes; General Rules for Property Transactions Apply - The Internal Revenue Service today issued a notice providing answers to frequently asked questions (FAQs) on virtual currency, such as bitcoin. These FAQs provide basic information on the U.S. federal tax implications of transactions in, or transactions that use, virtual currency. http://www.irs.gov/uac/Newsroom/IRS-Virtual-Currency-Guidance

FYI - Gov't snooping drives companies away from cloud adoption, study finds - Organizations are less likely to adopt the cloud due to fears of government surveillance, according to a survey conducted at RSA Conference 2014. http://www.scmagazine.com/govt-snooping-drives-companies-away-from-cloud-adoption-study-finds/article/340207/

FYI - GAO - Federal Agencies Need to Enhance Responses to Data Breaches. http://www.gao.gov/products/GAO-14-487T

FYI - GAO - IRS Needs to Improve the Reliability and Transparency of Reported Investment Information.  http://www.gao.gov/products/GAO-14-298

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - ATM malware, controlled by a text message, spews cash - The malware can cause a cash machine to start churning out bills - A group of enterprising cybercriminals has figured out how to get cash from a certain type of ATM -- by text message. http://www.computerworld.com/s/article/9247158/ATM_malware_controlled_by_a_text_message_spews_cash

FYI - Pinterest accounts hacked, display weight loss spam and butt pictures - Pinterest users began reporting on Thursday night that their accounts had been hacked into and were being used to post weight loss spam. http://www.scmagazine.com/pinterest-accounts-hacked-display-weight-loss-spam-and-butt-pictures/article/340296/

FYI - Malware on Wisconsin university server storing info on 15K students - Roughly 15,000 University of Wisconsin-Parkside (UW-Parkside) students are being notified that their personal information - including Social Security numbers - may have been compromised by hackers who installed malware on a server. http://www.scmagazine.com/malware-on-wisconsin-university-server-storing-info-on-15k-students/article/340208/

FYI - Tesla cars' weak password protocol could allow remote unlock, locating - At Black Hat Asia 2014, a security researcher revealed how passwords for Tesla electric car owners can be easily cracked, allowing saboteurs to remotely locate and unlock vehicles. http://www.scmagazine.com/tesla-cars-weak-password-protocol-could-allow-remote-unlock-locating/article/340520/

FYI - Devices stolen from Palomar Health staffer, data on 5K patients at risk - Roughly 5,000 patients of California-based Palomar Health are being notified that their personal information may be at risk after an encrypted laptop and two unencrypted flash drives were stolen from an employee's vehicle. http://www.scmagazine.com/devices-stolen-from-palomar-health-staffer-data-on-5k-patients-at-risk/article/340423/

FYI - In LinkedIn breach suit, judge denies company's motion to dismiss - A federal judge ruled that a class-action lawsuit, stemming from LinkedIn's 2012 password breach, could move forward based on claims that the company misrepresented its security practices. http://www.scmagazine.com/in-linkedin-breach-suit-judge-denies-companys-motion-to-dismiss/article/340814/

FYI - Anonymous DDoS attack dismantles Albuquerque Police website - The hacktivist collective Anonymous organized a distributed denial-of-service (DDoS) attack this weekend that made good on the group's promise to shut down the Albuquerque Police Department's website. http://www.scmagazine.com/anonymous-ddos-attack-dismantles-albuquerque-police-website/article/340805/

FYI - Medical staffers fall for phishing emails, data on 8,300 compromised - About 8,300 patients of Washington-based Franciscan Medical Group (FMG) are being notified that their personal information may have been compromised after nearly 20 employees responded to information requests in phishing emails purporting to come from FMG's parent company, Catholic Health Initiatives. http://www.scmagazine.com/medical-staffers-fall-for-phishing-emails-data-on-8300-compromised/article/340590/

FYI - Database of more than 150K Boxee.tv accounts posted on Tor Network - Information on 158,128 Boxee.tv accounts has been discovered on the anonymous Tor Network, according to Risk Based Security, a Virginia company. http://www.scmagazine.com/database-of-more-than-150k-boxeetv-accounts-posted-on-tor-network/article/341034/

FYI - Unauthorized access gained to about 800 JSTOR accounts - Digital library JSTOR is notifying approximately 800 users that their personal information may be at risk after their MyJSTOR accounts were accessed by an unauthorized third party. http://www.scmagazine.com/unauthorized-access-gained-to-about-800-jstor-accounts/article/340956/

FYI - Theft of computers from Texas nonprofit risks data on nearly 3,000 - Texas-based EveryChild, Inc. is notifying nearly 3,000 families that personal information - including Social Security numbers - may be at risk after computers were stolen from the nonprofit's offices. http://www.scmagazine.com/theft-of-computers-from-texas-nonprofit-risks-data-on-nearly-3000/article/341234/


WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

When assessing information security products, management should be aware that many products offer a combination of risk assessment features, and can cover single or multiple operating systems. Several organizations provide independent assessments and certifications of the adequacy of computer security products (e.g., firewalls). While the underlying product may be certified, banks should realize that the manner in which the products are configured and ultimately used is an integral part of the products' effectiveness. If relying on the certification, banks should understand the certification process used by the organization certifying the security product. Other examples of items to consider in the risk assessment process include:

1) Identifying mission-critical information systems, and determining the effectiveness of current information security programs. For example, a vulnerability might involve critical systems that are not reasonably isolated from the Internet and external access via modem. Having up-to-date inventory listings of hardware and software, as well as system topologies, is important in this process.

2) Assessing the importance and sensitivity of information and the likelihood of outside break-ins (e.g., by hackers) and insider misuse of information. For example, if a large depositor list were made public, that disclosure could expose the bank to reputational risk and the potential loss of deposits. Further, the institution could be harmed if human resource data (e.g., salaries and personnel files) were made public. The assessment should identify systems that allow the transfer of funds, other assets, or sensitive data/confidential information, and review the appropriateness of access controls and other security policy settings. 

3) Assessing the risks posed by electronic connections with business partners. The other entity may have poor access controls that could potentially lead to an indirect compromise of the bank's system. Another example involves vendors that may be allowed to access the bank's system without proper security safeguards, such as firewalls. This could result in open access to critical information that the vendor may have "no need to know."

4) Determining legal implications and contingent liability concerns associated with any of the above. For example, if hackers successfully access a bank's system and use it to subsequently attack others, the bank may be liable for damages incurred by the party that is attacked.

 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Firewall Policy (Part 1 of 3)

A firewall policy states management's expectations for how the firewall should function and is a component of the overall security policy. It should establish rules for traffic coming into and going out of the security domain and how the firewall will be managed and updated. Therefore, it is a type of security policy for the firewall, and forms the basis for the firewall rules. The firewall selection and the firewall policy should stem from the ongoing security risk assessment process. Accordingly, management needs to update the firewall policy as the institution's security needs and the risks change. At a minimum, the policy should address:

! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the firewall's effectiveness, and
! Contingency planning.

Financial institutions should also appropriately train and manage their staffs to ensure the firewall policy is implemented properly. Alternatively, institutions can outsource the firewall management, while ensuring that the outsourcer complies with the institution's specific firewall policy.
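Two of the policy items above, the "all traffic not expressly allowed is denied" premise and regular auditing of the firewall's configuration, can be checked mechanically. The Python below is an added illustration, not code from the FFIEC booklet or this newsletter: the rule syntax, the sample policy and ruleset, and the `parse_rules` and `audit` helpers are all assumptions made for the example.

```python
from typing import List, Tuple

# Added illustration, not FFIEC or newsletter code. Assumed rule syntax:
# '<allow|deny> <proto> <port> <in|out>', first match wins, 'any' = wildcard.
Rule = Tuple[str, str, str, str]   # (action, proto, port, direction)
DENY_ALL: Rule = ("deny", "any", "any", "any")

# Constructed sample policy: traffic the written policy expressly permits.
POLICY_PERMITTED = {
    ("tcp", "443", "in"),   # customer web banking over HTTPS
    ("tcp", "53", "out"),   # DNS to the institution's resolvers
    ("udp", "53", "out"),
}

# Constructed sample ruleset; the 3389 line is the drift an audit should find.
SAMPLE_RULES = """
allow tcp 443 in      # web banking
allow tcp 53 out
allow udp 53 out
allow tcp 3389 in     # remote desktop opened for a vendor, never added to policy
deny any any any      # default deny: everything not expressly allowed
"""

def parse_rules(text: str) -> List[Rule]:
    """Parse the assumed rule syntax; text after '#' is a comment."""
    rules: List[Rule] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {line!r}")
        rules.append((parts[0], parts[1], parts[2], parts[3]))
    return rules

def audit(rules: List[Rule], permitted) -> List[str]:
    """Findings: no default deny, over-broad allows, allows absent from policy."""
    findings: List[str] = []
    if not rules or rules[-1] != DENY_ALL:
        findings.append("ruleset does not end with a default deny (deny any any any)")
    for action, proto, port, direction in rules:
        if action != "allow":
            continue
        if "any" in (proto, port, direction):
            findings.append(f"over-broad allow rule: {proto} {port} {direction}")
        elif (proto, port, direction) not in permitted:
            findings.append(f"allow rule not in policy: {proto} {port} {direction}")
    return findings
```

Running `audit(parse_rules(SAMPLE_RULES), POLICY_PERMITTED)` returns a single finding for the undocumented 3389 rule; a ruleset with no closing deny-all or with an `any` allow produces a finding for that as well.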



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

43.  Does the institution allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? [§10(c)]

(Note: an institution may allow partial opt outs in addition to, but may not allow them instead of, a comprehensive opt out.)

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated