- Victim of $440K wire fraud can't blame bank for loss, judge rules
- Choice Escrow failed to take bank's advice for securing wire
transfers, court says - A federal court in Missouri has rejected an
escrow firm's attempt to blame its bank for a $440,000 cyberheist in
- Alleged fight between anti-spam group and blacklisted company
incites massive DDoS - A Netherlands-based web host has been accused
of launching distributed-denial-of-service (DDoS) attacks against an
anti-spam group that blacklisted it - a reprisal that eventually
grew to become the largest attack of its kind, affecting internet
users around the world.
- Draft of cyber bill exacerbates flaws of anti-hacking law -
Lawmakers are eyeing a draft of a cyber security bill that could
impose more severe punishment for cyber crimes under the Computer
Fraud and Abuse Act (CFAA).
- Beyond BYOD - The ever-increasing use of personal devices has
tested enterprise defenses, so plans must be created to meet the
- Roughly 20 charged in Eastern Europe with building Carberp banking
trojan - Russian authorities have nabbed a gang of about 20 people
allegedly behind the Carberp banking trojan, according to a report
in the nation's Kommersant paper.
- Deciphering cloud strategy - There are steps security pros can
take to achieve greater peace of mind with cloud implementations.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Wells Fargo warns of ongoing DDOS attacks - Some customers may
experience intermittent access, the bank said - Wells Fargo warned
on Tuesday that its website is being targeted again by a distributed
denial-of-service (DDOS) attack.
- Egyptian navy captures divers trying to cut undersea internet
cables - Telecom Egypt connections targeted for termination - A
spokesman for the Egyptian military has reported that three scuba
divers have been arrested in the Mediterranean as they tried to cut
a submarine data cable owned by local telco Telecom Egypt.
- Doctor's stolen laptop found at pawn shop; data of 652 patients
exposed - A Washington state psychologist's laptop containing the
personal health information of several hundred patients was stolen -
and later recovered in a pawn shop.
- Electronic road signs hacked in Illinois - Electronic road signs
in St. Charles, Ill. were hacked on Thursday, displaying messages
that had nothing to do with a pipeline project taking place nearby,
according to a report in St. Charles Patch.
- “Funded hacktivism” or cyber-terrorists, AmEx attackers have big
bankroll - On March 28, American Express' website went offline for
at least two hours during a distributed denial of service attack.
- Public safety personnel targeted by DoS attacks flooding phone
lines - Telephone lines for public safety and emergency
communication workers have been inundated with bogus calls, an
attack characterized by the U.S. Department of Homeland Security and
FBI as telephony denial-of-service (TDoS), which is being used to
extort money from victims.
- Bank website attacks reach new high: 249 hours offline in past six
weeks - Major U.S. bank websites have been offline a total of 249
hours in the past six weeks, perhaps the clearest indication yet
that American companies are prime targets in an unrelenting, global
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
• Determine adequacy of the service provider’s standards, policies
and procedures relating
to internal controls, facilities management (e.g., access
requirements, sharing of facilities, etc.), security (e.g.,
systems, data, equipment, etc.), privacy protections,
maintenance of records, business resumption contingency
planning, systems development and maintenance, and employee
• Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
• Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that
are relevant to the services they are providing (e.g., Regulation E,
privacy and other consumer protection regulations, Bank Secrecy Act,
etc.).
• Assess the adequacy of the service provider’s insurance
coverage including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
• Analyze the service provider’s most recent audited financial
statements and annual report as
well as other indicators (e.g., publicly traded bond ratings),
• Consider factors such as how long the service provider has
been in business and the service provider’s market share for a
given service and how it has fluctuated.
• Consider the significance of the institution’s proposed
contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s
level of investment in technology consistent with supporting the
institution’s activities? Does the service provider have the
financial resources to invest in and support the required
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review part
two of three regarding controls to prevent and detect intrusions.
4) Attack Profile. Frequently systems are installed with more
available components and services than are required for the
performance of necessary functions. Banks maintaining unused
features may unwittingly enable network penetration by increasing
the potential vulnerabilities. To reduce the risk of intrusion,
institutions should use the minimum number of system components and
services to perform the necessary functions.
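An added example, not from the OCC bulletin or this newsletter, of how an institution can put the attack-profile point into practice: compare the services a host actually exposes against the minimum its role needs, so surplus components stand out for removal. The role baseline and the listener listing (in the shape of `ss -tlnp` output) are constructed assumptions.

```python
import re

# Hypothetical minimum baseline per host role: the (protocol, port) pairs a
# host in that role needs to do its job; anything else is surplus attack surface.
REQUIRED_SERVICES = {
    "web": {("tcp", 443), ("tcp", 22)},
    "db": {("tcp", 5432), ("tcp", 22)},
}

# Constructed sample in the shape of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=1202,fd=6))
LISTEN 0      50     0.0.0.0:21        0.0.0.0:*         users:(("vsftpd",pid=1330,fd=4))
LISTEN 0      128    127.0.0.1:25      0.0.0.0:*         users:(("master",pid=990,fd=13))
LISTEN 0      100    0.0.0.0:5900      0.0.0.0:*         users:(("Xvnc",pid=1410,fd=7))
"""

# One LISTEN row: local bind address, port and the name of the owning process.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return {("tcp", port): (bind_address, process)} for each LISTEN row."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
            listeners[("tcp", port)] = (addr, proc)
    return listeners


def unexpected_services(role, ss_output):
    """Split listeners outside the role's baseline into network-reachable ones
    (candidates for removal) and loopback-only ones (lower risk, still review)."""
    required = REQUIRED_SERVICES[role]
    exposed, local_only = {}, {}
    for key, (addr, proc) in parse_listeners(ss_output).items():
        if key in required:
            continue
        (local_only if addr.startswith("127.") else exposed)[key] = proc
    return exposed, local_only


def report(role, ss_output):
    """Human-readable findings, one line per surplus service."""
    exposed, local_only = unexpected_services(role, ss_output)
    lines = [f"REMOVE  tcp/{p} ({proc}) - not required for role '{role}'"
             for (_, p), proc in sorted(exposed.items())]
    lines += [f"REVIEW  tcp/{p} ({proc}) - loopback only"
              for (_, p), proc in sorted(local_only.items())]
    return lines
```

Run `print("\n".join(report("web", SAMPLE_SS_OUTPUT)))` to list the FTP and VNC listeners as removal candidates and the loopback-only mail listener for review.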
5) Modem Sweep. While access to a system is typically directed
through a firewall, sometimes modems are attached to the system
directly, perhaps without the knowledge of personnel responsible for
security. Those modems can provide an uncontrolled and unmonitored
area for attack. Modems that present such vulnerabilities should be
identified and either eliminated, or monitored and controlled.
6) Intrusion Identification. Real-time identification of an attack
is essential to minimize damage. Therefore, management should
consider the use of real-time intrusion detection software.
Generally, this software inspects for patterns or "signatures" that
represent known intrusion techniques or unusual system activities.
It may not be effective against new attack methods or modified
attack patterns. The quality of the software and sophistication of
an attack also may reduce the software's effectiveness. To identify
intrusions that escape software detection, other practices may be
necessary. For example, banks can perform visual examinations and
observations of systems and logs for unexpected or unusual
activities and behaviors as well as manual examinations of hardware.
Since intrusion detection software itself is subject to compromise,
banks should take steps to ensure the integrity of the software
before it is used.
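An added example, not from the OCC bulletin or this newsletter, that illustrates the three points of item 6 in code: signature inspection of log lines, a modified pattern that escapes the raw signature until input is normalized, a behavioural check that flags the same source without any signature, and an integrity check on the signature set before it is used. The log lines, signature set and log format are constructed assumptions.

```python
import hashlib
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (source, method, path, status); not from a real server.
LOG_LINES = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.9 GET /cgi-bin/view?file=../../etc/passwd 404",
    "10.0.0.9 GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd 404",
    "10.0.0.9 GET /admin 404",
    "10.0.0.9 GET /backup.zip 404",
    "10.0.0.7 GET /about.html 200",
]

# Illustrative signature set, one known pattern per line, as shipped to the sensor.
SIGNATURE_TEXT = "../../\n/etc/passwd"


def fingerprint(text):
    """SHA-256 of the signature set; the known-good value is recorded out of band."""
    return hashlib.sha256(text.encode()).hexdigest()


def load_signatures(text, expected_sha256):
    """Refuse a signature set whose digest does not match the known-good value."""
    if fingerprint(text) != expected_sha256:
        return None
    return [s for s in text.splitlines() if s]


def signature_hits(lines, signatures, normalize=False):
    """Lines matching a signature. With normalize=True the URL-encoded form is
    decoded first, so a trivially modified pattern no longer slips past."""
    hits = []
    for line in lines:
        text = unquote(line) if normalize else line
        for sig in signatures:
            if sig in text:
                hits.append((line, sig))
                break
    return hits


def noisy_sources(lines, threshold=3):
    """Sources with >= threshold client-error responses: unusual activity
    worth a manual look even when no signature fired."""
    errors = Counter(l.split()[0] for l in lines if l.split()[-1].startswith("4"))
    return {src: n for src, n in errors.items() if n >= threshold}
```

With the constructed input the raw signature pass catches one line, the normalized pass catches two, and the behavioural check flags 10.0.0.9 on its four error responses alone.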
7) Firewalls. Firewalls are an important component of network
security and can be effective in reducing the risk of a successful
attack. The effectiveness of a firewall, however, is dependent on
its design and implementation. Because misconfigurations, operating
flaws, and the means of attack may render firewalls ineffective,
management should consider additional security behind the firewall,
such as intrusion identification and encryption.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
1. To assess the quality of a financial institution's compliance
management policies and procedures for implementing the privacy
regulation, specifically ensuring consistency between what the
financial institution tells consumers in its notices about its
policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial
institution's internal controls and procedures for monitoring the
institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the
privacy regulation, specifically in meeting the following
a) Providing to customers notices of its privacy policies and
practices that are timely, accurate, clear and conspicuous, and
delivered so that each customer can reasonably be expected to
receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated third
parties, other than under an exception, after first meeting the
applicable requirements for giving consumers notice and the right to
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information
received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in the
4. To initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are deficient.