Spending less than 5 minutes a week, along with a cup of coffee, you can
monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA,
NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
- NASA Servers At High Risk Of Cyber Attack - Auditors were able to
pull encryption keys, passwords, and user account information over
the Internet from systems that help control spacecraft and process
critical data. The network NASA uses to control the International
Space Station and Hubble Telescope has unpatched vulnerabilities
that could be exploited over the Internet, NASA's inspector general
warned in a new report.
- FBI asks public to break a code, help solve a murder - An
interesting request for help has been made public yesterday by the
FBI: "Cryptanalysts, help solve an open murder case".
- Appeals Court Strengthens Warrantless Searches at Border - The
authorities may seize laptops, cameras and other digital devices at
the U.S. border without a warrant, and scour through them for days
hundreds of miles away, a federal appeals court ruled.
- Lawsuit claims fired data center worker wiped out TV show - The
creators of "Zodiac Island" say they lost an entire season of their
syndicated children's television show after a former employee at
their Internet service provider wiped out more than 300GB of video
- T.J.Maxx hacker says feds gave him the OK - The hacker who pleaded
guilty to leading one of the largest cases of credit card theft in
the U.S., is asking a judge to toss out the pleas, arguing that they
were part of his assignments as a paid government informant.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- A slew of banks, retailers affected by Epsilon email breach - Three
days after an email service provider notified clients that its
systems were compromised, affected businesses continue to emerge.
- Bank Customers Warned After Breach at Epsilon Marketing Firm - JP
Morgan Chase and the Kroger supermarket chain are warning customers
that their names and e-mail addresses may have fallen into the wrong
hands after someone broke into computer systems at e-mail marketing
- NSA to Investigate Nasdaq Hack - The National Security Agency has
been called in to help investigate recent hack attacks against the
company that runs the Nasdaq stock market, according to a news
- Mystery hack pwns Australian government - Email cache apparently
flashed - Parliamentary computers of the Australian prime minister,
Julia Gillard, and other ministers may have been hacked, according
to Australian media reports.
- Failure to encrypt portable devices inexcusable, say analysts -
Breaches such as the one involving BP oil spill claimants show why
encrypting data on portable devices is a no-brainer - The continuing
failure of many enterprises to encrypt sensitive data stored on
laptops and other mobile devices is inexcusable, analysts said
following BP's disclosure this week of a potential data compromise
involving a lost laptop.
- Comodo hacker claims another certificate authority - The hacker
who claimed credit for breaking into systems belonging to digital
certificate vendor Comodo said he has compromised another
certificate authority, along with two more Comodo partners, a move
that could further undermine trust in the system used to secure
websites on the Internet.
- EU parliament suspends webmail after cyber-attack - More than kids
playing around - The European Parliament network has fallen under
cyber-attack, leading to a suspension of webmail and other security
- Sensitive data goes missing from Illinois childcare agency -
Maryville Academy, a Des Plaines, Ill.-based social service agency
that serves abused children, revealed late last week that three
computer files containing personal and medical information of
thousands of children have gone missing.
- Former Gucci insider charged with hacking network - A former
network engineer at Gucci has been charged with hacking into the
company's network, deleting data and shutting down servers and
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The institution should generally include in the contract the types
of audit reports the institution is entitled to receive (e.g.,
financial, internal control and security reviews). The contract can
specify audit frequency, cost to the institution associated with the
audits if any, as well as the rights of the institution and its
agencies to obtain the results of the audits in a timely manner. The
contract may also specify rights to obtain documentation regarding
the resolution of audit-disclosed deficiencies and to inspect the
processing facilities and
operating practices of the service provider. Management should
consider, based upon the risk assessment phase, the degree to which
independent internal audits completed by service provider audit
staff can be used and the need for external audits and reviews
(e.g., SAS 70 Type I and II reviews). (AICPA
Statement of Auditing Standards 70 “Reports of Processing of
Transactions by Service Organizations,” known as SAS 70 Reports, are
one commonly used form of external review. Type I SAS 70 reports
review the service provider’s policies and procedures. Type II SAS
70 reports provide tests of actual controls against policies and
For services involving access to open networks, such as
Internet-related services, special attention should be paid to
security. The institution may wish to include contract terms
requiring periodic audits to be performed by an independent party
with sufficient expertise. These audits may include penetration
testing, intrusion detection, and firewall configuration. The
institution should receive sufficiently detailed reports on the
findings of these ongoing audits to adequately assess security
without compromising the service provider’s security. It can be
beneficial to both the service provider and the institution to
contract for such ongoing tests on a coordinated basis given the
number of institutions that may contract with the service provider
and the importance of the test results to the institution.
Contractual terms should discuss the frequency and type of reports
the institution will receive (e.g., performance reports, control
audits, financial statements, security, and business resumption
testing reports). Guidelines and fees for obtaining custom reports
should also be discussed.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi-factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non-token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure, and
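As an added illustration (not from the FFIEC booklet or this newsletter), the Python sketch below shows the two controls described above on the server side: a token's one-time code is only accepted together with a password known to the user and the system, and a token reported stolen is cancelled so its codes no longer unlock access. The one-time code routine follows RFC 4226 (HOTP); the seed, salt, serial and password are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample data (not real credentials): the RFC 4226 test seed,
# a password salt, and the PBKDF2 cost used for the password factor.
TOKEN_SEED = b"12345678901234567890"
PASSWORD_SALT = b"constructed-salt"
PBKDF2_ROUNDS = 50_000

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, PBKDF2_ROUNDS)

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code per RFC 4226: HMAC-SHA1 over the counter,
    then dynamic truncation to the requested number of decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TokenAuthenticator:
    """Server side of a two-factor check: token code AND user password."""

    def __init__(self, serial: str, seed: bytes, password_hash: bytes, window: int = 3):
        self.serial = serial
        self.seed = seed
        self.password_hash = password_hash
        self.counter = 0          # next counter value the server expects
        self.window = window      # tolerate a few unused button presses
        self.revoked = False      # set when the token is reported lost or stolen

    def revoke(self) -> None:
        """Prompt cancellation after a theft report: codes stop unlocking access."""
        self.revoked = True

    def authenticate(self, token_code: str, password: str) -> bool:
        if self.revoked:
            return False
        # Always evaluate the password, so a bad code and a bad password take
        # the same path; both factors must pass for access to be granted.
        password_ok = hmac.compare_digest(hash_password(password), self.password_hash)
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), token_code):
                self.counter = c + 1  # a matched code is consumed: no replay
                return password_ok
        return False
```

A stolen token on its own yields valid codes but fails the password factor, and once the serial is revoked even a correct code and password are rejected.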
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
35. Does the institution deliver
the privacy and opt out notices, including the short-form notice, so
that the consumer can reasonably be expected to receive actual
notice in writing or, if the consumer agrees, electronically?