REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
Heartbleed Bug -
Financial institutions that outsource their Internet banking and bill
pay should contact the vendor to ensure that the proper fixes have
been installed for the "Heartbleed Bug." In addition, you should
make a note in your IT Steering Committee minutes of your vendor
management's proactive actions.
FYI
- FDIC Urges Financial Institutions to Utilize Available Cyber
Resources - The Federal Deposit Insurance Corporation today urges
financial institutions to actively utilize available resources to
identify and help mitigate potential cyber-related risks. It is
important for financial institutions of all sizes to be aware of the
constantly emerging cyber threats and government-sponsored resources
available to help identify these threats on a real-time basis.
www.fdic.gov/news/news/press/2014/pr14028.html
FYI
- Technology Outsourcing: Informational Tools for Community Bankers - The three
attached FDIC Technology Outsourcing documents are being re-issued
as an informational resource to community banks on how to select
service providers, draft contract terms, and oversee multiple
service providers when outsourcing for technology products and
services.
www.fdic.gov/news/news/financial/2014/fil14013.pdf
FYI
- The Right Stuff: Staffing Your Corporate SOC - Building a Security
Operations Center (SOC) from scratch or revamping an underperforming
one is a daunting leadership challenge. If a cyber adversary gets
past your SOC analysts, there is nobody else in the organization who
can find them.
http://www.darkreading.com/operations/careers-and-people/the-right-stuff-staffing-your-corporate-soc/d/d-id/1127873
FYI
- Smaller banks warned of hackers raising ATM withdrawal limits - A
US federal agency warns of 'unlimited operations' where payment card
limits are raised by attackers - Smaller financial institutions have
been warned to look out for attacks that aim to increase the
withdrawal limit on customer payment cards for fraud purposes.
http://www.computerworld.co.nz/article/542008/smaller_banks_warned_hackers_raising_atm_withdrawal_limits/
FYI
- Japanese bank beats XP deadline, moves 30,000 terminals to Windows
8 - One Japanese banking group has beat Microsoft's April 8 support
deadline for Windows XP but millions - potentially hundreds of
millions - remain on the ageing OS.
http://www.zdnet.com/japanese-bank-beats-xp-deadline-moves-30000-terminals-to-windows-8-7000027964/
FYI
- Government breaches at all-time high, press blunder under-reports
by millions - This is one of those articles that spoils your faith
in mankind. Not only are government security incidents fully into
holy-cow territory, the press is reporting numbers three magnitudes
too low because someone misread a chart and everyone else copied
that report.
http://www.zdnet.com/government-breaches-at-all-time-high-press-blunder-under-reports-by-millions-7000028113/
FYI
- DHS Prepares Overhaul of Internal Security Operations - The
Homeland Security Department late Thursday announced future plans to
overhaul an organization that defends DHS’ own internal networks.
http://www.nextgov.com/cio-briefing/2014/04/dhs-prepares-overhaul-internal-security-operations/81937/
FYI
- Dutch government pays millions to extend Microsoft XP support -
The government of the Netherlands has struck a multimillion Euro
deal with Microsoft to secure continued support for its Windows XP
systems, according to a report published on 4 April in Dutch News.
http://www.zdnet.com/dutch-government-pays-millions-to-extend-microsoft-xp-support-7000028116/
FYI
- How a website flaw turned 22,000 visitors into a botnet of DDoS
zombies - Everyday browsers are unwittingly conscripted into a
powerful attack platform. Researchers have uncovered a recent
denial-of-service attack that employed an unusual, if not
unprecedented, technique to surreptitiously cause thousands of
everyday Internet users to bombard the target with a massive amount
of junk traffic.
http://arstechnica.com/security/2014/04/how-a-website-flaw-turned-22000-visitors-into-a-botnet-of-ddos-zombies/
FYI
- Data breaches up 62 percent in 2013 - If 2011 was the “Year of the
Data Breach,” then 2013 was the “Year of the Mega Data Breach,”
after a 62 percent increase in the number of breaches logged,
according to the "Internet Security Threat Report 2014" from
Symantec.
http://www.scmagazine.com/report-data-breaches-up-62-percent-in-2013/article/342006/
FYI
- Study reveals only 56 percent of employees get awareness training
- Companies aren't doing enough to raise the security awareness of
their employees, with 56 percent of corporate employees in a survey
by Enterprise Management Associates (EMA) saying they have not
undergone security or policy awareness training through their
companies.
http://www.scmagazine.com/study-reveals-only-56-percent-of-employees-get-awareness-training/article/342029/
FYI
- JPMorgan Chase CEO details company's cyber threats in annual
letter - JPMorgan Chase & Co.'s CEO addressed the “increasingly
complex and more dangerous” attacks the financial institution faces
in his annual letter to shareholders yesterday.
http://www.scmagazine.com/jpmorgan-chase-ceo-details-companys-cyber-threats-in-annual-letter/article/342171/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- U.S. States Investigating Breach at Experian - An exclusive
KrebsOnSecurity investigation detailing how a unit of credit bureau
Experian ended up selling consumer records to an identity theft
service in the cybercrime underground has prompted a multi-state
investigation by several attorneys general, according to wire
reports.
http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/
http://www.scmagazine.com/connecticut-illinois-to-investigate-massive-breach-at-experian-co/article/341461/
FYI
- Drives containing info on 2,500 stolen from Michigan health
department - The Michigan Department of Community Health (MDCH) is
notifying more than 2,500 individuals that their personal
information – including Social Security numbers – may have been
compromised after an encrypted laptop and an unencrypted flash drive
were stolen from the office of a State Long Term Care (LTC) employee.
http://www.scmagazine.com/drives-containing-info-on-2500-stolen-from-michigan-health-department/article/341415/
FYI
- Malware on Kaiser Permanente server since 2011 impacts 5,100
members - Health services provider Kaiser Permanente is notifying
roughly 5,100 members living in the Northern California region,
mostly in the Bay Area, that their personal information may be at
risk after malware was discovered on a server used by the Kaiser
Permanente Northern California Division of Research.
http://www.scmagazine.com/malware-on-kaiser-permanente-server-since-2011-impacts-5100-members/article/341333/
FYI
- Another 170K L.A. county health clients impacted in Sutherland
breach - The number of Los Angeles County Department of Health
Services clients impacted in the February theft of eight computers
from the offices of Sutherland Healthcare Solutions (SHS), a billing
and collections services provider for Los Angeles County, has
skyrocketed to 338,700.
http://www.scmagazine.com/another-170k-la-county-health-clients-impacted-in-sutherland-breach/article/341579/
FYI
- Chicago doctor's email account accessed, held info on 1,200
patients - More than 1,200 patients of Chicago-based Midwest
Orthopaedics at Rush (MOR) may have had personal information
compromised after an unknown individual gained unauthorized access
to a doctor's personal email account, which contained the data.
http://www.scmagazine.com/chicago-doctors-email-account-accessed-held-info-on-1200-patients/article/341746/
FYI
- GovWin IQ hacked, payment card data of 25,000 Deltek customers at
risk - An attacker, who hacked into the GovWin IQ system run by
Virginia-based enterprise software and information solutions
provider Deltek, compromised credentials and ultimately put
information on roughly 80,000 customers at risk, including payment
card data for about 25,000 of those individuals.
http://www.scmagazine.com/govwin-iq-hacked-payment-card-data-of-25000-deltek-customers-at-risk/article/342005/
FYI
- Vulnerable organizations respond to encryption-breaking
'Heartbleed Bug' - In the hours immediately following the grand
disclosure of the Heartbleed Bug, a critical vulnerability in widely
used versions of the OpenSSL library, most affected organizations
worked feverishly to plug the hole that could result in decryption
of communications that use SSL/TLS encryption.
http://www.scmagazine.com/vulnerable-organizations-respond-to-encryption-breaking-heartbleed-bug/article/342035/
FYI
- Breach impacts thousands in Bibb County that applied for gov't
jobs - In Georgia, thousands of Bibb County individuals that applied
for jobs with the government throughout the past four years may have
had personal information - including Social Security numbers -
compromised after the data was exposed in a website breach.
http://www.scmagazine.com/breach-impacts-thousands-in-bibb-county-that-applied-for-govt-jobs/article/342198/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Potential Threats To Consider
Serious hackers, interested computer novices, dishonest vendors or
competitors, disgruntled current or former employees, organized
crime, or even agents of espionage pose a potential threat to an
institution's computer security. The Internet provides a wealth of
information to banks and hackers alike on known security flaws in
hardware and software. Using almost any search engine, average
Internet users can quickly find information describing how to break
into various systems by exploiting known security flaws and software
bugs. Hackers also may breach security by misusing vulnerability
assessment tools to probe network systems, then exploiting any
identified weaknesses to gain unauthorized access to a system.
Internal misuse of information systems remains an ever-present
security threat.
Many break-ins or insider misuses of information occur due to poor
security programs. Hackers often exploit well-known weaknesses and
security defects in operating systems that have not been
appropriately addressed by the institution. Inadequate maintenance
and improper system design may also allow hackers to exploit a
security system. New security risks arise from evolving attack
methods or newly detected holes and bugs in existing software and
hardware. Also, new risks may be introduced as systems are altered
or upgraded, or through the improper setup of available
security-related tools. An institution needs to stay abreast of new
security threats and vulnerabilities. It is equally important to
keep up to date on the latest security patches and version upgrades
that are available to fix security flaws and bugs. Information
security and relevant vendor Web sites contain much of this
information.
Systems can be vulnerable to a variety of threats, including the
misuse or theft of passwords. Hackers may use password cracking
programs to figure out poorly selected passwords. The passwords may
then be used to access other parts of the system. By monitoring
network traffic, unauthorized users can easily steal unencrypted
passwords. The theft of passwords is more difficult if they are
encrypted. Employees or hackers may also attempt to compromise
system administrator access (root access), tamper with critical
files, read confidential e-mail, or initiate unauthorized e-mails or
transactions.
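The paper's point that stolen passwords are far less useful when they are not stored or transmitted in the clear is easy to show in code. The following is an added example, not part of the FDIC paper or this newsletter: it rejects poorly selected passwords at enrollment against a constructed denylist (a real deployment would load a much larger breach-derived list), stores only a salted PBKDF2 hash, and verifies with a constant-time comparison. Only the Python standard library is used; the iteration count follows current OWASP guidance and the denylist contents are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed denylist of poorly selected passwords. Assumption: a real
# deployment would load a much larger list compiled from breach corpora.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

PBKDF2_ITERATIONS = 600_000   # OWASP (2023) minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
MIN_LENGTH = 12


def is_poorly_selected(password: str) -> bool:
    """True if the password is one a cracking program would try first:
    shorter than MIN_LENGTH or present on the denylist (case-insensitive)."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a storable record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    The random per-user salt means two users with the same password get
    different records, and the iteration count makes each offline guess
    against a stolen record expensive."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the
    record and compare in constant time, so timing does not leak how many
    bytes matched. Malformed records never verify."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def set_password(password: str) -> str:
    """Enrollment path: refuse poorly selected passwords, otherwise return the
    record to store. Raises ValueError so the caller can report the reason."""
    if is_poorly_selected(password):
        raise ValueError("password is too short or too common")
    return hash_password(password)


if __name__ == "__main__":
    record = set_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:",
          verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("password", record))
```

Note that the stored record contains the salt and iteration count alongside the hash, so the parameters can be raised later without breaking existing accounts: new records simply carry the larger count, and verification reads whatever count each record was created with.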
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Policy (Part 2 of 3)
Firewalls are an essential control for a financial institution with
an Internet connection and provide a means of protection against a
variety of attacks. Firewalls should not be relied upon, however, to
provide full protection from attacks. Institutions should complement
firewalls with strong security policies and a range of other
controls. In fact, firewalls are potentially vulnerable to attacks
including:
- Spoofing trusted IP addresses;
- Denial of service by overloading the firewall with excessive
requests or malformed packets;
- Sniffing of data that is being transmitted outside the network;
- Hostile code embedded in legitimate HTTP, SMTP, or other traffic
that meets all firewall rules;
- Attacks on unpatched vulnerabilities in the firewall hardware or
software;
- Attacks through flaws in the firewall design providing relatively
easy access to data or services residing on firewall or proxy
servers; and
- Attacks against machines and communications used for remote
administration.
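Several of the weaknesses in the list above are addressed by how the firewall's own rule base is written. The following added example is not from the FFIEC booklet: it is a small first-match policy evaluator showing three compensating controls, namely anti-spoofing filtering on both interfaces, a default-deny rule base, and restricting remote administration of the firewall to a management network on the internal interface. The topology (internal LAN, management VLAN, public web server, the firewall's two addresses) and the sample packets are constructed for illustration; public addresses come from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Tuple
import ipaddress

# Constructed topology (assumption, not from the booklet): an internal LAN, a
# management VLAN inside it, a public web server behind the firewall, and the
# firewall's own two addresses. Public ranges are RFC 5737 documentation space.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
MGMT_NET = ipaddress.ip_network("10.20.99.0/24")
FIREWALL_ADDRS = {ipaddress.ip_address("198.51.100.1"),   # external side
                  ipaddress.ip_address("10.20.0.1")}      # internal side
PUBLIC_WEB = ipaddress.ip_address("198.51.100.10")
ADMIN_PORTS = {22, 443}          # SSH and HTTPS management of the firewall
PUBLIC_WEB_PORTS = {80, 443}
# Source ranges that should never arrive from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    in_iface: str   # "ext" (Internet-facing) or "int" (LAN-facing)
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """First-match policy evaluation; returns (verdict, reason).

    Every path that is not explicitly accepted ends in DROP, so a new
    service becomes reachable only when a rule is deliberately added."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Ingress anti-spoofing: nothing from the Internet may claim an internal
    # or reserved source address (counters spoofing of trusted addresses).
    if pkt.in_iface == "ext" and (src in INTERNAL_NET or
                                  any(src in net for net in BOGON_NETS)):
        return "DROP", "spoofed source address on external interface"

    # Egress anti-spoofing: traffic leaving the LAN must carry a LAN source,
    # which also stops compromised hosts from emitting spoofed floods.
    if pkt.in_iface == "int" and src not in INTERNAL_NET:
        return "DROP", "non-internal source address on internal interface"

    # The firewall itself: administration only from the management VLAN via
    # the internal interface; every other packet addressed to it is dropped,
    # which also limits exposure of unpatched services on the firewall.
    if dst in FIREWALL_ADDRS:
        if (pkt.in_iface == "int" and src in MGMT_NET
                and pkt.proto == "tcp" and pkt.dport in ADMIN_PORTS):
            return "ACCEPT", "administration from management network"
        return "DROP", "firewall reachable only for management traffic"

    # Published service: Internet to the public web server on web ports only.
    if (pkt.in_iface == "ext" and dst == PUBLIC_WEB
            and pkt.proto == "tcp" and pkt.dport in PUBLIC_WEB_PORTS):
        return "ACCEPT", "published web service"

    # Outbound from the LAN is permitted (a production policy would narrow
    # this to approved destinations and ports).
    if pkt.in_iface == "int":
        return "ACCEPT", "outbound from internal network"

    return "DROP", "default deny"


# Constructed sample traffic exercising each rule in turn.
SAMPLE_PACKETS = [
    Packet("ext", "10.20.5.5", "198.51.100.10", "tcp", 443),    # spoofed
    Packet("ext", "203.0.113.7", "198.51.100.1", "tcp", 22),    # admin from Internet
    Packet("int", "10.20.99.10", "10.20.0.1", "tcp", 22),       # admin from mgmt VLAN
    Packet("int", "10.20.5.5", "10.20.0.1", "tcp", 22),         # admin from user LAN
    Packet("ext", "203.0.113.7", "198.51.100.10", "tcp", 443),  # public web
    Packet("ext", "203.0.113.7", "198.51.100.10", "tcp", 3389), # unpublished port
    Packet("int", "10.20.5.5", "203.0.113.50", "tcp", 443),     # outbound
    Packet("int", "192.168.1.1", "203.0.113.50", "tcp", 443),   # egress spoof
]


def evaluate_all(packets=SAMPLE_PACKETS):
    """Evaluate a batch of packets; returns the list of (verdict, reason)."""
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, evaluate_all()):
        print(f"{verdict:6} {pkt.in_iface:3} {pkt.src:>14} -> "
              f"{pkt.dst}:{pkt.dport}  ({reason})")
```

The ordering matters: the anti-spoofing checks run before any accept rule, so a packet that forges a management-network source on the external interface is dropped before the administration rule is ever consulted. The same structure translates directly to a real packet filter, where the equivalent is an ingress/egress filter chain ahead of the service rules and an explicit final drop.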
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
44. If the institution receives
information from a nonaffiliated financial institution under an
exception in §14 or §15, does the institution refrain from using or
disclosing the information except:
a. to disclose the information to the affiliates of the financial
institution from which it received the information; [§11(a)(1)(i)]
b. to disclose the information to its own affiliates, which are in
turn limited by the same disclosure and use restrictions as the
recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an exception in
§14 or §15 in the ordinary course of business to carry out the
activity covered by the exception under which the information was
received? [§11(a)(1)(iii)]
(Note: the disclosure or use described in section c of
this question need not be directly related to the activity covered
by the applicable exception. For instance, an institution receiving
information for fraud-prevention purposes could provide the
information to its auditors. But "in the ordinary course of
business" does not include marketing. [§11(a)(2)])