REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Organizations in dark as employees party on with BYOD -
Organizations know that employees’ personal mobile devices are
sometimes getting onto their networks, but the extent of the problem
could be worse than they thought.
- UK hacker jailed for nicking PayPal, banking data from MILLIONS -
But York-based cybercrook only made £2.4k, court hears - A UK
cybercrook has been jailed for 26 months following his conviction
for stealing millions of banking and PayPal identities, the
Southwark Crown court confirmed to the Reg.
- Weak passwords render major power supplier vulnerable to hackers,
audit finds - A federal utility in the Pacific Northwest that powers
30 percent of the region, including key military installations, is
vulnerable to computer breaches, according to an internal Energy
- VA Ramps Up Security Training - Will Deny Network Access to Those
Lacking Updated Education - The Department of Veterans Affairs is
ramping up its privacy and security training efforts and plans to
eventually deny network access to those who have not had training
within the past year.
- GAO - Federal Reserve Banks: Areas for Improvement in Information
- Are security basics getting lost under the cover of cloud and
mobile? - Few would argue that the major themes at the recently
wrapped RSA Conference 2012 in San Francisco were cloud, mobile and
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Sky News admits hacking emails of 'canoe man' John Darwin - Sky
News has admitted senior executives authorised a journalist to hack
into the emails of John Darwin, the "canoe man" accused of faking
his own death in 2002. The broadcaster revealed a member of staff
was cleared to carry out the hacking, a breach of the Computer
Misuse Act, on two separate occasions that it believed were "in the
- Accused LulzSec member pleads guilty to hacking Sony - Accused
LulzSec hacker pleaded guilty today in a federal court in Los
Angeles, California, to felony charges associated with the breach of
Sony Pictures Entertainment that occurred in mid-2011.
- Hackers Access Medicaid Records - Claims for Utah Patients
Accessed - Hackers, believed to be from Eastern Europe, recently
accessed 24,000 Medicaid claims for Utah patients.
- Commerce agency still offline 12 weeks after virus hits - What
would you do without Google, or some other search engine, always
ready to find what you need on the Internet? How could you do your
job without e-mail and the attachments it carries?
- New security flaws detected in mobile devices - Those cool mobile
devices beloved by consumers carry deep-rooted security flaws that
are only now being discovered and addressed.
- Intel engineer turned chip spy pleads guilty - The roadmap to jail
- A former Intel engineer who worked on the company's Itanium
processors for servers and who is accused of stealing documents
relating to future processor designs and chip fabrication processes
has pleaded guilty to the charges.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
The Board of Directors and senior management are responsible for
developing the banking institution's business strategy. An explicit
strategic decision should be made as to whether the Board wishes the
bank to provide e-banking transactional services before beginning to
offer such services. Specifically, the Board should ensure that
e-banking plans are clearly integrated within corporate strategic
goals, a risk analysis is performed of the proposed e-banking
activities, appropriate risk mitigation and monitoring processes are
established for identified risks, and ongoing reviews are conducted
to evaluate the results of e-banking activities against the
institution's business plans and objectives.
In addition, the Board and senior management should ensure that the
operational and security risk dimensions of the institution's
e-banking business strategies are appropriately considered and
addressed. The provision of financial services over the Internet may
significantly modify and/or even increase traditional banking risks
(e.g. strategic, reputational, operational, credit and liquidity
risk). Steps should therefore be taken to ensure that the bank's
existing risk management processes, security control processes, due
diligence and oversight processes for outsourcing relationships are
appropriately evaluated and modified to accommodate e-banking
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log,
institutions should consider the importance of the related system or
information, the importance of monitoring the access controls, the
value of logged data in restoring a compromised system, and the
means to effectively analyze the data. Generally, logs should
capture source identification information; session ID; terminal ID;
and the date, time, and the nature of the access attempt, service
request, or process. Many hardware and software products come with
logging disabled and may have inadequate log analysis and reporting
capabilities. Institutions may have to enable the logging
capabilities and then verify that logging remains enabled after
rebooting. In some cases, additional software will provide the only
means to analyze the log files effectively.
Many products such as firewall and intrusion detection software can
simplify the security monitoring by automating the analysis of the
logs and alerting the appropriate personnel of suspicious activity.
Log files are critical to the successful investigation and
prosecution of security incidents and can potentially contain
sensitive information. Intruders will often attempt to conceal any
unauthorized access by editing or deleting log files. Therefore,
institutions should strictly control and monitor access to log
files. Some considerations for securing the integrity of log files
! Encrypting log files that contain sensitive data or that are
transmitting over the network,
! Ensuring adequate storage capacity to avoid gaps in data
! Securing backup and disposal of log files,
! Logging the data to a separate, isolated computer,
! Logging the data to write - only media like a write - once/read -
many (WORM) disk or drive,
! Utilizing centralized logging, such as the UNIX "SYSLOG" utility,
! Setting logging parameters to disallow any modification to
previously written data.
The financial institution should have an effective means of tracing
a security event through their system. Synchronized time stamps on
network devices may be necessary to gather consistent logs and a
consistent audit trail. Additionally, logs should be available, when
needed, for incident detection, analysis and response.
When using logs to support personnel actions, management should
consult with counsel about whether the logs are sufficiently
reliable to support the action.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of nonpublic
personal information that it discloses, as applicable, and a few
examples of each, or alternatively state that it reserves the right
to disclose all the nonpublic personal information that it collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with nonaffiliated
third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]