REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Technology is not the only answer when it comes to security - In
the midst of these heady times of rapid change and advancement,
there is a growing consensus that it is time to take a step back and
reassess the bigger picture.
- U.S. Promises Not to Sue Companies for Discussing Hacks - The
Justice Department and the Federal Trade Commission issued a formal
policy statement Thursday, assuring businesses that they will not
face federal lawsuits for sharing information with each other about
attacks on their computer systems.
- Pentagon to triple its security workforce by 2016 - Defense
Secretary Chuck Hagel announced Pentagon efforts to strengthen its
U.S. Cyber Command in coming years. By 2016, the Fort Meade,
Md.-based military command expects to triple its security staff to
6,000 people, he said.
Only three of 43 police forces able to tackle cybercrime challenges
- Her Majesty's Inspectorate of Constabulary (HMIC) warned in its
Strategic Policing Requirement report that despite heavy investment
and development strategies set by the government, digital issues
continue to baffle police.
Judge denies Wyndham motion challenging FTC authority - On Monday, a
U.S. District Court denied (PDF) Wyndham Worldwide's motion to
dismiss FTC claims accusing the hotelier of “unfair” and “deceptive”
practices related to its failure to adequately secure consumer data.
Bank of America target of class-action suit for 2012 breach - Bank
of America was hit with a class action suit in California earlier
this week charging that the company is liable for identity theft and
fraud in the aftermath of a 2012 data breach, according to documents
filed in the California Superior Court, County of Los Angeles, and
reported on by Law360.
- Kentucky becomes 47th state to pass data breach notification laws
- Gov. Steve Beshear signed a bill on Thursday that means data
breaches can no longer go unreported in Kentucky.
- Texas man receives 14 more charges for brute-force attack - A
Texas man who attempted to access the Hidalgo County server received
additional charges this past week.
- U.S. rallied 120 nations in response to 2012 cyberattack on
American banks - In the spring of 2012, some of the largest banks in
the United States were coming under attack, with hackers
commandeering servers around the world to direct a barrage of
Internet traffic toward the banks’ Web sites.
- UK cosmetic surgery group extorted by hacker that stole data on
500K - Individuals that submitted inquiries on the Harley Medical
Group (HMG) website may have had their personal information stolen
by an attacker that hoped to extort the UK-based cosmetic surgery
company for money.
- Data on 55,000 VFW members impacted by attacker seeking military
intel - About 55,000 members of the Veterans of Foreign Wars of the
United States (VFW) may have had personal information – including
Social Security numbers – compromised after an unauthorized party
gained access to a VFW web server using a remote access trojan and
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Latest UMD 'intrusion' linked to IT worker exposing security issues,
account shows - A software engineer revealed that the FBI raided his
home after his attempts to expose a security issue impacting the
University of Maryland's systems.
80,000 Employees of Federal Contractors Compromised in Cyberattack -
Personal information of about 80,000 employees of federal
contractors was compromised in a cyberattack last month, including
credit card details of as many as 25,000, a business research and
Card skimming device found on NYC subway station machine - A card
skimming device and camera were found at a New York City subway
station last night after an astute commuter notified Metropolitan
Transportation Authority (MTA) officials.
More than 1,400 medical records compromised in Texas breach -
Unauthorized access was gained to the Electronic Health Record (EHR)
system used by Texas-based Lubbock Cardiology Clinic (LCC), which
resulted in the compromise of more than 1,400 medical records.
- American Funds urges password change to counter 'Heartbleed' bug -
American Funds, the No. 3 U.S. mutual fund family, advised some
customers to change user names and passwords on Wednesday as the
number of companies and people affected by the notorious
"Heartbleed" bug grows.
- Heartbleed bug: Check which sites have been patched - We compiled
a list of the top 100 sites across the Web, and checked to see if
the Heartbleed bug was patched. - he Heartbleed bug is serious.
Disclosed less than two days ago, the Heartbleed bug has sent sites
and services across the Internet into patch mode.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices or Information System Security."
Hackers may use "social engineering" a scheme using social
techniques to obtain technical information required to access a
system. A hacker may claim to be someone authorized to access the
system such as an employee or a certain vendor or contractor. The
hacker may then attempt to get a real employee to reveal user names
or passwords, or even set up new computer accounts. Another threat
involves the practice of "war-dialing" in which hackers use a
program that automatically dials telephone numbers and searches for
modem lines that bypass network firewalls and other security
measures. A few other common forms of system attack include:
Denial of service (system failure), which is any action
preventing a system from operating as intended. It may be the
unauthorized destruction, modification, or delay of service. For
example, in an "SYN Flood" attack, a system can be flooded with
requests to establish a connection, leaving the system with more
open connections than it can support. Then, legitimate users of the
system being attacked are not allowed to connect until the open
connections are closed or can time out.
Internet Protocol (IP) spoofing, which allows an intruder via
the Internet to effectively impersonate a local system's IP address
in an attempt to gain access to that system. If other local systems
perform session authentication based on a connections IP address,
those systems may misinterpret incoming connections from the
intruder as originating from a local trusted host and not require a
Trojan horses, which are programs that contain additional
(hidden) functions that usually allow malicious or unintended
activities. A Trojan horse program generally performs unintended
functions that may include replacing programs, or collecting,
falsifying, or destroying data. Trojan horses can be attached to
e-mails and may create a "back door" that allows unrestricted access
to a system. The programs may automatically exclude logging and
other information that would allow the intruder to be traced.
Viruses, which are computer programs that may be embedded in
other code and can self-replicate. Once active, they may take
unwanted and unexpected actions that can result in either
nondestructive or destructive outcomes in the host computer
programs. The virus program may also move into multiple platforms,
data files, or devices on a system and spread through multiple
systems in a network. Virus programs may be contained in an e-mail
attachment and become active when the attachment is opened.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these
attacks somewhat through network configuration and design, sound
implementation of its firewall architecture that includes multiple
filter points, active firewall monitoring and management, and
integrated intrusion detection. In most cases, additional access
controls within the operating system or application will provide an
additional means of defense.
Given the importance of firewalls as a means of access control, good
! Hardening the firewall by removing all unnecessary services and
appropriately patching, enhancing, and maintaining all software on
the firewall unit;
! Restricting network mapping capabilities through the firewall,
primarily by blocking inbound ICMP traffic;
! Using a ruleset that disallows all traffic that is not
! Using NAT and split DNS (domain name service) to hide internal
system names and addresses from external networks (split DNS uses
two domain name servers, one to communicate outside the network, and
the other to offer services inside the network);
! Using proxy connections for outbound HTTP connections;
! Filtering malicious code;
! Backing up firewalls to internal media, and not backing up the
firewall to servers on protected networks;
! Logging activity, with daily administrator review;
! Using intrusion detection devices to monitor actions on the
firewall and to monitor communications allowed through the firewall;
! Administering the firewall using encrypted communications and
strong authentication, only accessing the firewall from secure
devices, and monitoring all administrative access;
! Limiting administrative access to few individuals; and
! Making changes only through well - administered change control
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
a. to the affiliates of the financial institution from which it
received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the same
disclosure restrictions as the recipient institution;
c. to any other person, if the disclosure would be lawful if made
directly to that person by the institution from which the recipient
institution received the information? [§11(b)(1)(iii)]