REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- China, U.S. agree to work together on cyber security - China and
the United States plan to erect a cyber security working group in
light of continued worries over the former's alleged cyber espionage
activities, according to reports.
Hay Maker Seeks Cyberheist Bale Out - An Oregon agricultural
products company is suing its bank to recover nearly a
quarter-million dollars stolen in a 2010 cyberheist. The lawsuit is
the latest in a series of legal challenges seeking to hold financial
institutions more accountable for costly corporate account takeovers
tied to cybercrime.
U.S. Air Force designates six cybertools as weapons - Six cybertools
have been designated as weapons by the U.S. Air Force, allowing the
programs to better compete for increasingly scarce Pentagon funding,
an Air Force official said on Monday.
Privacy protections booted from CISPA data-sharing bill - A
controversial data-sharing bill won the approval of a key
congressional committee today without privacy amendments, raising
concerns that the National Security Agency and other spy agencies
will gain broad access to Americans' personal information.
How South Korea Traced Hacker To Pyongyang - A hacker's technical
blunder allowed South Korean investigators to trace back recent
attacks against the country's banks and broadcasters to an IP
address located in North Korea's capital, Pyongyang.
Judge rules hospital can ask ISP for help in ID'ing alleged hackers
- A New Jersey hospital can now pursue a subpoena that would require
an internet service provider (ISP) to hand over information
potentially identifying at least one person accused of hacking into
its email server.
NYC students, hackers train for cybersecurity jobs - Every week, a
group of teenagers and 20-somethings dressed in hoodies gets
together in a tiny room on a college campus and plug in their
laptops. They turn up pulsing electronic funk music, order pizza and
begin furiously hacking into computer networks.
GAO - Information Technology: Consistently Applying Best Practices
Could Help IRS Improve the Reliability of Reported Cost and Schedule
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Researcher hacks aircraft controls with Android smartphone - A
presentation at the Hack In The Box security summit in Amsterdam has
demonstrated that it's possible to take control of aircraft flight
systems and communications using an Android smartphone and some
specialized attack code.
No, That German Hacker Probably Can't Hijack an Airplane with
Software - An alarming dispatch from the Hack In The Box security
conference in Amsterdam arrived on Wednesday: a hacker says he's
found a way to take over airplane controls.
Gaming Company Certificates Stolen and Used to Attack Activists,
Others - A rash of breaches at companies that develop online
videogames has resulted in digital certificates being stolen from
the companies and used in attacks targeting other industries and
Man traces stolen laptop to Iran, blogs photos of new owners - A
stolen MacBook apparently goes on an epic journey from London to
Iran, sending back goofy images of the new owners to the theft
victim. A riveting story, unless it's a publicity stunt.
Wide-scale attack against WordPress blogs reported - Hackers may be
building a more powerful botnet for subsequent, larger attacks -
Unidentified hackers are said to have have launched a large-scale
attack against WordPress blogs and any hosts using weak passwords
are urged to update them immediately.
Schnucks supermarket chain struggled to find breach that exposed
2.4M cards - Company's experience highlights growing sophistication
of attacks, analysts say - The Schnucks supermarket chain struggled
for two weeks to find the source of a breach after being alerted to
a possible leak of credit card info by its card processing company.
During that time, Schnucks apparently continued exposing the debit
and credit card data of people who shopped at its stores.
Review: Lessons Learned Could Enhance Continuing Reviews and
Activities under Amended Consent Orders, GAO-13-550T, April 17.
"Syrian Electronic Army" defaces NPR website, Twitter accounts - The
main website of NPR and its blog devoted to breaking news were
hacked Monday night. Members of the "Syrian Electronic Army (SEA)"
took credit for the hijackings.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Security and Confidentiality
The contract should address the service provider’s
responsibility for security and confidentiality of the institution’s
resources (e.g., information, hardware). The agreement should
prohibit the service provider and its agents from using or
disclosing the institution’s information, except as necessary to or
consistent with providing the contracted services, to protect
against unauthorized use (e.g., disclosure of information to
institution competitors). If the service provider receives
nonpublic personal information regarding the institution’s
customers, the institution should notify the service provider to
assess the applicability of the privacy regulations. Institutions
should require the service provider to fully disclose breaches in
security resulting in unauthorized intrusions into the service
provider that may materially affect the institution or its
customers. The service provider should report to the institution
when material intrusions occur, the effect on the institution, and
corrective action to respond to the intrusion.
Consideration should be given to contract provisions addressing
control over operations such as:
Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and
the institution’s approval rights
regarding material changes to services, systems, controls, key
project personnel allocated to
the institution, and new service locations.
• Setting and monitoring of parameters relating to any financial
functions, such as payments
processing and any extensions of credit on behalf of the
• Insurance coverage to be maintained by the service provider.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Intrusion Response Policies and Procedures.
Management should establish, document, and review the policies and
procedures that guide the bank's response to information system
intrusions. The review should take place at least annually, with
more frequent reviews if the risk exposure warrants them.
Policies and procedures should address the following:
1. The priority and sequence of actions to respond to an intrusion.
Actions should address the containment and elimination of an
intrusion and system restoration. Among other issues, containment
actions include a determination of which business processes must
remain operational, which systems may be disconnected as a
precaution, and how to address authentication compromises (e.g.,
revealed passwords) across multiple systems.
2. Gathering and retaining intrusion information, as discussed
3. The employee's authority to act, whether by request or by
pre-approval, and the process for escalating the intrusion response
to progressively higher degrees of intensity and senior management
4. Availability of necessary resources to respond to intrusions.
Management should ensure that contact information is available for
those that are responsible for responding to intrusions.
5. System restoration tools and techniques, including the
elimination of the intruder's means of entry and back doors, and the
restoration of data and systems to the pre-intrusion state.
6. Notification and reporting to operators of other affected
systems, users, regulators, incident response organizations, and law
enforcement. Guidelines for filing a Suspicious Activity Report for
suspected computer related crimes are discussed below, and in OCC
Advisory Letter 97-9, "Reporting Computer Related Crimes" (November
7. Periodic testing, as discussed below.
8. Staff training resources and requirements.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify which module(s)
of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and controls,
including review of new products and services and controls over
servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including the
use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training program;
5) Suitability of the compliance audit program for ensuring that:
a) the procedures address all regulatory provisions as
b) the work is accurate and comprehensive with respect to the
institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to
e) steps are taken to correct deficiencies and to follow-up on
previously identified deficiencies; and
6) Knowledge level of management and personnel.