REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
FYI
- Threats from the web becoming more prevalent than network worms -
For the first time, enterprise networks face a greater threat from
malware served from websites than worms spreading across their
network, according to Microsoft's twice-yearly "Security Intelligence
Report," released this week.
http://www.scmagazine.com/threats-from-the-web-becoming-more-prevalent-than-network-worms/article/289470/
FYI
- Top Wi-Fi routers easy to hack, says study - The Wi-Fi router you
use to broadcast a private wireless Internet signal in your home or
office is not only easy to hack, says a report released today, but
the best way to protect yourself is out of your hands.
http://news.cnet.com/8301-1009_3-57579981-83/top-wi-fi-routers-easy-to-hack-says-study/
FYI
- Security pros must be master negotiators to gain executive support
- Professionals in charge of protecting data and limiting risks at
organizations must be tactful in how they approach executives and
ultimately "sell" their strategy.
http://www.scmagazine.com/security-pros-must-be-master-negotiators-to-gain-executive-support/article/290272/?DCMP=EMC-SCUS_Newswire
FYI
- Expect productivity gains with BYOD - Organizations on the fence
about whether to embrace a bring-your-own-device (BYOD) environment
can rest assured that it won't negatively affect productivity.
http://www.scmagazine.com/panel-expect-productivity-gains-with-byod/article/290469/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Pirate Bay Cofounder Indicted on Hacking Charges - The Pirate Bay
cofounder was indicted today on hacking charges unrelated to his
one-year prison sentence for running the world’s most notorious and
illicit file-sharing service.
http://www.wired.com/threatlevel/2013/04/pirate-bay-co-founder-indicted/
FYI
- Reddit site downed by DDoS attacks - Social news site Reddit
experienced an outage earlier Friday after being hit with a strong
distributed denial-of-service attack.
http://www.scmagazine.com/reddit-site-downed-by-ddos-attacks/article/289680/?DCMP=EMC-SCUS_Newswire
FYI
- DDoS attacks continue to grow in size - The average size of
distributed denial-of-service (DDoS) attacks has weighed in at 20
percent higher so far this year than it did in 2012, according to
statistics released Monday by a security firm.
http://www.scmagazine.com/ddos-attacks-continue-to-grow-in-size/article/289998/?DCMP=EMC-SCUS_Newswire
FYI
- Verizon data breach report: State-sponsored attacks surge -
Summary: Espionage campaigns seek data that furthers national
interests, such as military or classified information,
economy-boosting plans, insider information or trade secrets, and
technical resources such as source code.
http://www.zdnet.com/verizon-data-breach-report-state-sponsored-attacks-surge-7000014286/
FYI
- Former Hostgator employee arrested, charged with rooting 2,700
servers - A former employee of Hostgator has been arrested and
charged with installing a backdoor that gave him almost unfettered
control over more than 2,700 servers belonging to the widely used
Web hosting provider.
http://arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/
FYI
- Bank Sues Cyberheist Victim to Recover Funds - A bank that gave a
business customer a short term loan to cover $336,000 stolen in a
2012 cyberheist is now suing that customer to recover the fronted
funds, after the victim company refused to repay or even acknowledge
the loan.
http://krebsonsecurity.com/2013/04/bank-sues-cyberheist-victim-to-recover-funds/
FYI
- Fake AP tweet says Obama injured in White House explosion -
Phishing attacks may have enabled hackers to hijack the Twitter
account of the Associated Press to post a message Tuesday that there
had been explosions at the White House and that President Obama was
injured.
http://www.scmagazine.com/fake-ap-tweet-says-obama-injured-in-white-house-explosion/article/290227/?DCMP=EMC-SCUS_Newswire
http://www.scmagazine.com/two-factor-authentication-may-have-done-little-to-stop-the-ap-twitter-hijack/article/290396/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Audit
The institution should generally include in the contract the types
of audit reports the institution is entitled to receive (e.g.,
financial, internal control and security reviews). The contract can
specify audit frequency, cost to the institution associated with the
audits if any, as well as the rights of the institution and its
agencies to obtain the results of the audits in a timely manner. The
contract may also specify rights to obtain documentation regarding
the resolution of audit-disclosed deficiencies and inspect the
processing facilities and
operating practices of the service provider. Management should
consider, based upon the risk assessment phase, the degree to which
independent internal audits completed by service provider audit
staff can be used and the need for external audits and reviews
(e.g., SAS 70 Type I and II reviews). (AICPA Statement of Auditing
Standards 70 “Reports of Processing of Transactions by Service
Organizations,” known as SAS 70 Reports, are one commonly used form
of external review. Type I SAS 70 reports describe the service
provider's controls and assess whether they are suitably designed as
of a point in time. Type II SAS 70 reports also test whether those
controls operated effectively over a stated period.)
For services involving access to open networks, such as
Internet-related services, special attention should be paid to
security. The institution may wish to include contract terms
requiring periodic audits to be performed by an independent party
with sufficient expertise. These audits may include penetration
testing and reviews of intrusion detection and firewall configuration. The
institution should receive sufficiently detailed reports on the
findings of these ongoing audits to adequately assess security
without compromising the service provider’s security. It can be
beneficial to both the service provider and the institution to
contract for such ongoing tests on a coordinated basis given the
number of institutions that may contract with the service provider
and the importance of the test results to the institution.
Reports
Contractual terms should discuss the frequency and type of reports
the institution will receive (e.g., performance reports, control
audits, financial statements, security, and business resumption
testing reports). Guidelines and fees for obtaining custom reports
should also be discussed.
INFORMATION TECHNOLOGY SECURITY -
We continue our review
of the OCC Bulletin about Infrastructure Threats and Intrusion
Risks. This week we review Gathering and Retaining Intrusion
Information.
Particular care should be taken when gathering intrusion
information. The OCC expects management to clearly assess the
tradeoff between enabling an easier recovery by gathering
information about an intruder and the risk that an intruder will
inflict additional damage while that information is being gathered.
Management should establish and communicate procedures and
guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables
recovery while facilitating subsequent actions by law enforcement.
Legal chain of custody requirements must be considered. In general,
legal chain of custody requirements address controlling and securing
evidence from the time of the intrusion until it is turned over to
law enforcement personnel. Chain of custody actions, and those
actions that should be guarded against, should be identified and
embodied in the bank's policies, procedures, and training.
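As an added illustration (not part of the OCC bulletin), the following Python script shows one way to keep intrusion evidence in a form that supports both recovery and later use by law enforcement: each item is hashed the moment it is acquired, every hand-off is appended to a custody log that is never edited, and the whole manifest is sealed with a digest that can be recorded off-system. The host name, file paths, people, timestamps and log content are constructed for the example.

```python
# Added example (not from the OCC bulletin): preserving intrusion evidence
# with a hash-verified chain-of-custody log. Names, people, timestamps and
# log content below are constructed for illustration.
import hashlib
import hmac
import json
from datetime import datetime, timezone


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(name: str, data: bytes, collector: str, note: str = "", when: str = "") -> dict:
    """Create the evidence record at acquisition: hash the bytes before
    anything else touches them, and open the custody log with a first entry."""
    return {
        "name": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "custody": [{
            "action": "acquired", "by": collector,
            "at": when or utc_now(), "note": note,
        }],
    }


def transfer(record: dict, giver: str, receiver: str, when: str = "") -> dict:
    """Append a hand-off. The custody log is append-only; entries are never edited."""
    record["custody"].append({
        "action": "transferred", "from": giver, "to": receiver,
        "at": when or utc_now(),
    })
    return record


def verify(record: dict, data: bytes) -> bool:
    """True if the bytes still match the hash taken at acquisition."""
    return hmac.compare_digest(record["sha256"], sha256_hex(data))


def seal(records: list) -> str:
    """Digest of the canonical manifest. Record it off-system (printed, sent to
    counsel) so the log itself can later be shown to be unaltered."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


# Constructed sample: an auth-log excerpt and a cron entry found on a
# compromised host (fictional content; 198.51.100.7 is a documentation address).
AUTH_LOG = (
    b"Apr 23 03:14:07 web01 sshd[2211]: Accepted password for root from 198.51.100.7 port 52114\n"
    b"Apr 23 03:14:09 web01 sshd[2211]: pam_unix(sshd:session): session opened for user root\n"
)
CRONTAB = b"*/5 * * * * /tmp/.x/update.sh >/dev/null 2>&1\n"


def build_sample_manifest() -> list:
    """Walk the sample items through acquisition and a hand-off to legal.
    Fixed timestamps keep the manifest, and hence its seal, reproducible."""
    log_rec = acquire("web01:/var/log/auth.log", AUTH_LOG, "j.doe",
                      note="copied before host isolation",
                      when="2013-04-23T04:00:00+00:00")
    cron_rec = acquire("web01:/var/spool/cron/root", CRONTAB, "j.doe",
                       when="2013-04-23T04:02:00+00:00")
    transfer(log_rec, "j.doe", "legal-dept", when="2013-04-23T09:30:00+00:00")
    transfer(cron_rec, "j.doe", "legal-dept", when="2013-04-23T09:30:00+00:00")
    return [log_rec, cron_rec]


if __name__ == "__main__":
    manifest = build_sample_manifest()
    print(json.dumps(manifest, indent=2))
    print("manifest seal:", seal(manifest))
    print("auth.log intact:", verify(manifest[0], AUTH_LOG))
    edited = AUTH_LOG.replace(b"198.51.100.7", b"10.0.0.1")
    print("edited copy detected:", not verify(manifest[0], edited))
```

The order matters: hash first, then log who acquired the item and when, and only then hand it on. Any later edit to the bytes fails `verify`, and any edit to the custody entries changes the value `seal` returned at the time the manifest was recorded.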
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instructions to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses in
the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment for
corrective action.