REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Threats from the web becoming more prevalent than network worms -
For the first time, enterprise networks face a greater threat from
malware served from websites than worms spreading across their
network, according to Microsoft's bi-annual "Security Intelligence
Report," released this week.
- Top Wi-Fi routers easy to hack, says study - The Wi-Fi router you
use to broadcast a private wireless Internet signal in your home or
office is not only easy to hack, says a report released today, but
the best way to protect yourself is out of your hands.
- Security pros must be master negotiators to gain executive support
- Professionals in charge of protecting data and limiting risks at
organizations must be tactful in how they approach executives and
ultimately "sell" their strategy.
- Expect productivity gains with BYOD - Organizations on the fence
about whether to embrace a bring-your-own-device (BYOD) environment
can rest assured that it won't negatively affect productivity.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Pirate Bay Cofounder Indicted on Hacking Charges - The Pirate Bay
cofounder was indicted today on hacking charges unrelated to his
one-year prison sentence for running the world’s most notorious and
illicit file-sharing service.
- Reddit site downed by DDoS attacks - The website for social news
website Reddit experienced an outage earlier Friday after being hit
with a strong distributed denial-of-service attack.
- DDoS attacks continue to grow in size - The average size of
distributed denial-of-service (DDoS) attacks have weighed in at 20
percent higher so far this year than they did in 2012, according to
statistics released Monday by security firm.
- Verizon data breach report: State-sponsored attacks surge -
Summary: Espionage campaigns seek data that furthers national
interests, such as military or classified information,
economy-boosting plans, insider information or trade secrets, and
technical resources such as source code.
- Former Hostgator employee arrested, charged with rooting 2,700
servers - A former employee of Hostgator has been arrested and
charged with installing a backdoor that gave him almost unfettered
control over more than 2,700 servers belonging to the widely used
Web hosting provider.
- Bank Sues Cyberheist Victim to Recover Funds - A bank that gave a
business customer a short term loan to cover $336,000 stolen in a
2012 cyberheist is now suing that customer to recover the fronted
funds, after the victim company refused to repay or even acknowledge
- Fake AP tweet says Obama injured in White House explosion -
Phishing attacks may have enabled hackers to hijack the Twitter
account of the Associated Press to post a message Tuesday that there
had been explosions at the White House and that President Obama was
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The institution should generally include in the contract the types
of audit reports the institution is entitled to receive (e.g.,
financial, internal control and security reviews). The contract can
specify audit frequency, cost to the institution associated with the
audits if any, as well as the rights of the institution and its
agencies to obtain the results of the audits in a timely manner. The
contract may also specify rights to obtain documentation regarding
the resolution of audit
disclosed deficiencies and inspect the processing facilities and
operating practices of the service provider. Management should
consider, based upon the risk assessment phase, the degree to which
independent internal audits completed by service provider audit
staff can be used and the need for external audits and reviews
(e.g., SAS 70 Type I and II reviews). (AICPA Statement of Auditing
Standards 70 “Reports of Processing of Transactions by Service
Organizations,” known as SAS 70 Reports, are one commonly used form
of external review. Type I SAS 70 reports review the service
provider’s policies and procedures. Type II SAS 70 reports provide
tests of actual controls against policies and procedures.)
For services involving access to open networks, such as
Internet-related services, special attention should be paid to
security. The institution may wish to include contract terms
requiring periodic audits to be performed by an independent party
with sufficient expertise. These audits may include penetration
testing, intrusion detection, and firewall configuration. The
institution should receive sufficiently detailed reports on the
findings of these ongoing audits to adequately assess security
without compromising the service provider’s security. It can be
beneficial to both the service provider and the institution to
contract for such ongoing tests on a coordinated basis given the
number of institutions that may contract with the service provider
and the importance of the test results to the institution.
Contractual terms should discuss the frequency and type of reports
the institution will receive (e.g., performance reports, control
audits, financial statements, security, and business resumption
testing reports). Guidelines and fees for obtaining custom reports
should also be discussed.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our review
of the OCC Bulletin about Infrastructure Threats and Intrusion
Risks. This week we review Gathering and Retaining Intrusion
Particular care should be taken when gathering intrusion
information. The OCC expects management to clearly assess the
tradeoff between enabling an easier recovery by gathering
information about an intruder and the risk that an intruder will
inflict additional damage while that information is being gathered.
Management should establish and communicate procedures and
guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables
recovery while facilitating subsequent actions by law enforcement.
Legal chain of custody requirements must be considered. In general,
legal chain of custody requirements address controlling and securing
evidence from the time of the intrusion until it is turned over to
law enforcement personnel. Chain of custody actions, and those
actions that should be guarded against, should be identified and
embodied in the bank's policies, procedures, and training.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions ) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instruction to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses in
the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment for