Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Security education: We're doing it wrong - Have you ever had one
of those moments where you read something that makes you smack
yourself in the forehead because it points out how you've been
looking sideways at a thing for all these years?
- Google Shows Data Center Security Following Facebook Open Compute
- Google provides a sneak peek at its Moncks Corner, S.C., data
center's security practices, showing both the physical and virtual
security measures used to protect user data.
- iPhone Software Tracks Location Of Users - Apple's iOS 4 operating
system collects information about where iPhone users travel, two
programmers revealed at the Where 2.0 conference.
- Feds to Supreme Court: Allow Warrantless GPS Monitoring - The
Obama administration is urging the Supreme Court to allow the
government, without a court warrant, to affix GPS devices on
suspects’ vehicles to track their every move.
- Seattle Police Say 'wardrivers' Are Hitting Small Businesses -
Seattle police are investigating a group of criminals who they say
have been cruising around town in a black Mercedes stealing credit
card data by tapping into wireless networks belonging to area
- Schmidt says cyber progress being made quietly behind the scenes -
Howard Schmidt isn't interested in measuring the progress the Obama
administration is making in securing federal computer systems by the
number of policies or initiatives it announces.
- Covert hard drive fragmentation embeds a spy's secrets - GOOD news
for spies. There is now a way to hide data on a hard drive without
using encryption. Instead of using a cipher to scramble text, the
method involves manipulating the location of data fragments.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- US Man Pleads Guilty to $36.6 Million Worth of ID Theft - A
Georgia man connected to US$36.6 million in credit card fraud
pleaded guilty Thursday to trafficking in counterfeit credit cards
and aggravated identity theft, the U.S. Department of Justice said.
- Texas fires two tech chiefs over breach - Data of 3.2M people was
inadvertently posted on a publicly accessible Web site - The Texas
State Comptroller's office has fired its heads of information
security and of innovation and technology following an inadvertent
data leak that exposed Social Security numbers and other personal
information on over 3.2 million people in the state.
- Engineer who sued Cisco arrested for hacking it - Collusion
between Cisco and prosecutors alleged - A former Cisco engineer was
arrested for allegedly hacking into the company's network 18 months
after he filed a civil lawsuit accusing Cisco of monopolizing the
business of servicing and maintaining its networking gear, according
to a report citing a Canadian arrest warrant issued in the case.
- More breaches but less data lost. Huh?! - Verizon's Data Breach
Investigations Report for last year is a bit of a head scratcher. It
shows that while the number of data breaches from cyber attacks
rose, the number of compromised records has fallen.
- Hacker pleads after busted with 675K stolen cards - A Georgia man
has pleaded guilty to fraud and identity theft after authorities
found him in possession of more than 675,000 credit card numbers,
some of which he obtained by hacking into business networks.
- Oak Ridge still without Internet access due to malware attack -
Technicians trying to identify and clean up the infection - Internet
access to the Energy Department's Oak Ridge National Laboratory
remains shut down for a second week as technicians work to identify,
isolate and clean up malicious code delivered to the lab's network
through a successful spear phishing attack.
- PlayStation outage caused by hacking attack - Sony has confirmed
that a hacking attack was to blame for its PlayStation Network being
- Hackers breach security vendor's defences - Ashampoo informs 14
million customers. German software developer Ashampoo has informed
its 14 million customers that hackers gained access to its customer
database in an embarrassing security breach.
- FBI warns of millions lost in fraudulent transfers to China - The
FBI is asking U.S. banks to be on the lookout for large wire
transfers being sent to accounts registered to companies located in
Chinese port cities near the Russian border.
- PlayStation Network hacked, data on millions at risk - Sony may
have sustained the largest cyber intrusion since the Heartland
Payment Systems breach, disclosing Tuesday that its PlayStation
Network (PSN) was hacked to steal sensitive information belonging to
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The institution should consider including in the contract a
provision for a dispute resolution process that attempts to resolve
problems in an expeditious manner as well as provide for
continuation of services during the dispute resolution period.
Indemnification provisions generally require the financial
institution to hold the service provider harmless from liability for
the negligence of the institution, and vice versa. These provisions
should be reviewed to reduce the likelihood of situations in which
the institution ends up liable for claims that arise from the
negligence of the service provider.
Limitation of Liability
Some service provider standard contracts may contain clauses
limiting the amount of liability that can be incurred by the service
provider. If the institution is considering such a contract,
consideration should be given to whether the damage limitation bears
an adequate relationship to the amount of loss the financial
institution might reasonably experience as a result of the service
provider’s failure to perform its obligations.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 3)
When utilizing PKI policies and controls, financial institutions
need to consider the following:
! Defining within the certificate issuance policy the methods of
initial verification that are appropriate for different types of
certificate applicants and the controls for issuing digital
certificates and key pairs;
! Selecting an appropriate certificate validity period to minimize
transactional and reputation risk exposure - expiration provides an
opportunity to evaluate the continuing adequacy of key lengths and
encryption algorithms, which can be changed as needed before issuing
a new certificate;
! Ensuring that the digital certificate is valid by such means as
checking a certificate revocation list before accepting transactions
accompanied by a certificate;
! Defining the circumstances for authorizing a certificate's
revocation, such as the compromise of a user's private key or the
closure of user accounts;
! Updating the database of revoked certificates frequently, ideally
in real-time mode;
! Employing stringent measures to protect the root key including
limited physical access to CA facilities, tamper-resistant
security modules, dual control over private keys and the process of
signing certificates, as well as the storage of original and backup
keys on computers that do not connect with outside networks;
! Requiring regular independent audits to ensure controls are in
place, public and private key lengths remain appropriate,
cryptographic modules conform to industry standards, and procedures
are followed to safeguard the CA system;
! Recording in a secure audit log all significant events performed
by the CA system, including the use of the root key, where each
entry is time/date stamped and signed;
! Regularly reviewing exception reports and system activity by the
CA's employees to detect malfunctions and unauthorized activities;
! Ensuring the institution's certificates and authentication systems
comply with widely accepted PKI standards to retain the flexibility
to participate in ventures that require the acceptance of the
financial institution's certificates by other CAs.
The encryption components of PKI are addressed more fully under
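The relying-party side of several of these controls (a bounded validity period, checking a revocation list before accepting a transaction, and trusting that list only when it is signed by the CA and not stale) can be shown in a few dozen lines. The following Go program is an added example written for this newsletter, not code from the FFIEC booklet or from any institution; it builds a throwaway in-memory CA, issues one client certificate and one CRL, and then runs the acceptance check under four conditions. The CA and subject names are hypothetical, and the one-year validity period and 24-hour CRL lifetime are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory hierarchy used only for this example:
// one self-signed root CA and one end-entity certificate it signed.
type testPKI struct {
	ca    *x509.Certificate
	caKey *ecdsa.PrivateKey
	leaf  *x509.Certificate
}

// newCert signs a template with the parent's key and parses the result back.
func newCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI generates fresh keys and certificates. The root is restricted to
// certificate and CRL signing; the leaf gets a deliberately short (one-year)
// validity period so key length and algorithm choices get revisited.
func buildPKI(now time.Time) (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bank Root CA"}, // hypothetical
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "customer-1001"}, // hypothetical
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf, err := newCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{ca: ca, caKey: caKey, leaf: leaf}, nil
}

// issueCRL signs a CRL listing the given serials as revoked. NextUpdate is
// 24 hours out so relying parties can tell when the list has gone stale.
func issueCRL(p *testPKI, revoked []*big.Int, now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.ca, p.caKey)
}

// validateCert is the check run before accepting a transaction: chain to the
// trusted root, enforce the validity window, verify the CRL's own signature
// and freshness, then look the serial up in the revoked list.
func validateCert(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity period check failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL unparseable: %w", err)
	}
	// A forged CRL could "un-revoke" a compromised key, so the list is only
	// trusted once its signature verifies under the CA's public key.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature invalid: %w", err)
	}
	// A list past NextUpdate may be missing recent revocations; treat it as
	// unavailable, never as proof that the certificate is still good.
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale: past NextUpdate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", rc.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	now := time.Now()
	p, err := buildPKI(now)
	if err != nil {
		panic(err)
	}
	clean, _ := issueCRL(p, nil, now)
	revoked, _ := issueCRL(p, []*big.Int{p.leaf.SerialNumber}, now)
	fmt.Println("valid cert, clean CRL:   ", validateCert(p.leaf, p.ca, clean, now))
	fmt.Println("valid cert, revoked:     ", validateCert(p.leaf, p.ca, revoked, now))
	fmt.Println("stale CRL, 2 days later: ", validateCert(p.leaf, p.ca, clean, now.Add(48*time.Hour)))
	fmt.Println("expired cert, 400 days:  ", validateCert(p.leaf, p.ca, clean, now.Add(400*24*time.Hour)))
}
```

Only the first case returns nil. The ordering matters: the CRL signature is checked before its contents are consulted, and a stale CRL fails closed, which is the practical form of the "update the revocation database frequently, ideally in real time" control above. In production the CRL would be fetched from the distribution point named in the certificate (or replaced by an OCSP query) rather than built in the same process.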
INTERNET PRIVACY -
We continue our series listing the regulatory privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
38. For customers only, does the institution ensure that the
initial, annual, and revised notices may be retained or obtained
later by the customer in writing, or if the customer agrees,