REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
Government Employees Cause Nearly 60% of Public Sector Cyber Incidents - About 58 percent of cyber incidents reported in the public sector were caused by government employees, according to an annual data breach report compiled by Verizon.

Bank of England to helm pen-testing effort for UK's finance sector - The Bank of England, which helped oversee a cyber readiness exercise last year for London's finance sector, now plans to lead a large-scale penetration testing effort, according to reports.

Breach report dishes recommendations for authentication changes - For enterprises building a large part of their authentication strategy on passwords, this year's Verizon Data Breach Investigations Report has a clear message: Cut it out!

FBI warns health care sector of looming cyber attacks - The FBI has sent a private industry notification (PIN) to health care providers warning them that the security systems they have in place are behind those of other sectors, making them prime targets for cyber attacks.

Insanely Easy to Hack Hospital Equipment - When Scott Erven was given free rein to roam through all of the medical equipment used at a large chain of Midwest health care facilities, he knew he would find security problems - but he wasn't prepared for just how bad it

Secretary of State website breach cost Oregonians $176,662 - Taxpayers in Oregon were on the hook for about $176,662 to cover costs associated with a February breach of the Secretary of State's website, according to a story in The Oregonian.

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Japanese airport staff dash to replace passcodes after security cock-up - Haneda employee drops key codes ahead of Obama visit - The dangers of writing passwords down on paper were laid bare in the Japanese airport of Haneda this week after a member of staff managed to lose a note containing key security codes ahead of US president Barack Obama's arrival today.

AOL imposes stricter email rules to stem spoofing attack - AOL instructs mailbox providers to reject any email allegedly associated with an AOL domain that didn't originate from an AOL server.

Tufts Health Plan data stolen, 8,830 members impacted - Massachusetts-based Tufts Health Plan is notifying roughly 8,830 current and former Tufts Medicare Preferred members that their personal information - including Social Security numbers - was

Data on nearly 10K Snelling Staffing employees made available online - The personal information - including Social Security numbers - of almost 10,000 current and former employees of Texas-based Snelling Staffing was made available on the internet by a former employee who made an error when setting up a cloud-based server at home.

Nearly 200 million records stolen in Q1 breaches - Nearly 200 million records - or 93,000 records per hour - were stolen between January and March of 2014, an increase of 233 percent over the same quarter last year, according to the recently released SafeNet Breach Level Index.
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Host- Versus Network-Based Vulnerability Assessment Tools
As in intrusion detection systems, which are discussed later in this
appendix, there are generally two types of vulnerability assessment
tools: host-based and network-based. Another category is
sometimes used for products that assess vulnerabilities of specific
applications (application-based) on a host. A host is
generally a single computer or workstation that can be connected to
a computer network. Host-based tools assess the
vulnerabilities of specific hosts. They usually reside on
servers, but can be placed on specific desktop computers, routers,
or even firewalls.
Network-based vulnerability assessment tools generally reside on the
network, specifically analyzing the network to determine if it is
vulnerable to known attacks. Both host- and network-based
products offer valuable features, and the risk assessment process
should help an institution determine which is best for its needs.
Information systems personnel should understand the types of tools
available, how they operate, where they are located, and the output
generated from the tools.
Host-based vulnerability assessment tools are effective at
identifying security risks that result from internal misuse or
hackers using a compromised system. They can detect holes that
would allow access to a system such as unauthorized modems, easily
guessed passwords, and unchanged vendor default passwords. The
tools can detect system vulnerabilities such as poor virus
protection capabilities; identify hosts that are configured
improperly; and provide basic information such as user log-on hours,
password/account expiration settings, and users with dial-in access.
The tools may also provide a periodic check to confirm that various
security policies are being followed. For instance, they can
check user permissions to access files and directories, and identify
files and directories without ownership.
Network-based vulnerability assessment tools are more effective than
host-based at detecting network attacks such as denial of service
and Internet Protocol (IP) spoofing. Network tools can detect
unauthorized systems on a network or insecure connections to
business partners. Running a host-based scan does not consume
network overhead, but can consume processing time and available
storage on the host. Conversely, frequently running a
network-based scan as part of daily operations increases network
traffic during the scan. This may cause inadvertent network
problems such as router crashes.
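As an added example (not code from the FDIC paper), the host-based checks below mirror several of the items the appendix lists for this class of tool: password/account expiration settings, accounts with no password, files without a known owner, and file permissions. The passwd/shadow-style records, the file records and the 90-day maximum are constructed samples and assumed policy values, standing in for what the tool would read from the host itself.

```python
# Added illustration of host-based policy checks, not code from the FDIC paper.
# All records below are constructed samples; the 90-day limit is an assumed policy.
MAX_PASSWORD_AGE_DAYS = 90

# Constructed /etc/passwd-style lines: name:x:uid:gid:gecos:home:shell
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1001:1001:Backup service:/var/backup:/usr/sbin/nologin"""
# Constructed /etc/shadow-style lines: name:hash:lastchg:min:max:warn:inact:expire:
SHADOW = """root:$6$CONSTRUCTED$:19000:0:99999:7:::
alice:$6$CONSTRUCTED$:19000:0:90:7:::
svc_backup::19000:0:99999:7:::"""
# Constructed (path, owner uid, mode) records, as a host-based scan would
# gather them by calling stat() on the local filesystem.
FILES = [
    ("/etc/passwd", 0, 0o644),
    ("/home/alice/notes.txt", 1000, 0o600),
    ("/var/backup/dump.sql", 1002, 0o644),  # uid 1002 matches no account
    ("/srv/share/upload", 1000, 0o777),     # world-writable
]

def known_uids(passwd_text):
    """Map uid -> account name from passwd-style records."""
    uids = {}
    for line in passwd_text.splitlines():
        name, _, uid, *_ = line.split(":")
        uids[int(uid)] = name
    return uids

def check_accounts(shadow_text, max_age=MAX_PASSWORD_AGE_DAYS):
    """Flag accounts with no password and password max ages over policy."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        name, pwhash, max_days = fields[0], fields[1], fields[4]
        if pwhash == "":
            findings.append(f"{name}: no password set")
        if max_days == "" or int(max_days) > max_age:
            findings.append(f"{name}: password max age exceeds {max_age} days")
    return findings

def check_files(files, uids):
    """Flag files owned by no known account and world-writable files."""
    findings = []
    for path, uid, mode in files:
        if uid not in uids:
            findings.append(f"{path}: owner uid {uid} matches no account")
        if mode & 0o002:
            findings.append(f"{path}: world-writable (mode {mode:o})")
    return findings
```

On a real host the same three functions would be fed the contents of /etc/passwd and /etc/shadow and the output of os.stat() over the directories in scope, which is the "periodic check that security policies are being followed" the appendix describes.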
INFORMATION TECHNOLOGY SECURITY -
We continue our series on
the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access controls include the following:
! Ensure system administrators and security professionals have
adequate expertise to securely configure and manage the operating
system.
! Ensure effective authentication methods are used to restrict
system access to both users and applications.
! Activate and utilize operating system security and logging
capabilities and supplement with additional security software where
supported by the risk assessment process.
! Restrict operating system access to specific terminals in
physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals
residing outside physically secure locations.
! Restrict and log access to system utilities, especially those with
data altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions,
where feasible, and at a minimum require strong authentication and
encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating
systems and grant only the minimum level of access required to
perform routine responsibilities.
! Segregate operating system access, where possible, to limit full
or root - level access to the system.
! Monitor operating system access by user, terminal, date, and time.
! Update operating systems with security patches using
appropriate change control mechanisms.
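As an added example of the "monitor operating system access by user, terminal, date, and time" control (not code from the FFIEC booklet), the check below reads login records and flags privileged logins from terminals outside the physically secure set or outside the monitored hours. The approved consoles, the hours and the log lines are constructed assumptions for the sample.

```python
# Added illustration of the control "monitor operating system access by
# user, terminal, date, and time"; not code from the FFIEC booklet.
# The approved consoles, hours and the log lines below are constructed.
from datetime import datetime

PRIVILEGED_USERS = {"root"}
APPROVED_TERMINALS = {"tty1", "tty2"}   # consoles in the secured room
BUSINESS_HOURS = range(7, 19)           # 07:00 to 18:59

# Constructed login records in a simplified last(1)-style format:
# user terminal YYYY-MM-DD HH:MM
LOG = """root tty1 2014-04-28 09:15
alice pts/0 2014-04-28 10:02
root pts/3 2014-04-28 11:40
root tty2 2014-04-28 23:05
bob pts/1 2014-04-29 03:30"""

def parse_records(text):
    """Return (user, terminal, datetime) tuples from the log text."""
    records = []
    for line in text.splitlines():
        user, term, date, time = line.split()
        when = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M")
        records.append((user, term, when))
    return records

def flag_privileged_access(records, terminals=APPROVED_TERMINALS,
                           hours=BUSINESS_HOURS, users=PRIVILEGED_USERS):
    """Report privileged logins from unapproved terminals or outside hours."""
    alerts = []
    for user, term, when in records:
        if user not in users:
            continue  # only root-level access is policed here
        stamp = when.strftime("%Y-%m-%d %H:%M")
        if term not in terminals:
            alerts.append(f"{stamp} {user} on {term}: unapproved terminal")
        if when.hour not in hours:
            alerts.append(f"{stamp} {user} on {term}: outside business hours")
    return alerts
```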
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for Service
Providers and Joint Marketing
47. If the institution discloses nonpublic personal
information to a nonaffiliated third party without permitting the
consumer to opt out, do the opt out requirements of §7 and §10, and
the revised notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial
notice; [§13(a)(1)(i)] and
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes?