REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- Programming languages can't have copyright protection, EU court
rules - Europe's top court ruled Wednesday that the functionality of
a computer program and the programming language it is written in
cannot be protected by copyright.
- Furious judge decries "blizzard" of copyright troll lawsuits -
Courts around the country are being flooded with mass copyright
- Jetting off abroad? Pack protection ... for your Wi-Fi - Feds warn
of malware attacks on hotel net surfers - A US government agency is
warning travellers to be wary of malware that installs itself via
pop-up browser windows on hotel internet connections.
- Queen's Speech gives details on surveillance plans - The Queen has
confirmed that "vital communications data" will potentially be
accessed, "subject to scrutiny of draft clauses".
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Attack takes Soca crime agency website down - The website of the
UK's Serious Organised Crime Agency (Soca) has been taken offline
following a cyber-attack. Soca confirmed to the BBC that soca.gov.uk
had suffered a Distributed Denial of Service (DDoS) attack.
- Hackers have breached top secret MoD systems, cyber-security chief
admits - Major General Jonathan Shaw says 'it was a surprise to
people quite how vulnerable we are' - Computer hackers have managed
to breach some of the top secret systems within the Ministry of
Defence, the military's head of cyber-security has revealed.
- Global Payments Data Breach Exposes Card Payments Vulnerability -
Cardholders around the world received a shock late last week when
Global Payments Inc. announced a breach in its card data processing
- Personal data of welfare workers posted online - The personal
information of employees of the Florida Department of Children and
Families (DCF) was breached.
- The Pirate Bay hits out at DDoS attacks on ISPs - File-sharing
website The Pirate Bay has called distributed denial of service (DDoS)
and similar attacks "forms of censorship".
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight - Principle 3: The
Board of Directors and senior management should establish a
comprehensive and ongoing due diligence and oversight process for
managing the bank's outsourcing relationships and other third-party
dependencies supporting e-banking.
Increased reliance upon partners and third party service providers
to perform critical e-banking functions lessens bank management's
direct control. Accordingly, a comprehensive process for managing
the risks associated with outsourcing and other third-party
dependencies is necessary. This process should encompass the
third-party activities of partners and service providers, including
the sub-contracting of outsourced activities that may have a
material impact on the bank.
Historically, outsourcing was often limited to a single service
provider for a given functionality. However, in recent years, banks'
outsourcing relationships have increased in scale and complexity as
a direct result of advances in information technology and the
emergence of e-banking. Adding to the complexity is the fact that
outsourced e-banking services can be sub-contracted to additional
service providers and/or conducted in a foreign country. Further, as
e-banking applications and services have become more technologically
advanced and have grown in strategic importance, certain e-banking
functional areas are dependent upon a small number of specialized
third-party vendors and service providers. These developments may
lead to increased risk concentrations that warrant attention both
from an individual bank as well as a systemic industry standpoint.
Together, these factors underscore the need for a comprehensive and
ongoing evaluation of outsourcing relationships and other external
dependencies, including the associated implications for the bank's
risk profile and risk management oversight abilities. Board and
senior management oversight of outsourcing relationships and
third-party dependencies should specifically focus on ensuring that:
1) The bank fully understands the risks associated with entering
into an outsourcing or partnership arrangement for its e-banking
systems or applications.
2) An appropriate due diligence review of the competency and
financial viability of any third-party service provider or partner
is conducted prior to entering into any contract for e-banking
3) The contractual accountability of all parties to the outsourcing
or partnership relationship is clearly defined. For instance,
responsibilities for providing information to and receiving
information from the service provider should be clearly defined.
4) All outsourced e-banking systems and operations are subject to
risk management, security and privacy policies that meet the bank's
5) Periodic independent internal and/or external audits are
conducted of outsourced operations to at least the same scope
required if such operations were conducted in-house.
This is the last of three principles regarding Board and Management
Oversight. Next week we will begin the series on the principles of
security controls, which include Authentication, Non-repudiation,
Data and transaction integrity, Segregation of duties, Authorization
controls, Maintenance of audit trails, and Confidentiality of key
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies: signature-based detection or heuristic (anomaly-based)
detection. An IDS can monitor either network traffic or a host. The
signature-based methodology is generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is that a
signature must exist for an alert to be generated. Attacks whose
traffic does not match a signature the institution has loaded into
its IDS will not be detected. This problem can be particularly acute
if the institution does not continually update its signatures to
reflect lessons learned from attacks on itself and others, as well
as developments in attack tool technologies. It can also pose
problems when the signatures only address known attacks, rather than
both known attacks and anomalous traffic. Another general weakness
is in the capacity of the IDS to read traffic. If the IDS falls
behind in reading network traffic, traffic may be allowed to bypass
the IDS. That traffic may contain attacks that would otherwise cause
the IDS to issue an alert.
Proper placement of network IDS is a strategic decision determined
by the information the institution is trying to obtain. Placement
outside the firewall will deliver IDS alarms related to all attacks,
even those that are blocked by the firewall. With this information,
an institution can develop a picture of potential adversaries and
their expertise based on the probes they issue against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
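The following toy sensor is an added example written for this section; it is not FFIEC, NIST or vendor code. It illustrates both the signature-matching weaknesses described above (an unmatched encoded variant of a known attack, and traffic bypassing a sensor that falls behind) and the two placements (a less sensitive sensor outside the firewall used for attacker profiling, a fully sensitive one inside). The three signatures, the firewall policy, the severity and tuning scheme, and the sample packets are all constructed for the illustration.

```python
# Added example for this newsletter section; not FFIEC, NIST or vendor code.
# Everything below (signatures, firewall policy, severity scheme, traffic) is
# a constructed assumption for illustration.
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


# Constructed signatures: (name, pattern over the raw payload, severity 1-3).
SIGNATURES = [
    ("web-dir-traversal", re.compile(rb"\.\./\.\./"), 3),
    ("sqli-union-select", re.compile(rb"(?i)union\s+select"), 3),
    ("smb-probe", re.compile(rb"^\xffSMB"), 1),
]

ALLOWED_PORTS = {80, 443}  # constructed firewall policy: only web traffic enters


def firewall(packets):
    """Packets the firewall lets through to the internal network."""
    return [p for p in packets if p.dst_port in ALLOWED_PORTS]


class Sensor:
    """Signature-based sensor.

    capacity     - packets it can inspect per batch; the remainder bypass it
                   uninspected (the capacity weakness in the text).
    min_severity - tuning knob: matches below it are counted for attacker
                   profiling but do not raise an alert.
    decode       - percent-decode payloads before matching; off by default,
                   which is the 'a signature must exist' weakness.
    """

    def __init__(self, name, signatures, capacity, min_severity=1, decode=False):
        self.name = name
        self.signatures = signatures
        self.capacity = capacity
        self.min_severity = min_severity
        self.decode = decode
        self.alerts = []                 # (signature name, source address)
        self.matches_by_src = Counter()  # every match, alerting or not
        self.uninspected = 0

    def inspect(self, packets):
        for i, pkt in enumerate(packets):
            if i >= self.capacity:
                self.uninspected += 1    # sensor fell behind: traffic bypasses it
                continue
            data = unquote_to_bytes(pkt.payload) if self.decode else pkt.payload
            for name, pattern, severity in self.signatures:
                if pattern.search(data):
                    self.matches_by_src[pkt.src] += 1
                    if severity >= self.min_severity:
                        self.alerts.append((name, pkt.src))
        return self.alerts


# Constructed sample traffic arriving from the Internet.
TRAFFIC = [
    Packet("203.0.113.5", 445, b"\xffSMBr\x00\x00\x00\x00"),               # blocked by firewall
    Packet("203.0.113.5", 80, b"GET /../../etc/passwd HTTP/1.1"),          # known signature
    Packet("203.0.113.7", 80, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1"),  # encoded variant
    Packet("198.51.100.9", 80, b"GET /index.html HTTP/1.1"),               # benign
    Packet("203.0.113.5", 443, b"q=1 UNION SELECT user,pass FROM t"),      # known signature
]


def run_deployment(traffic, capacity=100, decode_inside=False):
    """Outside sensor sees everything but is tuned less sensitive (profiling);
    inside sensor sees only what the firewall passed and alerts on all severities."""
    outside = Sensor("outside-firewall", SIGNATURES, capacity, min_severity=2)
    inside = Sensor("inside-firewall", SIGNATURES, capacity, min_severity=1,
                    decode=decode_inside)
    outside.inspect(traffic)
    inside.inspect(firewall(traffic))
    return outside, inside


if __name__ == "__main__":
    for sensor in run_deployment(TRAFFIC):
        print(sensor.name, sensor.alerts, dict(sensor.matches_by_src))
    # Updated signatures (decoding) catch the encoded traversal on the inside sensor.
    _, inside = run_deployment(TRAFFIC, decode_inside=True)
    print("with decoding:", inside.alerts)
    # With capacity 2 the UNION SELECT packet is never inspected at all.
    outside, _ = run_deployment(TRAFFIC, capacity=2)
    print("bypassed:", outside.uninspected, "alerts:", outside.alerts)
```

Running it with the defaults shows the encoded traversal from 203.0.113.7 raising no alert on either sensor until the inside sensor is given a decoding step, which is the "continually update its signatures" point; lowering the capacity shows packets silently passing an overloaded sensor, which is why the sensor nearest sensitive data needs the most careful sizing and monitoring.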
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
14. Does the institution describe the following about its policies
and practices with respect to protecting the confidentiality and
security of nonpublic personal information:
a. who is authorized to have access to the information; and
b. whether security practices and policies are in place to ensure
the confidentiality of the information in accordance with the
institution's policy? [§6(c)(6)(ii)]
(Note: the institution is not required to describe technical
information about the safeguards used in this respect.)