REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Everything Can Be Hacked, It’s Just a Matter of Time Until Things
Get More Serious - Everyone who uses the Internet knows by now that
websites can be hacked. However, over the past period, security
researchers have demonstrated that any device or machine that’s
powered by a piece of software can also be hacked.
http://news.softpedia.com/news/Everything-Can-Be-Hacked-It-s-Just-a-Matter-of-Time-Until-Things-Get-More-Serious-440322.shtml
FYI
- Doc operates on server, costs hospitals $4.8M - New York
Presbyterian and Columbia University Medical Center settle with HHS
to end probe into 2010 patient data leak - An inadvertent data leak
that stemmed from a physician's attempt to reconfigure a server cost
New York Presbyterian (NYP) Hospital and Columbia University (CU)
Medical Center $4.8 million to settle with the U.S. Department of
Health and Human Services (HHS).
http://www.computerworld.com/s/article/9248205/IT_malpractice_Doc_operates_on_server_costs_hospitals_4.8M?taxonomyId=17
FYI
- Former NSA Chief Defends Stockpiling Software Flaws for Spying -
The NSA has never said much about the open secret that it collects
and sometimes even pays for information about hackable flaws in
commonly used software.
http://www.wired.com/2014/05/alexander-defends-use-of-zero-days/
FYI
- LA air traffic meltdown: System simply 'RAN OUT OF MEMORY' - Maybe
a reboot will fix it. Maybe a reboot will fix it. Maybe a reboot
will fix it. Ma - A computer crash that caused the collapse of a
$2.4bn air traffic control system may have been caused by a simple
lack of memory, insiders close to the cock-up alleged today.
http://www.theregister.co.uk/2014/05/12/los_angeles_air_traffic_control_crash_caused_memory_shortage_u_2_spyplane_cia/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Hackers steal 1.3 million Orange customers' personal data -
Hackers have stolen the personal data of 1.3 million customers from
the French branch of mobile network operator and internet service
provider Orange.
http://www.bbc.com/news/technology-27322946
FYI
- Network Admin Allegedly Hacked Navy - While on an Aircraft Carrier
- A former systems administrator on a Navy nuclear aircraft carrier
has been charged with conspiring to hack into government systems
during a digital joy ride that spanned several months in 2012.
http://www.wired.com/2014/05/navy-sysadmin-hacking/
FYI
- WooThemes users notified of payment card breach, 300 reports of
fraud - After about 300 cases of payment card fraud were reported
within a few days, WooThemes, a provider of WordPress themes, began
notifying users that three modified files were discovered on its
server and that payment card data may have been intercepted during
the checkout process.
http://www.scmagazine.com/woothemes-users-notified-of-payment-card-breach-300-reports-of-fraud/article/346302/
FYI
- Hackers nab data on 1.3M Orange telco customers - French
telecommunications group Orange said Wednesday that a breach last
month resulted in the theft of the personal information of 1.3
million of its customers, including phone numbers, dates of birth,
and email addresses.
http://www.cnet.com/news/hackers-steal-personal-info-of-1-3m-orange-telco-customers/
FYI
- Bitly to implement two-factor authentication following breach -
After announcing that user account information may have been
compromised by hackers, link-shortening service Bitly has decided to
go the two-factor authentication route.
http://www.scmagazine.com/bitly-to-implement-two-factor-authentication-following-breach/article/346618/
FYI
- UPMC sued after compromise of 27,000 employees' information - An
attorney, others from his law practice and another Pittsburgh-based
law firm are suing the University of Pittsburgh Medical Center (UPMC)
following the compromise of at least 27,000 workers' personal and
financial information.
http://www.scmagazine.com/upmc-sued-after-compromise-of-27000-employees-information/article/346616/
FYI
- Second Affinity Gaming card breach did not involve casino, ATM
transactions - Further investigation into the second Affinity Gaming
payment card breach to be announced in six months has revealed that
only hotel, retail, and food and beverage transactions were
potentially affected - not casino gaming or ATM transactions,
according to a Thursday update.
http://www.scmagazine.com/second-affinity-gaming-card-breach-did-not-involve-casino-atm-transactions/article/346597/
FYI
- About 50K transactions, other data, compromised in three-month
breach - Arizona-based Gingerbread Shed Corporation is notifying
customers that an unauthorized individual gained access to its
systems for roughly three months and may have compromised about
50,000 transactions, as well as other data.
http://www.scmagazine.com/about-50k-transactions-other-data-compromised-in-three-month-breach/article/346703/
FYI
- U.S. Postal Service target of card skimming attack - The United
States Postal Service (USPS) is the latest target of a card skimming
scheme that has affected at least 13 states and the District of
Columbia.
http://www.scmagazine.com/us-postal-service-target-of-card-skimming-attack/article/346966/
FYI
- Storage devices stolen from Entercom Portland employee, 13K
affected - Entercom Portland, the Oregon-based branch of the
national radio broadcasting corporation, is notifying about 13,000
individuals that their personal information may have been
compromised after storage devices containing the data were stolen
from an employee's vehicle.
http://www.scmagazine.com/storage-devices-stolen-from-entercom-portland-employee-13k-affected/article/346897/
FYI
- Keylogger malware found on three UC Irvine health center computers
- More than 1,800 University of California (UC), Irvine, students,
as well as nearly two-dozen non-students, are being notified that
they may have had unencrypted personal information compromised after
keylogger malware was discovered to have been on three Student
Health Center (SHC) computers for about six weeks.
http://www.scmagazine.com/keylogger-malware-found-on-three-uc-irvine-health-center-computers/article/347204/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 2 of 2)
A penetration analysis itself can introduce new risks to an
institution; therefore, several items should be considered before
having an analysis completed, including the following:
1) If using outside testers, the reputation of the firm or
consultants hired. The evaluators will assess the weaknesses in the
bank's information security system. As such, the confidentiality of
results and bank data is crucial. Just like screening potential
employees prior to their hire, banks should carefully screen firms,
consultants, and subcontractors who are entrusted with access to
sensitive data. A bank may want to require security clearance checks
on the evaluators. An institution should ask if the evaluators have
liability insurance in case something goes wrong during the test.
The bank should enter into a written contract with the evaluators,
which at a minimum should address the above items.
2) If using internal testers, the independence of the testers from
system administrators.
3) The secrecy of the test. Some senior executives may order an
analysis without the knowledge of information systems personnel.
This can create unwanted results, including the notification of law
enforcement personnel and wasted resources responding to an attack.
To prevent excessive responses to the attacks, bank management may
consider informing certain individuals in the organization of the
penetration analysis.
4) The importance of the systems to be tested. Some systems may be
too critical to be exposed to some of the methods used by the
evaluators such as a critical database that could be damaged during
the test.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail {custom4} a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 2 of 2)
Institution management should consider a number of issues regarding
application-access control. Many of these issues could also apply to
oversight of operating system access:
! Implementing a robust authentication method consistent with the
criticality and sensitivity of the application. Historically, the
majority of applications have relied solely on user IDs and
passwords, but increasingly applications are using other forms of
authentication. Multi-factor authentication, such as token and PKI-based
systems coupled with a robust enrollment process, can reduce the
potential for unauthorized access.
! Maintaining consistent processes for assigning new user access,
changing existing user access, and promptly removing access to
departing employees.
! Communicating and enforcing the responsibilities of programmers
(including TSPs and vendors), security administrators, and business
line owners for maintaining effective application-access control.
Business line managers are responsible for the security and privacy
of the information within their units. They are in the best position
to judge the legitimate access needs of their area and should be
held accountable for doing so. However, they require support in the
form of adequate security capabilities provided by the programmers
or vendor and adequate direction and support from security
administrators.
! Monitoring existing access rights to applications to help ensure
that users have the minimum access required for the current business
need. Typically, business application owners must assume
responsibility for determining the access rights assigned to their
staff within the bounds of the AUP. Regardless of the process for
assigning access, business application owners should periodically
review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some applications
or for the more sensitive functions within an application. The
nature of some applications requires limiting the location and
number of workstations with access. These restrictions can support
the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by
utilizing software that supports group profiles. Some financial
institutions manage access rights individually and it often leads to
inappropriate access levels. By grouping employees with similar
access requirements under a common access profile (e.g., tellers,
loan operations, etc.),
business application owners and security administrators can better
assign and oversee access rights. For example, a teller performing a
two-week rotation as a proof operator does not need year-round
access to perform both jobs. With group profiles, security
administrators can quickly reassign the employee from a teller
profile to a proof operator profile. Note that group profiles are
used only to manage access rights; accountability for system use is
maintained through individuals being assigned their own unique
identifiers and authenticators.
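The list above describes the controls in prose. As an added illustration that is not part of the FFIEC booklet or of this newsletter, the following Python sketch models the same ideas in code: access rights are granted only through group profiles, an employee is reassigned between profiles (the teller-to-proof-operator rotation) rather than accumulating rights, sensitive functions carry time-of-day and terminal limits, every decision is logged against the individual's unique user ID, and a business application owner can run a periodic review that flags profiles that no longer match the owner's roster. The profile names, function names, terminal IDs and user IDs are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed group profiles: each maps a job function to the application
# functions that job legitimately needs (least privilege per role).
PROFILES = {
    "teller": {"cash_deposit", "cash_withdrawal", "balance_inquiry"},
    "proof_operator": {"item_capture", "proof_correction", "balance_inquiry"},
    "loan_operations": {"loan_inquiry", "loan_payment_post"},
}


@dataclass(frozen=True)
class Restriction:
    """Time-of-day window and permitted terminals for a sensitive function."""
    start: time
    end: time
    terminals: frozenset


# Constructed restrictions on the more sensitive functions.
RESTRICTIONS = {
    "cash_withdrawal": Restriction(time(8, 0), time(18, 0),
                                   frozenset({"TELLER-01", "TELLER-02"})),
    "proof_correction": Restriction(time(8, 0), time(18, 0),
                                    frozenset({"PROOF-01"})),
}


@dataclass
class AccessControl:
    # user_id -> profile name. Rights are never attached to a user directly,
    # so a reassignment replaces the old rights instead of adding to them.
    assignments: dict = field(default_factory=dict)
    # Audit log: every assignment change and access decision names the
    # individual user, which is what keeps accountability per person.
    log: list = field(default_factory=list)

    def assign(self, user_id, profile, actor):
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r}")
        previous = self.assignments.get(user_id)
        self.assignments[user_id] = profile
        self.log.append(("ASSIGN", user_id, previous, profile, actor))

    def remove(self, user_id, actor):
        """Prompt removal for a departing employee."""
        previous = self.assignments.pop(user_id, None)
        self.log.append(("REMOVE", user_id, previous, None, actor))

    def rights_of(self, user_id):
        return frozenset(PROFILES.get(self.assignments.get(user_id), ()))

    def is_authorized(self, user_id, function, terminal, when):
        """Decide one access request and log the decision."""
        profile = self.assignments.get(user_id)
        if profile is None:
            allowed, reason = False, "no profile assigned"
        elif function not in PROFILES[profile]:
            allowed, reason = False, f"function not in profile {profile}"
        else:
            allowed, reason = True, "permitted by profile"
            restriction = RESTRICTIONS.get(function)
            if restriction is not None:
                if not (restriction.start <= when.time() <= restriction.end):
                    allowed, reason = False, "outside permitted hours"
                elif terminal not in restriction.terminals:
                    allowed, reason = False, "terminal not permitted"
        self.log.append(("ACCESS", user_id, profile, function, terminal,
                         when.isoformat(), "ALLOW" if allowed else "DENY", reason))
        return allowed

    def review_report(self, owner_roster):
        """Periodic review by the business application owner.

        owner_roster maps user_id -> the profile the owner expects that person
        to hold today. Anyone holding a different profile, or not on the
        roster at all (e.g., a departed employee), is a finding to act on.
        """
        findings = []
        for user_id, profile in sorted(self.assignments.items()):
            expected = owner_roster.get(user_id)
            if expected is None:
                findings.append((user_id, profile, "not on owner roster; remove access"))
            elif expected != profile:
                findings.append((user_id, profile, f"owner expects {expected}"))
        return findings


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign("jdoe", "teller", actor="secadmin1")
    ac.assign("jdoe", "proof_operator", actor="secadmin1")  # two-week rotation
    print(ac.is_authorized("jdoe", "cash_withdrawal", "TELLER-01",
                           datetime(2014, 5, 12, 10, 0)))  # teller rights gone
    for entry in ac.log:
        print(entry)
```

Note that the reassignment is a single operation: because rights live on the profile, not the person, the teller functions disappear the moment the proof operator profile is applied, which is the point of the rotation example in the text.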
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
Servicing Transactions
49. If the institution uses a Section 14 exception as necessary to
effect, administer, or enforce a transaction, is it:
a. required, or is one of the lawful or appropriate methods to
enforce the rights of the institution or other persons engaged in
carrying out the transaction or providing the product or service;
[§14(b)(1)] or
b. required, or is a usual, appropriate, or acceptable method
to: [§14(b)(2)]
1. carry out the transaction or the product or service business
of which the transaction is a part, including recording, servicing,
or maintaining the consumer's account in the ordinary course of
business; [§14(b)(2)(i)]
2. administer or service benefits or claims; [§14(b)(2)(ii)]
3. confirm or provide a statement or other record of the
transaction or information on the status or value of the financial
service or financial product to the consumer or the consumer's agent
or broker; [§14(b)(2)(iii)]
4. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
5. underwrite insurance or for reinsurance or for certain other
purposes related to a consumer's insurance; [§14(b)(2)(v)] or
6. in connection with:
i. the authorization, settlement, billing, processing,
clearing, transferring, reconciling, or collection of amounts
charged, debited, or otherwise paid by using a debit, credit, or
other payment card, check, or account number, or by other payment
means; [§14(b)(2)(vi)(A)]
ii. the transfer of receivables, accounts or interests
therein; [§14(b)(2)(vi)(B)] or
iii. the audit of debit, credit, or other payment
information? [§14(b)(2)(vi)(C)]