Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Max security inmates help lock down prison network - With 23 hours
a day to test the system, inmates serve as a red team - When the
Colorado Department of Corrections designed a high-speed network to
deliver services to the cells of prisoners who are locked up for
most of the day, they needed to make sure it was secure.
- Risky mobile behaviors routine in business - Like it or not, iPads,
iPhones and Android devices are making their way into enterprises,
and while a vast majority of organizations have policies around
mobile device use, risky behaviors are still commonplace, according
to a report released Tuesday.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Banking breach has hundreds scrambling to recover money - It has
now been confirmed thousands of dollars have been stolen from
account holders with The People's Federal Credit Union. The banking
breach has many scrambling to recover their money.
- New hack on Comodo reseller exposes private data - And then there
were four - Yet another official reseller of SSL certificate
authority Comodo has suffered a security breach that allowed
attackers to gain unauthorized access to data.
- Lockheed Martin acknowledges 'significant' cyberattack - Lockheed
Martin Saturday night acknowledged that it its information systems
network had been the target of a "significant and tenacious attack,"
but said that its security team detected the intrusion "almost
immediately and took aggressive actions to protect all systems and
- PBS Hacked, Claims 'Tupac Alive' In New Zealand - A report is
spreading quickly on Facebook and Twitter that famed rapper Tupac
Shakur is shockingly "alive and well" in New Zealand, 15 years after
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We begin this week reviewing
the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 1 of 10)
A. RISK DISCUSSION
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
dissatisfaction with the quality of products or services
obtained from a third party; and
- customer confusion as
to whether certain regulatory protections apply to third-party
products or services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -We
continue our series on the FFIEC interagency Information Security
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses,
Attacks, and Offsetting Controls (Part 2 of 2)
Social engineering involves an attacker obtaining
authenticators by simply asking for them. For instance, the attacker
may masquerade as a legitimate user who needs a password reset, or a
contractor who must have immediate access to correct a system
performance problem. By using persuasion, being aggressive, or using
other interpersonal skills, the attackers encourage a legitimate
user or other authorized person to give them authentication
credentials. Controls against these attacks involve strong
identification policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be captured
by hardware - or software - based keystroke capture mechanisms. PKI
private keys could be captured or reverse - engineered from their
tokens. Protection against these attacks primarily consists of
physically securing the client systems, and, if a shared secret is
used, changing the secret on a frequency commensurate with risk.
While physically securing the client system is possible within areas
under the financial institution's control, client systems outside
the institution may not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records the
authentication as it is communicated between a client and the
financial institution system, then later uses that recording to
establish a new session with the system and masquerade as the true
user. Protections against replay attacks include changing
cryptographic keys for each session, using dynamic passwords,
expiring sessions through the use of time stamps, expiring PKI
certificates based on dates or number of uses, and implementing
liveness tests for biometric systems.
is an attacker's use of an authenticated user's session to
communicate with system components. Controls against hijacking
include encryption of the user's session and the use of encrypted
cookies or other devices to authenticate each communication between
the client and the server.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out?
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive