REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
50 Years - This weekend I
celebrate 50 years in the community banking industry. The vast majority
of my time has been spent as a bank examiner or an independent bank
auditor where I have specialized in IT security for financial
institutions. I have been fortunate to have worked with
some extremely intelligent auditors and bankers who have been my mentors
over these 50 years. They know who they are, and I wish to
thank them for helping me to become the very best in my profession. R.
- Power utilities claim 'daily' and 'constant' cyberattacks, says
report - A report out of Congress outlines the increased hacks on
power grid computer systems, noting that one utility faces 10,000
attempted cyberattacks per month.
Commission offers suggestions for stemming online spy threat from
China - A new report recommends a sliding scale of actions to stop
Chinese adversaries from stealing American intellectual property –
and legalizing “counterattacks” was among the more extreme measures
Slowed by Debate and Uncertainty, New Rules Green Light Response to
Cyber Attacks - After three years of grueling internal debate, the
chairman of the Joint Chiefs is poised to approve new rules
empowering commanders to counter direct cyberattacks with offensive
efforts of their own - without White House approval.
Iran fingered for attacks on US power firms - Increased levels of
online activity have US spooks alert, just a little alarmed -
Iranian hackers are launching state-sanctioned attacks on US energy
firms and hope to sabotage critical infrastructure by targeting
industrial control systems, according to American officials.
Confidential report lists U.S. weapons system designs compromised by
Chinese cyberspies - Designs for many of the nation’s most sensitive
advanced weapons systems have been compromised by Chinese hackers,
according to a report prepared for the Pentagon and to officials
from government and the defense industry.
Clearwire to pull Huawei from network - Chinese vendor caught in
takeover crossfire - US mobile carrier Clearwire is getting ready to
draw-down the Huawei kit in its network, in an apparent response to
the never-ending story that the vendor is a threat to US national
"Beta Bot" marks the latest banking malware to hit the online
underground - Fraudsters are shopping around malware that's been
repurposed to carry out financial fraud and provide root access to
Wyndham Hotels court battle over FTC data security authority heats
up again - The Federal Trade Commission (FTC) has filed fresh
documents asking a U.S. District Court in New Jersey to reject a
hotel chain's motion to dismiss a complaint filed against it
following multiple data breaches.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
NC Fuel Distributor Hit by $800,000 Cyberheist - A fuel distribution
firm in North Carolina lost more than $800,000 in a cyberheist
earlier this month. Had the victim company or its bank detected the
unauthorized activity sooner, the loss would have been far less. But
both parties failed to notice the attackers coming and going for
five days before being notified by a reporter.
FBI Arrests NYPD Detective On Hacking Charges - Detective accused of
hiring hackers to obtain webmail access credentials for 30 targets,
accessing federal crime-information database without authorization.
The Department of Justice Tuesday announced the arrest of New York
City Police Department detective on computer hacking charges.
Reporters use Google, find breach, get branded as “hackers” - Call
it security through absurdity: a pair of telecom firms have branded
reporters for Scripps News as "hackers" after they discovered the
personal data of over 170,000 customers - including social security
numbers and other identifying data that could be used for identity
theft - sitting on a publicly accessible server.
Sky apps defaced by Syrian Electronic Army hackers - Several of
Sky's Android apps have been removed from the Google Play store
after they were targeted by the Syrian Electronic Army hacking
collective. It follows an attack which saw the logos of six of the
UK broadcaster's apps replaced by that of the SEA.
Hospital posts personal patient information on public website - The
personal information of patients Sonoma Valley Hospital in
California was exposed online after a hospital employee accidentally
uploaded the data to the hospital's public website.
Hackers may have had access to resort's credit card system for eight
months - The financial information of guests at Callaway Gardens was
stolen by thieves who implanted malware on the Pine Mountain, Ga.
resort's credit and debit card systems.
- Chinese hackers reportedly accessed U.S. weapons designs - More
than two dozen advanced weapons systems are said to have been
accessed. Documents obtained by the Washington Post do not indicate
whether the breaches occurred on government or contractor networks.
- Drupal breach compromises nearly one million accounts - Hackers
ransacked the servers of Drupal.org, an open source content
management platform, to plunder the sensitive information of nearly
one million accounts.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced
Due Diligence in Selecting a Service Provider - Oversight of
Some of the oversight activities management should consider in
administering the service provider relationship are categorized and
listed below. The degree of oversight activities will vary depending
upon the nature of the services outsourced. Institutions should
consider the extent to which the service provider conducts similar
oversight activities for any of its significant supporting agents
(i.e., subcontractors, support vendors, and other parties) and the
extent to which the institution may need to perform oversight
activities on the service provider’s significant supporting agents.
Monitor Financial Condition and Operations
• Evaluate the service
provider’s financial condition periodically.
• Ensure that the service provider’s financial obligations to
subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews)
as well as regulatory examination reports if available, and
evaluate the adequacy of the service providers’ systems and
controls including resource availability, security, integrity,
• Follow up on any deficiencies noted in the audits and reviews
of the service provider.
• Periodically review the service provider’s policies relating
to internal controls, security, systems development and
maintenance, and back up and contingency planning to ensure they
meet the institution’s minimum guidelines, contract
requirements, and are consistent with the current market and
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel
allocated to the institution.
• Review and monitor the service provider’s insurance policies
for effective coverage.
• Perform on-site inspections in conjunction with some of the
reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client
Some services provided to insured
depository institutions by service providers are examined by the
FFIEC member agencies. Regulatory examination reports, which are
only available to clients/customers of the service provider, may
contain information regarding a service provider’s operations.
However, regulatory reports are not a substitute for a financial
institution’s due diligence in oversight of the service provider.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most important
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
The security process is the method an organization uses to implement
and achieve its security objectives. The process is designed to
identify, measure, manage and control the risks to system and data
availability, integrity, and confidentiality, and ensure
accountability for system actions. The process includes five areas
that serve as the framework for this booklet:
Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and operation
of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of risk -
appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously gathering
and analyzing information regarding new threats and vulnerabilities,
actual attacks on the institution or others combined with the
effectiveness of the existing security controls. This information is
used to update the risk assessment, strategy, and controls.
Monitoring and updating makes the process continuous instead of a
one - time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, and 14 and/or 15 but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual privacy
notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
consumer records where available, determine if the institution has
adequate procedures in place to provide notices to consumers, as
appropriate. Assess the following:
a. Timeliness of delivery (§4(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice §9(c)), and
accessibility of or ability to retain the notice (§9(e)).