REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
50 Years - This weekend I
celebrate 50 years in the community banking industry. The vast majority
of my time has been spent as a bank examiner or an independent bank
auditor where I have specialized in IT security for financial
institutions. I have been fortunate to have worked with
some extremely intelligent auditors and bankers who have been my mentors
over these 50 years. They know who they are, and I wish to
thank them for helping me to become the very best in my profession. R.
Kinney Williams
FYI - Power utilities claim 'daily' and 'constant' cyberattacks, says
report - A report out of Congress outlines the increased hacks on
power grid computer systems, noting that one utility faces 10,000
attempted cyberattacks per month.
http://news.cnet.com/8301-1009_3-57585618-83/power-utilities-claim-daily-and-constant-cyberattacks-says-report/
FYI - Commission offers suggestions for stemming online spy threat from
China - A new report recommends a sliding scale of actions to stop
Chinese adversaries from stealing American intellectual property –
and legalizing “counterattacks” was among the more extreme measures
proposed.
http://www.scmagazine.com/commission-offers-suggestions-for-stemming-online-spy-threat-from-china/article/294494/
FYI - Slowed by Debate and Uncertainty, New Rules Green Light Response to
Cyber Attacks - After three years of grueling internal debate, the
chairman of the Joint Chiefs is poised to approve new rules
empowering commanders to counter direct cyberattacks with offensive
efforts of their own - without White House approval.
http://www.defensenews.com/article/20130527/DEFREG02/305270014/Slowed-by-Debate-Uncertainty-New-Rules-Green-Light-Response-Cyber-Attacks
FYI - Iran fingered for attacks on US power firms - Increased levels of
online activity have US spooks alert and a little alarmed -
Iranian hackers are launching state-sanctioned attacks on US energy
firms and hope to sabotage critical infrastructure by targeting
industrial control systems, according to American officials.
http://www.theregister.co.uk/2013/05/27/iran_payback_stuxnet_ics_attacks/
FYI - Confidential report lists U.S. weapons system designs compromised by
Chinese cyberspies - Designs for many of the nation’s most sensitive
advanced weapons systems have been compromised by Chinese hackers,
according to a report prepared for the Pentagon and to officials
from government and the defense industry.
http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html
FYI - Clearwire to pull Huawei from network - Chinese vendor caught in
takeover crossfire - US mobile carrier Clearwire is getting ready to
draw down the Huawei kit in its network, in an apparent response to
the never-ending story that the vendor is a threat to US national
security.
http://www.theregister.co.uk/2013/05/27/clearwire_to_pull_huawei_from_network/
FYI - "Beta Bot" marks the latest banking malware to hit the online
underground - Fraudsters are shopping around malware that's been
repurposed to carry out financial fraud and provide root access to
infected machines.
http://www.scmagazine.com/beta-bot-marks-the-latest-banking-malware-to-hit-the-online-underground/article/295408/?DCMP=EMC-SCUS_Newswire
FYI - Wyndham Hotels court battle over FTC data security authority heats
up again - The Federal Trade Commission (FTC) has filed fresh
documents asking a U.S. District Court in New Jersey to reject a
hotel chain's motion to dismiss a complaint filed against it
following multiple data breaches.
http://www.scmagazine.com/wyndham-hotels-court-battle-over-ftc-data-security-authority-heats-up-again/article/295397/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - NC Fuel Distributor Hit by $800,000 Cyberheist - A fuel distribution
firm in North Carolina lost more than $800,000 in a cyberheist
earlier this month. Had the victim company or its bank detected the
unauthorized activity sooner, the loss would have been far less. But
both parties failed to notice the attackers coming and going for
five days before being notified by a reporter.
http://krebsonsecurity.com/2013/05/nc-fuel-distributor-hit-by-800000-cyberheist/
FYI - FBI Arrests NYPD Detective On Hacking Charges - Detective accused of
hiring hackers to obtain webmail access credentials for 30 targets,
accessing a federal crime-information database without authorization.
The Department of Justice Tuesday announced the arrest of a New York
City Police Department detective on computer hacking charges.
http://www.informationweek.com/security/attacks/fbi-arrests-nypd-detective-on-hacking-ch/240155332
FYI - Reporters use Google, find breach, get branded as "hackers" - Call
it security through absurdity: a pair of telecom firms have branded
reporters for Scripps News as "hackers" after they discovered the
personal data of over 170,000 customers - including social security
numbers and other identifying data that could be used for identity
theft - sitting on a publicly accessible server.
http://arstechnica.com/security/2013/05/reporters-use-google-find-breach-get-branded-as-hackers/
FYI - Sky apps defaced by Syrian Electronic Army hackers - Several of
Sky's Android apps have been removed from the Google Play store
after they were targeted by the Syrian Electronic Army hacking
collective. It follows an attack which saw the logos of six of the
UK broadcaster's apps replaced by that of the SEA.
http://www.bbc.co.uk/news/technology-22679099
FYI - Hospital posts personal patient information on public website - The
personal information of patients at Sonoma Valley Hospital in
California was exposed online after a hospital employee accidentally
uploaded the data to the hospital's public website.
http://www.scmagazine.com//hospital-posts-personal-patient-information-on-public-website/article/295190/?DCMP=EMC-SCUS_Newswire
FYI - Hackers may have had access to resort's credit card system for eight
months - The financial information of guests at Callaway Gardens was
stolen by thieves who implanted malware on the Pine Mountain, Ga.
resort's credit and debit card systems.
http://www.scmagazine.com/hackers-may-have-had-access-to-resorts-credit-card-system-for-eight-months/article/295395/?DCMP=EMC-SCUS_Newswire
FYI - Chinese hackers reportedly accessed U.S. weapons designs - More
than two dozen advanced weapons systems are said to have been
accessed. Documents obtained by the Washington Post do not indicate
whether the breaches occurred on government or contractor networks.
http://news.cnet.com/8301-1009_3-57586355-83/chinese-hackers-reportedly-accessed-u.s-weapons-designs/?tag=nl.e757&s_cid=e757&ttag=e757
FYI - Drupal breach compromises nearly one million accounts - Hackers
ransacked the servers of Drupal.org, an open source content
management platform, to plunder the sensitive information of nearly
one million accounts.
http://www.scmagazine.com/drupal-breach-compromises-nearly-one-million-accounts/article/295556/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Risk Management of Outsourced
Technology Services
Due Diligence in Selecting a Service Provider - Oversight of
Service Provider
Some of the oversight activities management should consider in
administering the service provider relationship are categorized and
listed below. The degree of oversight activities will vary depending
upon the nature of the services outsourced. Institutions should
consider the extent to which the service provider conducts similar
oversight activities for any of its significant supporting agents
(i.e., subcontractors, support vendors, and other parties) and the
extent to which the institution may need to perform oversight
activities on the service provider’s significant supporting agents.
Monitor Financial Condition and Operations
• Evaluate the service
provider’s financial condition periodically.
• Ensure that the service provider’s financial obligations to
subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews)
as well as regulatory examination reports if available, and
evaluate the adequacy of the service providers’ systems and
controls including resource availability, security, integrity,
and confidentiality.
• Follow up on any deficiencies noted in the audits and reviews
of the service provider.
• Periodically review the service provider’s policies relating
to internal controls, security, systems development and
maintenance, and backup and contingency planning to ensure they
meet the institution’s minimum guidelines, contract
requirements, and are consistent with the current market and
technological environment.
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel
allocated to the institution.
• Review and monitor the service provider’s insurance policies
for effective coverage.
• Perform on-site inspections in conjunction with some of the
reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client
institutions.
Some services provided to insured
depository institutions by service providers are examined by the
FFIEC member agencies. Regulatory examination reports, which are
only available to clients/customers of the service provider, may
contain information regarding a service provider’s operations.
However, regulatory reports are not a substitute for a financial
institution’s due diligence in oversight of the service provider.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and, most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
the e-newsletter.
SECURITY PROCESS
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
employees.
OVERVIEW
The security process is the method an organization uses to implement
and achieve its security objectives. The process is designed to
identify, measure, manage and control the risks to system and data
availability, integrity, and confidentiality, and ensure
accountability for system actions. The process includes five areas
that serve as the framework for this booklet:
1) Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
outcomes.
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and operation
of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of
risk-appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously gathering
and analyzing information regarding new threats and vulnerabilities,
actual attacks on the institution or others combined with the
effectiveness of the existing security controls. This information is
used to update the risk assessment, strategy, and controls.
Monitoring and updating makes the process continuous instead of a
one-time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14 and/or 15 but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual privacy
notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
consumer records where available, determine if the institution has
adequate procedures in place to provide notices to consumers, as
appropriate. Assess the following:
a. Timeliness of delivery (§4(a));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9); and
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).