REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
U.S. companies seek cyber experts for top jobs, board seats - Some
of the largest U.S. companies are looking to hire cybersecurity
experts in newly elevated positions and bring technologists on to
their boards, a sign that corporate America is increasingly worried
about hacking threats.
Large Electric Utilities Earn High Security Scores - Critical
infrastructure is a big target for attack, but new data shows some
operators in that industry suffer fewer security incidents than
other industries. It may sound counterintuitive, but major utilities
rank among the most secure organizations, according to a new
Agencies Seek Better DHS Incident Response Aid - A number of large
federal agencies would like to see the Department of Homeland
Security, including its U.S. CERT unit, enhance services to help
them address cyber-incidents, according to a Government
Accountability Office report.
GAO - Information Security: Agencies Need to Improve Cyber Incident
Response Practices -
VA Failed to Protect Critical Computer Systems, Audit Finds - In
another blow to the beleaguered Veterans Affairs Department, the VA
inspector general reported today that an audit by an outside
accounting firm revealed continuing problems protecting mission
Police in Europe arrest 11 in skimming op takedown - International
law enforcement agents arrested 11 individuals for their alleged
involvement in an organized crime group, whose illegal activities
included carding operations.
Hackers face life sentences under planned UK law - To say the
British government is cracking down on computer hackers is an
understatement. The UK revealed plans, alluded to in Queen
Elizabeth's speech before Parliament Wednesday, to confer life
sentences on those committing the newly defined offense of “unauthorised
access to a computer,” according to a report in the Daily Mail.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Avast support forum hack snags usernames, passwords - The security
company has taken down its support forum following a hack that
compromised usernames, email addresses, and encrypted passwords.
Security vendor Avast is dealing with its own security problem.
Home Depot staffer fired, tapped 30,000 accounts, shared card data -
Home Depot, which last experienced an insider breach in February,
has fired and is prosecuting an employee who, for two weeks in May,
accessed information on more than 30,000 customer accounts.
Breach impacts customers of Precision Planting, a Monsanto
subsidiary - Farm equipment and services provider Precision
Planting, an Illinois-based subsidiary of chemical and agricultural
biotechnology corporation Monsanto, is notifying customers that
unauthorized access was gained to their personal information.
Washington AG: DSHS worker committed ID theft, stole more than $150k
- Washington's Attorney General has filed charges against Timothy
Darrell Fultz, a former state Department of Social and Health
Services employee accused of accessing state databases and stealing
$150,000 from the ClaimYourCash.org website run by Washington's
Department of Revenue.
Arkansas State Univ. notifies 50K of Social Security number breach -
At Arkansas State University (A-State), full and partial Social
Security numbers were compromised for about 50,000 early childhood
practitioners after unauthorized access was gained to databases
related to the Traveling Arkansas Professional Pathways (TAPP)
Office website HACKED: Passwords, addresses, phone numbers slurped -
Good thing you used a unique password, right? Right? British shoe
shop chain Office is the latest corp to cop to a computer security
breach - one that's leaked names, addresses, phone numbers, emails
and passwords of its customers.
English soccer team's passport numbers exposed in sponsor photo
tweet - Members of England's football squad, vying for the World
Cup, have more to think about than just winning soccer games after a
security breach blunder exposed their passport numbers yesterday.
U.S. military database hacks impact about 16K in South Korea -
Individuals employed by the United States military in South Korea
may have had data compromised in a hacking incident, according to a
Thursday AP report.
WEB SITE COMPLIANCE -
Over the next few weeks, we will cover some of the issues discussed in
the "Risk Management Principles for Electronic Banking" published by
the Basel Committee on Banking Supervision.
Continuing technological innovation and competition among
existing banking organizations and new entrants have allowed for a
much wider array of banking products and services to become
accessible and delivered to retail and wholesale customers through
an electronic distribution channel collectively referred to as
e-banking. However, the rapid development of e-banking capabilities
carries risks as well as benefits.
The Basel Committee on Banking Supervision expects such risks to be
recognized, addressed and managed by banking institutions in a
prudent manner according to the fundamental characteristics and
challenges of e-banking services. These characteristics include the
unprecedented speed of change related to technological and customer
service innovation, the ubiquitous and global nature of open
electronic networks, the integration of e-banking applications with
legacy computer systems and the increasing dependence of banks on
third parties that provide the necessary information technology.
The Committee noted that, while these characteristics do not create
inherently new risks, they increase and modify some of the traditional
risks associated with banking activities, in particular strategic,
operational, legal and reputational risks, thereby influencing the
overall risk profile of banking.
Based on these conclusions, the Committee considers that while
existing risk management principles remain applicable to e-banking
activities, such principles must be tailored, adapted and, in some
cases, expanded to address the specific risk management challenges
created by the characteristics of e-banking activities. To this end,
the Committee believes that it is incumbent upon the Boards of
Directors and banks' senior management to take steps to ensure that
their institutions have reviewed and modified where necessary their
existing risk management policies and processes to cover their
current or planned e-banking activities. The Committee also believes
that the integration of e-banking applications with legacy systems
implies an integrated risk management approach for all banking
activities of a banking institution.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a
response is necessary and to support subsequent forensics. The alarm
capability is only useful when a response will occur. Some intruder
detection devices available include:
! Switches that activate an alarm when an electrical circuit is
! Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
! Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance to
function properly. Maintenance logs are one control the institution
can use to determine whether the devices are appropriately
maintained. Periodic testing of the devices provides assurance that
they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a need
! Operations center
! Uninterrupted power supply
! Telecommunications equipment
! Media library
CABINET AND VAULT SECURITY
Protective containers are designed to meet either fire-resistant or
burglar-resistant standards. Labels describing expected tolerance
levels are usually attached to safes and vault doors. An institution
should select the tolerance level based on the sensitivity and
importance of the information being protected.
INTERNET PRIVACY -
We continue our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal information";
"nonaffiliated third party"; the "opt out" right and the exceptions
to that right; and "consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
A "financial institution" is any institution the business of
which is engaging in activities that are financial in nature or
incidental to such financial activities, as determined by section
4(k) of the Bank Holding Company Act of 1956. Financial institutions
can include banks, securities brokers and dealers, insurance
underwriters and agents, finance companies, mortgage bankers, and
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except a
financial institution's affiliate or a person employed jointly by a
financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is any company
that controls, is controlled by, or is under common control with the