REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- With Plan X, Pentagon seeks to spread U.S. military might to
cyberspace - The Pentagon is turning to the private sector,
universities and even computer-game companies as part of an
ambitious effort to develop technologies to improve its cyberwarfare
capabilities, launch effective attacks and withstand the likely
- Cyber Security Expert James R. Woodhill to Testify on Commercial
Account Cyber-Theft Before House Committee - Nationally recognized
cyber security expert and civic leader in the campaign against cyber
theft, James R. Woodhill will testify about the growing epidemic of
on-line financial transaction theft from prominent American
- Backdoor in chip used by military: Blame software, not China - The
recent discovery by British researchers of an intentionally placed
backdoor in U.S. chips used in defense and industrial systems set
off a brief frenzy of finger-pointing toward China, with claims that
Chinese manufacturers were prepping the chips for a series of
Stuxnet-type attacks on U.S. systems.
- No More Dot-Mil Accounts on Dating Sites - The Pentagon this month
plans to distribute a new policy on personal social media use that
tells troops to hide certain identifying information when
interacting online, Defense Department officials tell Nextgov.
- Google to 'warn' users on search in China - Google has fired a new
salvo in a censorship battle with Beijing by adding a feature that
warns users in China who enter search keywords that might produce
blocked results and suggests they try other terms.
- New Jersey Assembly passes bill requiring deletion of copier data
- The New Jersey Assembly has passed a bill that would require the
deletion of all data from digital copiers and scanners.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- A Massive Web of Fake Identities and Websites Controlled Flame
Malware - The attackers behind the complex Flame cyberespionage
toolkit, believed to be a state-sponsored operation, used an
extensive list of fake identities to register at least 86 domains,
which they used as part of their command-and-control center,
according to researchers at Russia-based antivirus firm Kaspersky
- LinkedIn confirms that posted passwords are of its members - One
of the largest social networks on the web has confirmed that
passwords of its users have been stolen.
- eHarmony may have suffered same fate as LinkedIn - Joining
LinkedIn, dating website eHarmony said Wednesday that it is
investigating the possible theft of its members' passwords.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 3: Banks should ensure that appropriate measures
are in place to promote adequate segregation of duties within
e-banking systems, databases and applications.
Segregation of duties is a basic internal control measure
designed to reduce the risk of fraud in operational processes and
systems and ensure that transactions and company assets are properly
authorized, recorded and safeguarded. Segregation of duties is
critical to ensuring the accuracy and integrity of data and is used
to prevent the perpetration of fraud by an individual. If duties are
adequately separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties are established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to ensure
that no single employee/outsourced service provider could enter,
authorize and complete a transaction.
2) Segregation should be maintained between those initiating static
data (including web page content) and those responsible for
verifying its integrity.
3) E-banking systems should be tested to ensure that segregation of
duties cannot be bypassed.
4) Segregation should be maintained between those developing and
those administrating e-banking systems.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy - to - compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]