REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- Hackers Compromise Database of South Koreans Who Work for the U.S.
Military - Two databases containing the personal information of
about 16,000 South Koreans employed by the United States military
have been hacked.
- Get ready for car software updates - Those annoying "Update
Required" pop-ups on your smartphone and computer will soon be in
your car too.
- Hacker passwords not much stronger than the average user's,
researcher finds - Hacker passwords are not all that much stronger
than those used by the average user.
- New Canadian privacy commissioner comes under fire - Canada's
federal privacy commissioner has been replaced in a move that has
sparked criticism from activists, academics and political leaders.
- FAA orders Boeing to protect 737s from computer hackers - The
Federal Aviation Administration is ordering Boeing to modify the
technology aboard late-model 737 aircraft to prevent computer
hackers from damaging the planes.
- We “will be paying no ransom,” vows town hit by Cryptowall ransom
malware - Police computers in New Hampshire hamlet crippled by
crypto-based ransomware. The town manager of a hamlet in southeastern
New Hampshire has defied demands that he pay a ransom to
recover police department computer files taken hostage by Cryptowall,
a newer piece of malware that encrypts hard drive contents of
infected machines until victims pay for them to be decrypted.
- UK Pitches Business 'Cyber Essentials' - Certification focuses on
establishing basic security buy-in: that's the pitch to U.K.
businesses via a new program called Cyber Essentials.
- Cyber crime costs $445 billion globally, GDPs take hit - Cyber
crime and economic espionage cost the global economy more than $445
billion annually, a figure that a report from the Center for
Strategic and International Studies says puts cyber crime on par
with the economic impact of global drug trafficking.
- Survey respondents praise, but neglect, continuous monitoring -
Most IT security professionals surveyed in a recent study agree that
the best way to fend off the kind of data breaches that struck
Target and Michaels is through continuous monitoring of database
networks, yet only one-third say they do just that.
- Attackers attempt DDoS extortion on Feedly - Cyber criminals
attempted to extort news aggregator service Feedly on Wednesday,
demanding money to end a distributed denial-of-service (DDoS)
attack that had hit the service.
- World Cup travelers: beware of unencrypted Brazilian Wi-Fi nets -
The last thing World Cup travelers are probably thinking about is
secure internet access in the tournament's host city, São Paulo,
Brazil. But they should be.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Highmark fires employee for mailing error, notifies thousands of
possible breach - Healthcare company Highmark is notifying about
3,675 Security Blue and Freedom Blue members that a former employee
made an error when mailing out health risk assessments, which could
have resulted in a compromise of their personal information.
- Two 14-year-old students hack Bank of Montreal ATM during lunch
break - On Wednesday, two 14-year-old Canadian students spent their
lunch break hacking an ATM and notifying its owner, Bank of Montreal
- Smart TVs subverted by radio attack - Millions of smart TVs can be
hijacked by burying attack code in signals broadcast to the
net-connected devices, security experts warn.
- Online gambling site hit by five-vector DDoS attack peaking at
100Gbps - On Friday, cloud-based security services provider
Incapsula fought off a 100 gigabits per second (Gbps) distributed
denial-of-service (DDoS) attack, combining more than five attack
vectors, against an online gambling website.
- Penn State Hershey employee takes data home, puts 1,801 patients
at risk - About 1,800 patients of Penn State Hershey Medical Center
are being notified that their information had the potential to be
compromised because a clinical laboratory technician had been
working with the data from home, outside the secured Penn State
- P.F. Chang's customer card data possibly exposed - Global
restaurant brand P.F. Chang's China Bistro is investigating a
possible data breach that could have exposed thousands of diners'
credit and debit card data.
- College of the Desert breach impacts 1,900 current and former
staffers - About 1,900 current and former employees with
California-based College of the Desert had personal information -
including Social Security numbers - exposed in a spreadsheet that a
worker attached to an email, without authorization, and sent to
about 78 staffers.
- Stolen thumb drive contained five years of data on nearly 34K
Calif. patients - Nearly 34,000 patients who received X-ray services
at California-based Redwood Regional Medical Group are being
notified that their personal information was on a thumb drive that
was stolen from an employee's locker.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
Because the Board of Directors and senior management are responsible
for developing the institution's business strategy and establishing
effective management oversight of risks, they are expected to
take an explicit, informed and documented strategic decision as to
whether and how the bank is to provide e-banking services. The
initial decision should include the specific accountabilities,
policies and controls to address risks, including those arising in a
cross-border context. Effective management oversight is expected to
encompass the review and approval of the key aspects of the bank's
security control process, such as the development and maintenance of
a security control infrastructure that properly safeguards e-banking
systems and data from both internal and external threats. It also
should include a comprehensive process for managing risks associated
with increased complexity of and increasing reliance on outsourcing
relationships and third-party dependencies to perform critical
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than those located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
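The controls named above for PCs in unrestricted areas (a password-protected screensaver, an automatic idle timeout, and locked or removed drives) can be audited on a Windows branch PC with a script such as the following. This is an added example, not text or code from the FFIEC booklet: the registry locations are the standard Windows ones, the 15-minute idle limit is an assumed institutional policy value, and disabling the USB mass-storage driver is used here as the software equivalent of "locking or removing disk drives".

```powershell
# Added example (not from the FFIEC booklet): audit one Windows PC for the
# physical-access controls named in the booklet. Run in an elevated session;
# it reports findings and exits non-zero when any control is missing.

$MaxIdleSeconds = 900   # assumed institutional policy: lock after 15 minutes idle

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value
}

$findings = @()

# 1. Screensaver must be enabled, require a password on resume, and trigger
#    within the idle limit. Group Policy values under HKCU:\Software\Policies
#    override the user's own settings, so check the policy key first.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'
$ss = @{}
foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
    $v = Get-RegValue $policyKey $name
    if ($null -eq $v) { $v = Get-RegValue $userKey $name }
    $ss[$name] = $v
}
if ($ss.ScreenSaveActive -ne '1')    { $findings += 'Screensaver is not enabled' }
if ($ss.ScreenSaverIsSecure -ne '1') { $findings += 'Screensaver does not require a password on resume' }
if (-not $ss.ScreenSaveTimeOut -or [int]$ss.ScreenSaveTimeOut -gt $MaxIdleSeconds) {
    $findings += "Screensaver timeout is '$($ss.ScreenSaveTimeOut)' s, policy requires <= $MaxIdleSeconds s"
}

# 2. Machine-wide inactivity limit (security option "Interactive logon:
#    Machine inactivity limit"), which locks the session regardless of
#    per-user screensaver settings.
$inactivity = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
if (-not $inactivity -or $inactivity -gt $MaxIdleSeconds) {
    $findings += "Machine inactivity limit is '$inactivity' s, policy requires <= $MaxIdleSeconds s"
}

# 3. Removable drives: the USB mass-storage driver should be disabled
#    (Start = 4) on lobby PCs so data cannot be copied off on a thumb drive.
$usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
if ($usbStart -ne 4) { $findings += "USB mass storage driver is not disabled (Start = $usbStart)" }

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): all checked physical-access controls are in place"
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

The script checks the policy key before the user key because a user can change values under HKCU:\Control Panel\Desktop but not the Group Policy copy; an auditor who reads only the user key can be fooled by a setting that looks compliant yet is not enforced. The USBSTOR check is deliberately narrow: it covers USB storage devices only, not optical drives or network copies, so it complements rather than replaces the physical controls the booklet describes.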
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is normally sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
INTERNET PRIVACY -
We continue our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer in
connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.