Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
against firm that lost $345k to bank trojan - Victim failed to
secure account credentials - A federal magistrate judge has ruled
against a small business that lost $345,000 in an online bank heist,
arguing that the theft largely resulted from its own failure to
secure its account credentials, according to published news reports.
for security standards, co-operation - Oh, also bigger markets for
American security products - The US Department of Commerce is
broadening its attention beyond the critical infrastructure sector,
proposing security codes of conduct for the rest of the Internet
school district hit with new Mac spying lawsuit - After settling
with another student for $175,000 last year, Lower Merion says new
suit 'solely motivated by monetary interests' - A former student at
a suburban Philadelphia high school has sued his school district for
allegedly spying on him and his family using a school-issued Mac
laptop, according to court documents.
give nod to tougher cybercrime jail terms - The new rules are part
of a European Commission proposal, adopted by the Council of the
European Union on Friday, which now goes to the European Parliament
Fined For Selling T-Mobile Customer Data - Two men have been fined a
total of more than £70,000 for illegally selling lucrative customer
data to third parties - Two former T-Mobile employees have been
fined a total of £73,700 for stealing and selling on customer data
from the company, concluding an investigation that began in 2008,
according to the Information Commissioner’s Office (ICO).
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Passwords + Secret Questions = ‘Reasonable’ eBanking Security - A
closely-watched court battle over how far commercial banks need to
go to protect their customers from cyber theft is nearing an end.
Experts said the decision recommended by a magistrate last week - if
adopted by a U.S. district court in Maine - will make it more
difficult for other victim businesses to challenge the effectiveness
of security measures employed by their banks.
RSA Offers to Replace SecureID Tokens - In an acknowledgement of the
severity of its recent computer compromise, RSA Security said Monday
that it will replace Securid tokens for any customer that asks.
breach exposed data on 210,000 customers - Citigroup admitted
Wednesday that an attack on its website allowed hackers to view
customers' names, account numbers and contact information such as
email addresses for about 210,000 of its cardholders in North
police nab Pentagon hacking carding suspect - Greek police have
arrested an 18-year-old suspected of hacking into systems run by
Interpol, the FBI, and the Pentagon.
$1.5m in alleged ATM skimming spree - Feds charge men with
aggravated ID theft - Four men have been charged with stealing $1.5
million from banks by using electronic devices to secretly record
personal identification numbers as customers entered them into
automatic teller machines and other gear.
victim of "major" cyberattack, breach - The International Monetary
Fund (IMF) has suffered a major compromise, the latest incident in a
string of attacks targeting high-profile organizations.
data stolen from California medical group - The medical information
of thousands of individuals was compromised after thieves raided the
offices of California medical group HealthCare Partners.
Three Anonymous Members Allegedly Involved in Sony Hack - Spanish
authorities announced Friday they have arrested three members of the
hacking group Anonymous in connection to attacks against Sony’s
online Playstation network and other sites.
'may have hacked IMF' - Hackers who broke into the International
Monetary Fund's computer system may have been backed by a nation
state, according to security experts.
group claims it breached Senate website, publishes evidence of
break-in - A band of computer hackers who pride themselves on
attacking vulnerable networks for fun accessed a Senate server that
supports the chamber’s public website but did not breach other
files, a Capitol Hill law enforcement official said Monday.
Investigating Cyber Theft of $139,000 from Pittsford, NY - Computer
crooks stole at least $139,000 from the town coffers of Pittsford,
New York this week. The theft is the latest reminder of the widening
gap between the sophistication of organized cyber thieves and the
increasingly ineffective security measures employed by many
financial institutions across the United States.
Citigroup hackers broke in 'through the front door' using bank's
website - Hackers who stole the personal details of more than
200,000 Citigroup customers 'broke in through the front door' using
an extremely simple technique.
debit card spree getting bigger as more than 1 dozen banks, credit
unions affected - The local debit card fraud breach that was
discovered last month is much wider than first realized, striking
just about every major bank in the area and some of the biggest
credit unions across Northeast Ohio.
breach has hundreds scrambling to recover money - It has now been
confirmed thousands of dollars have been stolen from account holders
with The People's Federal Credit Union. The banking breach has many
scrambling to recover their money.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 3 of 10)
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the
third-party product or service;
- trade name of the
third party; and
- website appearance.
Nature of Product or
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Computer networks often extend connectivity far beyond the financial
institution and its data center. Networks provide system access and
connectivity between business units, affiliates, TSPs, business
partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access
between various groups and information users.
A typical approach to securing a large network involves dividing the
network into logical security domains. A logical security domain is
a distinct part of a network with security policies that differ from
other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
! Identifying the various applications and user-groups accessed via
! Identifying all access points to the network including various
telecommunications channels (e.g., wireless, Ethernet, frame relay,
dedicated lines, remote dial - up access, extranets, Internet);
! Mapping the internal and external connectivity between various
! Defining minimum access requirements for network services (i.e.,
most often referenced as a network services access policy); and
! Determining the most appropriate network configuration to ensure
adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less - trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
a. to the affiliates of the financial institution from which it
received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the same
disclosure restrictions as the recipient institution;
c. to any other person, if the disclosure would be lawful if made
directly to that person by the institution from which the recipient
institution received the information? [§11(b)(1)(iii)]