REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.FYI
- "Human error" contributes to nearly all cyber incidents, study
finds - Even though organizations may have all of the bells and
whistles needed in their data security arsenal, it's the human
element that continues to fuel cyber incidents occurring, according
to one recent study.
- FCC to push network providers on cybersecurity - If private
companies don't improve their security efforts, the agency will step
in with regulations, FCC Chairman Wheeler says - The U.S. Federal
Communications Commission is threatening to step in with regulations
if network providers don't take steps to improve cybersecurity.
- Bank of England plans to shove cyber-microscope up nation's
bankers - BoE and pals will use govt intelligence to stage pen-tests
at financial powerhouses - The Bank of England today announced it
plans to penetrate Blighty’s banks to test the security of their
critical computer systems.
- Local cops in 15 US states confirmed to use cell tracking devices
- Stingray use is widespread: Baltimore, Chicago, and even Anchorage
have them. A new map released Thursday by the American Civil
Liberties Union shows that fake cell towers, also known as
stingrays, are used by state and local law enforcement in 15 states.
- Target finally gets its first CISO - That it often takes a data
breach to get one is a sad reality for many companies, analyst says
- Target has hired a chief information security officer (CISO), a
move that's noteworthy mainly because it is the first time the
company has ever had anyone in this role, even though it is one of
the largest retailers in the U.S.
- Teen arrested and charged for Bell Canada hack - The Royal
Canadian Mounted Police has arrested a teenage for allegedly hacking
into the system of a third-party supplier of Bell Canada, accessing
customer data, and posting it online.
- Former Microsoft employee draws three-month prison term for
leaking code - A U.S. district court judge has sentenced a former
Microsoft employee to three months in prison for stealing company
- Ruling Raises Stakes for Cyberheist Victims - A Missouri firm that
unsuccessfully sued its bank to recover $440,000 stolen in a 2010
cyberheist may now be on the hook to cover the financial
institution’s legal fees, an appeals court has ruled. Legal experts
say the decision is likely to discourage future victims from
pursuing such cases.
- Top Canadian court: Cops need warrant to get names from ISPs -
Decision could scupper nascent cyberbullying, privacy bills -
Canadian ISPs can no longer simply hand over customer information
without a warrant after the country’s Supreme Court ruled that
internet users were entitled to a "reasonable" expectation of
- GAO - Areas for Improvement in the Federal Reserve Banks'
Information Systems Controls, GAO-14-691R -
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Credit Card Breach at P.F. Chang’s - Nationwide chain P.F. Chang’s
China Bistro said today that it is investigating claims of a data
breach involving credit and debit card data reportedly stolen from
restaurant locations nationwide.
- Feedly and Evernote struck by denial of service cyber-attacks -
The news aggregator Feedly says it has come under a "distributed
denial of service" attack from cyber criminals, which is preventing
users from accessing its service.
- Email sent to wrong address, data on more than 35K Calif. students
at risk - More than 35,000 Riverside Community College District (RCCD)
students in California are being notified that their personal
information - including Social Security numbers - was included in an
email that was sent to the wrong external email address.
- San Diego hospital breach investigation reveals second incident,
both human error - Nearly 20,000 patients of Rady Children's
Hospital (RCH) in San Diego are being notified that their personal
information was erroneously included in emails sent to job
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate
authorization privileges and authentication measures, logical and
physical access controls, adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities and data integrity of transactions,
records and information. In addition, the existence of clear audit
trails for all e-banking transactions should be ensured and measures
to preserve confidentiality of key e-banking information should be
appropriate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort.
Regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimize legal
and reputational risk associated with e-banking activities conducted
both domestically and cross-border, banks should make adequate
disclosure of information on their web sites and take appropriate
measures to ensure adherence to customer privacy requirements
applicable in the jurisdictions to which the bank is providing
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of
Physical security for distributed IS, particularly LANs that are
usually PC - based, is slightly different than for mainframe
platforms. With a network there is often no centralized computer
room. In addition, a network often extends beyond the local
premises. There are certain components that need physical security.
These include the hardware devices and the software and data that
may be stored on the file servers, PCs, or removable media (tapes
and disks). As with more secure IS environments, physical network
security should prevent unauthorized personnel from accessing LAN
devices or the transmission of data. In the case of wire - transfer
clients, more extensive physical security is required.
Physical protection for networks as well as PCs includes power
protection, physical locks, and secure work areas enforced by
security guards and authentication technologies such as magnetic
badge readers. Physical access to the network components (i.e.,
files, applications, communications, etc.) should be limited to
those who require access to perform their jobs. Network workstations
or PCs should be password protected and monitored for workstation
Network wiring requires some form of protection since it does not
have to be physically penetrated for the data it carries to be
revealed or contaminated. Examples of controls include using a
conduit to encase the wiring, avoiding routing through publicly
accessible areas, and avoiding routing networking cables in close
proximity to power cables. The type of wiring can also provide a
degree of protection; signals over fiber, for instance, are less
susceptible to interception than signals over copper cable.
Capturing radio frequency emissions also can compromise network
security. Frequency emissions are of two types, intentional and
unintentional. Intentional emissions are those broadcast, for
instance, by a wireless network. Unintentional emissions are the
normally occurring radiation from monitors, keyboards, disk drives,
and other devices. Shielding is a primary control over emissions.
The goal of shielding is to confine a signal to a defined area. An
example of shielding is the use of foil-backed wallboard and window
treatments. Once a signal is confined to a defined area, additional
controls can be implemented in that area to further minimize the
risk that the signal will be intercepted or changed.
Return to the top of
INTERNET PRIVACY -
continue our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
Opt Out Right and Exceptions:
Consumers must be given the right to "opt out" of, or prevent, a
financial institution from disclosing nonpublic personal information
about them to a nonaffiliated third party, unless an exception to
that right applies. The exceptions are detailed in sections 13, 14,
and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a
reasonable opportunity to opt out depends on the circumstances
surrounding the consumer's transaction, but a consumer must be
provided a reasonable amount of time to exercise the opt out right.
For example, it would be reasonable if the financial institution
allows 30 days from the date of mailing a notice or 30 days after
customer acknowledgement of an electronic notice for an opt out
direction to be returned. What constitutes a reasonable means to
opt out may include check-off boxes, a reply form, or a
toll-free telephone number, again depending on the circumstances
surrounding the consumer's transaction. It is not reasonable to
require a consumer to write his or her own letter as the only means
to opt out.