R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 24, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Hackers more aggressive in attacking customer accounts - A survey of large financial institutions shows they faced more attacks by hackers to take over customer banking accounts last year than in the two previous years, and about a third of these attacks succeeded. http://www.computerworld.com/s/article/9228139/Banks_Hackers_more_aggressive_in_attacking_customer_accounts?taxonomyId=17

FYI - LinkedIn sued over exposure of poorly secured passwords - A class-action lawsuit has been filed against LinkedIn over the June 6 data breach that resulted in the theft of nearly 6.5 million passwords. http://www.scmagazine.com/linkedin-sued-over-exposure-of-poorly-secured-passwords/article/246625/?DCMP=EMC-SCUS_Newswire

FYI - Germany confirms existence of operational cyberwarfare unit - German authorities confirmed Tuesday in a parliamentary document that their military possesses a top secret cyberwarfare unit which is already operational, but gave no details of how big it is or what kind of attacks it could conduct. http://www.stripes.com/news/germany-confirms-existence-of-operational-cyberwarfare-unit-1.179655

FYI - New Grad Looking For a Job? Pentagon Contractors Post Openings For Black-Hat Hackers - http://www.forbes.com/sites/andygreenberg/2012/06/15/new-grad-looking-for-a-job-pentagon-contractors-post-openings-for-black-hat-hackers-2/

FYI - Policy would require agencies to scan for network threats every 72 hours and begin patching holes - The Homeland Security Department later this month will present to federal computer contractors and remote cloud suppliers standards for finding and fixing cyber threats within 72 hours, DHS officials announced on Thursday. http://www.nextgov.com/cloud-computing/2012/06/policy-would-require-agencies-patch-cybersecurity-holes-within-72-hours-discovery/56271/

FYI - N.H. insurance firm had no idea it was working with breached vendor - A now-defunct, third-party vendor for Primex, which provides insurance to schools and governments in New Hampshire, lost an external hard drive and backup tape containing the personal information of thousands of people. http://www.scmagazine.com/nh-insurance-firm-had-no-idea-it-was-working-with-breached-vendor/article/245965/?DCMP=EMC-SCUS_Newswire

FYI - The real impact of the leaked password attacks - The recent attacks that leaked millions of passwords from LinkedIn and eHarmony accounts are almost becoming a daily news event for those of us who monitor the security field. http://www.scmagazine.com/the-real-impact-of-the-leaked-password-attacks/article/245950/?DCMP=EMC-SCUS_Newswire

FYI - Insider threat: The game has changed - Give me a couple of minutes and I'll slip through your virtual private network (VPN), bypass your firewall, blind your intrusion prevention system and negate your disk encryption. http://www.scmagazine.com/insider-threat-the-game-has-changed/article/245759/?DCMP=EMC-SCUS_Newswire

FYI - Post-hack, companies fire back with their own attacks - According to a new report, some companies that have fallen victim to hacking attacks have gone as far as hiring security firms to hack back. U.S. companies are being targeted by hackers at an alarming rate. And according to a new report, they're tired of doing nothing in retaliation. http://news.cnet.com/8301-1009_3-57455030-83/post-hack-companies-fire-back-with-their-own-attacks/

FYI - SMB cloud security spending to continue growth - Security spending among small and midsize businesses (SMBs) is expected to grow over the next four years, especially in the area of cloud implementations. http://www.scmagazine.com/smb-cloud-security-spending-to-continue-growth/article/246622/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - UK LulzSec suspect charged with hacking in US - A British man suspected of being part of the Lulz Security hacking group has been formally charged in the US. http://www.bbc.co.uk/news/technology-18439217

FYI - Merchant information may have been stolen from Global Payments - Hackers might have stolen the personal information of individuals who applied for a merchant account with card payment processor Global Payments. http://www.computerworld.com/s/article/9228041/Merchant_information_may_have_been_stolen_from_Global_Payments?taxonomyId=17

FYI - FTC Fines Spokeo $800K for Peddling False Employee Background Check Info - Spokeo, an online data broker, has agreed to pay an $800,000 fine to the Federal Communications Commission to settle charges it peddled inaccurate information about job applicants and violated consumer protection laws. http://www.wired.com/threatlevel/2012/06/spokeo-fined-800k/

FYI - Feds Bust Credit Card Fraud Ring - A Dutch man accused of running an underground website devoted to the buying and selling of debit and credit card data appeared in a Seattle federal courtroom Monday, where he pleaded not guilty to a 14-count indictment accusing him of crimes such as access device fraud, bank fraud, and aggravated identity theft. http://www.informationweek.com/news/security/attacks/240001930

FYI - iTunes vulnerability may enable remote code execution - Researchers have unveiled a flaw in iTunes that could allow cyber criminals to execute remote code on target machines. http://www.scmagazine.com/itunes-vulnerability-may-enable-remote-code-execution/article/246207/?DCMP=EMC-SCUS_Newswire

FYI - Laptop with public employee data stolen in New Mexico - The personal data of members, former members and beneficiaries of the Public Employees Retirement Association (PERA) in Santa Fe, N.M. may be at risk after a laptop was stolen from a car. http://www.scmagazine.com/laptop-with-public-employee-data-stolen-in-new-mexico/article/246427/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 5: Banks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions, records and information.

Data integrity refers to the assurance that information that is in-transit or in storage is not altered without authorization. Failure to maintain the data integrity of transactions, records and information can expose banks to financial losses as well as to substantial legal and reputational risk.

The inherent nature of straight-through processes for e-banking may make programming errors or fraudulent activities more difficult to detect at an early stage. Therefore, it is important that banks implement straight-through processing in a manner that ensures safety and soundness and data integrity.

As e-banking is transacted over public networks, transactions are exposed to the added threat of data corruption, fraud and the tampering of records. Accordingly, banks should ensure that appropriate measures are in place to ascertain the accuracy, completeness and reliability of e-banking transactions, records and information that is either transmitted over Internet, resident on internal bank databases, or transmitted/stored by third-party service providers on behalf of the bank. Common practices used to maintain data integrity within an e-banking environment include the following:

1)  E-banking transactions should be conducted in a manner that makes them highly resistant to tampering throughout the entire process.

2)  E-banking records should be stored, accessed and modified in a manner that makes them highly resistant to tampering.

3)  E-banking transaction and record-keeping processes should be designed in a manner as to make it virtually impossible to circumvent detection of unauthorized changes.

4)  Adequate change control policies, including monitoring and testing procedures, should be in place to protect against any e-banking system changes that may erroneously or unintentionally compromise controls or data reliability.

5)  Any tampering with e-banking transactions or records should be detected by transaction processing, monitoring and record keeping functions.
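The five practices above call for records that are tamper-resistant and for tampering to be detectable by the record-keeping function itself. The following is an added illustration written for this newsletter, not code from the Basel Committee document: it keeps a small ledger of constructed e-banking transactions in which every entry carries an HMAC-SHA256 tag computed over its own fields and the previous entry's tag, so that altering a stored field, altering a tag, or deleting an entry breaks the chain and is reported at the first affected position. The key, field names and transaction values are assumptions for the demonstration; in a real system the key would live in an HSM or key-management service, and the verification would run as part of monitoring rather than on demand.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key for illustration only; a production key would be
# provisioned from an HSM or key vault, never hard-coded.
DEMO_KEY = b"demo-integrity-key-not-for-production"
GENESIS_TAG = "0" * 64  # chain anchor for the first entry


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key: bytes, record: dict, prev_tag: str) -> str:
    """HMAC-SHA256 over the record fields plus the previous entry's tag (hash chain)."""
    msg = canonical(record) + b"|" + prev_tag.encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(ledger: list, key: bytes, record: dict) -> dict:
    """Append a record, linking it to the tag of the entry before it."""
    prev_tag = ledger[-1]["tag"] if ledger else GENESIS_TAG
    entry = {"record": record, "prev_tag": prev_tag, "tag": tag_record(key, record, prev_tag)}
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, key: bytes):
    """Return (True, None) if the ledger is intact, else (False, index) of the
    first entry whose chain link or tag does not verify. Because each entry
    commits to its predecessor's tag, a deleted entry shows up as a broken
    link on the entry that followed it."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(ledger):
        if entry.get("prev_tag") != prev_tag:
            return False, i
        expected = tag_record(key, entry["record"], prev_tag)
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def demo():
    """Build a ledger of constructed transactions, then show that an
    unauthorized field change and a deleted entry are both detected."""
    ledger = []
    # Constructed sample e-banking transactions (not real account data)
    txns = [
        {"id": "T1001", "from": "ACC-111", "to": "ACC-222", "amount": "250.00", "ccy": "USD"},
        {"id": "T1002", "from": "ACC-333", "to": "ACC-444", "amount": "1200.00", "ccy": "USD"},
        {"id": "T1003", "from": "ACC-111", "to": "ACC-555", "amount": "75.50", "ccy": "USD"},
    ]
    for t in txns:
        append_entry(ledger, DEMO_KEY, t)
    intact = verify_ledger(ledger, DEMO_KEY)

    # Unauthorized change to a stored amount: tag of entry 1 no longer matches.
    tampered = copy.deepcopy(ledger)
    tampered[1]["record"]["amount"] = "12000.00"
    altered = verify_ledger(tampered, DEMO_KEY)

    # Deleted entry: the former entry 2 now sits at index 1 with a prev_tag
    # that points at the removed entry, so the chain breaks there.
    deleted = copy.deepcopy(ledger)
    del deleted[1]
    gap = verify_ledger(deleted, DEMO_KEY)
    return intact, altered, gap


if __name__ == "__main__":
    print(demo())  # → ((True, None), (False, 1), (False, 1))
```

Two design points matter in practice: the serialization must be canonical (sorted keys, fixed separators) or identical records would verify differently across processes, and the comparison uses hmac.compare_digest so a monitoring job that verifies on demand does not leak timing information about the tag.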

 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

INTRUSION RESPONSE (Part 1 of 2)

Intrusion detection by itself does not mitigate risks of an intrusion. Risk mitigation only occurs through an effective and timely response. The goal of the response is to minimize damage to the institution and its customers through containment of the intrusion, and restoration of systems.

The response primarily involves people rather than technologies. The quality of intrusion response is a function of the institution's culture, policies and procedures, and training.

Preparation determines the success of any intrusion response. Preparation involves defining the policies and procedures that guide the response, assigning responsibilities to individuals and providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution's policies and procedures include the following:

- How to balance concerns regarding availability, confidentiality, and integrity, for devices and data of different sensitivities. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. An institution may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left on line.
- When and under what circumstances to invoke the intrusion response activities, and how to ensure the proper personnel are available and notified.
- How to control the frequently powerful intrusion identification and response tools.
- When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both the containment and the restoration strategy.
- When and under what circumstances to involve regulators, customers, and law enforcement. This consideration drives certain monitoring decisions, decisions regarding evidence-gathering and preservation, and communications considerations.
- Which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisions within the organization.
- How and what to communicate outside the organization, whether to law enforcement, customers, service providers, potential victims, and others. This consideration drives the communication strategy, and is a key component in mitigating reputation risk.
- How to document and maintain the evidence, decisions, and actions taken.
- What criteria must be met before compromised services, equipment and software are returned to the network.
- How to learn from the intrusion and use those lessons to improve the institution's security.
- How and when to prepare and file a Suspicious Activities Report (SAR).



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

20. Does the opt out notice state:

a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party;
[§7(a)(1)(i)]

b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and

c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
