Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Security concerns of computer automation and control: Where to
start? - In today's industrial networks, supervisory control and
data acquisition (SCADA) and distributed control systems (DCS)
control many government infrastructures, which in turn impact many
- Con artists pose as security companies in growing scam - Scareware
has taken on a human face. Criminals posing as computer security
engineers are having success in calling victims at home and stealing
their money, according to a survey.
- Met arrest alleged Lulz hacker - Essex boy picked up - Th Met's
e-Crime unit has arrested a 19-year old alleged hacker in Essex on
suspicion of involvement with network attacks and denial of service
- Chinese Weapon Systems Vulnerable To SCADA Hack - Hackers could
potentially gain control of Chinese weapon systems, US Homeland
Security has warned.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Comerica Bank ordered to pay after customer hacked - A Michigan
court has ruled that Comerica Bank is liable for a US$560,000
cyberheist, saying the bank should have done a better job to spot
millions of dollars in fraudulent transactions after one of the
bank's customers was tricked in a phishing attack two years ago.
- Citi Credit Card Hack Bigger Than Originally Disclosed - Citigroup
has been forced to reveal that a recent hack of its network exposed
the financial data of more than 360,000 customers, a much higher
number than the bank originally disclosed.
- ADP Statement on Security Breach Investigation - Automatic Data
Processing, Inc., today announced that it is investigating and
taking measures to address the impact of a system intrusion that
occurred with one client at Workscape, a recently acquired benefits
administration provider. The intrusion, which occurred on a
non-payroll legacy platform that is no longer sold by ADP's benefits
administration business, was detected by the ADP security team
during routine system monitoring.
- LulzSec Claims Credit For CIA Site Takedown - The hacking group
said it rendered the CIA's public website inaccessible and launched
phone DDoS attacks on FBI's Detroit office and other groups
suggested by followers. The hacking group LulzSec, aka the Lulz
Boat, on Wednesday claimed to have rendered the CIA's public website
- NHS laptop loss could put millions of records at risk - A laptop
containing unnamed patient information has gone missing from a
subsidiary of the NHS North Central London health authority, putting
the privacy of patients at risk.
- Hacker Gets 2 Yrs. for Stealing $275K from MN Co. - Hacker was
sentenced to two years in prison for hacking in to the computer
networks of a subsidiary of Digital River and transferring about
$275,000 to his bank account.
- Bitcoin market flash-crash and database leak from Mt.Gox - Itís
been a rough weekend for Bitcoin. First, new Bitcoin malware hit the
Web last Friday which attempts to steal a Bitcoin userís wallet and
email it to an email address.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
The compliance risk to an institution linking to a third-party's
website depends on several factors. These factors include the nature
of the products and services provided on the third-party's website,
and the nature of the institution's business relationship with the
third party. This is particularly true with respect to compensation
arrangements for links. For example, a financial institution that
receives payment for offering advertisement-related weblinks to a
settlement service provider's website should carefully consider the
prohibition against kickbacks, unearned fees, and compensated
referrals under the Real Estate Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
The primary TCP/IP protocols are the Internet protocol (IP) and the
transmission control protocol (TCP). IP is used to route messages
between devices on a network, and operates at the Internet layer.
TCP operates at the host-to-host layer, and provides a
connection-oriented, full - duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP) is also
used at the host-to-host layer. Unlike TCP, UDP is not connection -
oriented, which makes it faster and a better protocol for supporting
broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often do not effectively
filter it. To provide additional safeguards, it is often blocked
entirely from inbound traffic or additional controls are added to
verify and authenticate inbound UDP packets as coming from a trusted
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
46. Does the institution refrain from disclosing, directly
or through affiliates, account numbers or similar forms of access
numbers or access codes for a consumer's credit card account,
deposit account, or transaction account to any nonaffiliated third
party (other than to a consumer reporting agency) for telemarketing,
direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to
market the institution's own products or services, as long as the
agent or service provider is not authorized to directly initiate
charges to the account; ['12(b)(1)] or
b. to a participant in a private label credit card program or an
affinity or similar program where the participants in the program
are identified to the customer when the customer enters into the
(Note: an "account number or similar form of access number
or access code" does not include numbers in encrypted form, so long
as the institution does not provide the recipient with a means of
decryption. ['12(c)(1)] A transaction account does not include an
account to which third parties cannot initiate charges. ['12(c)(2)])