REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.FYI - "Human error" contributes to nearly all cyber incidents, study finds - Even though organizations may have all of the bells and whistles needed in their data security arsenal, it's the human element that continues to fuel cyber incidents occurring, according to one recent study. http://www.scmagazine.com/human-error-contributes-to-nearly-all-cyber-incidents-study-finds/article/356015/

FYI - The Federal Financial Institutions Examination Council today launched a Web page on cybersecurity. The Web page is a central repository for current and future FFIEC-related materials on cybersecurity. www.ffiec.gov/press/pr062414.htm

FYI - NCUA Hosting Webinar on Mobile Apps - Learn How Mobile Applications Are Changing the Financial Services Landscape - The growing use of mobile applications and the rewards and risks associated with their usage will be discussed during a free webinar, “Mobile Applications - The Next Step” hosted by the National Credit Union Administration on Wednesday, July 9, 2014, at 2 p.m. Eastern. 
www.ncua.gov/News/Pages/NW20140623Webinar.aspx

FYI - United Security Bank settles with TRC oil firm for $350K - A Fresno, Calif., bank has settled with an oil production firm after fraudulent Ukrainian wire transfers stole more than $200,000 from the oil firm's accounts. http://www.scmagazine.com/united-security-bank-settles-with-trc-oil-firm-for-350k/article/357013/

FYI - Google and Facebook can be legally intercepted, says UK spy boss - UK intelligence service GCHQ can legally snoop on British use of Google, Facebook and web-based email without specific warrants because the firms are based abroad, the government has said. http://www.bbc.com/news/technology-27887639

FYI - Google yanks malicious app from Play Store - A malware app called “Google Play Stoy,” which intercepts banking credentials, certificates and text messages from Android devices, has been removed from the Google Play Store, according to a Wednesday blog post from FireEye, which worked with Google to remove it. http://www.scmagazine.com/google-yanks-malicious-app-from-play-store/article/356748/

FYI - Despite patching efforts, 300K servers are still vulnerable to Heartbleed - The number of servers vulnerable to the Heartbleed exploit decreased by only around 9,000 in the past month, a recent scan shows - Despite a great start, the rate of patching OpenSSL servers against the critical Heartbleed vulnerability has slowed down to almost a halt. Around 300,000 servers remain vulnerable and many of them are unlikely to get patched anytime soon. http://www.computerworld.com/s/article/9249310/Despite_patching_efforts_300K_servers_are_still_vulnerable_to_Heartbleed?taxonomyId=17

FYI - Illinois buys cell-tracking gear complete with NDAs, no-bid process - Homeland Security grant funded secret buy of stingrays for state police. Newly published documents show that in July 2008, the Illinois State Police purchased more than $250,000 worth of “covert cellular tracking equipment” from the Harris Corporation. http://arstechnica.com/tech-policy/2014/06/illinois-spent-over-250000-on-covert-cellular-tracking-equipment/

FYI - HackingTeam tool makes use of mobile malware targeting all major platforms - Researchers have uncovered troubling details about a mobile surveillance service provided by HackingTeam, an Italian seller of monitoring software. http://www.scmagazine.com/hackingteam-tool-makes-use-of-mobile-malware-targeting-all-major-platforms/article/357652/

FYI - Banks, payment services and social networks most targeted by phishing kits - Financial institutions, ePayment and money transfer services, and social networks are the top three targets of phishing kits, respectively, according to PhishLabs. http://www.scmagazine.com/banks-payment-services-and-social-networks-most-targeted-by-phishing-kits/article/357880/

FYI - Supreme Court's landmark ruling bars warrantless search of cell phones - In a landmark ruling, the Supreme Court has decided that police may no longer search the contents of suspects' cell phones without a warrant. http://www.scmagazine.com/supreme-courts-landmark-ruling-bars-warrantless-search-of-cell-phones/article/358091/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - P.F. Chang’s Breach Likely Began in Sept. 2013 - The recently-announced credit card breach at P.F. Chang’s Chinese Bistro appears to have gone on for at least nine months: New information indicates that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11, one day after KrebsOnSecurity.com broke the news about the break-in. http://krebsonsecurity.com/2014/06/p-f-changs-breach-likely-began-in-sept-2013/

FYI - Hong Kong polling site suffers massive DDoS attack - An online polling site intended to gauge the support for universal suffrage in Hong Kong was hit by a large distributed denial-of-service (DDoS) attack Tuesday. http://www.scmagazine.com/hong-kong-polling-site-suffers-massive-ddos-attack/article/356866/

FYI - Nearly 8,500 notification letters sent out in Metropolitan Companies breach - About 8,500 notification letters are being sent out to individuals employed by, or who submitted an application for employment to, New York-based The Metropolitan Companies, Inc. http://www.scmagazine.com/nearly-8500-notification-letters-sent-out-in-metropolitan-companies-breach/article/356852/

FYI - Employee accesses nearly 100K patient files in NRAD Medical Associates breach - As many as 97,000 current and former patients of New York-based NRAD Medical Associates had personal information – including Social Security numbers – compromised by a former employee radiologist who accessed and acquired the data without authorization. http://www.scmagazine.com/employee-accesses-nearly-100k-patient-files-in-nrad-medical-associates-breach/article/357218/

FYI - Hackers steal trade secrets from major US hedge firm - Trades delayed as multi-million dollar secret sauce snaffled - Criminals have successfully attacked a hedge fund, delaying trades and stealing profitable secrets in a rare direct raid on the financial services sector, according to BAE Systems Applied Intelligence. http://www.theregister.co.uk/2014/06/23/hackers_steal_trade_secrets_from_major_us_hedge_firm/

FYI - College student faces computer fraud charges, hacked peers' accounts - A Pasco-Hernando State College student has been arrested and charged with 11 felony computer fraud charges after hacking into his peers' accounts. http://www.scmagazine.com/college-student-faces-computer-fraud-charges-hacked-peers-accounts/article/357859/

FYI - Laptop stolen from Calif. hospital stored data on more than 500 patients - More than 500 patients of California-based Riverside County Regional Medical Center (RCRMC) have been notified that their personal information was on a laptop that was reported missing from a hospital procedure room. http://www.scmagazine.com/laptop-stolen-from-calif-hospital-stored-data-on-more-than-500-patients/article/357831/

FYI - New Jersey teen charged after altering students' grades and attendance records - A 16-year-old New Jersey teen is being charged with unlawfully accessing his school district's computer system and using it to change students' grades and attendance records. http://www.scmagazine.com/new-jersey-teen-charged-after-altering-students-grades-and-attendance-records/article/358103/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Legal and Reputational Risk Management 

To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimize operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers' expectations, banks should therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

ENCRYPTION

Encryption is used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. It can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols.

Encryption is used both as a prevention and detection control. As a prevention control, encryption acts to protect data from disclosure to unauthorized parties. As a detective control, encryption is used to allow discovery of unauthorized changes to data and to assign responsibility for data among authorized parties. When prevention and detection are joined, encryption is a key control in ensuring confidentiality, data integrity, and accountability.

Properly used, encryption can strengthen the security of an institution's systems. Encryption also has the potential, however, to weaken other security aspects. For instance, encrypted data drastically lessens the effectiveness of any security mechanism that relies on inspections of the data, such as anti - virus scanning and intrusion detection systems. When encrypted communications are used, networks may have to be reconfigured to allow for adequate detection of malicious code and system intrusions.

Although necessary, encryption carries the risk of making data unavailable should anything go wrong with data handling, key management, or the actual encryption. The products used and administrative controls should contain robust and effective controls to ensure reliability.

Encryption can impose significant overhead on networks and computing devices. A loss of encryption keys or other failures in the encryption process can deny the institution access to the encrypted data.

Financial institutions should employ an encryption strength sufficient to protect information from disclosure until such time as the information's disclosure poses no material threat. For instance, authenticators should be encrypted at a strength sufficient to allow the institution time to detect and react to an authenticator theft before the attacker can decrypt the stolen authenticators.

Decisions regarding what data to encrypt and at what points to encrypt the data are typically based on the risk of disclosure and the costs and risks of encryption. Generally speaking, authenticators are always encrypted whether on public networks or on the financial institution's network. Sensitive information is also encrypted when passing over a public network, and also may be encrypted within the institution.

Encryption cannot guarantee data security. Even if encryption is properly implemented, for example, a security breach at one of the endpoints of the communication can be used to steal the data or allow an intruder to masquerade as a legitimate system user.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

The Exceptions

Exceptions to the opt out right are detailed in sections 13, 14, and 15 of the regulations. Financial institutions need not comply with opt-out requirements if they limit disclosure of nonpublic personal information:

1)  To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution's own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes. In a contract for a joint marketing agreement, the contract must provide that the parties to the agreement are jointly offering, sponsoring, or endorsing a financial product or service. However, if the service or function is covered by the exceptions in section 14 or 15 (discussed below), the financial institution does not have to comply with the additional disclosure and confidentiality requirements of section 13. Disclosure under this exception could include the outsourcing of marketing to an advertising company. (Section 13)

2)  As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers. Disclosures under this exception could be in connection with the audit of credit information, administration of a rewards program, or to provide an account statement. (Section 14)

3)  For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution's attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as the disclosure of information to regulators. (Section 15)