REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- Alliance of IT security groups issues cyber principles for
government - In a new proposal aimed at governments worldwide, an
alliance of IT security groups from the United States, Europe and
Japan issued a call for cooperation between government and private
industry to further advance cyber security initiatives while not
encumbering processes with complex regulations.
- Racket drains "high roller" bank accounts in automated style -
Researchers have exposed a fraud ring that uses enhanced variants of
the SpyEye and Zeus toolkits to target the customers carrying high
balances at smaller banks.
- Don't fear BYOD, embrace it and monitor it - Steve Jobs never set
out to penetrate corporate networks with the iPad, but the sheer
portability and usability of the device, coupled with the lure of
free, fast and unmetered internet connectivity, make the presence of
it and other employee-owned laptops, tablets and smartphones on the
corporate LAN practically inevitable.
- OSC sends a stern warning about reading employees’ emails - In a
fiercely worded bid for whistleblowers’ rights, the Office of
Special Counsel released a memo Wednesday to all executive
departments and federal agencies strongly urging them to evaluate
their policies on monitoring employee emails and other
- TSA wants spyware to screen employees’ digital activities for
leaks - The Transportation Security Administration is shopping for a
computer program to snoop into the online activities of agency
employees, including their keystrokes and emails, for signs of
potential leaks, procurement documents reveal.
- Japanese boffins plumb darknet for cyber attack alerts - DAEDALUS
system monitors unused IP addresses - Japanese boffins at the
National Institute of Information and Communications Technology (NICT)
have been showing off a new real-time alert system designed to help
security teams spot and visualise cyber attacks more effectively.
- Senators Float National Data Breach Law, Take Four - Data Security
Bill is fourth attempt to craft a national law to supersede
legislation now on the books in more than 40 states. But it's weaker
than some state laws. Senate Republicans have introduced draft
legislation aimed at creating a single national standard for
reporting data breaches.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cyber crooks evading advanced bank security to transfer funds -
Cyber criminals are using an automated system to silently loot bank
accounts without having to be online at the same time, according to
a new white paper from Trend Micro.
- Memorial Sloan-Kettering Cancer Center patient data compromised -
For more than six years, the personal and medical data of hundreds
of patients of Memorial Sloan-Kettering Cancer Center (MSKCC) in New
York was posted on the internet.
- Feds Bust Hacker For Selling Government Supercomputer Access -
Pennsylvania man allegedly offered to sell login access to two
Department of Energy supercomputers, as well as remote
administration capabilities, for $50,000.
- Cleveland nonprofit employment agency loses SSNs on 100k - Tens of
thousands of job-seekers are at risk after a laptop belonging to a
nonprofit employment agency was stolen.
- FTC sues Wyndham Hotels after three credit card breaches - The
Federal Trade Commission is suing a major hotel chain and its
subsidiaries for allegedly failing to secure the financial
information of its guests, which led to fraudulent charges of more
than $10 million and the siphoning out of hundreds of thousands of
credit card numbers.
In Hacking Attack On 60 Banks - Sixty million euro has been stolen
from bank accounts in a massive cyber bank raid after fraudsters
raided dozens of financial institutions around the world.
agency must pay $1.7m after 500-person breach - The Alaska
Department of Health and Social Services (DHSS) will shell out $1.7
million to settle violations of the HIPAA Security Rule.
sting nabs 24 trading stolen cards, crime tools - Twenty-four
people, including 11 in the United States, were arrested this week
for their role in an international global cyber crime ring that
trafficked stolen credit card information, the FBI announced
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 6: Banks should ensure that clear audit trails exist
for all e-banking transactions.
Delivery of financial services over the Internet can make it more
difficult for banks to apply and enforce internal controls and
maintain clear audit trails if these measures are not adapted to an
e-banking environment. Banks are not only challenged to ensure that
effective internal control can be provided in highly automated
environments, but also that the controls can be independently
audited, particularly for all critical e-banking events and
A bank's internal control environment may be weakened if it is
unable to maintain clear audit trails for its e-banking activities.
This is because much, if not all, of its records and evidence
supporting e-banking transactions are in an electronic format. In
making a determination as to where clear audit trails should be
maintained, the following types of e-banking transactions should be
1) The opening, modification or closing of a customer's account.
2) Any transaction with financial consequences.
3) Any authorization granted to a customer to exceed a limit.
4) Any granting, modification or revocation of systems access
rights or privileges.
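The four transaction types above are exactly the events whose records exist only in electronic form, so the audit trail itself has to resist after-the-fact alteration. The following is an added example (not part of the Basel paper or the newsletter) of a tamper-evident audit trail: each record is keyed to the previous record's HMAC so that editing, reordering or dropping an earlier entry breaks verification. Event names, actor and account identifiers, and the demo key are constructed for illustration.

```python
"""Tamper-evident (HMAC-chained) audit trail for e-banking events.

Added example: event names, identifiers and the demo key below are
constructed for illustration, not taken from any real system.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Event categories mirroring the four transaction types that should
# always leave a clear audit trail.
AUDITED_EVENTS = {
    "ACCOUNT_OPEN", "ACCOUNT_MODIFY", "ACCOUNT_CLOSE",  # 1) account lifecycle
    "FUNDS_TRANSFER",                                   # 2) financial consequence
    "LIMIT_OVERRIDE",                                   # 3) customer allowed over a limit
    "ACCESS_GRANT", "ACCESS_MODIFY", "ACCESS_REVOKE",   # 4) access rights / privileges
}

GENESIS = "0" * 64  # previous-hash value for the first record


class AuditTrail:
    """Append-only log whose records are chained by HMAC-SHA256."""

    def __init__(self, key: bytes):
        self._key = key       # held by the audit function, not by application code
        self.records = []

    def _digest(self, prev_hash: str, payload: dict) -> str:
        # Canonical JSON so the same payload always hashes the same way.
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_hash.encode() + body, hashlib.sha256).hexdigest()

    def append(self, event_type, actor, subject, details, when=None):
        if event_type not in AUDITED_EVENTS:
            raise ValueError(f"unrecognised event type: {event_type}")
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        payload = {
            "seq": len(self.records),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "event": event_type,
            "actor": actor,      # who performed the action (user, teller, admin)
            "subject": subject,  # account or customer the action concerns
            "details": details,
            "prev": prev_hash,
        }
        record = dict(payload, hash=self._digest(prev_hash, payload))
        self.records.append(record)
        return record

    def verify(self):
        """Return the index of the first bad record, or None if the chain is intact."""
        expected_prev = GENESIS
        for i, rec in enumerate(self.records):
            payload = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != expected_prev or payload["seq"] != i:
                return i
            if not hmac.compare_digest(self._digest(expected_prev, payload), rec["hash"]):
                return i
            expected_prev = rec["hash"]
        return None


def demo(key: bytes = b"constructed-demo-key"):
    """Build a small trail, then show that a silent edit is detected."""
    trail = AuditTrail(key)
    t0 = datetime(2012, 7, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    trail.append("ACCOUNT_OPEN", "teller-17", "acct-1001", {"type": "checking"}, t0)
    trail.append("FUNDS_TRANSFER", "cust-1001", "acct-1001",
                 {"to": "acct-2002", "amount": "250.00"}, t0)
    trail.append("LIMIT_OVERRIDE", "mgr-3", "cust-1001",
                 {"limit": "5000.00", "approved": "7500.00"}, t0)
    trail.append("ACCESS_GRANT", "admin-1", "cust-1001", {"role": "online-banking"}, t0)
    intact_before = trail.verify() is None
    # Simulate someone altering the transfer amount directly in storage.
    trail.records[1]["details"]["amount"] = "25000.00"
    return intact_before, trail.verify()


if __name__ == "__main__":
    print(demo())  # (True, 1): clean chain verifies; tampered record 1 is flagged
```

Two practical notes: the chain only detects changes to records that are followed by later records, so the newest hash must be anchored somewhere the application cannot write (a separate log server, a daily signed summary, or a regulator-facing report), otherwise trailing records can be silently truncated; and the HMAC key belongs to the audit function, which is what makes the trail independently auditable rather than just another application table.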
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 2 of 2)
Successful implementation of any response policy and
procedure requires the assignment of responsibilities and training.
Some organizations formalize the response organization with the
creation of a computer security incident response team (CSIRT). The
CSIRT is typically tasked with performing, coordinating, and
supporting responses to security incidents. Due to the wide range of
non-technical issues that are posed by an intrusion, typical CSIRT
membership includes individuals with a wide range of backgrounds and
expertise, from many different areas within the institution. Those
areas include management, legal, public relations, as well as
information technology. Other organizations may outsource some of
the CSIRT functions, such as forensic examinations. When CSIRT
functions are outsourced, institutions should ensure that their
institution's policies are followed by the service provider and
confidentiality of data and systems are maintained.
Institutions can best assess the adequacy of their preparations
While containment strategies between institutions can vary, they
typically contain the following broad elements:
! Isolation of compromised systems, or enhanced monitoring of
! Search for additional compromised systems;
! Collection and preservation of evidence; and
! Communication with affected parties, the primary regulator, and
Restoration strategies should address the following:
! Elimination of an intruder's means of access;
! Restoration of systems, programs and data to a known good state;
! Filing of a Suspicious Activity Report (Guidelines for filing are
included in individual agency guidance); and
! Communication with affected parties.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
21. Does the institution provide the
consumer with the following information about
the right to opt out:
a. all the categories of nonpublic personal information that the
institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the
information is disclosed; [§7(a)(2)(i)(A)];
c. that the consumer has the right to opt out of the disclosure of
that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to
which the opt out direction would apply? [§7(a)(2)(i)(B)]