Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- FFIEC Releases Supplemental Guidance on Internet Banking
Authentication - The Federal Financial Institutions Examination
Council1 (FFIEC) today issued a supplement to the Authentication in
an Internet Banking Environment guidance, issued in October 2005.
Financial institutions will be expected to comply with the guidance
no later than January 1, 2012.
- Inside the Anonymous Army of 'Hacktivist' Attackers - In this
sleepy Dutch town last December, police burst into the bedroom of
19-year-old Martijn Gonlag as he hurriedly pulled on jeans over his
boxer shorts. He was hauled away on suspicion of taking part in
cyber attacks by the online group calling itself Anonymous.
- Prepare for tougher data breach rules - Shocked commissioner hopes
to improve consumer confidence online - European Commissioner
Viviane Reding has warned banks that they will be required to notify
customers about data security breaches.
- Australia toughens cybercrime laws - Conventional thinking -
Australian carriers and ISPs will be forced to retain customer’s
private data such as email and text messages by police and
authorities, without a warrant, if it is required for investigations
- In search of a global network security standard - Earlier this
month on SCMagazineUS.com, Peter George, CEO of Fidelis Security
Systems, wrote an “Open letter to the network security industry,”
encouraging the industry to rally together.
- Bug-Squashing Tools Offered to Improve Network Security - After a
spate of hacking attacks, the Department of Homeland Security is
promoting ways to make software more trustworthy. The Department of
Homeland Security has announced an initiative to shore up security
by squashing software bugs. This follows a slew of high-profile
attacks on government and corporate computer systems that have led
to sensitive information being stolen.
- LulzSec calls it quits after 50 days of 'mayhem' - The computer
hacking group LulzSec said Saturday it had ended its campaign of
cyberassaults on government and corporate websites and that it was
time for it to "sail into the distance."
- Drug Prescription Data Mining Cleared By Supreme Court - A Vermont
Law that forbade using prescription information collected by
pharmacies for marketing purposes was declared unconstitutional on
First Amendment grounds.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Former student pleads guilty to computer hacking at University of
Central Missouri - United States Attorney for the Western District
of Missouri announced that a former student of the University of
Central Missouri pleaded guilty today to his role in a computer
- Sacked IT manager hacks, replaces CEO's presentation with ??? - A
former IT manager who hacked into the presentation of his former
company's CEO and replaced it with ??? has been sentenced to two
years in prison.
- Another Certificate Authority Compromised: No Fake SSL
Certificates Issued - The fifth certificate authority to be hacked
this year, StartSSL has suspended issuing its free SSL certificates
- AT&T IPad Hacker Pleads Guilty - A 26-year-old man who last year
helped hackers steal personal information belonging to about 120,000
iPad users pleaded guilty to fraud and hacking charges in a New
- Teenager charged over alleged website attacks - A 19-year-old
Essex man has been charged with five computer offences, including
attacking the Serious Organised Crime Agency's website.
- Feds crack multi-million scareware ring - Multinational gang face
20 years - The Department of Justice and the FBI have cracked an
international scareware ring believed to have scammed over $72m
- FBI throws a scare into datacenter service providers - In a story
reported yesterday evening by the NY Times, the FBI decided to take
down activity from a suspicious IP address by seizing three
enclosures full of servers from a hosting Facility in Reston , VA,
used by DigitalOne, the hosting company, based in Switzerland, that
was being used by the target of the FBI investigation.
- Feds claim victory over Coreflood botnet - FBI shuts down anti-botnet
project, says it reduced Coreflood by 95% - Federal authorities have
declared victory over the Coreflood botnet and shut down the
replacement server that the FBI used to issue commands to infected
- Citigroup hackers made $2.7 million - Citigroup suffered about
$2.7 million in losses after hackers found a way to steal credit
card numbers from its website and post fraudulent charges.
- ChronoPay Co-Founder Arrested - Russian authorities on Thursday
arrested the co-founder of ChronoPay, the country’s largest
processor of online payments, for allegedly hiring a hacker to
attack his company’s rivals.
- Travelodge warns of spam emails but downplays rumours of hacking
or customer data being sold - Travelodge UK has informed the
Information Commissioner's Office over a potential data compromise
after spam emails were sent from official accounts.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Protocols and Ports (Part 2 of 3)
Other common protocols in a TCP/IP network include the following
! Address resolution protocol (ARP) - Obtains the hardware address
of connected devices and matches that address with the IP address
for that device. The hardware address is the Ethernet card's
address, technically referred to as the "media access control" (MAC)
address. Ethernet systems route messages by the MAC address,
requiring a router to obtain both the IP address and the MAC address
of connected devices. Reverse ARP (RARP) also exists as a protocol.
! Internet control message protocol (ICMP) - Used to send messages
about network health between devices, provides alternate routing
information if trouble is detected, and helps to identify problems
with a routing.
! File transfer protocol (FTP) - Used to browse directories and
transfer files. Although access can be authenticated or anonymous,
FTP does not support encrypted authentication. Conducting FTP within
encrypted channels, such as a Virtual Private Network (VPN), secure
shell (SSH) or secure sockets layer (SSL) sessions can improve
! Trivial file transfer protocol (TFTP) - A file transfer protocol
with no file - browsing ability, and no support for authentication.
! Simple mail - transfer protocol (SMTP) - Commonly used in e-mail
systems to send mail.
! Post office protocol (POP) - Commonly used to receive e-mail.
! Hypertext transport protocol (HTTP) - Used for Web browsing.
! Secure shell (SSH) - Encrypts communications sessions, typically
used for remote administration of servers.
! Secure sockets layer (SSL) - Typically used to encrypt
Webbrowsing sessions, sometimes used to secure e-mail transfers and
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for Service
Providers and Joint Marketing
47. If the institution discloses nonpublic personal information to
a nonaffiliated third party without permitting the consumer to opt
out, do the opt out requirements of §7 and §10, and the revised
notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial notice;
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes?