R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 8, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Credit card security breach hits California campus - The University of Southern California is warning students and faculty about a credit card security breach following the hacking of a software system on the campus. http://edition.cnn.com/2012/06/29/us/california-usc-breach/index.html?hpt=us_c2

FYI - Hardware Hacker Sentenced to 3 Years in Prison for Selling Rooted Cable Modems - A cable-modem hacker has been sentenced to three years in prison for helping users steal internet access in what the authorities say was a $1 million scheme to defraud cable companies of business. http://www.wired.com/threatlevel/2012/06/ryan-harris-sentencing/

FYI - Bank Settles With Calif. Cyberheist Victim - A California escrow firm that sued its bank last year after losing nearly $400,000 in a 2010 cyberheist has secured a settlement that covers the loss and the company's attorneys' fees. The settlement is notable because such cases typically favor the banks, and litigating them is often prohibitively expensive for small- to mid-sized businesses victimized by these crimes. http://krebsonsecurity.com/2012/06/bank-settles-with-calif-cyberheist-victim/

FYI - GAO - Cyber Threats Facilitate Ability to Commit Economic Espionage - The nation faces an evolving array of cyber-based threats arising from a variety of sources. These sources include criminal groups, hackers, terrorists, organization insiders, and foreign nations engaged in crime, political activism, or espionage and information warfare. http://www.gao.gov/products/GAO-12-876T

FYI - U.S. Critical Infrastructure Cyberattack Reports Jump Dramatically - A new report from ICS-CERT shows the number of reported incidents increased from 9 to 198 between 2009 and 2011 - U.S. critical infrastructure companies saw a dramatic increase in the number of reported cyber-security incidents between 2009 and 2011, according to a new report from the U.S. Industrial Control System Cyber Emergency Response Team. http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240003029/u-s-critical-infrastructure-cyberattack-reports-jump-dramatically.html

FYI - FBI Credit Card Ring Bust Exposes PCI Challenges - Some experts say existence of complex credit card fraud black market a sign that PCI isn't effective. http://www.darkreading.com/compliance/167901112/security/news/240003101/fbi-credit-card-ring-bust-exposes-pci-challenges.html

FYI - Russian Authorities Take Out World’s Largest Banking Botnet - Russia’s Ministry of the Interior (MVD) announced on Friday that their special computer crimes “Department K” division took down what could be one of the largest botnets in the world. http://www.infosecisland.com/blogview/21732-Russian-Authorities-Take-Out-Worlds-Largest-Banking-Botnet.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - FTC Sues Wyndham Hotels Over Data Security Failures - Hotel chain slammed for poor information security practices, leading to attackers obtaining 600,000 credit card numbers and committing millions of dollars in fraud. http://www.informationweek.com/news/security/privacy/240002829

FYI - Alaska agency must pay $1.7m after 500-person breach - The Alaska Department of Health and Social Services (DHSS) will shell out $1.7 million to settle violations of the HIPAA Security Rule. http://www.scmagazine.com/alaska-agency-must-pay-17m-after-500-person-breach/article/247697/

FYI - Two-month delay in notifying patients after cancer center breach - An unencrypted laptop containing patient data was stolen April 30 from the home of a doctor working for The University of Texas M.D. Anderson Cancer Center, but those whose data may have been compromised were not notified until June 28. http://www.scmagazine.com/two-month-delay-in-notifying-patients-after-cancer-center-breach/article/248157/?DCMP=EMC-SCUS_Newswire

FYI - USC credit card data accessed in campus dining breach - The credit card numbers of an undisclosed number of students at the University of Southern California (USC) have been exposed. http://www.scmagazine.com/usc-credit-card-data-accessed-in-campus-dining-breach/article/248538/?DCMP=EMC-SCUS_Newswire

FYI - Chinese hackers breach Indian navy computers - Chinese hackers allegedly planted a bug via flash drives on the Indian navy's computers, which relayed sensitive data to Chinese IP addresses, the report notes. http://www.zdnet.com/chinese-hackers-breach-indian-navy-computers-7000000077/

FYI - Online bank robbers face jail time for e-crimes - Two men who used computer viruses to steal cash from online bank accounts have been jailed. http://www.bbc.co.uk/news/technology-18672068

FYI - Judge approves Stratfor lawsuit settlement over breach - Global intelligence firm Stratfor is expected to settle a class-action lawsuit that was brought following last year's massive data breach, according to reports. http://www.scmagazine.com/judge-approves-stratfor-lawsuit-settlement-over-breach/article/247925/


WEB SITE COMPLIANCE

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Principle 7: Banks should take appropriate measures to preserve the confidentiality of key e-banking information. Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases.


Confidentiality is the assurance that key information remains private to the bank and is not viewed or used by those unauthorized to do so. Misuse or unauthorized disclosure of data exposes a bank to both reputation and legal risk. The advent of e-banking presents additional security challenges for banks because it increases the exposure that information transmitted over the public network or stored in databases may be accessible by unauthorized or inappropriate parties or used in ways the customer providing the information did not intend. Additionally, increased use of service providers may expose key bank data to other parties.

To meet these challenges concerning the preservation of confidentiality of key e-banking information, banks need to ensure that:

1)  All confidential bank data and records are only accessible by duly authorized and authenticated individuals, agents or systems.

2)  All confidential bank data are maintained in a secure manner and protected from unauthorized viewing or modification during transmission over public, private or internal networks.

3)  The bank's standards and controls for data use and protection must be met when third parties have access to the data through outsourcing relationships.

4)  All access to restricted data is logged and appropriate efforts are made to ensure that access logs are resistant to tampering.
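Item 4 asks for access logs that resist tampering. One way to make a log tamper-evident, shown here as an added example that is not part of the Basel paper or of this newsletter: each entry carries an HMAC over the previous entry's tag plus its own contents, so editing or deleting an entry breaks the chain. The signing key and the sample log records are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed placeholder: in practice the key lives on a separate log host
# or in an HSM, never on the system whose access it records.
LOG_KEY = b"example-log-signing-key"
GENESIS = "0" * 64  # tag "before" the first entry


def make_entry(prev_tag: str, record: Dict) -> Dict:
    """Wrap one access record, chaining it to the previous entry's tag."""
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(LOG_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
    return {"prev": prev_tag, "record": record, "tag": tag}


def build_log(records: List[Dict]) -> List[Dict]:
    """Append records in order, each linked to the one before it."""
    log, prev = [], GENESIS
    for rec in records:
        entry = make_entry(prev, rec)
        log.append(entry)
        prev = entry["tag"]
    return log


def verify_log(log: List[Dict]) -> int:
    """Return the index of the first broken entry, or -1 if the chain is intact.

    Edits and deletions inside the log are caught here. Truncation of the
    newest entries is not: the latest tag must also be anchored somewhere
    the log writer cannot change (e.g. shipped to a separate system).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    return -1


# Constructed sample access records (restricted-data reads by bank staff).
SAMPLE_RECORDS = [
    {"ts": "2012-07-02T09:14:05Z", "user": "teller17", "action": "read", "object": "acct/1042"},
    {"ts": "2012-07-02T09:15:41Z", "user": "teller17", "action": "read", "object": "acct/1043"},
    {"ts": "2012-07-02T09:20:02Z", "user": "ops-admin", "action": "export", "object": "acct/*"},
]
```

Rewriting the `user` field of an entry, or removing an entry from the middle, makes `verify_log` report the position where the chain no longer matches.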


INFORMATION TECHNOLOGY SECURITY

We continue our series on the FFIEC interagency Information Security Booklet.

BUSINESS CONTINUITY CONSIDERATIONS

Events that trigger the implementation of a business continuity plan may have significant security considerations. Depending on the event, some or all of the elements of the security environment may change. Different people may be involved in operations, at a different physical location, using similar but different machines and software which may communicate over different communications lines. Depending on the event, different tradeoffs may exist between availability, integrity, confidentiality, and accountability, with a different appetite for risk on the part of management.

Business continuity plans should be reviewed as an integral part of the security process. Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event the continuity plans must be implemented. The implementation should consider the training of appropriate personnel in their security roles, and the implementation and updating of technologies and plans for backup sites and communications networks. Testing these security considerations should be integrated with the testing of business continuity plan implementations.



INTERNET PRIVACY

We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:

a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]

b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]

c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution's web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or

d. a toll-free telephone number? [§7(a)(2)(ii)(D)]

(Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated