Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- FFIEC guidance addresses corporate account takeover - The
long-awaited update to the Federal Financial Institutions
Examination Council (FFIEC) guidelines around authentication has
- DOD proposes new cybersecurity requirements for contractors -
Federal contractors whose information systems contain unclassified
Defense Department information would have to safeguard that
information from unauthorized access and notify DOD of any breaches
under a proposed rule published today.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers steal personal data of military, gov personnel - Hackers
breached the security of a defense industry news website and stole
sensitive subscriber information that could be used in attacks
targeting the US military and its contractors.
- Electronic Arts Bioware server hacked - Electronic Arts’ BioWare
studio posted an Q&A answering questions about a cyber attack after
sending customers e-mails detailing a hack on one of the company’s
decade-old servers for forums supporting its online game,
- Fox News hacker tweets Obama dead - Hackers have taken over a
Twitter account belonging to US broadcaster Fox News and declared
President Obama dead.
- Hackers claim Apple online data was compromised - A list of 27
user names and encrypted passwords apparently for an Apple website
was posted to the Internet over the weekend along with a warning
from hacker group Anonymous that the Cupertino-based computer maker
could be a target of its attacks.
- DropBox CEO: Lone hacker downloaded data from 'fewer than a
hundred' accounts - A user victimized by last Monday’s security
lapse at DropBox sent me this personal apology letter from CEO Drew
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
A financial institution should conduct sufficient due diligence
to determine whether it wishes to be associated with the quality of
products, services, and overall content provided by third-party
sites. A financial institution should consider more product-focused
due diligence if the third parties are providing financial products,
services, or other financial website content. In this case,
customers may be more likely to assume the institution reviewed and
approved such products and services. In addition to reviewing the
linked third-party's financial statements and its customer service
performance levels, a financial institution should consider a review
of the privacy and security policies and procedures of the third
party. Also, the financial institution should consider the
character of the linked party by considering its past compliance
with laws and regulations and whether the linked advertisements
might by viewed as deceptive advertising in violation of Section 5
of the Federal Trade Commission Act.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 3 of 3)
Applications are built in conformance with the protocols to provide
services from hosts to clients. Because clients must have a standard
way of accessing the services, the services are assigned to standard
host ports. Ports are logical not physical locations that are either
assigned or available for specific network services. Under TCP/IP,
65536 ports are available, and the first 1024 ports are commercially
accepted as being assigned to certain services. For instance, Web
servers listen for requests on port 80, and secure socket layer Web
servers listen on port 443. A complete list of the commercially
accepted port assignments is available at
www.iana.org. Ports above 1024
are known as high ports, and are user - assignable. However, users
and administrators have the freedom to assign any port to any
service, and to use one port for more than one service.
Additionally, the service listening on one port may only proxy a
connection for a separate service. For example, a Trojan horse
keystroke - monitoring program can use the Web browser to send
captured keystroke information to port 80 of an attacker's machine.
In that case, monitoring of the packet headers from the compromised
machine would only show a Web request to port 80 of a certain IP
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
48. If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in
§8, and for service providers and joint marketing in §13, not apply
because the information is disclosed as necessary to effect,
administer, or enforce a transaction that the consumer requests or
authorizes, or in connection with:
a. servicing or processing a financial product or service requested
or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the
institution or with another entity as part of a private label credit
card program or other credit extension on behalf of the entity; or
c. a proposed or actual securitization, secondary market sale
(including sale of servicing rights) or other similar transaction
related to a transaction of the consumer? [§14(a)(3)]