- "Human error" contributes to nearly all cyber incidents, study
finds - Even though organizations may have all of the bells and
whistles needed in their data security arsenal, it's the human
element that continues to fuel cyber incidents occurring, according
to one recent study.
- NIST drafts report on cloud computing challenges, requests
comments - The National Institute of Standards and Technology (NIST)
has released a draft report, NIST Cloud Computing Forensic Science
Challenges, that summarizes 65 cloud computing challenges that
forensic investigators face.
Senate Intelligence Committee okays cybersecurity bill - The bill
has been criticized by civil liberties and privacy groups because of
its potential privacy implications - The U.S. Senate Intelligence
Committee approved Tuesday a cybersecurity bill that would pave the
way for sharing of information between government and the private
sector on security threats.
Romanian man sentenced to 45 months for role in phishing scheme - A
Romanian man was sentenced on Tuesday to 45 months in prison for his
role in a massive phishing scheme involving several individuals.
Computing student jailed after failing to hand over crypto keys -
sledgehammer once again used to crack a nut - A computer science
student accused of hacking offences has been jailed for six months
for failing to hand over his encryption passwords, which he had been
urged to do in "the interests of national security".
Man pleads guilty to bank fraud, 48-hour global operation netted $14
million - A 27-year-old man – arrested in Germany and extradited to
the United States in 2012 – pleaded guilty to bank fraud on Friday
for his role in a roughly 48-hour operation in 2011 that resulted in
criminals withdrawing about $14 million from ATMs in nearly 20
Security not prioritized in critical infrastructure, though most
admit compromise - In a study, most IT execs at critical
infrastructure companies revealed that their organization was
compromised in the last year, but only 28 percent of them said that
security was a top priority across their enterprise.
77 percent of IT staffers have incorrectly reported the cause of a
security incident - When relaying information to executive teams, 77
percent of IT staffers admitted that they incorrectly reported the
root cause of a network or security incident, according to a
visibility survey released Tuesday.
New York suffered 900 data breaches in 2013, AG reports - Public and
private organizations in New York state were hit by more than 900
data breaches last year that exposed the personal and financial
records of 7.3 million residents, a report released by the State
Document posted to California city website, employee data accessed -
In California, the City of Encinitas and San Dieguito Water District
is notifying 615 current and former employees that a California
Public Employees' Retirement System (CalPERS) payment document
containing their personal information – including Social Security
numbers – was inadvertently made public on the City's website for
about seven weeks, and was accessed by 16 people.
GAO - Information Security: FDIC Made Progress in Securing Key
Financial Systems, but Weaknesses Remain.
- 72 percent of Chicago fraud victims also data breach victims -
Chicagoans who have been affected by data breaches are at a higher
risk of becoming victims of fraud than anyone whose information was
breached in either Miami or Los Angeles.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hotel business center computers see uptick in keylogger malware -
Criminals are infecting hotel business center computers with
keylogger malware, according to a non-public advisory issued by the
U.S. Secret Service on Thursday, and obtained and posted about on
About 20K impacted in South Carolina college laptop theft -
Orangeburg-Calhoun Technical College in South Carolina is notifying
roughly 20,000 current and former students and faculty that their
personal information – including Social Security numbers – was on a
laptop that was stolen from a staffer's office.
Teenager set off major cyber attack - A 17-year-old boy from Bergen
on Norway’s west coast has been arrested and charged for a massive
cyber attack earlier this week that crippled the websites of major
banks, airlines, telecoms and finance firms. He had also
impersonated the hacker group Anonymous Norway, claiming it was
behind the attacks when it wasn’t.
About 18K doctors may have had Social Security numbers exposed -
About 18,000 doctors are being notified that the Blue Shield of
California inadvertently included their Social Security numbers in
rosters it is required to provide to the Department of Managed
Health Care (DMHC), which are viewable by the public.
Penn State College of Medicine breach risks alumni Social Security
numbers - More than 1,000 Penn State College of Medicine alumni's
Social Security numbers might have been compromised after malware
was found on a university computer.
Russian hackers compromise CNET servers - Popular technology news
and review site CNET was hacked this weekend in an attack that might
have compromised the account information of more than one million
Subcontractor breach impacts 1,700 in Dominion Resources employee
wellness plan - About 1,700 people in the employee wellness program
for Virginia-based Dominion Resources are being notified that their
personal information was accessed by an attacker who gained entry to
the systems of a subcontractor.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group (EBG), the
Committee concluded that, while traditional banking risk management
principles are applicable to e-banking activities, the complex
characteristics of the Internet delivery channel dictate that the
application of these principles must be tailored to fit many online
banking activities and their attendant risk management challenges.
To this end, the Committee believes that it is incumbent upon the
Boards of Directors and banks' senior management to take steps to
ensure that their institutions have reviewed and modified where
necessary their existing risk management policies and processes to
cover their current or planned e-banking activities. Further, as the
Committee believes that banks should adopt an integrated risk
management approach for all banking activities, it is critical that
the risk management oversight afforded e-banking activities becomes
an integral part of the banking institution's overall risk
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
These Risk Management Principles for Electronic Banking, which are
identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as guidance to
promote safe and sound e-banking activities. The Committee believes
that setting detailed risk management requirements in the area of
e-banking might be counter-productive, if only because these would
be likely to become rapidly outdated by the speed of change related
to technological and product innovation. Therefore the principles
included in the present Report express supervisory expectations
related to the overall objective of banking supervision to ensure
safety and soundness in the financial system rather than stringent
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
Three types of encryption exist: the cryptographic hash, symmetric
encryption, and asymmetric encryption.
A cryptographic hash reduces a variable-length input to a
fixed-length output. The fixed-length output is a unique
cryptographic representation of the input. Hashes are used to verify
file and message integrity. For instance, if hashes are obtained
from key operating system binaries when the system is first
installed, the hashes can be compared to subsequently obtained
hashes to determine if any binaries were changed. Hashes are also
used to protect passwords from disclosure. A hash, by definition, is
a one-way encryption. An attacker who obtains the password hash cannot
run the hash through an algorithm to decrypt the password. However,
the attacker can perform a dictionary attack, feeding all possible
password combinations through the algorithm and looking for matching
hashes, thereby deducing the password. To protect against that
attack, "salt," or additional bits, are added to the password before
encryption. The addition of the bits means the attacker must
increase the dictionary to include all possible additional bits,
thereby increasing the difficulty of the attack.
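The two hash uses described above, as an added example that is not part of the FFIEC booklet or this newsletter: a baseline of file hashes taken "at install time" and compared against a later snapshot, and salted password storage with PBKDF2 from the Python standard library. The file contents and the iteration count are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample "binaries": the baseline is what the system had when first
# installed; the later snapshot has one file that was altered.
BASELINE_FILES = {"/bin/ls": b"ls-v1 code", "/bin/ps": b"ps-v1 code"}
LATER_FILES = {"/bin/ls": b"ls-v1 code", "/bin/ps": b"ps-v1 code; extra"}


def sha256_hex(data: bytes) -> str:
    """Fixed-length (256-bit) digest of a variable-length input."""
    return hashlib.sha256(data).hexdigest()


def baseline(files: dict) -> dict:
    """Record the hash of each file, as done when the system is first installed."""
    return {path: sha256_hex(content) for path, content in files.items()}


def changed_files(known: dict, current: dict) -> list:
    """Paths whose current hash no longer matches the baseline (missing files count)."""
    return sorted(p for p, h in known.items() if sha256_hex(current.get(p, b"")) != h)


# Password protection: the random salt is stored beside the digest, so an
# attacker must recompute a dictionary once per salt instead of once for all users.
ITERATIONS = 100_000  # assumed value; slows every guess, tune for your hardware


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def salts_differ(password: str) -> bool:
    """Same password, two random salts: the stored digests are unrelated, so a
    single precomputed dictionary cannot match both records."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2
```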
Symmetric encryption is the use of the same key and algorithm by the
creator and reader of a file or message. The creator uses the key
and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is
captured by an attacker either when it is exchanged between the
communicating parties, or while one of the parties uses or stores
the key, the attacker can use the key and the algorithm to decrypt
messages, or to masquerade as a message creator.
Asymmetric encryption lessens the risk of key exposure by using two
mathematically related keys, the private key and the public key.
When one key is used to encrypt, only the other key can decrypt.
Therefore, only one key (the private key) must be kept secret. The
key that is exchanged (the public key) poses no risk if it becomes
known. For instance, if individual A has a private key and publishes
the public key, individual B can obtain the public key, encrypt a
message to individual A, and send it. As long as individual A keeps
his private key secure from discovery, only individual A will be
able to decrypt the message.
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Financial Institution Duties (Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a reasonable
means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions.