Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
- Cyber Camp Develops Tomorrow’s IT Security Pros - Players at the
2011 U.S. Cyber Challenge Summer Camp at Cal Poly Pomona entered a
free-range network that tested their cyber security knowledge.
- Report says firms must rethink patching strategy - With two
billion users now accessing the internet, even a small success rate
of attacks on endpoints translates to huge numbers of compromised
- Feds Defend Internet Domain Seizure in Piracy Crackdown - Federal
prosecutors are asking a judge not to return the domain names of one
of Spain’s most popular websites, seized as part of a major U.S.
crackdown on internet piracy.
- Wi-Fi–Hacking Neighbor From Hell Sentenced to 18 Years - A
Minnesota hacker prosecutors described as a “depraved criminal” was
handed an 18-year prison term Tuesday for unleashing a vendetta of
cyberterror that turned his neighbors’ lives into a living
- US, Romanian authorities target Internet fraud scheme - Romanian
law enforcement officials on Thursday executed 117 searches
targeting more than 100 people in an ongoing effort with the U.S.
Department of Justice to break up a large Internet auction fraud
scheme, the DOJ said.
- GAO - USDA Systems Modernization: Management and Oversight
Improvements Are Needed.
- Researcher finds serious vulnerability in Skype - A security
consultant has notified Skype of a cross-site scripting flaw that
could be used to change the password on someone's account, according
to details posted online.
- GAO - Complex Financial Institutions and International
Coordination Pose Challenges.
- FBI charges Anonymous members with PayPal DDoS - The FBI on
Wednesday charged 14 people, mostly twenty-somethings, for their
alleged involvement in an Anonymous-inspired attack on the PayPal
website in December.
- Reddit co-founder charged with intrusion, data theft - The
co-founder of social news website Reddit was indicted Tuesday in
Boston on charges of breaking into the Massachusetts Institute of
Technology (MIT) network and stealing more than four million
documents from JSTOR, an archive of scientific and academic
- Lessons of the Sony PlayStation hack - If we haven't yet been
taught to protect our data, certainly the past six months should
have changed that.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Pentagon Admits Major Data Breach as It Unveils Defensive
Cyber-Strategy - A foreign government was behind a March
cyber-attack against military computers that led to 24,000 files
being stolen from a defense contractor, the Department of Defense
said. The intruders were after files related to missile tracking
systems, unmanned aerial vehicles and the Joint Strike Fighter.
- Hack of Energy’s Pacific Northwest lab exploited zero-day
vulnerability - The cyberattack that took the Energy Department’s
Pacific Northwest National Laboratory offline on July 1 exploited a
zero-day vulnerability to infect the systems with an Advanced
- Sega forums still closed a month after mystery hack - Digital
pillage leaves lasting damage - Sega's forum remains offline almost
a month after its forums and other sites were hit by hacktivists.
- Hackers were in German police computers for months - German police
took months to notice that computer hackers had infiltrated federal
police and customs service computers, media reports said Sunday,
citing unnamed cyber security officials.
- Tosh admits customer accounts pillaged - Toshiba says that
unidentified hackers have stolen customer records belonging to 7,500
of its customers.
- Hacked SBS links to risky content - The website of the Special
Broadcasting Service (SBS) has been victim of a hacking attack over
the weekend, with users visiting the site exposed to malware.
- Energy lab back online after cyberattack - Almost two weeks after
a cyberattack forced the Energy Department’s Pacific Northwest
National Laboratory in Richland, Wash., to go offline, the lab has
restored Internet access and most public websites.
- Computer theft impacts 400K S. Carolina patients - In one of the
largest health care data breaches this year, a computer containing
hundreds of thousands of patient records was stolen from South
Carolina's Spartanburg Regional Healthcare System.
- Lady Gaga website hacked to expose users' data - The personal
information belonging to thousands of Lady Gaga fans was stolen
after hackers breached the singer's U.K. website.
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
policies do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use "pop-ups," or
intermediate webpages called "speedbumps," to notify customers they
are leaving the institution's website. For the reasons described
below, financial institutions should use speedbumps rather than
pop-ups if they choose to use this type of technology to deliver
their online disclaimers.
A "pop-up" is a screen generated by mobile code, for example Java or
ActiveX, when the customer clicks on a particular hyperlink. Mobile
code is used to send small programs to the user's browser.
Frequently, those programs cause unsolicited messages to appear
automatically on a user's screen. At times, the programs may be
malicious, enabling harmful viruses or allowing unauthorized access
to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile codes.
In contrast, an intermediate webpage, or "speedbump," alerts the
customer to the transition to the third-party website. Like a
pop-up, a speedbump is activated when the customer clicks on a
particular weblink. However, use of a speedbump avoids the problems
of pop-up technology, because the speedbump is not generated
externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
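The following is an added worked example, not code from the FFIEC statement or from any institution: a minimal server-side "speedbump" generator of the kind the statement favours. The interstitial is rendered as an ordinary HTML page by the institution's own server, so it carries the disclosure without any mobile code and cannot be suppressed by a browser's pop-up blocker. The approved-link table, the disclosure wording, "Example Bank" and the function names (build_speedbump, approved_redirect) are all constructed assumptions. Because a "leaving our site" page forwards the customer to a URL, it is also restricted to the institution's own approved HTTPS weblinks, so that it cannot be turned into a redirector to arbitrary destinations.

```python
"""Server-side 'speedbump' interstitial for outbound weblinks (added example)."""
from html import escape
from urllib.parse import urlsplit

# Constructed table of the third-party links the institution has approved.
# Keyed by the exact URL placed on the institution's own pages; the value is
# the display name used in the disclosure text.
APPROVED_LINKS = {
    "https://partner-insurance.example/quote": "Example Insurance Partners",
    "https://example-broker.example/": "Example Brokerage",
}

# Constructed disclosure text covering the two points the statement names:
# the institution's limited role, and that its privacy policy does not apply.
DISCLOSURE = (
    "You are leaving the website of Example Bank. Example Bank does not "
    "provide, and is not responsible for, the products, services or "
    "content available at {name}. Example Bank's privacy policy does not "
    "apply to that site; please review the privacy disclosures posted there."
)


class LinkNotApproved(ValueError):
    """Raised when the requested destination is not an approved weblink."""


def normalise(url: str) -> str:
    """Canonicalise the destination before the table lookup.

    Only absolute HTTPS URLs are considered, so the interstitial can never
    forward to a scheme such as javascript: or to a relative path.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise LinkNotApproved(url)
    return parts.geturl()


def build_speedbump(target: str) -> str:
    """Return the HTML of the intermediate page for an approved link.

    The page carries the disclosure and two plain links (continue / return).
    Nothing here depends on client-side code, so it works with scripting
    disabled and is not affected by pop-up blocking.
    """
    url = normalise(target)
    try:
        name = APPROVED_LINKS[url]
    except KeyError:
        raise LinkNotApproved(target) from None
    return (
        "<!doctype html>\n<html lang=\"en\"><head><meta charset=\"utf-8\">"
        "<title>Leaving Example Bank</title></head><body>\n"
        "<h1>You are leaving Example Bank</h1>\n"
        f"<p>{escape(DISCLOSURE.format(name=name))}</p>\n"
        f"<p><a href=\"{escape(url)}\">Continue to {escape(name)}</a> "
        "| <a href=\"/\">Return to Example Bank</a></p>\n"
        "</body></html>\n"
    )


def approved_redirect(target: str) -> bool:
    """True if the speedbump may be shown for `target`, False otherwise."""
    try:
        build_speedbump(target)
        return True
    except LinkNotApproved:
        return False


if __name__ == "__main__":
    print(build_speedbump("https://partner-insurance.example/quote"))
```

In a real deployment the handler for a path such as /leaving would call build_speedbump with the requested destination and return a 404 or a neutral error page on LinkNotApproved; the outbound links on the institution's pages then point at that path rather than directly at the third party.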
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and
hubs. The unique IP address is commonly used in routing. Since users
typically use text names instead of IP addresses for their
addressing, the user's software must obtain the numeric IP address
before sending the message. The IP addresses are obtained from the
Domain Name System (DNS), a distributed database of text names
(e.g., anybank.com) and their associated IP addresses. For example,
financial institution customers might enter the URL of the Web site
in their Web browser. The user's browser queries the domain name
server for the IP associated with anybank.com. Once the IP is
obtained, the message is sent. Although the example depicts an
external address, DNS can also function on internal addresses.
A router directs where data packets will go based on a table that
links the destination IP address with the IP address of the next
machine that should receive the packet. Packets are forwarded from
router to router in that manner until they arrive at their
destination. Since the router reads the packet header and uses a
table for routing, logic can be included that provides an initial
means of access control by filtering the IP address and port
information contained in the message header. Simply put, the router
can refuse to forward, or forward to a quarantine or other
restricted area, any packets that contain IP addresses or ports that
the institution deems undesirable. Security policies should define
the filtering required by the router, including the type of access
permitted between sensitive source and destination IP addresses.
Network administrators implement these policies by configuring an
access configuration table, which creates a filtering router or a
A switch directs the path a message will take within the network.
Switching works faster than IP routing because the switch only looks
at the network address for each message and directs the message to
the appropriate computer. Unlike routers, switches do not support
packet filtering. Switches, however, are designed to send messages
only to the device for which they were intended. The security
benefits from that design can be defeated and traffic through a
switch can be sniffed.
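The routing discussion above (name resolution, a forwarding table keyed on destination address, and an access configuration table that turns a router into a filter) is worked below as a small simulation. This is an added example, not code from the FFIEC booklet; the DNS records, routing table, filtering rules and packet headers are constructed, and the function names (resolve, next_hop, filter_packet, route) are assumptions. It generalises the booklet's single anybank.com lookup to longest-prefix routing and to a first-match rule table whose actions are the three the text names: forward, drop, or divert to a quarantine area.

```python
"""Routing table lookup and router packet filtering (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed DNS records: text names -> numeric addresses.
DNS = {"anybank.com": "203.0.113.10", "mail.anybank.com": "203.0.113.25"}

# Constructed routing table: destination prefix -> next hop. A router uses
# the most specific (longest) matching prefix; 0.0.0.0/0 is the default route.
ROUTES = [
    (ip_network("0.0.0.0/0"), "198.51.100.1"),    # default: upstream provider
    (ip_network("203.0.113.0/24"), "10.0.0.2"),   # DMZ segment
    (ip_network("203.0.113.0/28"), "10.0.0.3"),   # web servers inside the DMZ
    (ip_network("10.1.0.0/16"), "10.0.0.4"),      # internal core (sensitive)
]


@dataclass(frozen=True)
class Packet:
    """The header fields the router inspects."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One line of the access configuration table.

    Rules are evaluated top down and the first match decides.
    ports=None matches any destination port.
    """
    src: object
    dst: object
    ports: frozenset | None
    action: str  # "forward", "drop" or "quarantine"


# Constructed filtering policy for the institution's border router.
ACL = [
    # No traffic crossing this router may reach the sensitive core directly.
    Rule(ip_network("0.0.0.0/0"), ip_network("10.1.0.0/16"), None, "drop"),
    # The public web servers accept only HTTPS.
    Rule(ip_network("0.0.0.0/0"), ip_network("203.0.113.0/28"), frozenset({443}), "forward"),
    # The mail server accepts SMTP; anything else to it is parked for inspection.
    Rule(ip_network("0.0.0.0/0"), ip_network("203.0.113.25/32"), frozenset({25}), "forward"),
    Rule(ip_network("0.0.0.0/0"), ip_network("203.0.113.25/32"), None, "quarantine"),
]
DEFAULT_ACTION = "drop"  # deny whatever the table does not explicitly permit


def resolve(name: str) -> str:
    """Obtain the numeric address for a text name, as the browser must
    before it can send the request."""
    return DNS[name]


def next_hop(dst: str) -> str:
    """Longest-prefix match over the routing table."""
    addr = ip_address(dst)
    candidates = [(net.prefixlen, hop) for net, hop in ROUTES if addr in net]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates)[1]


def filter_packet(pkt: Packet) -> str:
    """Apply the access configuration table to a packet header."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in ACL:
        if s in rule.src and d in rule.dst and (rule.ports is None or pkt.dport in rule.ports):
            return rule.action
    return DEFAULT_ACTION


def route(pkt: Packet) -> tuple[str, str | None]:
    """Filter first, then forward: returns (action, next hop or None)."""
    action = filter_packet(pkt)
    return action, (next_hop(pkt.dst) if action == "forward" else None)


if __name__ == "__main__":
    web = Packet("192.0.2.7", resolve("anybank.com"), 443)
    print(route(web))
    print(route(Packet("192.0.2.7", resolve("mail.anybank.com"), 8080)))
```

Note that the filter sees only header fields; it does not distinguish legitimate from hostile traffic on a permitted port, which is why the booklet describes this as an initial means of access control rather than a complete one.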
INTERNET PRIVACY - This
concludes our series listing the regulatory-privacy examination
questions. Next week, we will begin our review of the issues in the
"Privacy of Consumer Financial Information" published by the
financial regulatory agencies.
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal information to
nonaffiliated third parties, do the requirements for initial notice
in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for
service providers and joint marketers in §13, not apply because the
institution makes the disclosure:
a. with the consent or at the direction of the consumer;
1. to protect the confidentiality or security of records;
2. to protect against or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability;
3. for required institutional risk control or for resolving
consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating to
the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity on
behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or
agencies, agencies rating the institution, persons assessing
compliance, and the institution's attorneys, accountants, and
d. in compliance with the Right to Financial Privacy Act, or to law
enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or
from a consumer report reported by a consumer reporting agency;
f. in connection with a proposed or actual sale, merger, transfer,
or exchange of all or a portion of a business or operating unit, if
the disclosure of nonpublic personal information concerns solely
consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal
h. to comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by Federal, state,
or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory
authorities having jurisdiction over the institution for
examination, compliance, or other purposes as authorized by law?
(Note: the regulation gives the following as an example of
the exception described in section a of this question: "A consumer
may specifically consent to [an institution's] disclosure to a
nonaffiliated insurance company of the fact that the consumer has
applied to [the institution] for a mortgage so that the insurance
company can offer homeowner's insurance to the consumer.")