- "Human error" contributes to nearly all cyber incidents, study
finds - Even though organizations may have all of the bells and
whistles needed in their data security arsenal, it's the human
element that continues to fuel cyber incidents occurring, according
to one recent study.
- NASDAQ IT security spend: $1bn. Finding mystery malware on its
servers: Priceless - Probe reveals US banks just as wide open to
hacking - NASDAQ servers were infected by malware that exploited two
mystery zero-day vulnerabilities, according to a magazine cover
story published today.
- InfoSec pros worried BYOD ushers in security exploits, survey says -
Bring-your-own-device (BYOD) is proving to be a worrisome security
challenge for information security professionals with nearly half
the respondents in a recent survey by the Information Security
Community on LinkedIn admitting that their organizations are exposed
to malware and embedded security exploits brought in by employees or
others using downloaded apps or content on personal devices.
- 31 percent of IT security teams don't speak to company execs -
Nearly a third of IT security teams never speak with their company's
executives about cyber security and of those who did, 23 percent
spoke to them only once per year, according to a new Ponemon
- GAO - Credit Cards Designed for Medical Services Not Covered by
- Government-grade malware in hacker hands - New research suggests
that 'government-grade' malware designed to operate undetected on
computer systems is in the hands of cybercriminals who are
integrating it into rootkits and ransomware. "Government-grade"
malware, which lurks in computer systems undetected for long periods
of time, is believed to be in the hands of hackers using it to make
rootkits and ransomware more potent.
- Weaknesses Remain in FDIC's Information Security - The Federal
Deposit Insurance Corporation enforces banking laws and regulates
financial institutions across the country, yet weaknesses in its
security posture place information at unnecessary risk, according to
a new Government Accountability Office report.
- $4 billion breach suit against Sutter Health dismissed - An appeals
court has dismissed several class action lawsuits filed against
Sutter Health, due to a data breach it suffered nearly three years
- Sony to shell out $15M in PSN breach settlement - Sony has agreed
to a $15 million preliminary settlement in hopes of quashing even
heftier costs associated with its massive PlayStation Network hack
three years ago.
- Rhode Island hospital to pay $150K for past data breach - A Rhode
Island hospital must pay $150,000 after a data breach compromised
more than 12,000 Massachusetts residents' personal information.
- IT manager fired following massive Maricopa college district
breach - Officials with Maricopa County Community College District (MCCCD),
which announced a massive data breach in December 2013, voted to
fire the IT manager on Tuesday, according to an azfamily.com report.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Aloha point-of-sale terminal, sold on eBay, yields security
surprises - An HP researcher's findings highlight ongoing problems
with POS software and hardware - What was found was an eye-opening
mix of default passwords, at least one security flaw and a leftover
database containing the names, addresses, Social Security numbers
and phone numbers of employees who had access to the system.
Information Commissioner’s Office launched investigation following
data breach - The Information Commissioner’s Office (ICO) launched a
“full internal investigation” following a “non-trivial data security
incident”, it has been revealed. Details of the breach, which
happened within the last 12 months, were disclosed in a short
statement from head Christopher Graham in the ICO’s annual report.
Hamas targets TV station via satellite hack - As violence between
Israel and Palestinian militants of Hamas intensifies, reports have
surfaced that a satellite TV hack may have been used to incite
further turbulence between the groups.
Australian daily deals site discloses data breach after three years
- An Australian daily deals website company, Catch of the Day,
alerted its users on Friday of a data breach that impacted one of
its websites in 2011.
Benjamin F. Edwards tells New Hampshire AG CryptoWall led to breach
- The data breach that hit brokerage house Benjamin F. Edwards & Co.
(BFE) in May was the handiwork of CryptoLocker copycat ransomware.
Chinese hackers take command of Tesla Model S - Security firm Qihoo
360 says hackers gained control of some Tesla Model S functions --
but skimps on details of how the car was hacked.
Thousands had data on computers stolen from California medical
office - Three desktop computers were stolen from the California
office of Bay Area Pain Medical Associates, resulting in roughly
2,780 patients being notified that their personal information was in
a spreadsheet that could have been accessed.
Goodwill investigates compromise of credit, debit card info - Those
bargain finds might not look so good now to shoppers if their credit
or debit card information was compromised at one of several Goodwill
stores across the country.
Vice.com hacked, possibly The Wall Street Journal website too - On
Monday, a reported Russian hacker group known as W0rm tweeted, along
with screenshots, that it had hacked popular news, arts and culture
site Vice.com and The Wall Street Journal website, and would sell
each stolen database for a Bitcoin.
Wall Street Journal website vulnerable to SQL injection, gets hacked
- The Wall Street Journal confirmed in a Tuesday report that an
outside party - believed to be W0rm, a Russian hacker selling a
stolen database for a Bitcoin - exploited a vulnerability and hacked
into its news graphics systems.
Metro.us site compromised, serves malicious code - The U.S. version
of the Metro International website is serving up malicious code,
according to a blog post by the researchers at Websense Security
Labs who detected the compromise.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Risk management principles (Part 2 of 2)
The Committee recognizes that banks will need to develop risk
management processes appropriate for their individual risk profile,
operational structure and corporate governance culture, as well as
in conformance with the specific risk management requirements and
policies set forth by the bank supervisors in their particular
jurisdiction(s). Further, the numerous e-banking risk management
practices identified in this Report, while representative of current
industry sound practice, should not be considered to be
all-inclusive or definitive, since many security controls and other
risk management techniques continue to evolve rapidly to keep pace
with new technologies and business applications.
This Report does not attempt to dictate specific technical solutions
to address particular risks or set technical standards relating to
e-banking. Technical issues will need to be addressed on an on-going
basis by both banking institutions and various standards-setting
bodies as technology evolves. Further, as the industry continues to
address e-banking technical issues, including security challenges, a
variety of innovative and cost efficient risk management solutions
are likely to emerge. These solutions are also likely to address
issues related to the fact that banks differ in size, complexity and
risk management culture and that jurisdictions differ in their legal
and regulatory frameworks.
For these reasons, the Committee does not believe that a "one size
fits all" approach to e-banking risk management is appropriate, and
it encourages the exchange of good practices and standards to
address the additional risk dimensions posed by the e-banking
delivery channel. In keeping with this supervisory philosophy, the
risk management principles and sound practices identified in this
Report are expected to be used as tools by national supervisors and
implemented with adaptations to reflect specific national
requirements where necessary, to help promote safe and secure
e-banking activities and operations.
The Committee recognizes that each bank's risk profile is different
and requires a risk mitigation approach appropriate for the scale of
the e-banking operations, the materiality of the risks present, and
the willingness and ability of the institution to manage these
risks. These differences imply that the risk management principles
presented in this Report are intended to be flexible enough to be
implemented by all relevant institutions across jurisdictions.
National supervisors will assess the materiality of the risks
related to e-banking activities present at a given bank and whether,
and to what extent, the risk management principles for e-banking
have been adequately met by the bank's risk management framework.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
EXAMPLES OF ENCRYPTION USES
Asymmetric encryption is the basis of PKI, or public key
infrastructure. In theory, PKI allows two parties who do not know
each other to authenticate each other and maintain the
confidentiality, integrity, and accountability for their messages.
PKI rests on both communicating parties having a public and a
private key, and keeping their public keys registered with a third
party they both trust, called the certificate authority, or CA. The
use of and trust in the third party is a key element in the
authentication that takes place. For example, assume individual A
wants to communicate with individual B. A first hashes the message,
and encrypts the hash with A's private key. Then A obtains B's
public key from the CA, and encrypts the message and the hash with
B's public key. Obtaining B's public key from the trusted CA
provides A assurance that the public key really belongs to B and not
someone else. Using B's public key ensures that the message will
only be able to be read by B. When B receives the message, the
process is reversed. B decrypts the message and hash with B's
private key, obtains A's public key from the trusted CA, and
decrypts the hash again using A's public key. At that point, B has
the plain text of the message and the hash performed by A. To
determine whether the message was changed in transit, B must
re-perform the hashing of the message and compare the newly computed
hash to the one sent by A. If the new hash is the same as the one
sent by A, B knows that the message was not changed since the
original hash was created (integrity). Since B obtained A's public
key from the trusted CA and that key produced a matching hash, B is
assured that the message came from A and not someone else.
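The A-to-B exchange described above, carried through in Go as an added example that is not part of the booklet or the newsletter. It assumes each party's public key has already been fetched from the CA (the keys are passed in directly), uses RSA-OAEP for the encryption step and PKCS#1 v1.5 for the signature, and names `Envelope`, `NewKeyPair`, `Seal` and `Open` for illustration only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is this example's constructed wire format: the message and A's
// signature over its hash, each encrypted to B's public key with RSA-OAEP.
type Envelope struct{ CipherMsg, CipherSig []byte }

// NewKeyPair stands in for each party's key generation; CA publication is out
// of scope. RSA-OAEP only encrypts payloads smaller than the modulus, so B's
// key is made larger than A's so that A's 256-byte signature fits (real
// protocols wrap a symmetric key instead, the hybrid pattern TLS uses).
func NewKeyPair(bits int) *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, bits); return k }

// Seal is A's side: hash the message, sign the hash with A's private key, then
// encrypt message and signature with B's public key so only B can read them.
func Seal(aPriv *rsa.PrivateKey, bPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	cm, err1 := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, msg, nil)
	cs, err2 := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, sig, nil)
	if err1 != nil || err2 != nil {
		return nil, errors.New("payload too large for B's key or bad key")
	}
	return &Envelope{cm, cs}, nil
}

// Open is B's side: decrypt both parts with B's private key, re-hash the
// message and verify that hash against the signature with A's public key.
func Open(bPriv *rsa.PrivateKey, aPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	msg, err1 := rsa.DecryptOAEP(sha256.New(), rand.Reader, bPriv, env.CipherMsg, nil)
	sig, err2 := rsa.DecryptOAEP(sha256.New(), rand.Reader, bPriv, env.CipherSig, nil)
	if err1 != nil || err2 != nil {
		return nil, errors.New("decryption failed: not encrypted to B's key")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(aPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("hash mismatch: message altered or not signed by A")
	}
	return msg, nil
}
```

Verifying against the wrong sender's public key, or decrypting with any key other than B's, makes `Open` fail, which is the integrity and origin guarantee the text describes.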
Various communication protocols use both symmetric and asymmetric
encryption. Transaction layer security (TLS, the successor to SSL)
uses asymmetric encryption for authentication, and symmetric
encryption to protect the remainder of the communications session.
TLS can be used to secure electronic banking and other transmissions
between the institution and the customer. TLS may also be used to
secure e-mail, telnet, and FTP sessions. A wireless version of TLS
is called WTLS, for wireless transaction layer security.
Virtual Private Networks (VPNs) are used to provide employees,
contractors, and customers remote access over the Internet to
institution systems. VPN security is provided by authentication and
authorization for the connection and the user, as well as encryption
of the traffic between the institution and the user. While VPNs can
exist between client systems, and between servers, the typical
installation terminates the VPN connection at the institution
firewall. VPNs can use many different protocols for their
communications. Among the popular protocols are PPTP (point-to-point
tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use
different authentication methods, and different components on the
host systems. Implementations between vendors, and between products,
may differ. Currently, the problems with VPN implementations
generally involve interfacing a VPN with different aspects of the
host systems, and reliance on passwords for authentication.
IPSec is a complex aggregation of protocols that together provide
authentication and confidentiality services to individual IP
packets. It can be used to create a VPN over the Internet or other
untrusted network, or between any two computers on a trusted
network. Since IPSec has many configuration options, and can provide
authentication and encryption using different protocols,
implementations between vendors and products may differ. Secure
Shell is frequently used for remote server administration. SSH
establishes an encrypted tunnel between a SSH client and a server,
as well as authentication services.
Disk encryption is typically used to protect data in storage.
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Financial Institution Duties (Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of its
privacy policies and practices to each customer, not later than the
time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
2) A financial institution must provide an annual notice at least
once in any period of 12 consecutive months during the continuation
of the customer relationship.
3) Generally, new privacy notices are not required for each new
product or service. However, a financial institution must provide a
new notice to an existing customer when the customer obtains a new
financial product or service from the institution, if the initial or
annual notice most recently provided to the customer was not
accurate with respect to the new financial product or service.
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.