R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

July 27, 2014

CONTENT: Internet Compliance - Web Site Audits; IT Security; Internet Privacy; Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.
FYI - "Human error" contributes to nearly all cyber incidents, study finds - Even though organizations may have all of the bells and whistles needed in their data security arsenal, it's the human element that continues to fuel cyber incidents, according to one recent study. http://www.scmagazine.com/human-error-contributes-to-nearly-all-cyber-incidents-study-finds/article/356015/

FYI - NASDAQ IT security spend: $1bn. Finding mystery malware on its servers: Priceless - Probe reveals US banks just as wide open to hacking - NASDAQ servers were infected by malware that exploited two mystery zero-day vulnerabilities, according to a magazine cover story published today.
http://www.theregister.co.uk/2014/07/17/nasdaq_hack_report/
http://www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-the-nasdaq

FYI - InfoSec pros worried BYOD ushers in security exploits, survey says - Bring-your-own-device (BYOD) is proving to be a worrisome security challenge for information security professionals with nearly half the respondents in a recent survey by the Information Security Community on LinkedIn admitting that their organizations are exposed to malware and embedded security exploits brought in by employees or others using downloaded apps or content on personal devices. http://www.scmagazine.com/infosec-pros-worried-byod-ushers-in-security-exploits-survey-says/article/362484/

FYI - 31 percent of IT security teams don't speak to company execs - Nearly a third of IT security teams never speak with their company's executives about cyber security and of those who did, 23 percent spoke to them only once per year, according to a new Ponemon Institute report. http://www.scmagazine.com/report-31-percent-of-it-security-teams-dont-speak-to-company-execs/article/361263/

FYI - GAO - Credit Cards Designed for Medical Services Not Covered by Insurance. http://www.gao.gov/products/GAO-14-570

FYI - Government-grade malware in hacker hands - New research suggests that 'government-grade' malware designed to operate undetected on computer systems is in the hands of cybercriminals who are integrating it into rootkits and ransomware. "Government-grade" malware, which lurks in computer systems undetected for long periods of time, is believed to be in the hands of hackers using it to make rootkits and ransomware more potent. http://www.zdnet.com/government-grade-malware-in-hacker-hands-7000031765/

FYI - Weaknesses Remain in FDIC's Information Security - The Federal Deposit Insurance Corporation enforces banking laws and regulates financial institutions across the country, yet weaknesses in its security posture place information at unnecessary risk, according to a new Government Accountability Office report. http://www.nextgov.com/cybersecurity/2014/07/gao-weaknesses-remain-fdics-information-security/89126/?oref=ng-HPriver

FYI - $4 billion breach suit against Sutter Health dismissed - An appeals court has dismissed several class action lawsuits filed against Sutter Health, due to a data breach it suffered nearly three years ago. http://www.scmagazine.com/4-billion-breach-suit-against-sutter-health-dismissed/article/362244/

FYI - Sony to shell out $15M in PSN breach settlement - Sony has agreed to a $15 million preliminary settlement in hopes of quashing even heftier costs associated with its massive PlayStation Network hack three years ago. http://www.scmagazine.com/sony-to-shell-out-15m-in-psn-breach-settlement/article/362720/

FYI - Rhode Island hospital to pay $150K for past data breach - A Rhode Island hospital must pay $150,000 after a data breach compromised more than 12,000 Massachusetts residents' personal information. http://www.scmagazine.com/rhode-island-hospital-to-pay-150k-for-past-data-breach/article/362725/

FYI - IT manager fired following massive Maricopa college district breach - Officials with Maricopa County Community College District (MCCCD), which announced a massive data breach in December 2013, voted to fire the IT manager on Tuesday, according to an azfamily.com report. http://www.scmagazine.com/it-manager-fired-following-massive-maricopa-college-district-breach/article/362718/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Aloha point-of-sale terminal, sold on eBay, yields security surprises - An HP researcher's findings highlight ongoing problems with POS software and hardware - What was found was an eye-opening mix of default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system. http://news.techworld.com/security/3531445/aloha-point-of-sale-terminal-sold-on-ebay-yields-security-surprises/?olo=rss

FYI - Information Commissioner’s Office launched investigation following data breach - The Information Commissioner’s Office (ICO) launched a “full internal investigation” following a “non-trivial data security incident”, it has been revealed. Details of the breach, which happened within the last 12 months, were disclosed in a short statement from head Christopher Graham in the ICO’s annual report.
http://business-technology.co.uk/2014/07/information-commissioners-office-launched-investigation-following-data-breach/
http://www.scmagazine.com/uk-data-security-office-quietly-discloses-breach/article/361711/

FYI - Hamas targets TV station via satellite hack - As violence between Israel and Palestinian militants of Hamas intensifies, reports have surfaced that a satellite TV hack may have been used to incite further turbulence between the groups. http://www.scmagazine.com/hamas-targets-tv-station-via-satellite-hack/article/361712/

FYI - Australian daily deals site discloses data breach after three years - An Australian daily deals website company, Catch of the Day, alerted its users on Friday of a data breach that impacted one of its websites in 2011. http://www.scmagazine.com/australian-daily-deals-site-discloses-data-breach-after-three-years/article/361679/

FYI - Benjamin F. Edwards tells New Hampshire AG CryptoWall led to breach - The data breach that hit brokerage house Benjamin F. Edwards & Co. (BFE) in May was the handiwork of CryptoLocker copycat ransomware. http://www.scmagazine.com/benjamin-f-edwards-tells-new-hampshire-ag-cryptowall-led-to-breach/article/

FYI - Chinese hackers take command of Tesla Model S - Security firm Qihoo 360 says hackers gained control of some Tesla Model S functions -- but skimps on details of how the car was hacked. http://www.cnet.com/news/chinese-hackers-take-command-of-tesla-model-s/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Thousands had data on computers stolen from California medical office - Three desktop computers were stolen from the California office of Bay Area Pain Medical Associates, resulting in roughly 2,780 patients being notified that their personal information was in a spreadsheet that could have been accessed. http://www.scmagazine.com/thousands-had-data-on-computers-stolen-from-california-medical-office/article/361852/

FYI - Goodwill investigates compromise of credit, debit card info - Those bargain finds might not look so good now to shoppers if their credit or debit card information was compromised at one of several Goodwill stores across the country. http://www.scmagazine.com/goodwill-investigates-compromise-of-credit-debit-card-info/article/362092/

FYI - Vice.com hacked, possibly The Wall Street Journal website too - On Monday, a reported Russian hacker group known as W0rm tweeted, along with screenshots, that it had hacked popular news, arts and culture site Vice.com and The Wall Street Journal website, and would sell each stolen database for a Bitcoin. http://www.scmagazine.com/vicecom-hacked-possibly-the-wall-street-journal-website-too/article/362087/

FYI - Wall Street Journal website vulnerable to SQL injection, gets hacked - The Wall Street Journal confirmed in a Tuesday report that an outside party - believed to be W0rm, a Russian hacker selling a stolen database for a Bitcoin - exploited a vulnerability and hacked into its news graphics systems. http://www.scmagazine.com/wall-street-journal-website-vulnerable-to-sql-injection-gets-hacked/article/362432/

FYI - Metro.us site compromised, serves malicious code - The U.S. version of the Metro International website is serving up malicious code, according to a blog post by the researchers at Websense Security Labs who detected the compromise. http://www.scmagazine.com/metrous-site-compromised-serves-malicious-code/article/362427/


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management principles (Part 2 of 2)

The Committee recognizes that banks will need to develop risk management processes appropriate for their individual risk profile, operational structure and corporate governance culture, as well as in conformance with the specific risk management requirements and policies set forth by the bank supervisors in their particular jurisdiction(s). Further, the numerous e-banking risk management practices identified in this Report, while representative of current industry sound practice, should not be considered to be all-inclusive or definitive, since many security controls and other risk management techniques continue to evolve rapidly to keep pace with new technologies and business applications.

This Report does not attempt to dictate specific technical solutions to address particular risks or set technical standards relating to e-banking. Technical issues will need to be addressed on an on-going basis by both banking institutions and various standards-setting bodies as technology evolves. Further, as the industry continues to address e-banking technical issues, including security challenges, a variety of innovative and cost efficient risk management solutions are likely to emerge. These solutions are also likely to address issues related to the fact that banks differ in size, complexity and risk management culture and that jurisdictions differ in their legal and regulatory frameworks.

For these reasons, the Committee does not believe that a "one size fits all" approach to e-banking risk management is appropriate, and it encourages the exchange of good practices and standards to address the additional risk dimensions posed by the e-banking delivery channel. In keeping with this supervisory philosophy, the risk management principles and sound practices identified in this Report are expected to be used as tools by national supervisors and implemented with adaptations to reflect specific national requirements where necessary, to help promote safe and secure e-banking activities and operations.

The Committee recognizes that each bank's risk profile is different and requires a risk mitigation approach appropriate for the scale of the e-banking operations, the materiality of the risks present, and the willingness and ability of the institution to manage these risks. These differences imply that the risk management principles presented in this Report are intended to be flexible enough to be implemented by all relevant institutions across jurisdictions. National supervisors will assess the materiality of the risks related to e-banking activities present at a given bank and whether, and to what extent, the risk management principles for e-banking have been adequately met by the bank's risk management framework.

 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

EXAMPLES OF ENCRYPTION USES

Asymmetric encryption is the basis of PKI, or public key infrastructure. In theory, PKI allows two parties who do not know each other to authenticate each other and maintain the confidentiality, integrity, and accountability for their messages. PKI rests on both communicating parties having a public and a private key, and keeping their public keys registered with a third party they both trust, called the certificate authority, or CA. The use of and trust in the third party is a key element in the authentication that takes place. For example, assume individual A wants to communicate with individual B. A first hashes the message, and encrypts the hash with A's private key. Then A obtains B's public key from the CA, and encrypts the message and the hash with B's public key. Obtaining B's public key from the trusted CA provides A assurance that the public key really belongs to B and not someone else. Using B's public key ensures that the message will only be able to be read by B. When B receives the message, the process is reversed. B decrypts the message and hash with B's private key, obtains A's public key from the trusted CA, and decrypts the hash again using A's public key. At that point, B has the plain text of the message and the hash performed by A. To determine whether the message was changed in transit, B must re-perform the hashing of the message and compare the newly computed hash to the one sent by A. If the new hash is the same as the one sent by A, B knows that the message was not changed since the original hash was created (integrity). Since B obtained A's public key from the trusted CA and that key produced a matching hash, B is assured that the message came from A and not someone else (authentication).
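The A-to-B exchange described above, as an added Go example that is not from the FFIEC booklet or this newsletter: A hashes the message, signs the hash with A's private key and encrypts for B; B decrypts, re-hashes and checks the signature against A's key obtained from the trusted CA. Two assumptions are made: the CA is modelled as a Registry map of trusted public keys (a real CA issues signed certificates), and because RSA cannot directly encrypt a message plus a 256-byte signature, the body is protected with a fresh AES-256-GCM session key that B's RSA public key wraps, the same asymmetric-for-authentication, symmetric-for-the-session split described for TLS below.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

type Registry map[string]*rsa.PublicKey // stands in for the CA: public keys both parties trust
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Send is A's side: hash, sign the hash with A's private key, then encrypt message and
// signature for B. Output: wrappedKey (B's key size) || nonce (12) || AES-GCM(msg || sig).
func Send(reg Registry, aPriv *rsa.PrivateKey, to string, msg []byte) ([]byte, error) {
	bPub, ok := reg[to] // "A obtains B's public key from the CA"
	if !ok {
		return nil, errors.New("recipient key not registered with CA")
	}
	h := sha256.Sum256(msg) // "A first hashes the message"
	sig, errSign := rsa.SignPSS(rand.Reader, aPriv, crypto.SHA256, h[:], nil)
	// RSA-OAEP cannot encrypt a body this large: a fresh AES-256 key protects the body.
	buf := make([]byte, 32+12) // session key followed by GCM nonce
	rand.Read(buf)              // crypto/rand: fails only if the OS RNG is broken
	wrapped, errWrap := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, buf[:32], nil)
	if errSign != nil || errWrap != nil {
		return nil, errors.New("signing or key wrapping failed")
	}
	block, _ := aes.NewCipher(buf[:32]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(wrapped, buf[32:]...), buf[32:], append(append([]byte{}, msg...), sig...), nil), nil
}

// Receive is B's side: unwrap with B's private key, decrypt, re-hash, verify against A's registered key.
func Receive(reg Registry, from string, bPriv *rsa.PrivateKey, env []byte) ([]byte, error) {
	aPub, ok := reg[from] // "B obtains A's public key from the trusted CA"
	k := bPriv.Size()
	if !ok || len(env) < k+12 {
		return nil, errors.New("unknown sender or truncated envelope")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, bPriv, env[:k], nil)
	if err != nil {
		return nil, errors.New("not the intended recipient")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, env[k:k+12], env[k+12:], nil)
	n := len(plain) - aPub.Size() // signature occupies the last aPub.Size() bytes
	if err != nil || n < 0 {
		return nil, errors.New("body altered or truncated in transit")
	}
	h := sha256.Sum256(plain[:n]) // B re-performs the hash
	if rsa.VerifyPSS(aPub, crypto.SHA256, h[:], plain[n:], nil) != nil {
		return nil, errors.New("hash mismatch: altered or not from " + from)
	}
	return plain[:n], nil
}
```

A signature by anyone other than the registered sender, a tampered body, or a recipient other than B all surface as errors from Receive rather than as a decrypted message.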

Various communication protocols use both symmetric and asymmetric encryption. Transport layer security (TLS, the successor to SSL) uses asymmetric encryption for authentication, and symmetric encryption to protect the remainder of the communications session. TLS can be used to secure electronic banking and other transmissions between the institution and the customer. TLS may also be used to secure e-mail, telnet, and FTP sessions. A wireless version of TLS is called WTLS, for wireless transport layer security.

Virtual Private Networks (VPNs) are used to provide employees, contractors, and customers remote access over the Internet to institution systems. VPN security is provided by authentication and authorization for the connection and the user, as well as encryption of the traffic between the institution and the user. While VPNs can exist between client systems, and between servers, the typical installation terminates the VPN connection at the institution firewall. VPNs can use many different protocols for their communications. Among the popular protocols are PPTP (point-to-point tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use different authentication methods, and different components on the host systems. Implementations between vendors, and between products, may differ. Currently, the problems with VPN implementations generally involve interfacing a VPN with different aspects of the host systems, and reliance on passwords for authentication.

IPSec is a complex aggregation of protocols that together provide authentication and confidentiality services to individual IP packets. It can be used to create a VPN over the Internet or other untrusted network, or between any two computers on a trusted network. Since IPSec has many configuration options, and can provide authentication and encryption using different protocols, implementations between vendors and products may differ. Secure Shell (SSH) is frequently used for remote server administration. SSH establishes an encrypted tunnel between an SSH client and a server, as well as authentication services.

Disk encryption is typically used to protect data in storage.



INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 2 of 6)

Notice Duties to Customers:

In addition to the duties described above, there are several duties unique to customers. In particular, regardless of whether the institution discloses or intends to disclose nonpublic personal information, a financial institution must provide notice to its customers of its privacy policies and practices at various times.

1)  A financial institution must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. Section 4(e) of the regulations describes the exceptional cases in which delivery of the notice is allowed subsequent to the establishment of the customer relationship.

2)  A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship.

3)  Generally, new privacy notices are not required for each new product or service. However, a financial institution must provide a new notice to an existing customer when the customer obtains a new financial product or service from the institution, if the initial or annual notice most recently provided to the customer was not accurate with respect to the new financial product or service.

4)  When a financial institution does not disclose nonpublic personal information (other than as permitted under section 14 and section 15 exceptions) and does not reserve the right to do so, the institution has the option of providing a simplified notice.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
© Copyright Yennik, Incorporated