Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Sony insurer says it's not liable for costs of data breach - Sues
game maker for saying otherwise - Sony has been sued by its
insurance company, which says the policy it issued doesn't cover a
series of high-profile security breaches that exposed personal
information associated with more than 100 million accounts.
Alleged Laval botnet creator arrested in Canada - The alleged author
of the Laval botnet has been arrested by police in Canada. It is
thought that the 24-year-old programmed the malware himself and then
infected servers in Canada, the US and beyond, creating a vast
network of zombie PCs.
Federal auditors scold IRS for slow notification of security
breaches - The Obama administration is compelling private businesses
to adopt new standards to protect themselves and the consumers they
serve from hackers and cybertheft. Now federal auditors are scolding
the government for not protecting consumers from itself.
GAO - Continued Attention Needed to Protect Our Nation's Critical
GAO - Data Center Consolidation: Agencies Need to Complete
Inventories and Plans to Achieve Expected Savings
- Calif. Co. Sues Bank Over $465k eBanking Heist - A California real
estate escrow company that lost more than $465,000 in an online
banking heist last year is suing its former financial institution,
alleging that the bank was negligent and that it failed to live up
to the terms of its own online banking contract.
- Maryland Governor Martin O'Malley Recognizes Winners of U.S. Cyber
Challenge National Cyber Foundations Competition - Top Winner
Receives General Dynamics Cyber Scholarship - Maryland Governor
Martin O'Malley and the U.S. Cyber Challenge announced today the
state's winners of the 2011 Spring Cyber Foundations National
- US-CERT Director Leaves Abruptly - The director of the agency that
protects the federal government from cyber attacks has resigned
abruptly in the wake of a spate of hacks against government
- Florida reportedly sells drivers' info for $63M - The state made
$63 million in 2010 selling drivers' names, addresses, dates of
birth and what cars they own to employers, insurance companies and
such personal data collection.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Attack On Pacific Northwest National Lab Started At Public Web
Servers - Zero-day Flash payload infected visitors to lab's
public-facing Web servers - The cyberattack discovered at Pacific
Northwest National Laboratory (PNNL) during the Fourth of July
holiday weekend used a combination of a Web server vulnerability and
a payload that delivered a zero-day Adobe Flash attack, according to
officials at the Department of Energy-contracted facility.
Feds Charge Activist as Hacker for Downloading Millions of Academic
Articles - A well-known coder and activist was arrested Tuesday,
charged with violating federal hacking laws for downloading millions
of academic articles from a subscription database service that MIT
had given him access to via a guest account. If convicted, he faces
up to 35 years in prison and a $1 million fine.
Pfizer latest corporate victim in hacktivist attacks - The Facebook
page for Pfizer has returned online after it was compromised by
hackers who posted remarks disparaging the pharmaceutical giant.
- China-Based Spies Said to Be Behind Hacking of IMF Computers -
Investigators probing the recent ransacking of International
Monetary Fund computers have concluded the attack was carried out by
cyber spies connected to China, according to two people close to the
- Hacker Sentenced In Virginia to 10 Years In Prison For Stealing
675,000 Credit Card Numbers Leading To $36 Million In Losses -
Hacker was sentenced today to 120 months in prison by U.S. District
Judge Anthony J. Trenga in Alexandria, Va., for trafficking in
counterfeit credit cards and aggravated identity theft.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website content is
dynamic, and third parties may change the presentation or content of
a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC card for the corporate
network or a subnet. Firewalls, proxy servers, and gateway servers
are typically dual-homed with two NIC cards that allow them to
communicate securely both internally and externally while limiting
access to the internal network.
Return to the top of
INTERNET PRIVACY - With this
issue, we begin our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act
governs the treatment of nonpublic personal information about
consumers by financial institutions. Section 502 of the Subtitle,
subject to certain exceptions, prohibits a financial institution
from disclosing nonpublic personal information about a consumer to
nonaffiliated third parties, unless the institution satisfies
various notice and opt-out requirements, and provided that the
consumer has not elected to opt out of the disclosure. Section 503
requires the institution to provide notice of its privacy policies
and practices to its customers. Section 504 authorizes the issuance
of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
1) A financial institution must provide a notice of its privacy
policies, and allow the consumer to opt out of the disclosure of the
consumer's nonpublic personal information, to a nonaffiliated third
party if the disclosure is outside of the exceptions in sections 13,
14 or 15 of the regulations.
2) Regardless of whether a financial institution shares nonpublic
personal information, the institution must provide notices of its
privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
4) A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it receives from a
nonaffiliated financial institution.