- MI5 and GCHQ urge FTSE chiefs to carry out cyber security ‘health check’ - The security bodies have asked that the check not be carried out by the CIO - The director general of MI5 and the director of GCHQ have written to all chairmen of FTSE 350 companies asking them to take part in a “cyber governance health check”, in a bid to raise awareness at the top of the corporate food chain and highlight internal vulnerabilities.
- Banking trojan KINS resembles architecture of Zeus, targets Windows users - A new banking trojan designed to steal financial information from Windows users is up for sale, and researchers may be mixing it up with other malware.
- Hack of Chipotle's Twitter account faked by company - Considering a number of high-profile companies have fallen victim to Twitter account hijacks, prompting the service to install additional protections, a bizarre string of tweets sent by Chipotle Mexican Grill's account on Sunday appeared to fit the pattern of a hack.
- High court bans publication of car-hacking paper - Researchers won't publish redacted version because info is already online. A high court judge has ruled that a computer scientist cannot publish an academic paper over fears that it could lead to vehicle theft.
- Five charged in hacking corporate networks to steal 160M card numbers - Federal prosecutors in New Jersey announced Thursday that five men have been charged for their role in one of the country's largest-ever hacking operations to be dismantled.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- NYC's new Citi Bike program exposes card info of riders - New York City's two-month-old bike-sharing program, Citi Bike, sustained a data breach that exposed the personal and financial information of people who signed up for annual membership.
- Medical supply company files lawsuit after breach - San Jose Medical Supply Co. in California has filed a lawsuit against former employees for allegedly disclosing customer information to two competitors, which it also is suing.
- Top server host OVH warns of 'multi-stage' hacking attack - 'Higher level of paranoia' suggests EU and US users should change passwords - French-based server host OVH has warned that its systems have been penetrated in a multi-stage attack that leaves US and European customers at risk.
- Syrian Electronic Army hacks Viber App Store account listing - Apple iOS users who checked out the Israeli start-up's Apple App Store page this weekend may have noticed an updated description reading: “We created this app to spy on you, PLEASE DOWNLOAD IT!” http://www.scmagazine.com/syrian-electronic-army-hacks-viber-app-store-account-listing/article/305026/?DCMP=EMC-SCUS_Newswire
- Patients notified after resident doctors store their data on Google - Portland-based Oregon Health & Science University (OHSU) notified more than 3,000 patients that their information had been stored in an unauthorized cloud service.
- White House Employees’ Personal Email Hacked - Three White House
staffers have had their personal Gmail accounts breached in what
appears to be a malicious operation directed at the team responsible
for the Obama administration's social media outreach, according to
individuals familiar with the incident.
- Don’t Get Sucker Pumped - Gas pump skimmers are getting craftier.
A new scam out of Oklahoma that netted thieves $400,000 before they
were caught is a reminder of why it’s usually best to pay with
credit versus debit cards when filling up the tank.
- Professor fools $80M superyacht’s GPS receiver on the high seas -
One of the world’s foremost academic experts in GPS spoofing - A
University of Texas assistant professor - released a short video on
Monday showing how he and his students deceived the GPS equipment
aboard an expensive superyacht.
- Stanford University Network Hacked - Stanford University says it
has been hacked and is trying to determine the extent of the breach.
- Oil, gas field sensors vulnerable to attack via radio waves -
Researchers with IOActive say they can shut down a plant from up to
40 miles away by attacking industrial sensors - Sensors widely used
in the energy industry to monitor industrial processes are
vulnerable to attack from 40 miles away using radio transmitters,
according to alarming new research.
- Seventeen companies, including banks and retailers, named as
victims in hacker campaign - Numerous companies have been identified
as victims of a nearly seven-year-long hacking operation that
resulted Wednesday with the indictment of five more individuals.
- BlackBerry purportedly sending users' email credentials in
cleartext - Upset that BlackBerry has yet to address a potentially
major security and privacy vulnerability in the email client of its
latest version, a security company said Monday that it's fed up with
the response and has notified federal authorities.
- US Airways employees notified of potential data compromise -
Letters have been mailed to US Airways employees after payroll
vendor Automatic Data Processing (ADP) inadvertently made personal
information visible to fellow airline staffers.
- Laptop theft leads to compromised student health records - The
health records for 2,000 Fairfax County public school students in
Virginia were compromised after a laptop containing personal
information was stolen out of an employee's vehicle.
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or services;
2) patent or trademark holders for infringement by the third party;
3) persons alleging the unauthorized release or compromise of their
confidential information, as a result of the third-party's conduct.
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for terminating
the link. Third parties, whether they provide services directly to
customers or are merely intermediaries, may enter into bankruptcy,
liquidation, or reorganization during the period of the agreement.
The quality of their products or services may decline, as may the
effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
practices:
1) Multidisciplinary and Knowledge-based Approach - A consensus
evaluation of the risks and risk mitigation practices followed by
the institution requires the involvement of a broad range of users,
with a range of expertise and business knowledge. Not all users may
have the same opinion of the severity of various attacks, the
importance of various controls, and the importance of various data
elements and information system components. Management should apply
a sufficient level of expertise to the assessment.
2) Systematic and Central Control - Defined procedures and central
control and coordination help to ensure standardization,
consistency, and completeness of risk assessment policies and
procedures, as well as coordination in planning and performance.
Central control and coordination will also facilitate an
organizational view of risks and lessons learned from the risk
assessment process.
3) Integrated Process - A risk assessment provides a foundation for
the remainder of the security process by guiding the selection and
implementation of security controls and the timing and nature of
testing those controls. Testing results, in turn, provide evidence
to the risk assessment process that the controls selected and
implemented are achieving their intended purpose. Testing can also
validate the basis for accepting risks.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is
permitted, does the institution provide notice after establishing a
customer relationship within a reasonable time? [§4(e)]