Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- GAO - Opportunities for Improvements in FDIC's Internal Controls
and Accounting Procedures -
- MU hosts cyber security camp to train future defenders of
cyberspace - Three winners walked away from the United States Cyber
Challenge Regional Cyber Security Boot Camp at MU with $1,000
- GAO - Federal Agencies Need Policies and Procedures for Managing
and Protecting Information They Access and Disseminate
- GAO - DHS Needs to Improve Its Independent Acquisition Reviews
- ALDI sells hard drives with malware inside - The Australian
Computer Emergency Response Team (AusCERT) released an alert
yesterday on the Federal Government's Stay Smart Online alert
service, alleging that the Fission External 4-in-1 Hard Drive, DVD,
USB and Card Reader product offered by ALDI contains the components
of the "Conficker" worm.
- 'War texting' hacks car systems and possibly much more - Software
that allows drivers to remotely unlock and start automobiles using
cell phones is vulnerable to hacks that allow attackers to do the
same thing, sometimes from thousands of miles away, it was widely
- SecurID breach cost RSA $66m - The security breach that targeted
sensitive data relating to RSA's SecurID two-factor authentication
product has cost parent company EMC $66m in the second quarter, The
Washington Post has reported.
- In ‘Anonymous’ Raids, Feds Work From List of Top 1,000 Protesters
- It turns out there’s a method behind the FBI’s raids of suspected
Anonymous members around the country. The bureau is working from a
list, provided by PayPal, of the 1,000 internet IP addresses
responsible for the most protest traffic during Anonymous’ DDoS
attacks against PayPal last December.
- Criminals abusing Amazon cloud to spread SpyEye - Criminals for
the past several weeks have been exploiting Amazon's Simple Storage
Service (S3) cloud offering to spread SpyEye malware, according to
researchers at anti-virus firm Kaspersky Lab.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- British phone hacking inquiry opens - A British judge has formally
opened an inquiry into the phone-hacking scandal that has rocked the
country, saying the first public hearings will be in September and
will focus on media ethics.
- 35m Cyworld, Nate users’ information hacked - SK Communications
Co. said on Thursday that personal information of its 35 million
online users has been hacked, marking South Korea’s worst online
security breach and sparking fears that the leak could lead to
massive online and voice scams in coming weeks.
- Seattle hospital data exposed online - Swedish Medical Center, the
largest nonprofit health care provider in the greater Seattle area,
is alerting current and former employees that their personal
information was inadvertently accessible online for several weeks.
- Hackers strike government cybersecurity contractor - Hackers
flying the AntiSec banner today released what they said was 400
megabytes of internal data from a government cybersecurity
contractor, ManTech, as part of their campaign to embarrass the FBI
every Friday, as well as target other government agencies and their
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We finish our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
it maintains certain minimum information security standards at all
When a financial institution subcontracts weblinking arrangements to
a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
A firewall is a collection of components (computers, routers, and
software) that mediate access between different security domains.
All traffic between the security domains must pass through the
firewall, regardless of the direction of the flow. Since the
firewall serves as a choke point for traffic between security
domains, they are ideally situated to inspect and block traffic and
coordinate activities with network IDS systems.
Financial institutions have four primary firewall types from which
to choose: packet filtering, stateful inspection, proxy servers, and
application-level firewalls. Any product may have characteristics of
one or more firewall types. The selection of firewall type is
dependent on many characteristics of the security zone, such as the
amount of traffic, the sensitivity of the systems and data, and
applications. Over the next few weeks we will discussed the
different types of firewalls.
Return to the top of
INTERNET PRIVACY - We continue our
review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal information";
"nonaffiliated third party"; the "opt out" right and the exceptions
to that right; and "consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
A "financial institution" is any institution the business of
which is engaging in activities that are financial in nature or
incidental to such financial activities, as determined by section
4(k) of the Bank Holding Company Act of 1956. Financial institutions
can include banks, securities brokers and dealers, insurance
underwriters and agents, finance companies, mortgage bankers, and
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except a
financial institution's affiliate or a person employed jointly by a
financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is any company
that controls, is controlled by, or is under common control with the