REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Why the Security of USB Is Fundamentally Broken - Computer users
pass around USB sticks like silicon business cards. Although we know
they often carry malware infections, we depend on antivirus scans
and the occasional reformatting to keep our thumbdrives from
becoming the carrier for the next digital epidemic.
- Black Hat keynote talks cyber policies for field's future - At a
time where cyber security has become more relevant than ever to
senior leadership at companies, experts challenged practitioners to
simplify their focus, while taking up a radical approach, to remain
effective as a field.
- CIA Admits to Improperly Hacking Senate Computers - The Central
Intelligence Agency improperly and covertly hacked into computers
used by Senate staffers to investigate the spy agency's Bush-era
interrogation practices, according to an internal investigation.
- Homeland Security wants corporate board of directors more involved
in cyber-security - Setting corporate cyber-security policy and
taking actions around it must be a top concern for the board of
directors at any company, not just the information-technology
division, the Department of Homeland Security (DHS) indicated as a
high-level official there backed a private-sector effort to raise
awareness at the board level.
- House Wants Agency CIOs to Vouch for Security of Their Websites -
Federal websites that collect personally identifiable information
would have to be certified as secure by an agency chief information
officer under legislation the House passed Monday evening.
- 2014 Women in IT Security: Making headway - It's no secret that
women are greatly outnumbered by their male counterparts in the
field, and that other gaps, such as those in pay, remain a hurdle
for women aiming to reach new heights in their careers.
- A Contrarian View on Data Breaches - Weighing Risk of Exposing
Weaknesses, Executives Rethink Merits of Going Public With Attacks -
Urban Outfitters Inc. hired Dawn-Marie Hutchinson last year to keep
hackers out of its computers. If crooks were to get in, Ms.
Hutchinson doesn't think the teen retailer should immediately tell
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Canada's NRC breach work of Chinese state-sponsored actor -
Canada's National Research Council network was recently breached by
a “highly sophisticated Chinese state-sponsored actor,” according to
a statement issued by office of the Canadian government's CIO.
- Script fails, thousands of Mozilla developer emails, passwords
possibly exposed - It is not uncommon for data breaches to be the
result of programming errors - that is exactly what happened to
Mozilla when a data sanitization process for the Mozilla Developer
Network (MDN) failed and the email addresses and encrypted passwords
of thousands of users ended up on a publicly accessible server.
- P.F. Chang's update says 33 restaurant locations affected - P.F.
Chang's China Bistro restaurant chain issued an update on its June
security breach earlier today and stated that the the breach
affected point-of-sale (POS) systems at 33 locations.
- Florida bank notifies roughly 72,500 customers of breach - Early
in July, Florida-based TotalBank began notifying a reported 72,500
customers that their personal information - including banking
information and possibly Social Security numbers - may have been
compromised by an unauthorized individual who obtained access to the
TotalBank computer network.
- Sandwich Chain Jimmy John’s Investigating Breach Claims - Sources
at a growing number of financial institutions in the United States
say they are tracking a pattern of fraud that indicates nationwide
sandwich chain Jimmy John’s may be the latest retailer dealing with
a breach involving customer credit card data. The company says it is
working with authorities on an investigation.
- More than a billion unique credentials pilfered by Russian hackers
- A group of Russian hackers, dubbed “CyberVor,” are sitting on the
biggest cache of stolen credentials to date, according to a Tuesday
post by Hold Security.
- Insider breach at Las Vegas brain and spine surgery center - In
July, Las Vegas-based Western Regional Center for Brain & Spine
Surgery (WRCBSS) began notifying patients that their personal
information - including Social Security numbers - might have been
stolen by a former employee and used for fraudulent purposes.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
The Board of Directors and senior management are responsible for
developing the banking institution's business strategy. An explicit
strategic decision should be made as to whether the Board wishes the
bank to provide e-banking transactional services before beginning to
offer such services. Specifically, the Board should ensure that
e-banking plans are clearly integrated within corporate strategic
goals, a risk analysis is performed of the proposed e-banking
activities, appropriate risk mitigation and monitoring processes are
established for identified risks, and ongoing reviews are conducted
to evaluate the results of e-banking activities against the
institution's business plans and objectives.
In addition, the Board and senior management should ensure that the
operational and security risk dimensions of the institution's
e-banking business strategies are appropriately considered and
addressed. The provision of financial services over the Internet may
significantly modify and/or even increase traditional banking risks
(e.g. strategic, reputational, operational, credit and liquidity
risk). Steps should therefore be taken to ensure that the bank's
existing risk management processes, security control processes, due
diligence and oversight processes for outsourcing relationships are
appropriately evaluated and modified to accommodate e-banking
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted. For
example, VPNs, IPSec, and encrypted e-mail will all shield malicious
code from detection.
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
Heuristic anti - virus products generally execute code in a
protected area of the host to analyze and detect any hostile intent.
Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive solutions.
New malicious code could have different signatures, and bypass other
controls. Protection against newly developed malicious code
typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host intrusion
detection devices. Network intrusion detection devices can be tuned
to alert when known malicious code attacks occur. Host intrusion
detection can be tuned to alert when they recognize abnormal system
behavior, the presence of unexpected files, and changes to other
Return to the top of
INTERNET PRIVACY -
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Financial Institution Duties ( Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial notice
together with an opt out notice stating that the institution's
privacy notice is available upon request and explaining a reasonable
means for the consumer to obtain it. The following is a list of
disclosures regarding nonpublic personal information that
institutions must provide in their privacy notices, as applicable:
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to whom
the institution may disclose information;
4) policies with respect to the treatment of former customers'
5) information disclosed to service providers and joint marketers
6) an explanation of the opt out right and methods for opting out;
7) any opt out notices the institution must provide under the Fair
Credit Reporting Act with respect to affiliate information sharing;
8) policies for protecting the security and confidentiality of
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and