REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- CoNetrix released a new, complimentary online tool called tandem
Compliance Calendar to help financial institutions effectively
manage regulatory requirements and schedule important tasks such as
audits, training, operations and compliance. This free solution is
part of their tandem software suite designed to help financial
institutions with their security and compliance needs.
- Homeland Security pushes pay boost for cyber pros - The Homeland
Security Department made a final pitch to Congress to equalize pay
packages for DHS cyber professionals and their higher-paid Pentagon
counterparts, as cybersecurity legislation looked likely to stall
for the third consecutive year.
- India: We DO have the BlackBerry encryption keys - Indian
government officials have apparently claimed that Research in Motion
has handed over the skeleton keys used to encrypt BlackBerry
communications – once again ignoring the fact that such keys don't
- Air Force prepares to open cyberwarfare simulation center to
outside users - The Air Force is slated to open a virtual
cyberwarfare program to more military commands, educational
institutions and other federal agencies, contracting papers
- White House reportedly considers cyber executive order - After
Senate Republicans last week blocked the passage of a cyber security
bill, the White House is considering reviving the legislation
through an executive order, according to a report this weekend.
- Proposed Privacy Law Demands Court Warrants for Cloud Data - Two
Democratic congressmen are proposing sweeping changes to a U.S.
privacy law that for the first time would require the government to
obtain a probable-cause warrant to access data stored in the cloud.
- Password security can improve, but the hackers will still get in -
In June, millions of password hashes were disclosed from LinkedIn,
eHarmony and Last.fm. And in July, more than 400,000 usernames and
passwords were stolen from Yahoo, while the social networking site
Formspring, clothing company Billabong, and gaming site Gamigo all
suffered similar breaches.
- Gauss trojan targets Lebanese banks, likely U.S. creation -
Researchers have come across another sophisticated piece of Middle
Eastern-targeted espionage malware, which, at the very least, is
capable of stealing bank login details, and, at the most extreme, is
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Knight Capital Shows How Financial Services Firms Have Become
Widow Makers - Knight Capital experienced an electronic trading
malfunction that caused havoc in the trading of stocks ranging from
RadioShack to Dupont. Now, Knight says its losses from the trading
debacle are $440 million.
- Employee password reuse behind Dropbox spam outbreak - The spam
outbreak that last month flooded the inboxes of Dropbox customers
has been traced back to a hacked employee account, company
representatives said late Tuesday.
- Metropolitan Police ransomware pretender ensnares 1,100 computers
- The Metropolitan Police's Central e-Crime Unit (PCeU) has
uncovered a ransomware scam attempting to extort money from
unsuspecting members of the public by impersonating it.
- Data breach costs LinkedIn up to $1 million - Due to one of the
year's largest reported data breaches, business networking site
LinkedIn has announced that it already has taken up to a $1 million
- Yahoo faces lawsuit following data breach - As is the norm
following a high-profile breach, Yahoo is facing a lawsuit following
its disclosure last month that hackers stole 450,000 unencrypted
email addresses and passwords of its members.
- Thumb drive with data on 14k hospital patients stolen - A USB
drive with data on thousands of patients of Oregon Health & Science
University (OHSU) in Portland was stolen from the home of an
employee on July 4 or 5.
- Hackers breach Environment Protection Agency database - Thousands
of U.S. Environmental Protection Agency (EPA) employees had their
personal information exposed through a database breach.
- Patient data outage exposes risks of electronic medical
records - 'Human error' is blamed for a five-hour computer outage
last week. It highlights the risks of a nationwide switch to
electronic medical records.
- Reuters suffers double hack - Call it a “psy-ops” attack,
if you like: Reuters has suffered the embarrassment of having two
platforms infiltrated and used to spread propaganda messages
supporting the Syrian regime.
- How Apple let a hacker remotely wipe an iPhone, iPad,
MacBook - Gizmodo's Twitter account was recently hacked, after a
former employee's iCloud account was breached, and all his Apple
devices (iPhone, iPad, MacBook Air) were remotely wiped. It turns
out the hacker didn't even have to get the password: he just tricked
Apple's tech support.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and specific
authorization privileges assigned to all users of e-banking systems
and applications, including all customers, internal bank users and
outsourced service providers. Logical access controls should also be
designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization's
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g.
remote access servers, e-mail proxy servers) and on each desktop
b) Intrusion detection software and other security assessment tools
to periodically probe networks, servers and firewalls for weaknesses
and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Measurement and Interpretation of Test Results.
Institutions should design tests to produce results that are logical
and objective. Results that are reduced to metrics are potentially
more precise and less subject to confusion, as well as being more
readily tracked over time. The interpretation and significance of
test results are most useful when tied to threat scenarios.
Traceability. Test results that indicate an unacceptable risk in an
institution's security should be traceable to actions subsequently
taken to reduce the risk to an acceptable level.
Thoroughness. Institutions should perform tests sufficient to
provide a high degree of assurance that their security plan,
strategy and implementation is effective in meeting the security
objectives. Institutions should design their test program to draw
conclusions about the operation of all critical controls. The scope
of testing should encompass all systems in the institution's
production environment and contingency plans and those systems
within the institution that provide access to the production
Frequency. Test frequency should be based on the risk that
critical controls are no longer functioning. Factors to consider
include the nature, extent, and results of prior tests, the value
and sensitivity of data and systems, and changes to systems,
policies and procedures, personnel, and contractors. For example,
network vulnerability scanning on highrisk systems can occur at
least as frequently as significant changes are made to the network.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
30. Does the institution allow the
consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically?