REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Black Hat talk of incident response, trends - In his Black Hat
2014 session entitled “The State of Incident Response,” security
guru Bruce Schneier, CTO of Co3 Systems, Inc., said that hackers
will invariably breach networks, but it is what comes next that
- Tennessee company sues its bank for cyberheist losses - A
Tennessee-based electrical company has sued its bank following a
cyberheist that stole $327,804 from the firm.
- ICO ‘sounds the alarm’ over legal profession's shoddy
data-handling - The Information Commissioner's Office (ICO) has
voiced its concern with a spate of data-protection blunders in the
legal profession, warning barristers and solicitors they face fines
as high as £500,000 if they put their clients' data at risk.
- Airport security equipment at risk - While the Transportation
Safety Administration and the Department of Homeland Security are
very exacting in the specifications that airport security equipment
must meet, x-ray machines, trace detection scanners, time and
attendance clocks and the like all have backdoors and other
vulnerabilities that can be exploited.
- U.S. court rules in favor of providing officials access to entire
email account - The federal court had earlier ruled that such a
warrant would provide too much information to law enforcement - A
federal judge ruled Friday that providing law enforcement with
access to an entire email account in an investigation did not
violate the Fourth Amendment to the U.S. Constitution, which prohibits
unreasonable searches and seizures of property.
- Anonymous wifi the latest casualty of Russia net neurosis -
Ruskies must provide mobile phone numbers to surf Starbucks -
Russians will be required to hand over their passport-validated
phone numbers to access public wireless networks under new laws.
- Schnucks reaches data breach settlement - Schnuck Markets (Schnucks)
has settled lawsuits resulting from a 2013 data breach, agreeing to
pay customers for “documented lost time,” fraudulent charges and
“extraordinary unreimbursed monetary losses” likely resulting from
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Breach of USIS believed to be state-sponsored, DHS reportedly
impacted - A provider of information and security services to
government agencies and commercial enterprises, including the
Department of Homeland Security (DHS) and Office of Personnel
Management (OPM), has been breached.
- Russian hackers steal 1.2 billion web passwords - Russian hackers
have amassed a huge trove of 1.2 billion web users’ emails and
passwords, having successfully breached scores of websites to steal
- Government spyware exposed after massive data breach - Gamma
International Ltd - an Anglo-German company that makes and sells
FinFisher spyware to various European, American and Asia Pacific
governments and law enforcement agencies - has been hit by a big
data breach, revealing hundreds of confidential documents.
- US contractor firm that vetted Snowden suffers major breach; data
likely snatched - A major contractor of the US Dept. of Homeland
Security suffers a major breach, months after it was accused of
faking hundreds of thousands of background checks. A contractor
working for the US Dept. of Homeland Security has suffered a data
breach, which likely led to the leak of personal employee
- Payment cards used on Wireless Emporium website compromised by
malware - After malware was discovered on the wirelessemporium.com
computer server, the company began notifying an undisclosed number
of individuals that their personal information - including payment
card data - might have been compromised.
- Patient data at risk following missing unencrypted CD - Jersey
City Medical Center (JCMC) patients are being notified that their
information may have been compromised after an unencrypted CD went
missing after being mailed.
- Hacked Canadian ISP leads to virtual currency theft - A hacker who
gained privileged access to a Canadian ISP's network hijacked net
traffic from foreign networks and stole more than $83,000 in virtual
- Subcontractor breach impacts more than 60K Tennessee workers -
More than 60,000 staffers who participated in Tennessee employee
health screenings are being notified that their personal information
may have been accessed by an unknown attacker that hacked into the
- Anonymous hacks Ferguson, Mo., police site for dispatch tapes -
The hacking collective publishes hours of alleged police dispatch
tapes on Twitter and YouTube from the day unarmed teenager Michael
Brown was shot to death by police in a St. Louis suburb.
- Vitamin seller website attacked, payment cards and other info
compromised - Anyone who made credit or debit card purchases on
TheNaturalOnline.com website between April 22 and July 17 may have
had their information compromised by an attacker who forced their
way into The Natural's computer system.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 1 of 2)
Vigilant management oversight is essential for the provision of
effective internal controls over e-banking activities. In addition
to the specific characteristics of the Internet distribution channel
discussed in the Introduction, the following aspects of e-banking
may pose considerable challenge to traditional risk management
1) Major elements of the delivery channel (the Internet and related
technologies) are outside of the bank's direct control.
2) The Internet facilitates delivery of services across multiple
national jurisdictions, including those not currently served by the
institution through physical locations.
3) The complexity of issues that are associated with e-banking and
that involve highly technical language and concepts are in many
cases outside the traditional experience of the Board and senior
In light of the unique characteristics of e-banking, new e-banking
projects that may have a significant impact on the bank's risk
profile and strategy should be reviewed by the Board of Directors
and senior management and undergo appropriate strategic and
cost/reward analysis. Without adequate up-front strategic review and
ongoing performance to plan assessments, banks are at risk of
underestimating the cost and/or overestimating the payback of their
In addition, the Board and senior management should ensure that the
bank does not enter into new e-banking businesses or adopt new
technologies unless it has the necessary expertise to provide
competent risk management oversight. Management and staff expertise
should be commensurate with the technical nature and complexity of
the bank's e-banking applications and underlying technologies.
Adequate expertise is essential regardless of whether the bank's
e-banking systems and services are managed in-house or outsourced to
third parties. Senior management oversight processes should operate
on a dynamic basis in order to effectively intervene and correct any
material e-banking systems problems or security breaches that may
occur. The increased reputational risk associated with e-banking
necessitates vigilant monitoring of systems operability and customer
satisfaction as well as appropriate incident reporting to the Board
and senior management.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
SOFTWARE DEVELOPMENT AND ACQUISITION
Financial institutions should develop security control requirements
for new systems, system revisions, or new system acquisitions.
Management will define the security control requirements based on
their risk assessment process evaluating the value of the
information at risk and the potential impact of unauthorized access
or damage. Based on the risks posed by the system, management may
use a defined methodology for determining security requirements,
such as ISO 15408, the Common Criteria. Management may also refer
to published, widely recognized industry standards as a baseline for
establishing their security requirements. A member of senior
management should document acceptance of the security requirements
for each new system or system acquisition, acceptance of tests
against the requirements, and approval for implementing in a
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Financial Institution Duties (Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.