R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 17, 2014

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - Black Hat talk of incident response, trends - In his Black Hat 2014 session entitled “The State of Incident Response,” security guru Bruce Schneier, CTO of Co3 Systems, Inc., said that hackers will invariably breach networks, but it is what comes next that really matters. http://www.scmagazine.com/black-hat-bruce-schneier-talks-incident-response-trends/article/

FYI - Tennessee company sues its bank for cyberheist losses - A Tennessee-based electrical company has sued its bank following a cyberheist that stole $327,804 from the firm. http://www.scmagazine.com/tennessee-company-sues-its-bank-for-cyberheist-losses/article/366117/

FYI - ICO ‘sounds the alarm’ over legal profession's shoddy data-handling - The Information Commissioner's Office (ICO) has voiced its concern with a spate of data-protection blunders in the legal profession, warning barristers and solicitors they face fines as high as £500,000 if they put their clients' data at risk. http://www.v3.co.uk/v3-uk/news/2358882/ico-sounds-the-alarm-over-legal-professions-shoddy-data-handlingb

FYI - Airport security equipment at risk - While the Transportation Safety Administration and the Department of Homeland Security are very exacting in the specifications that airport security equipment must meet, x-ray machines, trace detection scanners, time and attendance clocks and the like all have backdoors and other vulnerabilities that can be exploited. http://www.scmagazine.com/black-hat-airport-security-equipment-at-risk/article/365044/

FYI - U.S. court rules in favor of providing officials access to entire email account - The federal court had earlier ruled that such a warrant would provide too much information to law enforcement - A federal judge ruled Friday that providing law enforcement with access to an entire email account in an investigation did not violate the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable searches and seizures of property. http://www.computerworld.com/s/article/9250281/U.S._court_rules_in_favor_of_providing_officials_access_to_entire_email_account?taxonomyId=17

FYI - Anonymous wifi the latest casualty of Russia net neurosis - Ruskies must provide mobile phone numbers to surf Starbucks - Russians will be required to hand over their passport-validated phone numbers to access public wireless networks under new laws. http://www.theregister.co.uk/2014/08/11/anonymous_wifi_the_latest_casualty_of_russia_net_neurosis/

FYI - Schnucks reaches data breach settlement - Schnuck Markets (Schnucks) has settled lawsuits resulting from a 2013 data breach, agreeing to pay customers for “documented lost time,” fraudulent charges and “extraordinary unreimbursed monetary losses” likely resulting from the breach. http://www.scmagazine.com/schnucks-reaches-data-breach-settlement/article/365874/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Breach of USIS believed to be state-sponsored, DHS reportedly impacted - A provider of information and security services to government agencies and commercial enterprises, including the Department of Homeland Security (DHS) and Office of Personnel Management (OPM), has been breached. http://www.scmagazine.com/breach-of-usis-believed-to-be-state-sponsored-dhs-reportedly-impacted/article/365193/

FYI - Russian hackers steal 1.2 billion web passwords - Russian hackers have amassed a huge trove of 1.2 billion web users’ emails and passwords, having successfully breached scores of websites to steal data. http://www.v3.co.uk/v3-uk/news/2358987/russian-hackers-steal-12-billion-web-passwords

FYI - Government spyware exposed after massive data breach - Gamma International Ltd - an Anglo-German company that makes and sells FinFisher spyware to various European, American and Asia Pacific governments and law enforcement agencies - has been hit by a big data breach, revealing hundreds of confidential documents. http://www.scmagazineuk.com/government-spyware-exposed-after-massive-data-breach/article/365047/

FYI - US contractor firm that vetted Snowden suffers major breach; data likely snatched - A major contractor of the US Dept. of Homeland Security suffers a major breach, months after it was accused of faking hundreds of thousands of background checks. A contractor working for the US Dept. of Homeland Security has suffered a data breach, which likely led to the leak of personal employee information. http://www.zdnet.com/us-contractor-firm-that-vetted-snowden-suffers-major-breach-data-likely-snatched-7000032397/

FYI - Payment cards used on Wireless Emporium website compromised by malware - After malware was discovered on the wirelessemporium.com computer server, the company began notifying an undisclosed number of individuals that their personal information - including payment card data - might have been compromised. http://www.scmagazine.com/payment-cards-used-on-wireless-emporium-website-compromised-by-malware/article/364686/

FYI - Patient data at risk following missing unencrypted CD - Jersey City Medical Center (JCMC) patients are being notified that their information may have been compromised after an unencrypted CD went missing after being mailed. http://www.scmagazine.com/patient-data-at-risk-following-missing-unencrypted-cd/article/365919/

FYI - Hacked Canadian ISP leads to virtual currency theft - A hacker who gained privileged access to a Canadian ISP's network hijacked net traffic from foreign networks and stole more than $83,000 in virtual currency. http://www.scmagazine.com/hacked-canadian-isp-leads-to-virtual-currency-theft/article/365898/

FYI - Subcontractor breach impacts more than 60K Tennessee workers - More than 60,000 staffers who participated in Tennessee employee health screenings are being notified that their personal information may have been accessed by an unknown attacker that hacked into the computer system. http://www.scmagazine.com/subcontractor-breach-impacts-more-than-60k-tennessee-workers/article/366142/

FYI - Anonymous hacks Ferguson, Mo., police site for dispatch tapes - The hacking collective publishes hours of alleged police dispatch tapes on Twitter and YouTube from the day unarmed teenager Michael Brown was shot to death by police in a St. Louis suburb. http://www.cnet.com/news/anonymous-hacks-into-ferguson-police-site-for-dispatch-tapes/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Vitamin seller website attacked, payment cards and other info compromised - Anyone who made credit or debit card purchases on TheNaturalOnline.com website between April 22 and July 17 may have had their information compromised by an attacker who forced their way into The Natural's computer system. http://www.scmagazine.com/vitamin-seller-website-attacked-payment-cards-and-other-info-compromised/article/366314/


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 1: The Board of Directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks. (Part 1 of 2)

Vigilant management oversight is essential for the provision of effective internal controls over e-banking activities. In addition to the specific characteristics of the Internet distribution channel discussed in the Introduction, the following aspects of e-banking may pose considerable challenges to traditional risk management processes:

1) Major elements of the delivery channel (the Internet and related technologies) are outside of the bank's direct control.

2) The Internet facilitates delivery of services across multiple national jurisdictions, including those not currently served by the institution through physical locations.

3) The complexity of the issues associated with e-banking, which involve highly technical language and concepts, is in many cases outside the traditional experience of the Board and senior management.

In light of the unique characteristics of e-banking, new e-banking projects that may have a significant impact on the bank's risk profile and strategy should be reviewed by the Board of Directors and senior management and undergo appropriate strategic and cost/reward analysis. Without adequate up-front strategic review and ongoing performance-to-plan assessments, banks are at risk of underestimating the cost and/or overestimating the payback of their e-banking initiatives.

In addition, the Board and senior management should ensure that the bank does not enter into new e-banking businesses or adopt new technologies unless it has the necessary expertise to provide competent risk management oversight. Management and staff expertise should be commensurate with the technical nature and complexity of the bank's e-banking applications and underlying technologies. Adequate expertise is essential regardless of whether the bank's e-banking systems and services are managed in-house or outsourced to third parties. Senior management oversight processes should operate on a dynamic basis in order to effectively intervene and correct any material e-banking systems problems or security breaches that may occur. The increased reputational risk associated with e-banking necessitates vigilant monitoring of systems operability and customer satisfaction as well as appropriate incident reporting to the Board and senior management.

INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE

Financial institution system development, acquisition, and maintenance functions should incorporate agreed upon security controls into software prior to development and implementation. Management should integrate consideration of security controls into each phase of the system development process. For the purposes of this section, system development could include the internal development of customized systems, the creation of database systems, or the acquisition of third-party developed software. System development could include long-term projects related to large mainframe-based software projects with legacy source code or rapid Web-based software projects using fourth-generation programming. In all cases, institutions need to prioritize security controls appropriately.

SOFTWARE DEVELOPMENT AND ACQUISITION

Security Requirements

Financial institutions should develop security control requirements for new systems, system revisions, or new system acquisitions. Management will define the security control requirements based on their risk assessment process, evaluating the value of the information at risk and the potential impact of unauthorized access or damage. Based on the risks posed by the system, management may use a defined methodology for determining security requirements, such as ISO 15408, the Common Criteria. Management may also refer to published, widely recognized industry standards as a baseline for establishing their security requirements. A member of senior management should document acceptance of the security requirements for each new system or system acquisition, acceptance of tests against the requirements, and approval for implementing in a production environment.

Development projects should consider automated controls for incorporation into the application and the need to determine supporting manual controls. Financial institutions can implement appropriate security controls with greater cost effectiveness by designing them into the original software rather than making subsequent changes after implementation. When evaluating purchased software, financial institutions should consider the availability of products that have either been independently evaluated or received security accreditation through financial institution or information technology-related industry groups.


INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 5 of 6)

Limitations on Disclosure of Account Numbers:

A financial institution must not disclose an account number or similar form of access number or access code for a credit card, deposit, or transaction account to any nonaffiliated third party (other than a consumer reporting agency) for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

The disclosure of encrypted account numbers without an accompanying means of decryption, however, is not subject to this prohibition. The regulation also expressly allows disclosures by a financial institution to its agent to market the institution's own products or services (although the financial institution must not authorize the agent to directly initiate charges to the customer's account). Also not barred are disclosures to participants in private-label or affinity card programs, where the participants are identified to the customer when the customer enters the program.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
