- Phishing attacks explode and executives are taking the bait -
Phishing attacks are growing off the chart, and while we're not
surprised by the numbers of attacks we are seeing, the dirty little
secret chief security officers don't want to talk about is that the
executive team may be the ones putting the company at risk.
- Changing IP address to access public website ruled violation of US
law - Changing your IP address or using proxy servers to access
public websites you've been forbidden to visit is a violation of the
Computer Fraud and Abuse Act (CFAA), a judge ruled Friday in a case
involving Craigslist and 3taps.
- Insurer to Schnucks: We won't pay for lawsuits related to your
breach - The insurer for Midwestern supermarket chain Schnucks,
whose systems were hacked last winter to steal 2.4 million credit
card numbers, is claiming in court that the grocer's policy doesn't
cover the cost of lawsuits arising from the breach.
- An ongoing debate: Certification or degree? - There's an ongoing
debate in the IT field about whether or not you need certifications
or degrees to advance in your career. Frankly, it would be easier to
answer the chicken and egg problem! Most of the time people will
answer “it depends.”
- GAO - Army Networks: Opportunities Exist to Better Utilize Results
from Network Integration Evaluations.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Washington Post, CNN and Time websites hit by pro-Assad hackers -
Websites belonging to the Washington Post, CNN, and Time magazine
have been attacked by supporters of Syrian President Bashar
- U.S. defense contractor sustains data breach - Employees for and
applicants to the linguist program of Virginia-based defense
contractor Northrop Grumman may have had their sensitive information
compromised when a database was accessed by an unauthorized party.
- ‘Maintenance Update,’ Not Hackers, Felled NY Times - The New York
Times’ website and corporate email went down sporadically earlier
today, fueling widespread speculation the newspaper of record might
have been hacked or went offline for traffic-congestion reasons.
- Several thousand students and staffers affected in Ferris State
breach - Tens of thousands of staffers and students may have had
their personal information compromised after an unauthorized person
dodged network security and gained access to a database at Ferris
State University in Michigan.
- Department of Energy data breach affects thousands - A number of
current and past employees at the U.S. Department of Energy (DOE)
are being notified in letters that an unauthorized party gained
access to their personally identifiable information (PII) on the
- Officials investigate scope of Emory University breach - Health
information and Social Security numbers are among data that may have
been compromised for faculty, staff and students in a data breach at
Emory University in Atlanta.
- Prison Computer ‘Glitch’ Blamed for Opening Cell Doors in
Maximum-Security Wing - Florida prison officials say a computer
“glitch” may be to blame for opening all of the doors at a maximum
security wing simultaneously, setting prisoners free and allowing
gang members to pursue a rival with weapons.
- Fraudsters target "wire payment switch" at banks to steal millions
- Instead of targeting the bank accounts of individuals or
organizations, criminals recently took over the wire payment switch
at several U.S. banks to steal millions from their choice of
accounts, according to a security analyst.
- Syrian Electronic Army attacks several sites for the price of one
- It only took one attack last week, but it was enough to allow the
Syrian Electronic Army (SEA) to compromise The Washington Post, CNN
- Employee fired for stealing external hard drive containing patient
data - An external hard drive containing personal medical information
on thousands of patients was stolen by a former employee of the
North Texas Comprehensive Spine and Pain Center in Sherman.
- Cybercrooks use DDoS attacks to mask theft of banks' millions -
Analyst says three unidentified US banks have been hit with "low
powered" DDoS attacks to cover fraudulent wire transfers.
- League of Legends is hacked, with crucial user info accessed - One
of the world's most popular online video games falls prey to a
security breach involving usernames, e-mail addresses, salted
passwords, and 120,000 salted credit card numbers.
WEB SITE COMPLIANCE -
We finish our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
it maintains certain minimum information security standards at all
When a financial institution subcontracts weblinking arrangements to
a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (2 of 2)
particular approach should consider: (1) policies, standards, and
procedures; (2) technology and architecture; (3) resource
dedication; (4) training; and (5) testing.
For example, an institution's management may be assessing the proper
strategic approach to intrusion detection for an Internet
environment. Two potential approaches were identified for
evaluation. The first approach uses a combination of network and
host intrusion detection sensors with a staffed monitoring center.
The second approach consists of daily access log review. The former
alternative is judged much more capable of detecting an attack in
time to minimize any damage to the institution and its data, albeit
at a much greater cost. The added cost is entirely appropriate when
customer data and institution processing capabilities are exposed to
an attack, such as in an Internet banking environment. The latter
approach may be appropriate when the primary risk is reputational
damage, such as when the only information being protected is an
information-only Web site, and the Web site is not connected to
other financial institution systems.
Strategies should consider the layering of controls. Excessive
reliance on a single control could create a false sense of
confidence. For example, a financial institution that depends solely
on a firewall can still be subject to numerous attack methodologies
that exploit authorized network traffic. Financial institutions
should design multiple layers of security controls and testing to
establish several lines of defense between the attacker and the
asset being attacked. To successfully attack the data, each layer
must be penetrated. With each penetration, the probability of
detecting the attacker increases.
Policies are the primary embodiment of strategy, guiding decisions
made by users, administrators, and managers, and informing those
individuals of their security responsibilities. Policies also
specify the mechanisms through which responsibilities can be met,
and provide guidance in acquiring, configuring, and auditing
information systems. Key actions that contribute to the success of a
security policy are:
1) Implementing through ordinary means, such as system
administration procedures and acceptable-use policies;
2) Enforcing policy through security tools and sanctions;
3) Delineating the areas of responsibility for users,
administrators, and managers;
4) Communicating in a clear, understandable manner to all
5) Obtaining employee certification that they have read and
understood the policy;
6) Providing flexibility to address changes in the
7) Conducting annually a review and approval by the board of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
(Part 1 of 2)
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 1 of 2)
a) the categories of nonpublic personal information that the
institution collects; [§6(a)(1)]
b) the categories of nonpublic personal information that the
institution discloses; [§6(a)(2)]
c) the categories of affiliates and nonaffiliated third
parties to whom the institution discloses nonpublic personal
information, other than parties to whom information is disclosed
under an exception in §14 or §15; [§6(a)(3)]
d) the categories of nonpublic personal information disclosed
about former customers, and the categories of affiliates and
nonaffiliated third parties to whom the institution discloses that
information, other than those parties to whom the institution
discloses information under an exception in §14 or §15; [§6(a)(4)]