REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- AT&T Hit by DDoS Attack, Suffers DNS Outage - A distributed
denial-of-service attack aimed at AT&T's DNS (Domain Name System)
servers has disrupted data traffic for some of the company's
- Appeals Court OKs Warrantless, Real-Time Mobile Phone Tracking - A
federal appeals court on Wednesday said the authorities do not need
a probable-cause warrant to track a suspect’s every move via GPS
signals from a suspect’s mobile phone.
- ACLU sues for FBI GPS tracking guidelines - The American Civil
Liberties Union is taking the Justice Department to court over the
Federal Bureau of Investigation's most recent policies for using
global positioning systems to track people.
- New NIST encryption guidelines may force agencies to replace old
websites - Next month the National Institute of Standards and
Technology (NIST) plans to put out for public review its draft for a
new government encryption standard that, when finalized, is going to
compel federal agencies with older websites to replace them.
- Can YOU crack the Gauss uber-virus encryption? - Appeal for help
to break open hidden scrambled payload - Antivirus experts have
called on cryptographers and other clever bods for help after
admitting they are no closer to figuring out the main purpose of the
newly discovered Gauss supervirus.
- NIST seeks vulnerability analysis for military Android apps - The
National Institute of Standards and Technology is seeking
vulnerability analysis and security scanning for the Pentagon’s
Android software applications, according to a solicitation posted
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Jailed man narrowly escapes fatal error in electronic health
record - In one of a series of alleged errors by a county jail’s new
electronic health record system, the EHR recommended what could have
been a fatal dose of medication for a heart patient, the jail’s
nurses said this week.
- Data-wiping Shamoon targeting Middle East energy sector -
Researchers are warning of the latest advanced cyber threat, Shamoon,
which has targeted at least one energy company in the Middle East.
- ICO to investigate Tesco following data security claims - The
Information Commissioner's Office (ICO) is to investigate Tesco
after research revealed failings in the retail giant's security.
- 500K Credit Cards Stolen in Australian Point-of-Sale Hack - Police
in Australia are investigating a breach of half a million credit
card numbers that reports say was conducted by the same gang that
struck the Subway restaurant chain in the United States.
- University of South Carolina web server hacked by overseas
attackers - The University of South Carolina (USC) in Columbia
announced Tuesday that its College of Education's web server was
hacked – a discovery made in June by school officials.
- MD Anderson sustains second security breach this year - An
employee of the University of Texas MD Anderson Cancer Center lost a
thumb drive, potentially exposing unencrypted medical and personal
information of patients.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Practices for Managing Outsourced E-Banking Systems
(Part 2 of 3)
3. Banks should adopt appropriate procedures for ensuring the
adequacy of contracts governing e-banking. Contracts governing
outsourced e-banking activities should address, for example, the
a) The contractual liabilities of the respective parties as well as
responsibilities for making decisions, including any sub-contracting
of material services are clearly defined.
b) Responsibilities for providing information to and receiving
information from the service provider are clearly defined.
Information from the service provider should be timely and
comprehensive enough to allow the bank to adequately assess service
levels and risks. Materiality thresholds and procedures to be used
to notify the bank of service disruptions, security breaches and
other events that pose a material risk to the bank should be spelled
c) Provisions that specifically address insurance coverage, the
ownership of the data stored on the service provider's servers or
databases, and the right of the bank to recover its data upon
expiration or termination of the contract should be clearly defined.
d) Performance expectations, under both normal and contingency
circumstances, are defined.
e) Adequate means and guarantees, for instance through audit
clauses, are defined to ensure that the service provider complies
with the bank's policies.
f) Provisions are in place for timely and orderly intervention and
rectification in the event of substandard performance by the service
g) For cross-border outsourcing arrangements, determining which
country laws and regulations, including those relating to privacy
and other customer protections, are applicable.
h) The right of the bank to conduct independent reviews and/or
audits of security, internal controls and business continuity and
contingency plans is explicitly defined.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY TESTING - KEY FACTORS
Management is responsible for considering the following key factors
in developing and implementing independent diagnostic tests:
Personnel. Technical testing is frequently only as good as
the personnel performing and supervising the test. Management is
responsible for reviewing the qualifications of the testing
personnel to satisfy themselves that the capabilities of the testing
personnel are adequate to support the test objectives.
Scope. The tests and methods utilized should be sufficient to
validate the effectiveness of the security process in identifying
and appropriately controlling security risks.
Notifications. Management is responsible for considering whom
to inform within the institution about the timing and nature of the
tests. The need for protection of institution systems and the
potential for disruptive false alarms must be balanced against the
need to test personnel reactions to unexpected activities.
Controls Over Testing. Certain testing can adversely affect
data integrity, confidentiality, and availability. Management is
expected to limit those risks by appropriately crafting test
protocols. Examples of issues to address include the specific
systems to be tested, threats to be simulated, testing times, the
extent of security compromise allowed, situations in which testing
will be suspended, and the logging of test activity. Management is
responsible for exercising oversight commensurate with the risk
posed by the testing.
Frequency. The frequency of testing should be determined by
the institution's risk assessment. High-risk systems should be
subject to an independent diagnostic test at least once a
year. Additionally, firewall policies and other policies addressing
access control between the financial institution's network and other
networks should be audited and verified at least quarterly. Factors
that may increase the frequency of testing include the extent of
changes to network configuration, significant changes in potential
attacker profiles and techniques, and the results of other testing.
(FYI - This is exactly
the type of independent diagnostic testing that the VISTA pen-test
study covers. Please refer to
http://www.internetbankingaudits.com/ for information.)
Proxy Testing. Independent diagnostic testing of a proxy
system is generally not effective in validating the effectiveness of
a security process. Proxy testing, by its nature, does not test the
operational system's policies and procedures, or its integration
with other systems. It also does not test the reaction of personnel
to unusual events. Proxy testing may be the best choice, however,
when management is unable to test the operational system without
creating excessive risk.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and
b. the institution has provided the consumer with a new opt out
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information;
d. the consumer has not opted out? [§8(a)(4)]