R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

August 31, 2014

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

This newsletter is available for Android smartphones and tablets.  Go to the Market Store and search for yennik.

FYI - Military Companies Brace for Rules on Monitoring Hackers - Companies that do business with the Defense Department are bracing for new U.S. rules requiring them to report computer breaches to the Pentagon and give the government access to their networks to analyze the attacks. http://www.bloomberg.com/news/2014-08-13/military-companies-brace-for-rules-on-monitoring-hackers.html

FYI - Big Win for Amazon: First Provider Authorized to Handle Sensitive DOD Workloads in Cloud - Amazon Web Services has become the first commercial cloud provider authorized to handle the Defense Department’s most sensitive unclassified data. http://www.nextgov.com/cloud-computing/2014/08/big-win-amazon-first-provider-authorized-handle-sensitive-dod-workloads/92069/?oref=ng-HPtopstory

FYI - Most higher ed malware infections attributed to 'Flashback' - A security ratings firm found that Flashback – a trojan noted for infecting hundreds of thousands of Mac machines – was the most prevalent malware impacting institutions of higher education. http://www.scmagazine.com/study-most-higher-ed-malware-infections-attributed-to-flashback/article/367513/

FYI - US agencies to release cyberthreat info faster to healthcare industry - Representatives of the FBI and DHS say they're looking at ways to get more information into the hands of health-care providers - U.S government agencies will work to release cyberthreat information faster to the healthcare industry after a massive breach at hospital operator Community Health Systems, representatives of two agencies said. http://www.computerworld.com/s/article/9250579/US_agencies_to_release_cyberthreat_info_faster_to_healthcare_industry?taxonomyId=17

FYI - China plans new PC operating system in October - The Chinese Academy of Engineering has disclosed plans to release a new operating system for PCs as soon as October. http://www.bbc.com/news/technology-28928369

FYI - Cybersecurity's hiring crisis: A troubling trajectory - There is a severe -- and worsening -- shortage of information security professionals. Leading industry experts believe it predicts a grave outcome. http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032923/

FYI - NIST to sysadmins: clean up your SSH mess - NIST has taken a look at how companies use Secure Shell (SSH), and doesn't much like what it sees.

FYI - Organizations lack training, budget to thwart insider threats - The Edward Snowden leaks brought insider threats to the forefront of risks and challenges posed to organizations, but more than one year after the exemplary case enterprises still aren't equipped to handle such incidents, according to a recent study. http://www.scmagazine.com/study-organizations-lack-training-budget-to-thwart-insider-threats/article/367613/

FYI - Calif. passes law requiring smartphone kill switch technology - On Monday, California Governor Jerry Brown signed legislation requiring all smartphones sold in the state to include "kill switch" technology as an anti-theft measure. http://www.scmagazine.com/calif-passes-law-requiring-smartphone-kill-switch-technology/article/368084/


FYI - UPS announces breach impacting 51 U.S. locations - More than 50 of The UPS Store's U.S. locations were found to have malware on their computer systems, and in some cases, it's been present since mid-January. http://www.scmagazine.com/ups-announces-breach-impacting-51-us-locations/article/367257/

FYI - Heartbleed implicated in US hospital megahack - This time superbug has nothing to do with MRSA - The Heartbleed flaw is responsible for the high-impact US hospital hacking attack disclosed this week, an unnamed investigator told Bloomberg. http://www.theregister.co.uk/2014/08/20/heartbleed_chs_hospital_mega_breach_link/

FYI - JPMorgan Chase customers targeted in massive phishing campaign - Customers of JPMorgan Chase are the target of a massive multifaceted phishing campaign impacting mostly people in the U.S., according to a security firm. http://www.scmagazine.com/jpmorgan-chase-customers-targeted-in-massive-phishing-campaign/article/367615/

FYI - At least 25k gov't workers impacted by USIS data breach - The personal information of up to 25,000 government workers may be at risk after U.S. Investigations Services (USIS), a Falls Church, Va.-based firm that performs background checks, was breached. http://www.scmagazine.com/at-least-25k-govt-workers-impacted-by-usis-data-breach/article/367947/

FYI - South Korean data breach impacts 27 million - At least seventy percent of South Korea's population aged between 15 and 65 might have had their personal information exposed in a recent data breach. http://www.scmagazine.com/south-korean-data-breach-impacts-27-million/article/367859/

FYI - Los Angeles-based health system breached; more than 500 patients affected - Personal information on more than 500 Cedars-Sinai Health System patients was compromised in June after a laptop was stolen from an employee's home. http://www.scmagazine.com/los-angeles-based-health-system-breached-more-than-500-patients-affected/article/367974/

FYI - Attack targets auto industry firms in Europe - Attackers are sending emails containing a new information-stealing Trojan program to customer service departments, Symantec researchers said - Cybercriminals are using a new information-stealing malware program to target companies from the automobile industry in Europe, security researchers warned. http://www.computerworld.com/article/2598560/malware-vulnerabilities/attack-targets-auto-industry-firms-in-europe.html

FYI - Possible payment card breach at Dairy Queen stores - Several financial institutions are reporting payment card fraud activity on cards used at Dairy Queen, Brian Krebs reported on Tuesday, explaining cards were reportedly used at locations in Florida, Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee and Texas. http://www.scmagazine.com/possible-payment-card-breach-at-dairy-queen-stores/article/368412/

FYI - Backup hard drive stolen from law firm contained personal info - Law firm Imhoff and Associates, PC is notifying an undisclosed number of individuals that their personal information – including Social Security numbers – was on a backup hard drive that was stolen from the locked trunk of an employee's vehicle. http://www.scmagazine.com/backup-hard-drive-stolen-from-law-firm-contained-personal-info/article/368427/

FYI - JPMorgan bank could be hackers' latest victim - The FBI investigates a data breach into one of the world's largest banks that may have involved malware being deposited on an employee's personal computer.

FYI - Reported breaches involving zero-day bug at JPMorgan Chase, other banks - Citing an unnamed U.S. government official and other anonymous sources briefed by U.S. law enforcement, Bloomberg reported on Wednesday that JPMorgan Chase, as well as at least four other financial institutions, have been hacked. http://www.scmagazine.com/reported-breaches-involving-zero-day-bug-at-jpmorgan-chase-other-banks/article/368690/

FYI - Chinese national had access to data on 5M Arizona drivers, possible breach goes undisclosed - A Chinese national had access in 2007 to law enforcement, intelligence and drivers license databases, including the personal information of up to 5 million Arizona drivers, and the case's details have remained hidden until now, according to a new investigative piece from ProPublica and the Center for Investigative Reporting. http://www.scmagazine.com/chinese-national-had-access-to-data-on-5m-arizona-drivers-possible-breach-goes-undisclosed/article/368682/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Board and Management Oversight - Principle 2: The Board of Directors and senior management should review and approve the key aspects of the bank's security control process. 

The Board of Directors and senior management should oversee the development and continued maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. This should include establishing appropriate authorization privileges, logical and physical access controls, and adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities.

Safeguarding of bank assets is one of the Board's fiduciary duties and one of senior management's fundamental responsibilities. However, it is a challenging task in a rapidly evolving e-banking environment because of the complex security risks associated with operating over the public Internet network and using innovative technology.

To ensure proper security controls for e-banking activities, the Board and senior management need to ascertain whether the bank has a comprehensive security process, including policies and procedures, that addresses potential internal and external security threats both in terms of incident prevention and response. Key elements of an effective e-banking security process include: 

1) Assignment of explicit management/staff responsibility for overseeing the establishment and maintenance of corporate security policies.

2) Sufficient physical controls to prevent unauthorized physical access to the computing environment.

3) Sufficient logical controls and monitoring processes to prevent unauthorized internal and external access to e-banking applications and databases.

4) Regular review and testing of security measures and controls, including the continuous tracking of current industry security developments and installation of appropriate software upgrades, service packs and other required measures.

We continue our series on the FFIEC interagency Information Security Booklet.  


Development and Support

Development and support activities should ensure that new software and software changes do not compromise security. Financial institutions should have an effective application and system change control process for developing, implementing, and testing changes to internally developed software and purchased software. Weak change control procedures can corrupt applications and introduce new security vulnerabilities. Change control considerations relating to security include the following:

! Restricting changes to authorized users,
! Reviewing the impact changes will have on security controls,
! Identifying all system components that are impacted by the changes,
! Ensuring the application or system owner has authorized changes in advance,
! Maintaining strict version control of all software updates, and
! Maintaining an audit trail of all changes.

Changes to operating systems may degrade the efficiency and effectiveness of applications that rely on the operating system for interfaces to the network, other applications, or data. Generally, management should implement an operating system change control process similar to the change control process used for application changes. In addition, management should review application systems following operating system changes to protect against a potential compromise of security or operational integrity.

When creating and maintaining software, separate software libraries should be used to assist in enforcing access controls and segregation of duties. Typically, separate libraries exist for development, test, and production.
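The change-control points listed above (authorized users only, owner approval in advance, strict version control, an audit trail) and the separate test and production libraries come together at the moment a build is promoted into production.  The following is an added example, not code from the FFIEC booklet or from any institution: a promotion gate that refuses a change unless it was approved in advance by an authorized application owner who is not the developer, and unless the bytes in the test library are exactly the build that was tested, while writing every attempt to an audit log.  The library layout, the approver names, the change-request fields and the sample builds are all constructed for illustration.

```python
"""Promotion gate between a test library and a production library.

Added example: enforces the change-control points above.  The field names,
approver list and sample artifacts are assumptions made for this illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Library:
    """One software library (development, test or production)."""
    name: str
    artifacts: dict = field(default_factory=dict)  # path -> build bytes
    versions: dict = field(default_factory=dict)   # path -> version number


@dataclass
class ChangeRequest:
    change_id: str
    path: str
    requested_by: str
    approved_by: Optional[str]
    approved_at: Optional[datetime]
    tested_digest: str  # sha256 of the build that passed testing


# Application owners allowed to authorize production changes (assumed names).
AUTHORIZED_APPROVERS = {"app-owner-jsmith", "app-owner-mlee"}


def promote(change: ChangeRequest, test_lib: Library, prod_lib: Library,
            promoted_by: str, now: datetime, audit_log: list) -> tuple:
    """Copy a tested build into production only if every control is satisfied.

    Returns (ok, reason).  Every attempt, accepted or rejected, is appended to
    audit_log with the production digest before and after the attempt.
    """
    def record(ok: bool, reason: str, before: Optional[str], after: Optional[str]):
        audit_log.append({
            "change_id": change.change_id, "path": change.path, "at": now.isoformat(),
            "requested_by": change.requested_by, "approved_by": change.approved_by,
            "promoted_by": promoted_by, "ok": ok, "reason": reason,
            "digest_before": before, "digest_after": after,
        })
        return ok, reason

    before = digest(prod_lib.artifacts[change.path]) if change.path in prod_lib.artifacts else None

    # The application owner must have authorized the change in advance.
    if change.approved_by is None or change.approved_at is None:
        return record(False, "no recorded approval", before, None)
    if change.approved_at > now:
        return record(False, "approval postdates promotion", before, None)
    # Changes are restricted to authorized approvers.
    if change.approved_by not in AUTHORIZED_APPROVERS:
        return record(False, f"{change.approved_by} is not an authorized approver", before, None)
    # Segregation of duties: the requester may neither approve nor deploy the change.
    if change.requested_by in (change.approved_by, promoted_by):
        return record(False, "requester cannot approve or promote own change", before, None)
    # Version control: promote exactly the bytes that were tested, nothing edited since.
    build = test_lib.artifacts.get(change.path)
    if build is None:
        return record(False, "build not present in test library", before, None)
    if digest(build) != change.tested_digest:
        return record(False, "test library build differs from the tested digest", before, None)

    prod_lib.artifacts[change.path] = build
    prod_lib.versions[change.path] = prod_lib.versions.get(change.path, 0) + 1
    return record(True, f"promoted as version {prod_lib.versions[change.path]}", before, digest(build))


def run_sample() -> dict:
    """Constructed sample: one valid change and three that each violate one control."""
    test_lib = Library("test", {"transfer.py": b"def transfer(): ...  # v2, tested\n"})
    prod_lib = Library("production", {"transfer.py": b"def transfer(): ...  # v1\n"},
                       {"transfer.py": 1})
    tested = digest(test_lib.artifacts["transfer.py"])
    now = datetime(2014, 8, 31, 9, 0, tzinfo=timezone.utc)
    earlier = now - timedelta(days=1)
    audit_log: list = []
    changes = {
        "ok": ChangeRequest("CR-101", "transfer.py", "dev-alice", "app-owner-jsmith", earlier, tested),
        "self_approved": ChangeRequest("CR-102", "transfer.py", "app-owner-jsmith",
                                       "app-owner-jsmith", earlier, tested),
        "unauthorized": ChangeRequest("CR-103", "transfer.py", "dev-bob", "contractor-x", earlier, tested),
        "tampered": ChangeRequest("CR-104", "transfer.py", "dev-bob", "app-owner-mlee",
                                  earlier, digest(b"something edited after testing")),
    }
    results = {name: promote(c, test_lib, prod_lib, "release-mgr", now, audit_log)
               for name, c in changes.items()}
    results["audit_entries"] = len(audit_log)
    results["prod_version"] = prod_lib.versions["transfer.py"]
    return results


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(name, value)
```

The digest comparison is what ties the separate libraries to version control: a developer who edits the build after it passed testing cannot push that edit through, because the bytes in the test library no longer match the digest recorded on the approved change request.  The audit log records rejected attempts as well as successful ones, which is what an examiner will want to see when reviewing the change-control process.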


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Other Matters

Fair Credit Reporting Act

The regulations do not modify, limit, or supersede the operation of the Fair Credit Reporting Act.

State Law

The regulations do not supersede, alter, or affect any state statute, regulation, order, or interpretation, except to the extent that it is inconsistent with the regulations. A state statute, regulation, order, etc. is consistent with the regulations if the protection it affords any consumer is greater than the protection provided under the regulations, as determined by the FTC.

Grandfathered Service Contracts

Contracts that a financial institution has entered into, on or before July 1, 2000, with a nonaffiliated third party to perform services for the financial institution or functions on its behalf, as described in section 13, will satisfy the confidentiality requirements of section 13(a)(1)(ii) until July 1, 2002, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information.

Guidelines Regarding Protecting Customer Information

The regulations require a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution's policies.

The four federal bank and thrift regulators have published guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley Act, that address steps a financial institution should take in order to protect customer information. The guidelines relate only to information about customers, rather than all consumers. Compliance examiners should consider the findings of a 501(b) inspection during the compliance examination of a financial institution for purposes of evaluating the accuracy of the institution's disclosure regarding data security.

Next week we will start covering the examination objectives.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated