REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
Military Companies Brace for Rules on Monitoring Hackers -
Companies that do business with the Defense Department are bracing
for new U.S. rules requiring them to report computer breaches to the
Pentagon and give the government access to their networks to analyze
Big Win for Amazon: First Provider Authorized to Handle Sensitive
DOD Workloads in Cloud - Amazon Web Services has become the first
commercial cloud provider authorized to handle the Defense
Department’s most sensitive unclassified data.
Most higher ed malware infections attributed to 'Flashback' - A
security ratings firm found that Flashback – a trojan noted for
infecting hundreds of thousands of Mac machines – was the most
prevalent malware impacting institutions of higher education.
US agencies to release cyberthreat info faster to healthcare
industry - Representatives of the FBI and DHS say they're looking at
ways to get more information into the hands of health-care providers
- U.S. government agencies will work to release cyberthreat
information faster to the healthcare industry after a massive breach
at hospital operator Community Health Systems, representatives of
two agencies said.
China plans new PC operating system in October - The Chinese Academy
of Engineering has disclosed plans to release a new operating system
for PCs as soon as October.
Cybersecurity's hiring crisis: A troubling trajectory - There is a
severe -- and worsening -- shortage of information security
professionals. Leading industry experts believe it predicts a grave
NIST to sysadmins: clean up your SSH mess - NIST has taken a look at
how companies use Secure Shell (SSH), and doesn't much like what it
Organizations lack training, budget to thwart insider threats - The
Edward Snowden leaks brought insider threats to the forefront of
risks and challenges posed to organizations, but more than one year
after the exemplary case enterprises still aren't equipped to handle
such incidents, according to a recent study.
Calif. passes law requiring smartphone kill switch technology - On
Monday, California Governor Jerry Brown signed legislation
requiring all smartphones sold in the state to include “kill switch”
technology as an anti-theft measure.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
UPS announces breach impacting 51 U.S. locations - More than 50 of
The UPS Store's U.S. locations were found to have malware on their
computer systems, and in some cases, it's been present since
Heartbleed implicated in US hospital megahack - This time superbug
has nothing to do with MRSA - The Heartbleed flaw is responsible for
the high-impact US hospital hacking attack disclosed this week, an
unnamed investigator told Bloomberg.
JPMorgan Chase customers targeted in massive phishing campaign -
Customers of JPMorgan Chase are the target of a massive multifaceted
phishing campaign impacting mostly people in the U.S., according to
a security firm.
At least 25k gov't workers impacted by USIS data breach - The
personal information of up to 25,000 government workers may be at
risk after U.S. Investigations Services (USIS), a Falls Church,
Va.-based firm that performs background checks, was breached.
South Korean data breach impacts 27 million - At least seventy
percent of South Korea's population aged between 15 and 65 might
have had their personal information exposed in a recent data breach.
Los Angeles-based health system breached; more than 500 patients
affected - Personal information on more than 500 Cedars-Sinai Health
System patients was compromised in June after a laptop was stolen
from an employee's home.
Attack targets auto industry firms in Europe - Attackers are sending
emails containing a new information-stealing Trojan program to
customer service departments, Symantec researchers said -
Cybercriminals are using a new information-stealing malware program
to target companies from the automobile industry in Europe, security
Possible payment card breach at Dairy Queen stores - Several
financial institutions are reporting payment card fraud activity on
cards used at Dairy Queen, Brian Krebs reported on Tuesday,
explaining cards were reportedly used at locations in Florida,
Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee and Texas.
Backup hard drive stolen from law firm contained personal info -
Law firm Imhoff and Associates, PC is notifying an undisclosed
number of individuals that their personal information – including
Social Security numbers – was on a backup hard drive that was stolen
from the locked trunk of an employee's vehicle.
JPMorgan bank could be hackers' latest victim - The FBI
investigates a data breach into one of the world's largest banks
that may have involved malware being deposited on an employee's
Reported breaches involving zero-day bug at JPMorgan Chase, other
banks - Citing an unnamed U.S. government official and other
anonymous sources briefed by U.S. law enforcement, Bloomberg
reported on Wednesday that JPMorgan Chase, as well as at least four
other financial institutions, have been hacked.
Chinese national had access to data on 5M Arizona drivers,
possible breach goes undisclosed - A Chinese national had access in
2007 to law enforcement, intelligence and drivers license databases,
including the personal information of up to 5 million Arizona
drivers, and the case's details have remained hidden until now,
according to a new investigative piece from ProPublica and the
Center for Investigative Reporting.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight -
Principle 2: The Board of Directors and senior management should
review and approve the key aspects of the bank's security control
The Board of Directors and senior management should oversee
the development and continued maintenance of a security control
infrastructure that properly safeguards e-banking systems and data
from both internal and external threats. This should include
establishing appropriate authorization privileges, logical and
physical access controls, and adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary duties
and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to prevent
unauthorized internal and external access to e-banking applications
4) Regular review and testing of security measures and controls,
including the continuous tracking of current industry security
developments and installation of appropriate software upgrades,
service packs and other required measures.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Development and Support
Development and support activities should ensure that new software
and software changes do not compromise security. Financial
institutions should have an effective application and system change
control process for developing, implementing, and testing changes to
internally developed software and purchased software. Weak change
control procedures can corrupt applications and introduce new
security vulnerabilities. Change control considerations relating to
security include the following:
- Restricting changes to authorized users,
- Reviewing the impact changes will have on security controls,
- Identifying all system components that are impacted by the
- Ensuring the application or system owner has authorized changes in
- Maintaining strict version control of all software updates, and
- Maintaining an audit trail of all changes.
Changes to operating systems may degrade the efficiency and
effectiveness of applications that rely on the operating system for
interfaces to the network, other applications, or data. Generally,
management should implement an operating system change control
process similar to the change control process used for application
changes. In addition, management should review application systems
following operating system changes to protect against a potential
compromise of security or operational integrity.
When creating and maintaining software, separate software libraries
should be used to assist in enforcing access controls and
segregation of duties. Typically, separate libraries exist for
development, test, and production.
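The change control considerations above (authorized users only, owner authorization, strict version control, an audit trail of every change) and the separate development, test and production libraries can be expressed as a small gating process. The following Python module is an added illustration written for this newsletter; it is not taken from the FFIEC booklet and implements no particular vendor's tooling. All names (the developer, owner and release accounts, the component name, the change id) and the three library names are constructed for the example. The audit trail is hash-chained so that a later edit or deletion of an entry is detectable, which is one practical way to make "maintaining an audit trail of all changes" verifiable rather than merely present.

```python
"""Minimal change-control gate modelled on the FFIEC considerations.
Added example; all accounts, components and ids are constructed."""
import hashlib
import json
from dataclasses import dataclass, field

# Separate libraries, promoted in this order (constructed for the example).
LIBRARIES = ("development", "test", "production")


class ChangeControlError(Exception):
    """Raised when a change would violate the control process."""


@dataclass
class Change:
    change_id: str
    component: str          # system component the change touches
    requested_by: str
    description: str
    version: int = 0        # assigned at submission
    approved_by: str = ""   # set by the component owner
    library: str = LIBRARIES[0]


@dataclass
class ChangeControl:
    authorized_developers: set
    owners: dict                                   # component -> owner who must approve
    versions: dict = field(default_factory=dict)   # (component, library) -> version
    audit_trail: list = field(default_factory=list)

    @staticmethod
    def _digest(entry):
        # Hash every field except the chained digest itself, in a stable order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, action, change, actor):
        # Each entry commits to the previous one, forming a tamper-evident chain.
        prev = self.audit_trail[-1]["entry_hash"] if self.audit_trail else "genesis"
        entry = {
            "action": action, "change_id": change.change_id,
            "component": change.component, "version": change.version,
            "library": change.library, "actor": actor, "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.audit_trail.append(entry)

    def submit(self, change):
        # Restrict changes to authorized users; every change names a known component.
        if change.requested_by not in self.authorized_developers:
            raise ChangeControlError(f"{change.requested_by} is not an authorized developer")
        if change.component not in self.owners:
            raise ChangeControlError(f"no owner registered for {change.component}")
        key = (change.component, LIBRARIES[0])
        change.version = self.versions.get(key, 0) + 1   # strict version control
        self.versions[key] = change.version
        self._record("submitted", change, change.requested_by)

    def approve(self, change, approver):
        # Only the application/system owner may authorize the change.
        if approver != self.owners[change.component]:
            raise ChangeControlError(f"{approver} does not own {change.component}")
        change.approved_by = approver
        self._record("approved", change, approver)

    def promote(self, change, actor):
        # Move an approved change to the next library (development -> test -> production).
        if not change.approved_by:
            raise ChangeControlError("change has not been approved by its owner")
        idx = LIBRARIES.index(change.library)
        if idx == len(LIBRARIES) - 1:
            raise ChangeControlError("change is already in production")
        change.library = LIBRARIES[idx + 1]
        self.versions[(change.component, change.library)] = change.version
        self._record("promoted", change, actor)

    def verify_audit_trail(self):
        # Recompute the hash chain; any edited or deleted entry breaks it.
        prev = "genesis"
        for entry in self.audit_trail:
            if entry["prev_hash"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Run a constructed scenario and return the control object and the change."""
    cc = ChangeControl(authorized_developers={"dev-alice"},
                       owners={"online-banking-login": "owner-bob"})
    change = Change("CHG-0001", "online-banking-login", "dev-alice",
                    "tighten session timeout")
    cc.submit(change)
    cc.approve(change, "owner-bob")
    cc.promote(change, "release-carol")   # development -> test
    cc.promote(change, "release-carol")   # test -> production
    return cc, change


if __name__ == "__main__":
    cc, change = demo()
    print(change.library, change.version, cc.verify_audit_trail())
```

Running the module walks one change through submission, owner approval and promotion into the test and then production libraries, leaving four chained audit entries. Submitting as an account outside `authorized_developers`, approving as anyone other than the registered owner, or promoting before approval all raise `ChangeControlError`, and altering any recorded entry afterwards makes `verify_audit_trail()` return `False`.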
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
Next week we will start covering the examination objectives.