REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
- Retailers warned to act now to protect against Backoff malware -
The Payment Card Industry Security Standards Council on Wednesday
issued a bulletin urging retailers to immediately review their
security controls to ensure point-of-sale systems are protected
against "Backoff," a malware tool that was used in the massive data
theft at retailer Target last year.
- UK Prisons Issued Encrypted Drives to Stop Exposing Data but That
Didn’t Work - Accidentally leaked credentials; Insider attack;
Misplaced data - The Ministry of Justice was fined about $300,000
for losing a device with prison records, after not realizing one
must turn on disk encryption for it to function.
- Professor says Google search, not hacking, yielded medical info -
Though unnamed in a breach notification and follow-up reports, a
professor of ethical hacking at City College San Francisco (CCSF),
Sam Bowne, has come forward on the internet to clarify that he did
not demonstrate hacking a medical center's server in a class, but
rather came across sensitive information during a Google search.
- Firm explores attack methods allowing possible Home Depot breach -
Hackers could have exploited a vulnerability in Home Depot's payment
interface to steal customer payment information, a Bitdefender
researcher said, though it's more likely they broke into the
company's storage facilities to steal credentials linked with a
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- JPMorgan hackers altered, deleted bank records, says report -
Investigation into attack on JPMorgan Chase may have expanded to
seven of the world's top banks, amid a report that hackers altered
- DQ Breach? HQ Says No, But Would it Know? - Sources in the
financial industry say they’re seeing signs that Dairy Queen may be
the latest retail chain to be victimized by cybercrooks bent on
stealing credit and debit card data.
at 50 Oil Companies in Norway - The breach was the largest in the
country’s history and might have affected an additional 250 oil and
- Home Depot investigates possible payment card breach - Home Depot is the latest
retailer to begin investigating a possible data breach.
- FBI and Apple investigate celebrity photo hacking incident - A hacking incident,
which reportedly impacted over 100 celebrities whose personal
photos, including nude images, were posted online, is now being
investigated by the FBI and Apple.
- Payment card processing systems compromised at five Bartell Hotels locations
- Bartell Hotels issued a notification that the payment card
processing systems used at five of its San Diego locations were
compromised and personal information – including credit card numbers
– may be at risk.
- Goodwill announces breach, more than 800K payment cards compromised - In a
letter to customers dated Tuesday, Jim Gibbons, president and CEO of
Goodwill Industries International (GII), announced that payment card
data was accessed following a malware attack on a third-party vendor
used in about 10 percent of stores.
- More than 10K electronic medical records compromised at Houston health system
- A health system employee accessed electronic medical records from
Memorial Hermann Health System in Houston. The records were accessed
for more than six years.
http://www.scmagazine.com/more-than-10k-electronic-medical-records-compromised-at-houston-health-system/article/369842/
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Banking Supervision.
Board and Management Oversight - Principle 3: The
Board of Directors and senior management should establish a
comprehensive and ongoing due diligence and oversight process for
managing the bank's outsourcing relationships and other third-party
dependencies supporting e-banking.
Increased reliance upon partners and third party service providers
to perform critical e-banking functions lessens bank management's
direct control. Accordingly, a comprehensive process for managing
the risks associated with outsourcing and other third-party
dependencies is necessary. This process should encompass the
third-party activities of partners and service providers, including
the sub-contracting of outsourced activities that may have a
material impact on the bank.
Historically, outsourcing was often limited to a single service
provider for a given functionality. However, in recent years, banks'
outsourcing relationships have increased in scale and complexity as
a direct result of advances in information technology and the
emergence of e-banking. Adding to the complexity is the fact that
outsourced e-banking services can be sub-contracted to additional
service providers and/or conducted in a foreign country. Further, as
e-banking applications and services have become more technologically
advanced and have grown in strategic importance, certain e-banking
functional areas are dependent upon a small number of specialized
third-party vendors and service providers. These developments may
lead to increased risk concentrations that warrant attention both
from an individual bank as well as a systemic industry standpoint.
Together, these factors underscore the need for a comprehensive and
ongoing evaluation of outsourcing relationships and other external
dependencies, including the associated implications for the bank's
risk profile and risk management oversight abilities. Board and
senior management oversight of outsourcing relationships and
third-party dependencies should specifically focus on ensuring that:
1) The bank fully understands the risks associated with entering
into an outsourcing or partnership arrangement for its e-banking
systems or applications.
2) An appropriate due diligence review of the competency and
financial viability of any third-party service provider or partner
is conducted prior to entering into any contract for e-banking
3) The contractual accountability of all parties to the outsourcing
or partnership relationship is clearly defined. For instance,
responsibilities for providing information to and receiving
information from the service provider should be clearly defined.
4) All outsourced e-banking systems and operations are subject to
risk management, security and privacy policies that meet the bank's
5) Periodic independent internal and/or external audits are
conducted of outsourced operations to at least the same scope
required if such operations were conducted in-house.
This is the last of three principles regarding Board and Management
Oversight. Next week we will begin the series on the principles of
security controls, which include Authentication, Non-repudiation,
Data and transaction integrity, Segregation of duties, Authorization
controls, Maintenance of audit trails, and Confidentiality of key
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Source Code Review and Testing
Application and operating system source code can have numerous
vulnerabilities due to programming errors or misconfiguration. Where
possible, financial institutions should use software that has been
subjected to independent security reviews of the source code,
especially for Internet-facing systems. Software can contain
erroneous or intentional code that introduces covert channels,
backdoors, and other security risks into systems and applications.
These hidden access points can often provide unauthorized access to
systems or data that circumvents built-in access controls and
logging. Source code reviews should be repeated after potentially
significant changes are made.
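As an added illustration of the review described above (this is example code written for this newsletter, not part of the FFIEC booklet), the following Python script is a small pattern-based aid a reviewer might run before a manual read of the source. It flags the kinds of constructs the text warns about: literal credentials, comparisons against fixed "magic" values that could act as a hidden access path, dynamic code execution, and disabled TLS verification. The sample source it scans is constructed for the example; the rule names and patterns are the author's own choices, not a standard.

```python
"""Pattern-based source review aid (example code; sample source is constructed)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line: int   # 1-based line number in the scanned source
    rule: str   # which rule fired
    text: str   # the offending line, stripped


# Each rule: (name, compiled regex, rationale shown to the reviewer).
# These are heuristics to direct human attention, not proof of a defect.
RULES = [
    ("hardcoded-credential",
     re.compile(r"""(?i)(password|passwd|secret|api_key|token)\s*=\s*["'][^"']{4,}["']"""),
     "literal secret in source; move it to a secrets store"),
    ("hardcoded-bypass",
     re.compile(r"""(?i)(==|!=)\s*["'](debug|backdoor|master|override)[^"']*["']"""),
     "comparison against a fixed magic value; possible hidden access path"),
    ("dynamic-eval",
     re.compile(r"\b(eval|exec)\s*\("),
     "dynamic code execution; confirm untrusted input cannot reach it"),
    ("tls-verify-disabled",
     re.compile(r"verify\s*=\s*False"),
     "TLS certificate verification disabled"),
]


def scan_source(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out code is noise for these rules
        for name, pattern, _ in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, name, stripped))
    return findings


def report(source: str) -> str:
    """Human-readable summary, one line per finding, with the rule rationale."""
    out = []
    for f in scan_source(source):
        rationale = next(r for n, _, r in RULES if n == f.rule)
        out.append(f"line {f.line}: [{f.rule}] {f.text}  -- {rationale}")
    return "\n".join(out)


# Constructed sample source containing each problem class except dynamic-eval.
SAMPLE = '''
import requests

DB_PASSWORD = "hunter2-prod"   # should come from a vault
def login(user, pw):
    if pw == "debug-override":   # hidden path that skips the real check
        return True
    return check_hash(user, pw)
def fetch(url):
    return requests.get(url, verify=False)
'''

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against SAMPLE the scanner reports the literal password on line 4, the magic-value comparison on line 6, and the disabled certificate check on line 10. Because the booklet asks for reviews to be repeated after significant changes, a practical use is to run such a scan on every change set and treat any new finding as a trigger for manual review of the surrounding code.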
INTERNET PRIVACY - We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
1. To assess the quality of a financial institution's
compliance management policies and procedures for implementing the
privacy regulation, specifically ensuring consistency between what
the financial institution tells consumers in its notices about its
policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial
institution's internal controls and procedures for monitoring the
institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the
privacy regulation, specifically in meeting the following
a) Providing to customers notices of its privacy policies and
practices that are timely, accurate, clear and conspicuous, and
delivered so that each customer can reasonably be expected to
receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated
third parties, other than under an exception, after first meeting
the applicable requirements for giving consumers notice and the
right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information
received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in the
4. To initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are deficient.