Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
- U.S. Sources Exposed as Unredacted State Department Cables Are
Unleashed Online - An encrypted WikiLeaks file containing 251,000
unredacted U.S. State Department cables is now widely available
online, along with the passphrase to open it. The release of the
documents in raw form, including the names of U.S. informants around
the globe, has raised concerns that dozens of people could now be in
- Google Certificate Hackers May Have Stolen 200 Others - Hackers
who obtained a fraudulent digital certificate for Google may have
actually obtained more than 200 digital certificates for other top
internet entities such as Mozilla, Yahoo and even the privacy and
anonymizing service Tor.
- Laptop Tracking Software Faces New Privacy Heat - Judge rules
couple can sue maker of Lojack For Laptops software for intercepting
and sharing couple's communications with police. How far can someone
go when tracking stolen technology goods?
- No pointing fingers: Defense in the cloud is everyone's
responsibility - Over the last two decades, the now-famous 1993 New
Yorker cartoon showing two canines in front of a PC with one saying
to the other, “On the internet, nobody knows you are a dog” has
become a staple of presentations on internet identity and privacy.
- Dutch CA banished for life from Chrome, Firefox - Game over for
DigiNotar and its PKIoverheid fiefdom - The network breach in July
that forged a near-perfect replica of a Google.com credential minted
more than 200 other SSL certificates for more than 20 different
domains, a top manager for Mozilla's Firefox browser said.
- Plods to get dot-uk takedown powers - without court order - Why?
'Cos we're the bleedin' law, you slaag - Police in the UK could get
new powers to suspend internet domain names without a court order if
they're being used for illegal activity, under rules proposed to .uk
registry manager Nominet.
- Pakistan May Have to Abandon Cryptography Ban - As other countries
have discovered, businesses need encrypted communications. This
week, a Pakistani Internet service provider (ISP) leaked a
government regulatory memo requiring all ISPs to block encrypted
communications sent over virtual private networks (VPNs).
- Alleged 'Anonymous 14' plead innocent to PayPal DDoS - Fourteen
individuals believed to be part of the hacktivist group Anonymous
pleaded innocent on Thursday in federal court in San Jose, Calif., to
charges of participating in an attack against PayPal.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- California blazes trail again with enhanced breach alert law -
After being vetoed twice by the prior administration, a bill that
updates California's pioneering data breach notification law was
signed into law Wednesday by Gov. Jerry Brown.
- Kernel.org Linux repository rooted in hack attack - Multiple
servers used to maintain and distribute the Linux operating system
were infected with malware that gained root access, modified system
software, and logged passwords and transactions of the people who
used them, the official Linux Kernel Organization has confirmed.
- More insiders snooping into health records, says survey - Breaches
into protected health information (PHI) are on the rise, and
staffers are responsible for more than a third of the intrusions, a
new survey has found.
- Turkish net hijack hits big name websites - Visitors to the
websites of Vodafone, the Daily Telegraph, UPS and four others were
re-directed to a site set up by Turkish hackers on Sunday night. The
diversion was the result of the group's attack on computers that
hold web address information.
- Ex-employee hacks US military contractor's computer systems -
After being terminated from his job, he logged into McLane Advanced
Technologies and wiped customer data - At the Bar and Grill in
Austin, Texas, you can get burgers and beer served to you by
waitresses. And if you're a recently fired IT worker, you can also
log on using their WiFi, break into a US military contractor's
computer systems and wipe out payroll files.
- Anonymous targets Texas police chiefs site - In the face of new
arrests and the arraignments of 14 Anonymous members accused of
launching attacks last year against PayPal, the hacktivist group
continues to expose security weaknesses and embarrassing documents.
In its latest digital heist, Anonymous on Thursday leaked 3 GB of
data from TexasPoliceChiefs.org.
WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 5 of 6)
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
themselves.
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposium series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be
an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all
traffic not expressly allowed is denied, detailing which
applications can traverse the firewall and under what exact
circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the
firewall's effectiveness, and
! Contingency planning.
Financial institutions should also appropriately train and manage
their staffs to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
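Two of the policy items above, "all traffic not expressly allowed is denied" and "regular auditing of a firewall's configuration", can be checked mechanically. The script below is an added example, not part of the FFIEC booklet or this newsletter: it reads an iptables-save style dump and reports any chain whose default policy is not DROP and any unconditional "-j ACCEPT" rule that would defeat a default-deny stance. Both rulesets in it are constructed samples, one permissive and one corrected, and the function names (chain_policy, count_catchall, audit_firewall) are the example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save style dump against two points of the
# firewall policy: default-deny on inbound and forwarded traffic, and no
# unconditional ACCEPT rules. Both rulesets are constructed samples, not
# taken from any real institution.

# Sample 1: a ruleset that violates the policy (INPUT defaults to ACCEPT and
# a catch-all "-A INPUT -j ACCEPT" rule allows everything anyway).
PERMISSIVE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT'

# Sample 2: the corrected ruleset. Deny by default; every ACCEPT is scoped to
# an interface, a connection state, or a protocol/port/source.
HARDENED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT'

# chain_policy RULES CHAIN: print the chain's default policy (e.g. DROP).
chain_policy() {
  printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}

# count_catchall RULES CHAIN: number of "-A CHAIN -j ACCEPT" rules with no
# match criteria at all, i.e. rules that accept anything not already decided.
count_catchall() {
  printf '%s\n' "$1" | awk -v c="$2" \
    '$1 == "-A" && $2 == c && $3 == "-j" && $4 == "ACCEPT" { n++ } END { print n + 0 }'
}

# audit_firewall RULES: print one FINDING line per violation; exit status 0
# when the ruleset is compliant, 1 otherwise.
audit_firewall() {
  rules=$1
  rc=0
  for chain in INPUT FORWARD; do
    pol=$(chain_policy "$rules" "$chain")
    if [ "$pol" != "DROP" ]; then
      echo "FINDING: chain $chain default policy is ${pol:-missing}; policy requires DROP"
      rc=1
    fi
    n=$(count_catchall "$rules" "$chain")
    if [ "$n" -gt 0 ]; then
      echo "FINDING: chain $chain has $n unconditional ACCEPT rule(s)"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone demo; on a live host you would feed it "$(iptables-save)" instead.
echo "== permissive ruleset =="
audit_firewall "$PERMISSIVE_RULES" || echo "result: NON-COMPLIANT"
echo "== hardened ruleset =="
audit_firewall "$HARDENED_RULES" && echo "result: compliant"
```

Run from cron against the live ruleset and alert on a non-zero exit, and the script becomes the "regular auditing" control the policy asks for; it is deliberately narrow (default policy plus catch-all rules) so that each finding maps back to a specific policy item rather than to a general style complaint.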
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
A "customer" is a consumer who has a "customer relationship"
with a financial institution. A "customer relationship" is a
continuing relationship between a consumer and a financial
institution under which the institution provides one or more
financial products or services to the consumer that are to be used
primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
institution:
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory services for a
fee.
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their financial
institution.
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that