Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - GCHQ to advise senior business leaders on how to fight cyber attacks - GCHQ is to use its expertise to take a lead role advising Britain's senior business leaders on how to combat the multi-billion pound threat of cyber attacks, under a programme being unveiled today.
http://www.telegraph.co.uk/news/uknews/defence/9521715/PLS-PIC-AND-PUB-GCHQ-to-advise-senior-business-leaders-on-how-to-fight-cyber-attacks.html

FYI - FTC offers guidance for mobile application development - As enterprises expand their roll-outs of mobile applications, the Federal Trade Commission wants them to be mindful of the privacy and security ramifications that go along with these advancements.
http://www.scmagazine.com/ftc-offers-guidance-for-mobile-application-development/article/257656/

FYI - Worker had proper access when he snagged corporate data, court rules - Decision highlights need for firms to tighten computer access, use policies - In a decision likely to be sobering for companies fighting insider threats, an appeals court has ruled that an employee who used his valid computer access rights to access data from his employer can't be prosecuted under a federal anti-hacking law.
http://www.computerworld.com/s/article/9230998/Worker_had_proper_access_when_he_snagged_corporate_data_court_rules?taxonomyId=82

FYI - Google Aurora Attackers Still On Loose, Symantec Says - Gang that attacked Google in 2009 has continued operating, stealing sensitive data via zero-day attacks and compromising target companies' business partners. Whatever happened to the group of attackers that successfully hacked into Google in 2009?
http://www.informationweek.com/security/attacks/google-aurora-attackers-still-on-loose-s/240006930

FYI - Germany pushes for an end to massive fines for hijacked Wi-Fi - The cities of Hamburg and Berlin are to launch a new legal initiative to protect owners of WLAN networks from litigation if intruders commit offences on their network. Wi-Fi network owners in Germany look set to get an easier legal ride when their WLANs are used by criminals.
http://www.zdnet.com/germany-pushes-for-an-end-to-massive-fines-for-hijacked-wi-fi-7000003844/

FYI - GAO - Community Banks and Credit Unions: Impact of the Dodd-Frank Act Depends Largely on Future Rule Makings.
http://www.gao.gov/products/GAO-12-881
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Sony says 400 customer names, emails from mobile division leaked in China - The Japanese electronics firm said at least one server run by a third-party Chinese company was compromised - Sony said Thursday that hackers accessed about 400 names and email addresses of its mobile customers in China and Taiwan, but that no credit card or banking information was compromised.
http://www.computerworld.com/s/article/9230977/Sony_says_400_customer_names_emails_from_mobile_division_leaked_in_China?taxonomyId=82

FYI - FBI finds no evidence that AntiSec hacked its laptop - Hackers say they got data on Apple device users from FBI agent's laptop, but the agency denies knowing anything about it.
http://news.cnet.com/8301-1009_3-57505925-83/fbi-finds-no-evidence-that-antisec-hacked-its-laptop/

FYI - GoDaddy works to restore site service to unknown numbers - An unknown, but significant, number of websites hosted by GoDaddy are feeling the effects of an apparent attack on the company's DNS servers.
http://www.scmagazine.com/godaddy-works-to-restore-site-service-to-unknown-numbers/article/258376/?DCMP=EMC-SCUS_Newswire

FYI - Apple Device IDs Leaked by Anonymous Traced to App Developer Blue Toad - Those Apple device IDs that an Anonymous offshoot claimed to have hacked from an FBI agent's computer in March appear to have actually originated just weeks ago from the hack of a little-known app development company in Florida.
http://www.wired.com/threatlevel/2012/09/udid-leak-traced-to-blue-toad/

FYI - Wyndham Hotels challenges FTC security suit over breaches - Wyndham Hotels and Resorts has filed a motion in U.S. District Court in Phoenix to dismiss a complaint launched by the Federal Trade Commission (FTC) over the chain's repeated security breaches.
http://www.scmagazine.com/wyndham-hotels-challenges-ftc-security-suit-over-breaches/article/258559/?DCMP=EMC-SCUS_Newswire

FYI - Miami hospital hit by second patient breach this year - The University of Miami Hospital has fired two employees suspected of stealing and possibly selling the personally identifiable information (PII) of patients.
http://www.scmagazine.com/miami-hospital-hit-by-second-patient-breach-this-year/article/258895/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Audit Trail Practices for E-Banking Systems

1. Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution.
2. E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence, and prevents tampering and the collection of false evidence.
3. In instances where processing systems and related audit trails are the responsibility of a third-party service provider:
a) The bank should ensure that it has access to relevant audit trails maintained by the service provider.
b) Audit trails maintained by the service provider should meet the bank's standards.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

MONITORING AND UPDATING - MONITORING

Effective monitoring of threats includes both non-technical and technical sources. Non-technical sources include organizational changes, business process changes, new business locations, increased sensitivity of information, or new products and services. Technical sources include new systems, new service providers, and increased access. Security personnel and financial institution management must remain alert to emerging threats and vulnerabilities. This effort could include the following security activities:

! Senior management support for strong security policy awareness and compliance. Management and employees must remain alert to operational changes that could affect security and actively communicate issues with security personnel. Business line managers must have responsibility and accountability for maintaining the security of their personnel, systems, facilities, and information.

! Security personnel should monitor the information technology environment and review performance reports to identify trends, new threats, or control deficiencies. Specific activities could include reviewing security and activity logs, investigating operational anomalies, and routinely reviewing system and application access levels.

! Security personnel and system owners should monitor external sources for new technical and non-technical vulnerabilities and develop appropriate mitigation solutions to address them. Examples include many controls discussed elsewhere in this booklet, including:
- Establishing an effective configuration management process that monitors for vulnerabilities in hardware and software and establishes a process to install and test security patches,
- Maintaining up-to-date anti-virus definitions and intrusion detection attack definitions, and
- Providing effective oversight of service providers and vendors to identify and react to new security issues.

! Senior management should require periodic security self-assessments and audits to provide an ongoing assessment of policy compliance and ensure prompt corrective action of significant deficiencies.

! Security personnel should have access to automated tools appropriate for the complexity of the financial institution's systems. Automated security policy and security log analysis tools can significantly increase the effectiveness and productivity of security personnel.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

36. Does the institution use a reasonable means for delivering the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]
c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution's electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or
d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [§9(b)(1)(iv)]

(Note: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [§9(b)(2)(i) and (ii), and (d)])