REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Agencies Aren’t Properly Vetting All Cyber Contractors - Vendors
operating systems that handle government data are required to take
security precautions, but most agencies are not making sure they do
- Federal agency to end contracts of background-check contractor
USIS - The federal Office of Personnel Management plans to terminate
its massive contracts with USIS, the major security clearance
contractor that was targeted last month by a cyberattack, several
officials said Tuesday.
- Documents reveal NSA plans to map every internet connected device
in the world - The National Security Agency (NSA) is looking to map
every single internet connected device in the world, including
smartphones, tablets and computers.
- GAO - Healthcare - Needed to Address Weaknesses in Information
Security and Privacy Controls.
- C&K apologizes for unauthorized access that led to Goodwill breach
- The web hosting service apologized Monday for the “intermittent”
unauthorized access to its hosted environment over an 18-month
period that likely led to the data breach incurred by Goodwill
- Things Can Go Kaboom When a Defense Contractor's 3-D Printer Gets
Hacked - Defense companies that manufacture parts with
three-dimensional printers using metal powders might want to heed
forthcoming government-issued standards for preventing hacks.
- 75 percent of mobile apps will fail security tests through end of
2015 - The bulk of mobile applications (75 percent) will fail basic
security tests over the next 15 months or so – through the end of
2015 – leaving businesses vulnerable to attack and violations of
their security policies.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Temple University patients impacted by possible breach - An
unencrypted desktop computer with the personal information of 3,780
patients was stolen from a Temple University physician's office in
- George Mason University travel system targeted for malware attack
- George Mason University detected a malware intrusion into its
travel booking system on July 16. No personal information is thought
to have been viewed, but the incident could have affected up to
- Tampa General Hospital breach impacts hundreds of patients -
Nearly 700 patients who were treated at Tampa General Hospital from
October 2011 to August 2014 are being notified that their personal
information – including Social Security numbers, in some instances –
may have been accessed, without authorization, by a former employee.
- Nigerian police search for ringleader in major bank heist - The
Economic and Financial Crimes Commission (EFCC), a Nigerian law
enforcement agency, has announced that a scammer, suspected of
diverting 6.28 billion Naira (nearly $49 million US) to mule
accounts, is being sought by police.
- Florida medical center hit with breach for third time in two years
- Aventura Hospital and Medical Center has reported a data breach;
the third time in two years the facility has been hit.
- Singaporean karaoke bar members' info compromised - A
Singapore-based karaoke chain, K Box, had members' personal
information compromised earlier this week when the hacker group “The
Knowns” posted the data online.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Security Controls - Principle 1: Banks should take
appropriate measures to authenticate the identity and authorization
of customers with whom it conducts business over the Internet. (Part
2 of 2)
The bank must determine which authentication methods to use based
on management's assessment of the risk posed by the e-banking system
as a whole or by the various sub-components. This risk analysis
should evaluate the transactional capabilities of the e-banking
system (e.g. funds transfer, bill payment, loan origination, account
aggregation etc.), the sensitivity and value of the stored e-banking
data, and the customer's ease of using the authentication method.
Robust customer identification and authentication processes are
particularly important in the cross-border e-banking context given
the additional difficulties that may arise from doing business
electronically with customers across national borders, including the
greater risk of identity impersonation and the greater difficulty in
conducting effective credit checks on potential customers.
As authentication methods continue to evolve, banks are encouraged
to monitor and adopt industry sound practice in this area such as
1) Authentication databases that provide access to e-banking
customer accounts or sensitive systems are protected from tampering
and corruption. Any such tampering should be detectable and audit
trails should be in place to document such attempts.
2) Any addition, deletion or change of an individual, agent or
system to an authentication database is duly authorized by an
3) Appropriate measures are in place to control the e-banking
system connection such that unknown third parties cannot displace
4) Authenticated e-banking sessions remain secure throughout the
full duration of the session or in the event of a security lapse the
session should require re-authentication.
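The risk-based authentication and session rules above (transaction type drives the authentication strength, and a lapse forces re-authentication) as an added example; this is illustrative code, not part of the Basel text or the newsletter. The risk tiers, the 15-minute idle limit, the 5-minute authentication age for high-risk actions and the address-change check are assumed policy values.

```python
from dataclasses import dataclass

# Transaction classes named in the principle, mapped to risk tiers. The tiers
# and all thresholds below are illustrative policy values, not Basel figures.
TRANSACTION_RISK = {
    "view_balance": "low",
    "bill_payment": "high",
    "funds_transfer": "high",
    "loan_origination": "high",
}
IDLE_LIMIT_SECONDS = 15 * 60        # session ends after this much inactivity
HIGH_RISK_MAX_AUTH_AGE = 5 * 60     # high-risk actions need a recent authentication
HIGH_RISK_MIN_FACTORS = 2           # ... completed with more than one factor

@dataclass
class Session:
    customer_id: str
    authenticated_at: float   # epoch seconds of the last full authentication
    last_seen: float          # epoch seconds of the last allowed request
    client_ip: str            # address that performed the authentication
    factors: int              # authentication factors completed in this session

def authorize(session: Session, action: str, now: float, client_ip: str) -> str:
    """Decide 'allow', 'deny: <reason>' or 'reauth: <reason>' for one request."""
    if now - session.last_seen > IDLE_LIMIT_SECONDS:
        return "reauth: idle timeout"
    if client_ip != session.client_ip:
        # Treated as a security lapse: the session token is presented from a
        # different address than the one that authenticated (assumed policy).
        return "reauth: client address changed"
    risk = TRANSACTION_RISK.get(action)
    if risk is None:
        return "deny: unknown action"   # deny by default; only defined actions are granted
    if risk == "high":
        if session.factors < HIGH_RISK_MIN_FACTORS:
            return "reauth: second factor required"
        if now - session.authenticated_at > HIGH_RISK_MAX_AUTH_AGE:
            return "reauth: authentication too old for this transaction"
    session.last_seen = now   # activity only counts once the request is allowed
    return "allow"
```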
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Many financial institutions use commercial off-the-shelf (COTS)
software for operating systems and applications. COTS systems
generally provide more functions than are required for the specific
purposes for which they are employed. For example, a default
installation of a server operating system may install mail, Web, and
file-sharing services on a system whose sole function is a DNS
server. Unnecessary software and services represent a potential
security weakness. Their presence increases the potential number of
discovered and undiscovered vulnerabilities present in the system.
Additionally, system administrators may not install patches or
monitor the unused software and services to the same degree as
operational software and services. Protection against those risks
begins when the systems are constructed and software installed
through a process that is referred to as hardening a system.
When deploying off-the-shelf software, management should harden the
resulting system. Hardening includes the following actions:
! Determining the purpose of the system and minimum software and
! Documenting the minimum hardware, software and services to be
included on the system;
! Installing the minimum hardware, software, and services necessary
to meet the requirements using a documented installation procedure;
! Installing necessary patches;
! Installing the most secure and up-to-date versions of
! Configuring privilege and access controls by first denying all,
then granting back the minimum necessary to each user;
! Configuring security settings as appropriate, enabling allowed
activity, and disallowing other activity;
! Enabling logging;
! Creating cryptographic hashes of key files;
! Archiving the configuration and checksums in secure storage prior
to system deployment;
! Testing the system to ensure a secure configuration;
! Using secure replication procedures for additional, identically
configured systems, making configuration changes on a case-by-case
! Changing all default passwords; and
! Testing the resulting systems.
After deployment, the COTS systems may need updating with current
security patches. Additionally, the systems should be periodically
audited to ensure that the software present on the systems is
authorized and properly configured.
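The "cryptographic hashes of key files", "archiving the configuration and checksums" and post-deployment audit steps above, carried through as an added example; this is illustrative code, not from the FFIEC booklet or the newsletter. The sample file tree (a DNS-only host with named.conf and sshd_config) and the drift introduced afterwards are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Hash every regular file under root: the checksums archived before deployment."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(root: Path, baseline: dict) -> dict:
    """Post-deployment audit: compare the live tree with the archived baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict:
    """Constructed scenario: baseline a hardened DNS-only host, then detect drift."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "named.conf").write_text("options { recursion no; };\n")
    (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
    # Archive the baseline as JSON off the host (in practice: signed, on separate
    # secure storage, written before the system goes into service).
    archive = Path(tempfile.mkdtemp()) / "baseline.json"
    archive.write_text(json.dumps(build_baseline(root), indent=2))
    # Unauthorized changes after deployment: a weakened sshd setting and an
    # unapproved web service configuration appearing on the DNS server.
    (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
    (root / "etc" / "httpd.conf").write_text("Listen 80\n")
    return audit(root, json.loads(archive.read_text()))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the audit on a schedule and alerting on any non-empty "modified" or "unexpected" list gives the periodic check the paragraph calls for.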
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify which
module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and controls,
including review of new products and services and controls over
servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including the
use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training program;
5) Suitability of the compliance audit program for ensuring that:
a) the procedures address all regulatory provisions as
b) the work is accurate and comprehensive with respect to the
institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to
e) steps are taken to correct deficiencies and to follow-up
on previously identified deficiencies; and
6) Knowledge level of management and personnel.