R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 22, 2013

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - FDIC: Improve Vendor Management - Monitoring Service Providers Is Banks' Responsibility - Federal regulators are urging banking institutions to pay more attention to vendor management in light of recent breaches, such as one that compromised core processor Fidelity National Information Services, better known as FIS. http://www.bankinfosecurity.com/fdic-improve-vendor-management-a-6053

FYI - New guidelines aid organizations in beefing up security teams - In light of evolving cyber crime, hacktivism and insider threats, the Security for Business Innovation Council (SBIC) – an independent group of security experts from Global 1000 enterprises – has released a report on what it takes for an organization to create an elite security team (PDF). http://www.scmagazine.com/new-guidelines-aid-organizations-in-beefing-up-security-teams/article/311847/?DCMP=EMC-SCUS_Newswire

FYI - Four charged over alleged plot to plant device, drain millions from London bank - Four men in London were charged with allegedly plotting a sophisticated cyber heist against Santander bank. http://www.scmagazine.com/four-charged-over-alleged-plot-to-plant-device-drain-millions-from-london-bank/article/311842/?DCMP=EMC-SCUS_Newswire
 
FYI - Cyberspies attack key South Korean institutions, North Korean hackers suspected - South Korean organizations that conduct research on international affairs, national security and Korean unification are under siege from cyberspies whose attack may have its origins in North Korea. http://www.computerworld.com.sg/resource/security/cyberspies-attack-key-south-korean-institutions-north-korean-hackers-suspected/

FYI - Hacker sentenced to three years for breaching police sites - A man said to be affiliated with the hacking collective Anonymous gets prison time for breaking into police and municipal Web sites in Utah, New York, Missouri, and California. http://news.cnet.com/8301-1009_3-57602761-83/hacker-sentenced-to-three-years-for-breaching-police-sites/

FYI - In Barnes & Noble skimming case, federal judge dismisses plaintiffs' class-action suit - A federal judge in Illinois has tossed a class-action lawsuit against Barnes & Noble, after plaintiffs failed to demonstrate loss or injury as a result of a PIN pad tampering incident last year. http://www.scmagazine.com/in-barnes-noble-skimming-case-federal-judge-dismisses-plaintiffs-class-action-suit/article/311262/

FYI - Secret Spy Court Demands Surveillance Transparency From Feds - The secret spy court at the center of NSA whistleblower Edward Snowden’s leaks today ordered the government to begin declassifying its opinions involving the Patriot Act. http://www.wired.com/threatlevel/2013/09/secret-spy-court/

FYI - Cyber security: The new arms race for a new front line - The Pentagon - and a growing cyber industrial complex - gears up for the new front line: cyberspace. Cyber defense is necessary. But it could cost us. http://www.csmonitor.com/USA/Military/2013/0915/Cyber-security-The-new-arms-race-for-a-new-front-line

FYI - Health Agency Watchdog Doesn’t Have Time to Vet Obamacare Cyber Designs - Inspectors have declined to review draft and final security plans for health insurance online marketplaces set to launch Oct. 1. http://www.nextgov.com/cybersecurity/2013/09/health-agency-watchdog-doesnt-have-time-vet-obamacare-cyber-designs/70352/?oref=ng-HPtopstory

FYI - AT&T shakes its banhammer at would-be pirates - If you appear to pirate on an AT&T connection, your service may be terminated. AT&T is alerting would-be pirates that their illegal activity could result in termination of their Internet access, according to a letter obtained by TorrentFreak. http://arstechnica.com/tech-policy/2013/09/att-shakes-its-banhammer-at-would-be-pirates/

FYI - "Hackers for hire" group Hidden Lynx on mission to collect corporate data - Researchers believe that a group of “hackers for hire” based out of China are linked to numerous high-profile attacks on U.S. companies, including those against Google and security firm Bit9. http://www.scmagazine.com/hackers-for-hire-group-hidden-lynx-on-mission-to-collect-corporate-data/article/312075/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - No warrant, no problem: US gov't uses travel alerts for warrantless electronics search - The ACLU has released documents showing how the US government uses border searches to take citizens' electronics and rifle through private data to its heart's content. http://www.zdnet.com/no-warrant-no-problem-us-govt-uses-travel-alerts-for-warrantless-electronics-search-7000020487/

FYI - Vodafone Germany hack hits two million customers - Personal details of more than two million customers of Vodafone Germany have been stolen by a hacker. Vodafone said the attacker got access to customer names, addresses, bank account numbers and birth dates. http://www.bbc.co.uk/news/technology-24063621

FYI - Email contains personal data on thousands of insurance agents - Thousands of agents with state online health insurance exchange MNsure in Minnesota may have had personal data compromised when an employee inadvertently sent out an email attachment that contained the information. http://www.scmagazine.com/email-contains-personal-data-on-thousands-of-insurance-agents/article/311540/?DCMP=EMC-SCUS_Newswire

FYI - Kaiser Permanente employee sends out email containing patient data - An employee of health care provider Kaiser Permanente affected hundreds of patients by inadvertently sending out an email containing personal information related to a pilot Wellness Screening competition. http://www.scmagazine.com/kaiser-permanente-employee-sends-out-email-containing-patient-data/article/311964/?DCMP=EMC-SCUS_Newswire

FYI - Teenager busted for running botnet that stole $50,000 a month - A 19-year-old Argentinean man, whose identity has not been revealed, could face up to 10 years behind bars after being arrested and charged with intercepting $50,000 a month from gaming and money transfer sites and dumping it into his bank account. http://www.scmagazine.com/teenager-busted-for-running-botnet-that-stole-50000-a-month/article/311886/?DCMP=EMC-SCUS_Newswire

FYI - Website programming error compromises personal information - A programming error on the website belonging to PLS Financial Services - a Chicago-based consumer financial services retailer - allowed some visitors to access personal information of an undisclosed number of customers. http://www.scmagazine.com/website-programming-error-compromises-personal-information/article/312361/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 4 of 6)

Supervisory Action

As a result of guidelines issued by the FDIC, together with other federal agencies, financial institutions are required to develop and implement a written program to safeguard customer information, including the proper disposal of consumer information (Security Guidelines). The FDIC considers this programmatic requirement to be one of the foundations of identity theft prevention. In guidance that became effective on January 1, 2007, the federal banking agencies made it clear that they expect institutions to use stronger and more reliable methods to authenticate the identity of customers using electronic banking systems. Moreover, the FDIC has also issued guidance stating that financial institutions are expected to notify customers of unauthorized access to sensitive customer information under certain circumstances. The FDIC has issued a number of other supervisory guidance documents articulating its position and expectations concerning identity theft. Industry compliance with these expectations will help to prevent and mitigate the effects of identity theft.

Risk management examiners trained in information technology (IT) and the requirements of the Bank Secrecy Act (BSA) evaluate a number of aspects of a bank's operations that raise identity theft issues. IT examiners are well-qualified to evaluate whether banks are incorporating emerging IT guidance into their Identity Theft Programs and GLBA 501(b) Information Security Programs; responsibly overseeing service provider arrangements; and taking action when a security breach occurs. In addition, IT examiners will consult with BSA examiners during the course of an examination to ensure that the procedures institutions employ to verify the identity of new customers are consistent with existing laws and regulations to prevent financial fraud, including identity theft.

The FDIC has also issued revised examination procedures for the Fair Credit Reporting Act (FCRA), through the auspices of the Federal Financial Institutions Examination Council's (FFIEC) Consumer Compliance Task Force.  These procedures are used during consumer compliance examinations and include steps to ensure that institutions comply with the FCRA's fraud and active duty alert provisions. These provisions enable consumers to place alerts on their consumer reports that require users, such as banks, to take additional steps to identify the consumer before new credit is extended. The procedures also include reviews of institutions' compliance with requirements governing the accuracy of data provided to consumer reporting agencies. These requirements include the blocking of data that may be the result of an identity theft. Compliance examiners are trained in the various requirements of the FCRA and ensure that institutions have effective programs to comply with the identity theft provisions. Consumers are protected from identity theft through the vigilant enforcement of all the examination programs, including Risk Management, Compliance, IT and BSA.

The Fair and Accurate Credit Transactions Act directed the FDIC and other federal agencies to jointly promulgate regulations and guidelines that focus on identity theft "red flags" and customer address discrepancies. As proposed, the guidelines would require financial institutions and creditors to establish a program to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The proposed joint regulation would require financial institutions and creditors to establish reasonable policies to implement the guidelines, including a provision requiring debit and credit card issuers to assess the validity of a request for a change of address. In addition, the agencies proposed joint regulations that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when the user receives a notice of address discrepancy. When promulgated in final form, these joint regulations and guidelines will comprise another element of the FDIC's program to prevent and mitigate identity theft.

 

 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Access Rights Administration (4 of 5)

The access rights process configures the system to allow users only the access rights they were granted. Since access rights do not automatically expire or update, periodic updating and review of access rights on the system is necessary. Updating should occur when an individual's business need for system use changes. Many job changes can result in an expansion or reduction of access rights. Job events that would trigger a removal of access rights include transfers, resignations, and terminations. Institutions should take particular care to promptly remove the access rights of users who have remote access privileges and of those who administer the institution's systems.

Because updating may not always be accurate, periodic review of user accounts is a good control to test whether the access right removal processes are functioning, and whether users exist who should have their rights rescinded or reduced. Financial institutions should review access rights on a schedule commensurate with risk.

Access rights to new software and hardware present a unique problem. Typically, hardware and software are installed with default users, with at least one default user having full access rights. Easily obtainable lists of popular software exist that identify the default users and passwords, enabling anyone with access to the system to obtain the default user's access. Default user accounts should either be disabled, or the authentication to the account should be changed.  Additionally, access to these default accounts should be monitored more closely than other accounts.

Sometimes software installs with a default account that allows anonymous access. Anonymous access is appropriate, for instance, where the general public accesses an informational web server. Systems that allow access to or store sensitive information, including customer information, should be protected against anonymous access.
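The periodic review described above, as an added example that is not part of the FFIEC booklet or this newsletter: it reconciles a system's account export against an HR roster and flags terminated or unknown users, rights left over from job changes, and enabled vendor default or anonymous accounts, ranking remote-access and administrative users highest. The roster, role-to-rights map, account names and rights are all constructed, and the reviewed system is assumed to hold customer information.

```python
from dataclasses import dataclass, field
# Constructed HR roster: employment status and current role per user ID.
HR_ROSTER = {
    "asmith": {"status": "active", "role": "teller"},
    "bjones": {"status": "active", "role": "teller"},  # transferred out of IT
    "cdoe": {"status": "terminated", "role": "loan_officer"},
}
# Rights each role legitimately needs (an assumption for this example).
ROLE_RIGHTS = {"teller": {"core_banking"},
               "loan_officer": {"core_banking", "loan_origination"}}
# Vendor defaults; the reviewed system holds customer data, so "anonymous" counts.
DEFAULT_ACCOUNTS = {"admin", "guest", "anonymous"}

@dataclass
class Account:
    user: str
    enabled: bool
    rights: set = field(default_factory=set)
    remote_access: bool = False
    admin: bool = False

def review_accounts(accounts, roster=HR_ROSTER, role_rights=ROLE_RIGHTS):
    """Return (user, severity, reason) findings; remote and admin users rank high."""
    findings = []
    for a in accounts:
        if not a.enabled:  # already disabled: nothing left to rescind
            continue
        sev = "high" if (a.remote_access or a.admin) else "medium"
        if a.user in DEFAULT_ACCOUNTS:
            findings.append((a.user, "high", "default account still enabled"))
            continue
        person = roster.get(a.user)
        if person is None or person["status"] != "active":
            findings.append((a.user, sev, "no active employee; remove access"))
            continue
        excess = a.rights - role_rights.get(person["role"], set())
        if excess:  # a job change left rights the current role does not need
            findings.append((a.user, sev, f"rights exceed role: {sorted(excess)}"))
    return sorted(findings, key=lambda f: (f[1] != "high", f[0]))

# Constructed account export from the system under review.
SAMPLE_ACCOUNTS = [
    Account("asmith", True, {"core_banking"}),
    Account("bjones", True, {"core_banking", "server_admin"}, admin=True),
    Account("cdoe", True, {"core_banking", "loan_origination"}, remote_access=True),
    Account("admin", True, {"server_admin"}),
    Account("guest", False),
    Account("svc_unknown", True, {"core_banking"}),
]
if __name__ == "__main__":
    print(*review_accounts(SAMPLE_ACCOUNTS), sep="\n")
```

Run on a schedule commensurate with risk, the "high" findings are the ones the section says to act on first: administrators, remote users, and default accounts.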



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:

a. financial service providers; [§6(c)(3)(i)]

b. non-financial companies; [§6(c)(3)(ii)] and

c. others? [§6(c)(3)(iii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
