Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is available for Android smartphones and tablets. Go to the Market Store and search for yennik.
- 7 Lessons: Surviving A Zero-Day Attack - Pacific Northwest
National Laboratory CIO Jerry Johnson takes you inside the cyber
attack that he faced down--and shares his security lessons learned.
When Pacific Northwest National Laboratory detected a cyber
attack--actually two of them--against its tech infrastructure in
July, the lab acted quickly to root out the exploits and secure its
- Telecommunications regulator bars DigiNotar from issuing
certificates - The Dutch telecommunications regulator (OPTA) has
barred the DigiNotar Certificate Authority from issuing further
- Man stole data from U.S. service members via P2P - A California
man who dug up sensitive information belonging to U.S. service
members on peer-to-peer networks, and then used it to order iPods,
cameras, and even washing machines from an online store, was
sentenced to 75 months in federal prison Thursday.
- FISMA Mandates Monthly Security Reports For Agencies - Move from
annual reports to consistent CyberScope submissions expected to
lighten agencies' compliance burden, tighten federal cybersecurity.
Federal agencies must begin reporting security data to an online
compliance tool as part of fiscal year 2011 requirements for the
Federal Information Security Management Act (FISMA).
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- FBI investigating 400 bank account takeovers - Despite fresh guidance and quicker fraud detection, the FBI is actively investigating more than 400 cases of corporate bank account takeovers, an official told federal lawmakers last week.
- SpyEye hacking kit adds Android infection to bag of tricks - Intercepts text messages banks use as secondary authentication for account access - The SpyEye hacking toolkit has added an Android component that collects the text messages some banks use as an extra security precaution, a researcher said today.
- Hacker "soldier" steals $3.2 million from U.S. companies - A
hacker known in the cybercriminal underground as “soldier” has
stolen $3.2 million from major U.S. corporations in the past six
months, according to researchers at anti-virus firm Trend Micro.
WEB SITE COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these attacks somewhat through network configuration and design, sound implementation of their firewall architecture that includes multiple filter points, active firewall monitoring and management, and integrated intrusion detection. In most cases, additional access controls within the operating system or application will provide a further means of defense.
Given the importance of firewalls as a means of access control, good
- Hardening the firewall by removing all unnecessary services and appropriately patching, enhancing, and maintaining all software on the firewall unit;
- Restricting network mapping capabilities through the firewall, primarily by blocking inbound ICMP traffic;
- Using a ruleset that disallows all traffic that is not
- Using NAT and split DNS (domain name service) to hide internal system names and addresses from external networks (split DNS uses two domain name servers, one to communicate outside the network, and the other to offer services inside the network);
- Using proxy connections for outbound HTTP connections;
- Filtering malicious code;
- Backing up firewalls to internal media, and not backing up the firewall to servers on protected networks;
- Logging activity, with daily administrator review;
- Using intrusion detection devices to monitor actions on the firewall and to monitor communications allowed through the firewall;
- Administering the firewall using encrypted communications and strong authentication, only accessing the firewall from secure devices, and monitoring all administrative access;
- Limiting administrative access to few individuals; and
- Making changes only through well-administered change control
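As an added example (not part of the FFIEC booklet or this newsletter), the following script audits a simplified firewall ruleset against several of the checklist items above: default-deny on both chains, inbound ICMP blocked, a logging rule present, and administrative access to the firewall only over encrypted protocols from a management network. The rule format, the sample ruleset, and the 10.0.100.0/24 management network are constructed for illustration.

```python
"""Audit a simplified firewall ruleset against the FFIEC firewall-policy
checklist (default deny, inbound ICMP blocked, logging, encrypted admin
access only from a management network). Added example; the rule format
and the sample ruleset are constructed, not taken from any real product."""
from ipaddress import ip_network

# Constructed ruleset: each rule is (chain, action, proto, dport, src).
# "input" = traffic addressed to the firewall itself, "forward" = traffic through it.
POLICY = {"input": "drop", "forward": "drop"}  # default-deny on both chains
RULES = [
    ("input",   "accept", "tcp",  22,   "10.0.100.0/24"),  # SSH from management net only
    ("input",   "drop",   "icmp", None, "0.0.0.0/0"),      # block inbound ICMP (network mapping)
    ("forward", "accept", "tcp",  3128, "10.0.0.0/8"),     # internal hosts to the outbound HTTP proxy
    ("forward", "log",    "any",  None, "0.0.0.0/0"),      # log what is not explicitly accepted
]
MGMT_NET = ip_network("10.0.100.0/24")  # assumed management network
ADMIN_PORTS = {22, 443}                 # encrypted admin channels: SSH, HTTPS
CLEARTEXT_ADMIN = {23, 80, 161}         # telnet, plain HTTP, SNMP v1/v2c


def audit(policy, rules):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for chain in ("input", "forward"):
        if policy.get(chain) != "drop":
            findings.append(f"{chain}: default policy is not drop")
    if not any(c == "input" and a == "drop" and p == "icmp" for c, a, p, _, _ in rules):
        findings.append("input: inbound ICMP is not blocked")
    if not any(a == "log" for _, a, _, _, _ in rules):
        findings.append("no logging rule present")
    for chain, action, proto, dport, src in rules:
        if chain != "input" or action != "accept":
            continue  # only accepts that reach the firewall itself matter here
        if dport in CLEARTEXT_ADMIN:
            findings.append(f"input: cleartext admin port {dport} accepted")
        if dport in ADMIN_PORTS and not ip_network(src).subnet_of(MGMT_NET):
            findings.append(f"input: admin port {dport} open from {src}")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICY, RULES) or ["no findings"]:
        print(finding)
```

Feeding the script a weakened ruleset (for instance a forward chain with an accept default, or telnet to the firewall from anywhere) produces one finding per violated checklist item, which is the kind of record a daily administrator review would act on.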
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Financial Institution Duties (Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of its
privacy policies and practices to each customer, not later than the
time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
2) A financial institution must provide an annual notice at least
once in any period of 12 consecutive months during the continuation
of the customer relationship.
3) Generally, new privacy notices are not required for each new
product or service. However, a financial institution must provide a
new notice to an existing customer when the customer obtains a new
financial product or service from the institution, if the initial or
annual notice most recently provided to the customer was not
accurate with respect to the new financial product or service.
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.