REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Task force seeks to update New York state cyber crime laws - A
proposal released Tuesday addresses much needed updates to New York
State's white collar laws (PDF), which have remained mostly
unaltered since 1965.
Dutch IT companies rebel against security breach notification law -
Nederland ICT, the Netherlands' trade association that represents
Dutch IT companies with over 250,000 staff between them, is not
amused by a Dutch government plan to force tech firms to report
Nearly two years after a security researcher published details of
the hard-coded credentials that ship with a slew of industrial
control system products made by Schneider Electric, the company has
released updated firmware that fix the problems.
Hundreds of hackers sought for new £500m UK cyber-bomber strike
force - Britain must rm -rf its enemies or be rm -rf'ed, declares
defence secretary - The UK's Ministry of Defence wants to recruit an
army of computer experts to serve as "cyber reservists" to defend
- Appreciate your log data - Log data are like streams of non-stop
“tweets” coming from nearly every IT asset in one's infrastructure.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lexis-Nexis, D&B and Kroll hacked - Data-stealing botnet found in
aggregators' services - Major data aggregators have been compromised
“for months”, according to prominent security blogger Brian Krebs,
including Lexis-Nexis and Dun & Bradstreet.
Ex-Barclays worker fined £3,360 for accessing customer's data - A
former employee was found to have accessed the account details of
the partner of a friends of hers on 22 occasions, back in 2011. This
included finding out how many children the partner had, and telling
Human error leads to Virginia Tech computer server breach - A
computer server within the Department of Human Resources at Virginia
Polytechnic Institute and State University, popularly known as
Virginia Tech, was breached as a result of human error.
LA students bypass security measures on iPads, home use suspended -
After only a week with their school district-issued iPads, hundreds
of students found a way to bypass security measures placed on the
Unencrypted laptop stolen from Calif. hospital puts patients at risk
- Patients of California-based Santa Clara Valley Medical Center had
their medical data compromised when an unencrypted laptop was stolen
from the audiology department.
Europol nabs cyber crooks behind 21,000-strong hacked server store -
Europol has arrested the hacker masterminds behind a notorious cyber
black market, selling access to 21,000 compromised servers.
British teen accused of massive Spamhaus DDoS attack arrested months
ago - Police secretly arrested a London-based teen last April in
connection with the huge DDoS attack on anti-spam organisation
Spamhaus, it has been confirmed.
Iran's Hackers Are Still Chipping Away at U.S. Networks - Even as
the presidents of Iran and the U.S. speak to each other (on the
phone) for the first time since 1979, it looks like Iran hasn't
given up its cyberwar against the U.S. According to the The Wall
Street Journal, a group of hackers either working directly for the
Iranian government or with its approval accessed an unclassified
Navy computer network.
- Stolen laptop compromises hundreds of Wisconsin hospital patients
- Hundreds of patients treated this year at St. Mary's Janesville
Hospital in Wisconsin may have had their personal data compromised
when a health care laptop was stolen from the car of an employee.
- Hackers steal Adobe product source code and credit card data of
three million customers - Adobe is warning nearly three million of
its customers that their credit card data was breached – and that
the intruders also appear to have stolen product source code via
- Unauthorized user accesses medical records at Iowa-based health
system - Nearly two thousand patients may have personal information
at risk after an unauthorized user accessed an electronic medical
record (EMR) system for Iowa-based UnityPoint Health.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week concludes our series on
the FDIC's Supervisory Policy on Identity Theft.
6 of 6)
President’s Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Financial institutions have an affirmative and continuing obligation
to protect the privacy of customers' nonpublic personal information.
Despite generally strong controls and practices by financial
institutions, methods for stealing personal data and committing
fraud with that data are continuously evolving. The FDIC treats the
theft of personal financial information as a significant risk area
due to its potential to impact the safety and soundness of an
institution, harm consumers, and undermine confidence in the banking
system and economy. The FDIC believes that its collaborative efforts
with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
Selecting authentication mechanisms based on the risk associated
with the particular application or services;
2) Considering whether multi - factor authentication is appropriate
for each application, taking into account that multifactor
authentication is increasingly necessary for many forms of
electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators (e.g.,
passwords, PINs, digital certificates, and biometric templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi - factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
13. If the institution does not disclose nonpublic personal
information, and does not reserve the right to do so, other than
under exceptions in §14 and §15, does the institution provide a
simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the
confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to
other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an
institution may always use a full notice.)