REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- The FDA takes steps to strengthen cybersecurity of medical devices
- To strengthen the safety of medical devices, the U.S. Food and
Drug Administration today finalized recommendations to manufacturers
for managing cybersecurity risks to better protect patient health
- The Unpatchable Malware That Infects USBs Is Now on the Loose -
t’s been just two months since researcher Karsten Nohl demonstrated
an attack he called BadUSB to a standing-room-only crowd at the
Black Hat security conference in Las Vegas, showing that it’s
possible to corrupt any USB device with insidious, undetectable
- Marriott fined $600k for deliberate JAMMING of guests' Wi-Fi
hotspots - The Marriott has been fined $600,000 by the FCC for
paralyzing guests' personal Wi-Fi hotspots, forcing them to use the
hotel giant's expensive network instead.
- Group infects more than 500K systems, targets banking credentials
in U.S. - Researchers with security company Proofpoint have
identified a Russian-speaking cybercrime group that has infected
more than 500,000 systems and is targeting online credentials for
major banks in the U.S and Europe.
- ISACA announces entry-level cybersecurity certificate - Global IT
association ISACA has created a new cybersecurity certificate that's
intended for those looking to break into the field.
- US spying scandal will 'break the Internet,' says Google's Schmidt
- US government surveillance is destroying the digital economy, a
roundtable of execs from Google, Microsoft, Facebook and other tech
companies tell Sen. Ron Wyden.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Chase breach affects 76 million accounts, raises questions about
detection failure - As JPMorgan Chase issued an apology to customers
and acknowledges that the data breach discovered this summer lasted
much longer and affected more customers than previously believed,
serious questions—that industry insiders say require immediate
answers—are being posed about how the breach could have gone
undetected for so long.
- After Chase disclosure, bank regulator rallies execs to shore up
defenses - Now that JPMorgan Chase has revealed that a cyberattack
it sustained impacts the accounts of 76 million households and seven
million businesses, a New York bank regulator has taken action to
make sure the heads of financial institutions are aware of their
responsibility in thwarting future attacks within the sector.
- FHSU former student data inadvertently posted online - Fort Hays
State University in Kansas is notifying more than a hundred former
students that an employee inadvertently made their personal
information – including Social Security numbers – available online.
- Unauthorized employee may have accessed AT&T customer info - The
personal information of AT&T might have been compromised when an
employee viewed account information without proper authorization,
according to a letter the company sent to victims.
- Unencrypted laptop stolen from Community Technology Alliance -
California-based Community Technology Alliance (CTA) is notifying
more than a thousand individuals that their personal information –
including Social Security numbers – was on an unencrypted, password
protected laptop that was stolen.
- ATM malware 'Tyupkin' found on over 50 machines in Europe, spreads
to U.S. - New malware, called “Tyupkin,” has been used by criminals
to withdraw millions in cash from ATM machines running 32-bit
Windows platforms – and researchers warn that the threat has
continued to evolve in recent months.
- Touchstone Medical Imaging patient data accessible online -
Tennessee-based Touchstone Medical Imaging is notifying an
undisclosed number of patients that their personal information –
including Social Security numbers – had inadvertently been made
accessible via the internet.
- Valeritas notifies all employees of possible data breach - Medical
treatment solutions developer Valeritas is notifying all staffers
that security settings were inadvertently removed from a folder
containing their personal information – including Social Security
numbers – and it was possible for other employees to access the
- Malware on NDSCS computers that stored data on 15K students and
staffers - North Dakota State College of Science (NDSCS) is
notifying more than 15,000 current and former students and employees
that malware was discovered on numerous computers that contained
their personal information – including Social Security numbers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 4: Banks should ensure that proper
authorization controls and access privileges are in place for
e-banking systems, databases and applications.
In order to maintain segregation of duties, banks need to strictly
control authorization and access privileges. Failure to provide
adequate authorization control could allow individuals to alter
their authority, circumvent segregation and gain access to e-banking
systems, databases or applications to which they are not privileged.
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
AGREEMENTS: CONFIDENTIALITY, NON - DISCLOSURE, AND
Financial institutions should protect the confidentiality of
information about their customers and organization. A breach in
confidentiality could disclose competitive information, increase
fraud risk, damage the institution's reputation, violate customer
privacy and associated rights, and violate regulatory requirements.
Confidentiality agreements put all parties on notice that the
financial institution owns its information, expects strict
confidentiality, and prohibits information sharing outside of that
required for legitimate business needs. Management should obtain
signed confidentiality agreements before granting new employees and
contractors access to information technology systems.
Job descriptions, employment agreements, and policy awareness
acknowledgements increase accountability for security. Management
can communicate general and specific security roles and
responsibilities for all employees within their job descriptions.
Management should expect all employees, officers, and contractors to
comply with security and acceptable use policies and protect the
institution's assets, including information. The job descriptions
for security personnel should describe the systems and processes
they will protect and the control processes for which they are
responsible. Management can take similar steps to ensure contractors
and consultants understand their security responsibilities as well.
Financial institutions need to educate users regarding their
security roles and responsibilities. Training should support
security awareness and should strengthen compliance with the
security policy. Ultimately, the behavior and priorities of senior
management heavily influence the level of employee awareness and
policy compliance, so training and the commitment to security should
start with senior management. Training materials would typically
review the acceptable - use policy and include issues like desktop
security, log - on requirements, password administration guidelines,
etc. Training should also address social engineering, and the
policies and procedures that protect against social engineering
attacks. Many institutions integrate a signed security awareness
agreement along with periodic training and refresher courses.
Return to the top of
INTERNET PRIVACY -
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand;
by mail; electronically, if the consumer agrees; or as a necessary
step of a transaction) (§9).
customers only, review the timeliness of delivery (§§4(d), 4(e),
5(a)), means of delivery of annual notice (§9(c)), and accessibility
of or ability to retain the notice (§9(e)).