REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- Supreme Court allows wiretapping immunity law to stand - Hepting
v. AT&T, a suit challenging the FISA Amendments Act, comes to an
end. The Supreme Court declined to review a lower court ruling in a
case that challenged a Bush-era law (the FISA Amendments Act),
retroactively giving telecommunications firms - including Verizon,
Sprint, and AT&T - legal immunity after performing warrantless
wiretapping at the government’s request.
- DLA Demands Chip Makers Tag Products With Plant DNA; A War On
Counterfeiters - This November, the Defense Logistics Agency will
require companies selling microcircuits to the military to stamp
their products with an unlikely seal of authenticity: plant DNA.
- Use of location data not well-disclosed - A GAO report says that
mobile carriers and app developers provide inconsistent and unclear
information about their use of location data - Mobile carriers and
app providers do not consistently or clearly disclose to customers
how they use location information and other personal data, according
to a new report from government auditor the U.S. Government
Accountability Office (GAO).
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Irish Google, Yahoo Domains Taken Offline Briefly After Security
Breach - Users of Google.ie and Yahoo.ie were impacted by the
incident, which stemmed from an unauthorized access of a registrar's
account. The DNS name server records of both domains were changed to
point to other name servers associated with well-known hacking
sites, officials say.
- Thousands of student records stolen in Florida college breach -
Confidential information of nearly 300,000 students, faculty, and
employees is accessed in hack, education officials warn. Hackers
have accessed the confidential information of nearly 300,000
students, employees, and faculty in a massive security breach at a
Florida college, officials said today.
- Bank Hacks: Iran Blame Game Intensifies - Wells Fargo official
says scale of the attacks was "pretty significant." Is this the face
of "cyberwar"? Who's behind the continuing series of attacks against
the websites of numerous U.S. banks? A flurry of news reports Friday
pointed the finger squarely at Iran.
- Cyberthieves loot $400,000 from city bank account - Cybertheft
comes just days after RSA issued a warning that criminal gang
planned massive attacks against U.S. banking customers - Burlington,
Wash. officials have notified hundreds of employees and residents
that their bank account information was compromised last week when
hackers broke into city systems and stole more than $400,000 from a
city account at Bank of America.
- NZ government network leaking data like a sieve - Ministry
apologises, launches investigation - A row has broken out in New
Zealand after a blogger exposed serious security flaws in that
country’s job-seeker network.
- Hackers Breach 53 Universities and Dump Thousands of Personal
Records Online - Hackers published online Monday thousands of
personal records from 53 universities, including Harvard, Stanford,
Cornell, Princeton, Johns Hopkins, the University of Zurich and
other universities around the world.
- Cyberthieves steal $400,000 from Bank of America - The account --
now frozen -- is used to pay city government workers in Burlington,
Wash., via direct deposit.
- University of Georgia latest target of data breach - The
University of Georgia (UGA) is investigating a data breach that may
have led to compromised information of current and former school
employees – marking the school's second breach in just over a year.
- New cyber attacks on U.S. banks; Iran suspected - Cyber attacks on
U.S. banks continued this week from suspected hackers believed to be
supported by the Iranian government, according to U.S.
WEB SITE COMPLIANCE -
We continue the series
on the FDIC Supervisory Insights article regarding Incident Response
Programs. (3 of 12)
Elements of an Incident Response Program
Although the specific content of an IRP will differ among financial
institutions, each IRP should revolve around the minimum procedural
requirements prescribed by the Federal bank regulatory agencies.
Beyond this fundamental content, however, strong financial
institution management teams also incorporate industry best
practices to further refine and enhance their IRP. In general, the
overall comprehensiveness of an IRP should be commensurate with an
institution's administrative, technical, and organizational
The minimum required procedures addressed in the April 2005
interpretive guidance can be categorized into two broad areas:
"reaction" and "notification." In general, reaction procedures are
the initial actions taken once a compromise has been identified.
Notification procedures are relatively straightforward and involve
communicating the details or events of the incident to interested
parties; however, they may also involve some reporting
requirements. The minimum required procedures of an IRP, as discussed
in the April 2005 interpretive guidance, are listed below.
Develop reaction procedures for:
1) assessing security incidents that have occurred;
2) identifying the customer information and information systems that
have been accessed or misused; and
3) containing and controlling the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious
Activity Reports [SARs], if necessary); and
3) affected customers.
INFORMATION TECHNOLOGY SECURITY -
We continue our coverage of
the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Using "Wired Equivalent Privacy" (WEP) by itself to provide wireless
network security may lead a financial institution to a false sense
of security. Information traveling over the network appears secure
because it is encrypted. This appearance of security, however, can
be defeated in a relatively short time: WEP's weaknesses are well
documented, and its keys can be recovered from captured traffic.
Through such attacks on WEP, unauthorized personnel could gain
access to the financial institution's data and systems. For example,
an attacker with a laptop computer and a wireless network card could
eavesdrop on the bank's network, obtain private customer
information, obtain access to bank systems and initiate unauthorized
transactions against customer accounts.
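The following is an added example, not part of the FDIC guidance, showing one concrete reason WEP falls in "a relatively short time": WEP prepends a 24-bit initialization vector (sent in the clear) to the shared key before seeding RC4, so a busy access point repeats an IV after a few thousand frames, and any two frames under the same IV share an RC4 keystream. Because every WEP data frame starts with a fixed LLC/SNAP header, an eavesdropper who knows one frame's plaintext recovers the keystream and reads the other frame without ever learning the key. The key, IVs and payloads in the code are constructed for the demonstration; the RC4, WEP framing and birthday-bound routines are this example's own implementations.

```python
"""Added example (not from the FDIC guidance): IV reuse in WEP.
WEP seeds RC4 with a 24-bit IV, sent in the clear, prepended to the
shared key.  Two frames under the same IV share a keystream, so an
eavesdropper who knows one frame's plaintext can read the other.
All keys, IVs and payloads here are constructed for the demonstration.
"""
import math
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV (clear) || RC4(IV||key) XOR (plaintext || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4(iv + shared_key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip IV, regenerate keystream, verify ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + shared_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_from_iv_reuse(frame_a: bytes, known_plain_a: bytes,
                          frame_b: bytes) -> bytes:
    """Eavesdropper with no key.  Frames A and B share an IV and A's
    plaintext is known, so C_a XOR P_a = keystream and C_b XOR keystream
    = P_b.  Returns as many bytes of P_b as the known plaintext covers."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV")
    keystream = xor(frame_a[3:], known_plain_a)
    return xor(frame_b[3:], keystream)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats among `frames`
    frames drawn uniformly from a 2**iv_bits space."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")               # constructed 40-bit WEP key
    iv = b"\x00\x00\x2a"                            # constructed IV
    llc_snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # header of every IP-over-WEP frame
    plain_a = llc_snap + b"GET /acct HTTP/1.0\r\n"
    frame_a = wep_encrypt(key, iv, plain_a)
    frame_b = wep_encrypt(key, iv, llc_snap + b"PIN=4321&amt=900.00\r\n")
    print(recover_from_iv_reuse(frame_a, plain_a, frame_b))
    print("P(IV repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
```

The birthday bound is the point to take away: with only 2^24 IVs, the probability that some IV has already repeated passes one half after roughly five thousand frames, which a single workstation produces in minutes. The known-plaintext recovery shown here is only the simplest of the published attacks; the key-recovery attacks that tools automate need no plaintext knowledge at all.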
Another risk in implementing wireless networks is the potential
disruption of wireless service caused by radio transmissions of
other devices. For example, the frequency range used for 802.11b
equipment is also shared by microwave ovens, cordless phones and
other radio-wave-emitting equipment that can potentially interfere
with transmissions and lower network performance. Also, as wireless
workstations are added within a relatively small area, they will
begin to compete with each other for wireless bandwidth, decreasing
the overall performance of the wireless network.
Risk Mitigation Components -- Wireless Internal Networks
A key step in mitigating security risks related to the use of
wireless technologies is to create policies, standards and
procedures that establish minimum levels of security. Financial
institutions should adopt standards that require end-to-end
encryption for wireless communications based on proven encryption
methods. Also, as wireless technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless network devices.
For wireless internal networks, financial institutions should adopt
standards that require strong encryption of the data stream through
technologies such as the IP Security protocol (IPsec). These methods
effectively establish a virtual private network between the wireless
workstation and other components of the network. Even though the
underlying WEP encryption may be broken, an attacker would be faced
with having to defeat an industry-proven security standard.
Financial institutions should also consider the proximity of their
wireless networks to publicly available places. A wireless network
that does not extend beyond the confines of the financial
institution's office space carries with it far less risk than one
that extends into neighboring buildings. Before bringing a wireless
network online, the financial institution should perform a limited
pilot to test the effective range of the wireless network and
consider positioning devices in places where they will not broadcast
beyond the office space. The institution should also be mindful that
each workstation with a wireless card is a transmitter. Confidential
customer information may be obtained by listening in on the
workstation side of the conversation, even though the listener may
be out of range of the access device.
The financial institution should consider having regular independent
security testing performed on its wireless network environment.
Specific testing goals would include the verification of appropriate
security settings, the effectiveness of the wireless security
implementation and the identification of rogue wireless devices that
do not conform to the institution's stated standards. The security
testing should be performed by an organization that is technically
qualified to perform wireless testing and demonstrates appropriate
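The following is an added example, not part of the FDIC guidance, of the reconciliation step in the independent testing described above: a wireless survey is compared against the institution's inventory of authorised access points to pick out rogue devices, an "evil twin" broadcasting the corporate SSID from an unknown radio, and any access point still relying on WEP. The survey text imitates the layout of `iw dev <iface> scan` output but is constructed for this example, and the inventory, SSIDs, BSSIDs and on-premises signal threshold are all assumptions.

```python
"""Added example (not from the FDIC guidance): reconcile a wireless survey
against an inventory of authorised access points.  The scan text below
imitates `iw dev <iface> scan` output but is constructed for this example;
the inventory and signal threshold are assumptions.
"""
import re

# Hypothetical inventory: BSSID -> SSID the device is supposed to advertise.
AUTHORISED_APS = {
    "00:11:22:33:44:01": "BankCorp",
    "00:11:22:33:44:02": "BankCorp",
}
CORPORATE_SSIDS = set(AUTHORISED_APS.values())
# Assumption: anything heard stronger than this is inside the office space
# (calibrate it from the range pilot the guidance recommends).
ON_PREMISES_DBM = -65.0

# Constructed survey: two authorised APs, an evil twin, a WEP printer
# someone plugged in, and a weak neighbouring network.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    freq: 2412
    signal: -41.00 dBm
    capability: ESS Privacy (0x0411)
    SSID: BankCorp
    RSN:     * Version: 1
BSS 00:11:22:33:44:02(on wlan0)
    freq: 5180
    signal: -58.00 dBm
    capability: ESS Privacy (0x0411)
    SSID: BankCorp
    RSN:     * Version: 1
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2437
    signal: -47.00 dBm
    capability: ESS Privacy (0x0411)
    SSID: BankCorp
    RSN:     * Version: 1
BSS ca:fe:00:00:00:07(on wlan0)
    freq: 2462
    signal: -52.00 dBm
    capability: ESS Privacy (0x0411)
    SSID: teller-printer
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2412
    signal: -85.00 dBm
    capability: ESS (0x0401)
    SSID: NeighbourCafe
"""

_BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse_scan(text: str) -> list:
    """Split iw-style scan output into one record per BSS."""
    aps, cur = [], None
    for line in text.splitlines():
        m = _BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "signal": None,
                   "privacy": False, "rsn_or_wpa": False}
            aps.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[len("SSID:"):].strip()
        elif s.startswith("signal:"):
            cur["signal"] = float(s.split()[1])       # "-41.00 dBm"
        elif s.startswith("capability:"):
            cur["privacy"] = "Privacy" in s            # some encryption is on
        elif s.startswith(("RSN:", "WPA:")):
            cur["rsn_or_wpa"] = True                   # WPA/WPA2; absent => WEP
    return aps


def classify(ap: dict) -> str:
    """Verdict for one BSS against the inventory and the encryption standard."""
    wep_only = ap["privacy"] and not ap["rsn_or_wpa"]
    in_range = ap["signal"] is not None and ap["signal"] > ON_PREMISES_DBM
    if ap["bssid"] in AUTHORISED_APS:
        if AUTHORISED_APS[ap["bssid"]] != ap["ssid"]:
            return "authorised BSSID advertising wrong SSID"
        return "authorised, WEP-only (non-conforming)" if wep_only else "authorised"
    if ap["ssid"] in CORPORATE_SSIDS:
        return "evil twin: corporate SSID from unknown BSSID"
    if in_range:
        return "rogue (WEP)" if wep_only else "rogue (unknown AP on premises)"
    return "neighbour (out of range)"


def report(text: str) -> dict:
    """Map each BSSID seen in the survey to its verdict."""
    return {ap["bssid"]: classify(ap) for ap in parse_scan(text)}


if __name__ == "__main__":
    for bssid, verdict in report(SAMPLE_SCAN).items():
        print(bssid, verdict)
```

The inventory, not the SSID, is the source of truth here: the evil twin advertises the correct network name, and only its unknown BSSID gives it away. The signal threshold is what turns "unknown access point" into "on our premises", which is why the range pilot the guidance recommends should be done before this check is relied on.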
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice;
c. it has given the consumer a reasonable opportunity to opt out
before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])