REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
- Fake tech gear has infiltrated the U.S. government - A record
number of tech products used by the U.S. military and dozens of
other federal agencies are counterfeit. That opens up a myriad of
national security risks, from dud missiles to short-circuiting
airplane parts.
- BlackBerry 10 is FIPS certified in advance of platform's release -
After several federal agencies said they will stop using BlackBerry
devices and switch to iPhones, Research In Motion took the unusual
step today of announcing a tough security certification for
BlackBerry 10 in advance of the device's launch next quarter.
- Patent troll sues just about the whole tech biz over 4 years - Lots
and lots of billygoats, you know, went over its bridge - A patent
holding firm has made it its business to sue just about every tech
firm anyone has heard of in its quest to make money from an
encryption patent, it has emerged.
- Cyber attacks have changed, but Australia is doing something about
it: SANS - Australia knows how to fix things and is doing something
about it, at least when it comes to online security.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Stuxnet Infected Chevron's IT Network - Stuxnet, the sophisticated
computer worm created by the United States and Israel to spy on and
attack Iran's nuclear enrichment facility at Natanz, also infected
Chevron's network in 2010, shortly after it escaped from its intended
target.
- Backup tapes missing from health facilities in Mass. and R.I. -
Unencrypted backup tapes, containing the personal information of
several thousand patients who visited two Women & Infants Hospital
walk-in facilities, have gone missing.
- SEC staffers leave computers open to cyber attack, report says - The
agency was forced to hire a third-party firm and pay it at least
$200,000 to determine whether any breaches had occurred. Staffers in
the SEC's Trading and Markets Division left their computers totally
unprotected against possible attacks, forcing the agency to scramble
to determine whether any sensitive data had been stolen, Reuters
reported, citing unidentified sources with knowledge of the
- Stolen laptop results in theft of 100k patient records - A laptop
containing the unencrypted personal records of Alere Home Monitoring
customers was stolen from an employee's car.
- Adobe Connect forum pulled offline after database breach -
Connectusers.com, an Adobe customer forum for its Connect
online-conferencing service, was pulled offline by Adobe after the
forum's database was breached.
- Anonymous targets Israeli sites, offers Gazans internet help -
Anonymous hacktivists have united to stand with Gaza after Israeli
forces on Wednesday launched a military operation against the
- Sensitive NASA data at risk following stolen laptop - A laptop
containing the unencrypted personal information belonging to NASA
workers was stolen from an employee's car.
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights on Incident Response
Programs (IRPs). (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program is
to define what constitutes an incident. This step is important as it
sharpens the organization's focus and delineates the types of events
that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
The ability to detect that an incident is occurring or has occurred
is an important component of the incident response process. This is
considerably more important with respect to technical threats, since
these can be more difficult to identify without the proper technical
solutions in place. If an institution is not positioned to quickly
identify incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such
as an intrusion detection system or a firewall, to assist in the
identification of unauthorized system access. Activity reports from
these and other technical solutions (such as network and application
security reports) serve as inputs for the monitoring process and for
the IRP in general. Identifying potential indicators of unauthorized
system access within these activity or security reports can assist
in the detection process.
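The practice above says little about what "identifying indicators within activity reports" looks like in code, so here is an added example; it is not from the FDIC article or this newsletter. It runs three indicator checks over constructed report lines: a single source denied on many distinct ports of one host (scanning), a run of failed logins for a user/source pair that ends in a success (password guessing that worked), and a successful login during quiet hours. The line format, the host names fw01 and app01, the addresses (203.0.113.7 is from the documentation range) and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample activity-report lines (not real institution logs).
# Hosts fw01/app01, the 10.0.0.0/8 internal range and the source
# 203.0.113.7 (TEST-NET-3 documentation range) are all hypothetical.
SAMPLE_LOG = """\
2012-11-19T02:14:01 fw01 DENY tcp 203.0.113.7:51222 -> 10.1.2.3:22
2012-11-19T02:14:02 fw01 DENY tcp 203.0.113.7:51223 -> 10.1.2.3:3389
2012-11-19T02:14:03 fw01 DENY tcp 203.0.113.7:51224 -> 10.1.2.3:445
2012-11-19T02:14:04 fw01 DENY tcp 203.0.113.7:51225 -> 10.1.2.3:1433
2012-11-19T02:14:05 fw01 DENY tcp 203.0.113.7:51226 -> 10.1.2.3:8080
2012-11-19T02:15:10 app01 AUTH FAIL user=jsmith src=203.0.113.7
2012-11-19T02:15:14 app01 AUTH FAIL user=jsmith src=203.0.113.7
2012-11-19T02:15:19 app01 AUTH FAIL user=jsmith src=203.0.113.7
2012-11-19T02:15:25 app01 AUTH FAIL user=jsmith src=203.0.113.7
2012-11-19T02:15:31 app01 AUTH OK user=jsmith src=203.0.113.7
2012-11-19T09:05:00 app01 AUTH OK user=mlee src=10.2.0.44
2012-11-19T09:06:12 app01 AUTH FAIL user=mlee src=10.2.0.44
2012-11-19T09:06:20 app01 AUTH OK user=mlee src=10.2.0.44
"""

# Assumed line formats for the firewall and application login reports.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) AUTH (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)


def parse(lines):
    """Turn raw report lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events.append({"kind": "fw", **m.groupdict()})
            continue
        m = AUTH_RE.match(line)
        if m:
            events.append({"kind": "auth", **m.groupdict()})
    return events


def find_indicators(lines, scan_ports=5, brute_fails=4, quiet_hours=(0, 6)):
    """Return indicator findings drawn from an activity report.

    Thresholds are parameters because the right values depend on the
    institution's own baseline, not on anything in the guidance.
    """
    events = parse(lines)
    findings = []

    # Indicator 1: many distinct destination ports denied for one (src, dst).
    denied_ports = defaultdict(set)
    for e in events:
        if e["kind"] == "fw" and e["action"] == "DENY":
            denied_ports[(e["src"], e["dst"])].add(e["dport"])
    for (src, dst), ports in denied_ports.items():
        if len(ports) >= scan_ports:
            findings.append({"indicator": "port_scan", "src": src,
                             "dst": dst, "ports": len(ports)})

    # Indicator 2: a run of failures followed by a success for the same
    # user/source pair. Events are taken in report order, so the report
    # must be chronological.
    fail_run = defaultdict(int)
    for e in events:
        if e["kind"] != "auth":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            fail_run[key] += 1
            continue
        if fail_run[key] >= brute_fails:
            findings.append({"indicator": "brute_force_success",
                             "user": e["user"], "src": e["src"],
                             "failures": fail_run[key], "ts": e["ts"]})
        fail_run[key] = 0

    # Indicator 3: successful login inside the quiet-hours window.
    start, end = quiet_hours
    for e in events:
        if e["kind"] == "auth" and e["result"] == "OK":
            hour = datetime.fromisoformat(e["ts"]).hour
            if start <= hour < end:
                findings.append({"indicator": "off_hours_login",
                                 "user": e["user"], "src": e["src"],
                                 "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, all three indicators fire for the same source (203.0.113.7), which is the kind of correlation across firewall and application reports the guidance has in mind. The mlee entries show the false-positive side: one mistyped password during business hours produces nothing.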
Involve legal counsel.
Because many states have enacted laws governing
notification requirements for customer information security
compromises, institutions have found it prudent to involve the
institution's legal counsel when a compromise of customer
information has been detected. Legal guidance may also be warranted
in properly documenting and handling the incident.
INFORMATION TECHNOLOGY SECURITY -
We begin a new series
from the FDIC paper "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in December
1997, the issues are still relevant.
This FDIC paper alerts financial institutions to the fundamental
technological risks presented by use of the Internet. Regardless of
whether systems are maintained in-house or services are outsourced,
bank management is responsible for protecting systems and data from
The Internet is inherently insecure. By design, it is an open
network which facilitates the flow of information between computers.
Technologies are being developed so the Internet may be used for
secure electronic commerce transactions, but failure to review and
address the inherent risk factors increases the likelihood of system
or data compromise. Five areas of concern relating to both
transactional and system security issues, as discussed below, are:
Data Privacy and Confidentiality, Data Integrity, Authentication,
Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including electronic
mail, travel openly over the Internet and can be monitored or read
by others. Given the volume of transmissions and the numerous paths
available for data travel, it is unlikely that a particular
transmission would be monitored at random. However, "sniffer"
programs can be placed at opportune locations on a network, such as
Web servers (i.e., computers that provide services to other computers
on the Internet), to look for and collect specific types of data.
Data collected by such programs can include account numbers (e.g.,
credit cards, deposits, or loans) or
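To make the sniffer risk concrete, here is an added example, not from the FDIC paper or this newsletter, of the "look for and collect certain types of data" step: a scan of captured bytes for card numbers, using a digit-pattern match followed by the Luhn check digit test so that other long numbers are discarded. The captured request, the host name shop.example and the field names are constructed for the illustration; the card numbers are the well-known Visa and American Express test numbers plus a deliberately Luhn-invalid decoy.

```python
import re
from typing import List

# Constructed capture of a cleartext HTTP request (hypothetical host
# shop.example). 4111111111111111 and 378282246310005 are the standard
# Visa/American Express test numbers; 4111111111111112 is a Luhn-invalid
# decoy and 5550100 is too short to be a card number.
CLEARTEXT_CAPTURE = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"name=A.+Customer&card=4111111111111111&exp=1215&cvv=123"
    b"&alt=3782-822463-10005&order=4111111111111112&phone=5550100"
)

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def harvest_pans(capture: bytes) -> List[str]:
    """Return the distinct Luhn-valid card numbers found in a byte stream."""
    found: List[str] = []
    for m in PAN_CANDIDATE.finditer(capture):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits, the usual form for incident reports."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    for pan in harvest_pans(CLEARTEXT_CAPTURE):
        print(mask(pan))
```

The same request carried inside TLS is opaque to a sniffer on any network segment between browser and server, which is how the "technologies being developed" the paper refers to answered this risk. The caveat is that the paper's example location, the Web server itself, sits after TLS termination, so a sniffer running on that host still sees the decrypted bytes; that is why the next paragraph's point about securing the server and connected storage still applies.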
Due to the design of the Internet, data privacy and confidentiality
issues extend beyond data transfer and include any connected data
storage systems, including network drives. Any data stored on a Web
server may be susceptible to compromise if proper security
precautions are not taken.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
a. to the affiliates of the financial institution from which it
received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the same
disclosure restrictions as the recipient institution; [§11(b)(1)(ii)]
c. to any other person, if the disclosure would be lawful if made
directly to that person by the institution from which the recipient
institution received the information? [§11(b)(1)(iii)]