REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Patent trolls and their effect on security - The influence of
computers in our everyday lives cannot be underestimated. The wealth
of knowledge, comfort, and ease afforded to the average individual
is unparalleled in human history. Despite this, there is a dark side
that can threaten even the most casual user and inflict incalculable
CyberCity allows government hackers to train for attacks - CyberCity
has all the makings of a regular town. There’s a bank, a hospital
and a power plant. A train station operates near a water tower. The
coffee shop offers free WiFi.
Obama issues insider threat guidance for gov't agencies - President
Obama has issued a memorandum to the heads of federal agencies,
informing them of new guidance for deterring the information
security threat posed by insiders.
TSA drops ‘insider threat’ label from spyware buy - The
Transportation Security Administration has reissued a June 20
purchase order for spyware that monitors employees’ computer
activities under a new name, explaining that contractors complained
the scope of the earlier descriptor was too constricting.
Texan schoolgirl expelled for refusing to wear RFID tag - A plan by
a San Antonio school district to continuously monitor its students
using RFID has run into legal problems after one of them took a
stand against being forced to use the tracking technology.
- Shylock banking malware can detect remote desktops - Shylock, a
trojan dropper that steals bank account information, is employing a
new trick to avoid detection: hiding from researchers who may be
studying it via remote desktop connections.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- S.C. tax
breach began when employee fell for spear phish - A targeted
phishing email delivered to an employee at the South Carolina
Department Revenue opened the door for attackers to exfiltrate
Social Security numbers and other personal data belonging to
millions of residents, according to a report prepared by a forensic
firm that investigated the mega breach.
Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer
Data - A hacker charged with federal crimes for obtaining the
personal data of more than 100,000 iPad owners from AT&T’s website
was found guilty on Tuesday.
U.S. accused of cyberattack on French government - The United States
denies it was involved in any attack on the French government,
calling it a top ally. The United States has been charged with
launching a cyberattack against France -- a claim the U.S.
government has categorically denied.
Former resident physician kept patient docs without permission -
University of Arkansas for Medical Sciences (UAMS) is alerting
hundreds of patients that a former resident physician stored
confidential medical documents without consent.
Yahoo email hijack possible with $700 XSS exploit - Yahoo reportedly
has yet to fix vulnerable code that is allowing a hacker to sell a
$700 exploit capable of undermining a cross-site scripting (XSS)
issue in Yahoo's website.
info of 1m compromised in Nationwide breach - The FBI is
investigating a breach at Nationwide Insurance, where hackers
recently accessed the sensitive information of about one million
people, including policy and non-policy holders.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (9 of 12)
Organize a public relations program.
Whether a bank is a local, national, or global firm,
negative publicity about a security compromise is a distinct
possibility. To address potential reputation risks associated with a
given incident, some banks have organized public relations programs
and designated specific points of contact to oversee the program. A
well-defined public relations program can provide a specific avenue
for open communications with both the media and the institution's
Recovering from an incident essentially involves restoring systems
to a known good state or returning processes and procedures to a
functional state. Some banks have incorporated the following best
practices related to the recovery process in their IRPs.
Determine whether configurations or processes should be changed.
If an institution is the subject of a security compromise,
the goals in the recovery process are to eliminate the cause of the
incident and ensure that the possibility of a repeat event is
minimized. A key component of this process is determining whether
system configurations or other processes should be changed. In the
case of technical compromises, such as a successful network
intrusion, the IRP can prompt management to update or modify system
configurations to help prevent further incidents. Part of this
process may include implementing an effective, ongoing patch
management program, which can reduce exposure to identified
technical vulnerabilities. In terms of non-technical compromises,
the IRP can direct management to review operational procedures or
processes and implement changes designed to prevent a repeat
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Non-repudiation involves creating proof of the origin or delivery of
data to protect the sender against false denial by the recipient
that the data has been received or to protect the recipient against
false denial by the sender that the data has been sent. To ensure
that a transaction is enforceable, steps must be taken to prohibit
parties from disputing the validity of, or refusing to acknowledge,
legitimate communications or transactions.
Access Control / System Design
Establishing a link between a bank's internal network and the
Internet can create a number of additional access points into the
internal operating system. Furthermore, because the Internet is
global, unauthorized access attempts might be initiated from
anywhere in the world. These factors present a heightened risk to
systems and data, necessitating strong security measures to control
access. Because the security of any network is only as strong as its
weakest link, the functionality of all related systems must be
protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds;
compromised data confidentiality; denial of service (system
failures); a damaged public image; and resulting legal implications.
Perpetrators may include hackers, unscrupulous vendors, former or
disgruntled employees, or even agents of espionage.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for Service
Providers and Joint Marketing
47. If the institution discloses nonpublic personal information to
a nonaffiliated third party without permitting the consumer to opt
out, do the opt out requirements of §7 and §10, and the revised
notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial notice;
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes?