Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Feds back off on Jan.1 eHealth standards deadline - U.S. health
officials delay enforcement until March 31, 2012 - The U.S. Centers
for Medicare & Medicaid said Thursday that it will delay enforcement
of a deadline for healthcare providers to roll out a new version of
a standard governing how medical transactions are processed.
10 security problems you might not realize you have - IT
administrators are often so busy just trying to keep up with the
obvious security threats that many more problems fly under the
radar. Here are 10 security risks you may have in your organization
that you are not aware of.
Houston federal judge rules feds need search warrant to get
cellphone tracking data - A federal judge in Houston has ruled that
authorities need a search warrant to obtain cellphone records that
can be used to track a person’s movements.
House committee to investigate China's Huawei, ZTE - U.S. lawmakers
have been concerned that Huawei's networking equipment could be used
for espionage - A U.S. House Intelligence Committee is launching an
investigation into Chinese telecommunication equipment suppliers
Huawei and ZTE to determine whether the companies pose a security
threat to the U.S.
Police crackdown on fake shopping sites - More than 2,000 web shops
selling fake or non-existent goods have been shut down by police.
Goods purportedly from GHD, Ugg, Tiffany and Nike had been peddled
by the sites, said the Metropolitan Police E-Crime Unit.
Security spending to increase in 2012, survey shows - While the
nation's economy remains in the tank, the information security
market appears to be avoiding a major slowdown.
Three indicted in New York on ATM skimming charges - Authorities in
New York have busted three men on charges they planted skimming
devices on cash machines in Manhattan to rip off debit card numbers
and make fraudulent transactions. http://www.scmagazineus.com/three-indicted-in-new-york-on-atm-skimming-charges/article/217419/?DCMP=EMC-SCUS_Newswirehttp://www.scmagazineus.com/three-indicted-in-new-york-on-atm-skimming-charges/article/217419/?DCMP=EMC-SCUS_Newswire
RockYou Proposed Settlement Would Leave Decision Standing - The
parties in the Claridge v. RockYou case submitted a proposed
settlement agreement to the court for approval on November 14, 2011.
This case, which was filed shortly after RockYou disclosed a breach
that compromised 32 million log-in credentials, received national
attention in the spring.
Manila AT&T hackers linked to Mumbai terror attack - cops - Four
alleged line-jackers cuffed with aid from FBI - Police in the
Philippines have arrested a group of four suspected hackers accused
of funnelling profits from attacking corporate telephone networks to
an Islamic terrorist group blamed for the attacks on Mumbai three
Text Messages Should Not Be Used in Patient Orders - On Friday, the
Joint Commission issued a statement saying that physicians and other
health care professionals should not use text messages as a way to
share patient health information, Fierce Mobile Healthcare reports.
- GAO - Cybersecurity Human Capital: Initiatives Need Better
Planning and Coordination
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hacker Apparently Triggers Illinois Water Pump Burnout - Attack
illustrates the extent to which industrial control systems are
Internet-connected, yet lack basic password checks or access
controls. Federal authorities are investigating a hack that resulted
in the burnout of a water pump at the Curran-Gardner Township Public
Water District in Illinois. Located west of Springfield, Ill., the
utility serves about 2,200 customers.
Anonymous Hacks Back at Cybercrime Investigators - The Antisec wing
of Anonymous has come out with another document release in its
ongoing assault on law enforcement.
- "Organized' hack targets AT&T wireless subscribers - 'Auto script'
attack fails to breach accounts - Hackers used automatic scripts to
target AT&T wireless subscribers in an unsuccessful attempt to steal
information stored in their online accounts, company officials said.
Sutter Health faces lawsuit after lost computer - Individuals
affected by the massive data breach at Sutter Health, in which the
personal information of 4.2 million patients went missing when an
unencrypted desktop computer was stolen, have filed a class-action
lawsuit against the Northern California-based health care system,
according to a report in The Sacramento Bee.
VCU server hacked to compromise personal data of 175K - Hackers
accessed a sensitive computer server containing the personal
information of faculty and students at Virginia Commonwealth
University (VCU) in Richmond.
Feds Now Say Hacker Didn’t Destroy Water Pump - A report from an
Illinois intelligence fusion center saying that a water utility was
hacked cannot be substantiated, according to an announcement
released Tuesday by the Department of Homeland Security.
- Former UBS banker sentenced for fraud - A former bank executive
has been sentenced to 33 months in prison for committing 84
fraudulent wire transfers that deposited $673,000 of UBS Securities
funds into his personal accounts.
- Hackers steal credit card numbers from cash registers at UC
Riverside - Hackers compromised cash registers at campus dining
locations at the University of California, Riverside to hijack
credit and debit card numbers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a telephone operated
by a consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As a
prevention control, encryption acts to protect data from disclosure
to unauthorized parties. As a detective control, encryption is used
to allow discovery of unauthorized changes to data and to assign
responsibility for data among authorized parties. When prevention
and detection are joined, encryption is a key control in ensuring
confidentiality, data integrity, and accountability.
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspections of the data, such as anti - virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and computing
devices. A loss of encryption keys or other failures in the
encryption process can deny the institution access to the encrypted
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
Return to the top of
INTERNET PRIVACY - We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party both inside and outside of the
exceptions. The sample should include a cross-section of
relationships but should emphasize those that are higher risk in
nature as determined by the initial procedures. Perform the
following comparisons to evaluate the financial institution's
compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the data
were shared to those stated in the privacy notice and verify that
what the institution tells consumers (customers and those who are
not customers) in its notices about its policies and practices in
this regard and what the institution actually does are consistent
b. Compare the data shared to a sample of opt out directions and
verify that only nonpublic personal information covered under the
exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather" provisions of
Section 18 apply to certain of these contracts (§13(a)).