REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Banks could owe big if they don't stop funds transfer fraud - A
Maine bank will take the unusual measure of reimbursing a small
construction company whose accounts were emptied of nearly $600,000
FYI - Clueless officials
hamper cybersecurity law-making - Governments need to know what
problems the cybersecurity legislation is meant to address, or they
will face public backlash over the possible intrusions to their
FYI - Syria suffers Internet
'blackout'; cut off from the outside world - Syria, ravaged by
civil war and internal conflict, is no longer connected to the wider
Internet, in a move that is reminiscent of the final weeks of the
FYI - Judge Gives Bradley
Manning Permission to Plead Guilty for WikiLeaks Dumps - A military
judge in Maryland has accepted the terms under which alleged
WikiLeaks leaker Bradley Manning has proposed to plead guilty.
FYI - ENISA promotes digital
hacker traps - The European Network and Information Security Agency
(ENISA) recommends that honeypots be used to detect threats at an
early stage; the agency tested 30 current systems and came up with
FYI - Australian cops bust
Romanian credit card thieves - Australia's Federal Police (AFP) has
triumphantly announced it has brought a gang of Romanian credit card
fraudsters to heel, but not before the criminals purloined half a
million credit card numbers from small Australian retailers.
FYI - John McAfee Exposes His
Location in Photo About His Being on Run - Generally speaking, if
you're on the run from the authorities over a homicide, you're
probably best laying low and not making too much noise. Sure, there
is a case for trolling "the man", but it usually comes back to haunt
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers steal and
publish e-mails from U.N. nuclear agency - The IAEA confirms its
servers were breached and a hacking group claims responsibility
demanding an investigation into Israel's alleged nuclear
FYI - Western Connecticut
State notifies 235k over database gaffe - Western Connecticut State
University in Danbury, Conn., was publicly accessible for nearly 3
FYI - Personal info of 1m
compromised in Nationwide breach - The FBI is investigating a breach
at Nationwide Insurance, where hackers recently accessed the
sensitive information of about one million people, including policy
and non-policy holders.
FYI - Malware slurps rocket
data from Japanese space agency - Malware on a computer in the Japan
Aerospace Exploration Agency (JAXA) has been stealing data on the
latest Nipponese solid-fuel rocket system.
WEB SITE COMPLIANCE - We
continue the series on the FDIC Supervisory Insights article on
Incident Response Programs. (10 of 12)
Test affected systems or procedures prior to implementation.
Testing is an important function in the incident response
process. It helps ensure that reconfigured systems, updated
procedures, or new technologies implemented in response to an
incident are fully effective and performing as expected. Testing can
also identify whether any adjustments are necessary prior to
implementing the updated system, process, or procedure.
During the follow-up process, an institution has the opportunity to
regroup after the incident and strengthen its control structure by
learning from the incident. A number of institutions have included
the following best practice in their IRPs.
Conduct a "lessons-learned" meeting.
Successful organizations can use the incident and build from
the experience. Organizations can use a lessons-learned meeting to:
1) discuss whether affected controls or procedures need to be
strengthened beyond what was implemented during the recovery phase;
2) discuss whether significant problems were encountered during the
incident response process and how they can be addressed;
3) determine if updated written policies or procedures are needed
for the customer information security risk assessment and
information security program;
4) determine if updated training is necessary regarding any new
procedures or updated policies that have been implemented; and
5) determine if the bank needs additional personnel or technical
resources to be better prepared going forward.
INFORMATION TECHNOLOGY SECURITY - We continue the series
from the FDIC "Security Risks Associated with the Internet."
System Architecture and Design
The Internet can facilitate unchecked and/or undesired access to
internal systems, unless systems are appropriately designed and
controlled. Unwelcome system access could be achieved through IP
spoofing techniques, where an intruder may impersonate a local or
internal system and be granted access without a password. If access
to the system is based only on an IP address, any user could gain
access by masquerading as a legitimate, authorized user by
"spoofing" the user's address. Not only could any user of that
system gain access to the targeted system, but so could any system
that it trusts.
Improper access can also result from other technically permissible
activities that have not been properly restricted or secured. For
example, application layer protocols are the standard sets of rules
that determine how computers communicate across the Internet.
Numerous application layer protocols, each with different functions
and a wide array of data exchange capabilities, are utilized on the
Internet. The most familiar, Hypertext Transfer Protocol (HTTP),
facilitates the movement of text and images. But other types of
protocols, such as File Transfer Protocol (FTP), permit the
transfer, copying, and deleting of files between computers. Telnet
protocol actually enables one computer to log in to another.
Protocols such as FTP and Telnet exemplify activities which may be
improper for a given system, even though the activities are within
the scope of the protocol architecture.
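The two controls the FDIC text calls for above are easy to state as a filtering policy: never trust a source address arriving on the Internet-facing interface that claims to be an internal system (anti-spoofing ingress rules), and refuse protocols such as FTP and Telnet that are technically valid but improper for an exposed system. The following is an added example written for this newsletter, not FDIC or vendor code; the address plan, interface names and sample packets are constructed assumptions. It models a perimeter filter's decision logic in Python so the rules can be checked against sample traffic; a filter like this complements, and does not replace, per-user authentication.

```python
"""Perimeter filter policy: anti-spoofing plus protocol restriction.

Added example for the FDIC "System Architecture and Design" passage.
The networks, interfaces and packets below are constructed for
illustration and are not taken from the newsletter.
"""
import ipaddress
from dataclasses import dataclass

# Assumed (hypothetical) internal address plan of the institution.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Services deliberately exposed to the Internet; anything else is dropped.
PUBLIC_SERVICES = {80: "http", 443: "https"}
# Protocols the FDIC text names as improper for an Internet-facing system.
RESTRICTED_SERVICES = {21: "ftp", 23: "telnet"}


@dataclass
class Packet:
    iface: str   # "ext" = Internet-facing interface, "int" = inside
    src: str     # source IP address as it appears in the header
    dst: str     # destination IP address
    dport: int   # destination TCP port


def is_internal(addr: str) -> bool:
    """True if addr belongs to one of the institution's internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def policy(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for one packet, first matching rule wins."""
    # Anti-spoofing: a packet on the external interface can never
    # legitimately carry an internal source address. Dropping it here closes
    # the "impersonate a local system" path the FDIC text describes.
    if pkt.iface == "ext" and is_internal(pkt.src):
        return "DROP", "spoofed internal source on external interface"
    # Egress counterpart: traffic from inside must carry an internal source,
    # so a compromised host cannot spoof third parties through this filter.
    if pkt.iface == "int" and not is_internal(pkt.src):
        return "DROP", "non-internal source on internal interface"
    # Protocol restriction: FTP and Telnet are within the protocol
    # architecture but improper for this system, on any interface.
    if pkt.dport in RESTRICTED_SERVICES:
        return "DROP", f"{RESTRICTED_SERVICES[pkt.dport]} not permitted"
    # Default deny for everything the Internet is not meant to reach.
    if pkt.iface == "ext" and pkt.dport not in PUBLIC_SERVICES:
        return "DROP", "port not exposed to the Internet"
    return "ACCEPT", "policy match"


def evaluate(packets: list[Packet]) -> list[tuple[Packet, str, str]]:
    """Apply the policy to each packet and return (packet, verdict, reason)."""
    return [(p, *policy(p)) for p in packets]


# Constructed sample traffic exercising each rule.
SAMPLE_PACKETS = [
    Packet("ext", "203.0.113.7", "10.0.1.5", 443),  # ordinary HTTPS client
    Packet("ext", "10.0.1.9", "10.0.1.5", 443),     # claims to be internal
    Packet("ext", "203.0.113.7", "10.0.1.5", 23),   # Telnet from outside
    Packet("int", "10.0.2.4", "10.0.1.5", 21),      # FTP from inside
    Packet("int", "10.0.2.4", "10.0.1.5", 443),     # internal HTTPS client
    Packet("ext", "203.0.113.7", "10.0.1.5", 22),   # unexposed port
]

if __name__ == "__main__":
    for pkt, verdict, reason in evaluate(SAMPLE_PACKETS):
        print(f"{pkt.iface:3} {pkt.src:>13} -> {pkt.dst}:{pkt.dport:<4} "
              f"{verdict:6} ({reason})")
```

Rule order matters: the spoofing check runs before any service check, so a spoofed packet is dropped even when it targets an exposed port. In a real deployment the same logic is expressed in the firewall or router ruleset (ingress and egress filtering per RFC 2827), and the log line produced for each DROP is what a detection team would alert on.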
The open architecture of the Internet also makes it easy for system
attacks to be launched against systems from anywhere in the world.
Systems can even be accessed and then used to launch attacks against
other systems. A typical attack would be a denial of service attack,
which is intended to bring down a server, system, or application.
This might be done by overwhelming a system with so many requests
that it shuts down. Or, an attack could be as simple as accessing
and altering a Web site, such as changing advertised rates on
certificates of deposit.
Security Scanning Products
A number of software programs exist which run automated security
scans against Web servers, firewalls, and internal networks. These
programs are generally very effective at identifying weaknesses that
may allow unauthorized system access or other attacks against the
system. Although these products are marketed as security tools to
system administrators and information systems personnel, they are
available to anyone and may be used with malicious intent. In some
cases, the products are freely available on the Internet.
- We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
48. If the institution discloses nonpublic personal information
to nonaffiliated third parties, do the requirements for initial
notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and
for service providers and joint marketing in §13, not apply because
the information is disclosed as necessary to effect, administer, or
enforce a transaction that the consumer requests or authorizes, or
in connection with:
a. servicing or processing a financial product or service requested
or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the
institution or with another entity as part of a private label credit
card program or other credit extension on behalf of the entity; or
c. a proposed or actual securitization, secondary market sale
(including sale of servicing rights) or other similar transaction
related to a transaction of the consumer? [§14(a)(3)]