REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI
- The case for forecasting cyberattacks - Recent data from states
that 96 percent of data breaches are uncovered by third parties -
not internal security teams - and that victimized organizations are
breached for 416 days, or about 13 months, on average.
http://www.usatoday.com/story/cybertruth/2014/01/08/the-case-for-forecasting-cyberattacks/4373651/
FYI
- The Internet of Things Is Wildly Insecure - And Often Unpatchable
- We’re at a crisis point now with regard to the security of
embedded systems, where computing is embedded into the hardware
itself - as with the Internet of Things. These embedded computers
are riddled with vulnerabilities, and there’s no good way to patch
them.
http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
FYI
- Hacker economics: Opportunity costs and attacker attention spans -
When we think about criminal hackers, we picture a techie who lives
and breathes code. The game player, puzzle solver, master of
manipulation. But more recently, another picture comes to mind. When
you get right down to it, hackers are people, too.
http://www.scmagazine.com/hacker-economics-opportunity-costs-and-attacker-attention-spans/article/327357/?DCMP=EMC-SCUS_Newswire&spMailingID=7707249&spUserID=MjI5OTI3MzMyMQS2&spJobID=112407671&spReportId=MTEyNDA3NjcxS0
FYI
- ACLU appeals judge's decision to throw out NSA lawsuit - The civil
liberties group asks an appeals court to review the judge's order
finding a phone records collection program legal - The American
Civil Liberties Union will appeal a judge's decision to throw out
the civil liberties group's lawsuit challenging National Security
Agency surveillance.
http://www.computerworld.com/s/article/9245126/ACLU_appeals_judge_39_s_decision_to_throw_out_NSA_lawsuit?taxonomyId=17
FYI
- Senators Seek Hearing - Session Would Consider If Stronger Data
Safeguards Needed - Three Democratic senators are calling on the
Senate Banking Committee to examine whether stronger cybersecurity
standards are needed to protect consumer data following a breach at
Target stores that affected as many as 40 million debit and credit
cards.
http://www.bankinfosecurity.com/target-breach-senators-seek-hearing-a-6325
FYI
- Cyberwarfare Is Top Threat Facing US - Cyberwarfare is the most
serious threat facing the United States, according to almost half of
US national security leaders who responded to the inaugural Defense
News Leadership Poll.
http://www.defensenews.com/article/20140105/DEFREG02/301050011
FYI
- Possible link discovered that ties together Wi-Fi routers with
backdoors - A manufacturer of broadband and wireless networking
equipment may be the link that ties together a number of Wi-Fi
routers that contain backdoors, some of which are vulnerable to
remote attacks, according to a researcher.
http://www.scmagazine.com/possible-link-discovered-that-ties-together-wi-fi-routers-with-backdoors/article/328125/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Predictably, Snapchat user database maliciously exposed - Snapchat
is a textbook example of why responsible disclosure is a failure. On
January 1, 2014, an anonymous user announced the release of
SnapchatDB and 4.6 million usernames and matched phone numbers in a
Hacker News post.
http://www.zdnet.com/predictably-snapchat-user-database-maliciously-exposed-7000024697/
FYI
- Poker website hack impacts 50K active accounts, officials say -
Officials with World Poker Tour Amateur Poker League (WPTAPL) have
confirmed that a small portion of data was hacked on its website,
subsequently compromising roughly 50,000 active accounts.
http://www.scmagazine.com/poker-website-hack-impacts-50k-active-accounts-officials-say/article/328117/?DCMP=EMC-SCUS_Newswire&spMailingID=7707249&spUserID=MjI5OTI3MzMyMQS2&spJobID=112407671&spReportId=MTEyNDA3NjcxS0
FYI
- Undisclosed number of T-Mobile customers impacted in data breach -
An undisclosed number of T-Mobile customers may have had personal
information compromised after an unauthorized party gained access to
a file stored on servers that are owned and managed by a T-Mobile
supplier.
http://www.scmagazine.com/undisclosed-number-of-t-mobile-customers-impacted-in-data-breach/article/327905/?DCMP=EMC-SCUS_Newswire&spMailingID=7707249&spUserID=MjI5OTI3MzMyMQS2&spJobID=112407671&spReportId=MTEyNDA3NjcxS0
FYI
- Malicious ads infect thousands of Yahoo site visitors per hour - A
Netherlands-based security firm detected an influx of Yahoo.com
visitors being redirected to infected domains by way of malicious
ads.
http://www.scmagazine.com/malicious-ads-infect-thousands-of-yahoo-site-visitors-per-hour/article/328135/?DCMP=EMC-SCUS_Newswire&spMailingID=7707249&spUserID=MjI5OTI3MzMyMQS2&spJobID=112407671&spReportId=MTEyNDA3NjcxS0
http://www.computerworld.com/s/article/9245178/Malware_from_Yahoo_ads_did_not_affect_US_and_Mac_and_mobile_users?taxonomyId=17
FYI
- The county sheriff who keylogged his wife - Oh, you mean this
keylogger? - The keylogger would record his wife's e-mails and her
instant messaging chats as she typed them out letter by letter,
along with the usernames and passwords she used for various online
services.
http://arstechnica.com/tech-policy/2014/01/the-county-sheriff-who-keylogged-his-wife/
FYI
- World of Warcraft users hit by account-hijacking malware attack -
Infection spread by trojanized add-on, able to defeat two-factor
authentication. World of Warcraft players have been hit with a
malicious trojan that hijacks accounts even when they're protected
by two-factor authentication, officials have warned.
http://arstechnica.com/security/2014/01/world-of-warcraft-users-hit-by-account-hijacking-malware-attack/
FYI
- Trojan identified that steals World of Warcraft account
credentials - An unknown number of World of Warcraft players were
forced to halt their virtual sword swinging and spell casting in
order to combat a trojan designed to compromise account credentials
– even those with two-factor authentication enabled.
http://www.scmagazine.com/trojan-identified-that-steals-world-of-warcraft-account-credentials/article/328292/?DCMP=EMC-SCUS_Newswire&spMailingID=7714968&spUserID=MjI5OTI3MzMyMQS2&spJobID=112744774&spReportId=MTEyNzQ0Nzc0S0
FYI
- Programming error leads to 50K Medicaid cards mailed to wrong
addresses - It was a computer programming error in the North
Carolina Department of Health and Human Services (NCDHHS) that led
to the Medicaid cards of almost 50,000 children being mailed to
wrong addresses.
http://www.scmagazine.com/programming-error-leads-to-50k-medicaid-cards-mailed-to-wrong-addresses/article/328199/?DCMP=EMC-SCUS_Newswire&spMailingID=7714968&spUserID=MjI5OTI3MzMyMQS2&spJobID=112744774&spReportId=MTEyNzQ0Nzc0S0
FYI
- Hacker Guccifer strikes again, nabbing 'Downton Abbey' script -
Not only did the hacker get a hold of Julian Fellowes' season 4
finale, he also breached the accounts of Leonardo DiCaprio, Tina
Brown, George W. Bush, Robert Redford, and dozens more.
http://news.cnet.com/8301-1009_3-57616839-83/hacker-guccifer-strikes-again-nabbing-downton-abbey-script/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9
FYI
- Stolen laptop compromises more than 12,000 New Mexico patients - A
laptop stolen from the office of a New Mexico Oncology Hematology
Consultants (NMOHC) employee may have led to a compromise of
unsecured protected health information (PHI) for more than 12,000
individuals.
http://www.scmagazine.com/stolen-laptop-compromises-more-than-12000-new-mexico-patients/article/328394/?DCMP=EMC-SCUS_Newswire&spMailingID=7725918&spUserID=MjI5OTI3MzMyMQS2&spJobID=112921904&spReportId=MTEyOTIxOTA0S0
WEB SITE COMPLIANCE - The Role Of Consumer Compliance In Developing
And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system designers
consult with the compliance officer during the development and
implementation stages in order to minimize compliance risk. The
compliance officer should ensure that the proper controls are
incorporated into the system so that all relevant compliance issues
are fully addressed. This level of involvement will help decrease
an institution's compliance risk and may prevent the need to delay
deployment or redesign programs that do not meet regulatory
requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This profile will establish a framework from which
the compliance officer and technology staff can discuss specific
technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements. For
example, the compliance officer may communicate with the technology
staff about whether compliance disclosures/notices on a web site
should be indicated or delivered by the use of "pointers" or
"hotlinks" to ensure that required disclosures are presented to the
consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Network Configuration
Computer networks often extend connectivity far beyond the financial
institution and its data center. Networks provide system access and
connectivity between business units, affiliates, TSPs, business
partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access
between various groups and information users.
A typical approach to securing a large network involves dividing the
network into logical security domains. A logical security domain is
a distinct part of a network with security policies that differ from
other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
- Identifying the various applications and user-groups accessed via
the network;
- Identifying all access points to the network including various
telecommunications channels (e.g., wireless, Ethernet, frame relay,
dedicated lines, remote dial-up access, extranets, Internet);
- Mapping the internal and external connectivity between various
network segments;
- Defining minimum access requirements for network services (i.e.,
most often referenced as a network services access policy); and
- Determining the most appropriate network configuration to ensure
adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less-trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
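As an added illustration (not part of the FFIEC booklet or this newsletter), the Python below models the network services access policy the booklet describes: named logical security domains, an explicit allow-list of inter-domain services with default deny, and a domain (the wire transfer system) that must have no connectivity with the corporate network. The zone names, services and observed flows are constructed for the example.

```python
"""Zone-to-zone network services access policy checker (added example).

Each logical security domain is a zone; any flow between two zones must
match an explicit allow rule, otherwise it is denied. Zones, services
and flows below are constructed, not taken from any real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str  # e.g. "tcp/443"; "*" means any service


# Constructed network services access policy: the only permitted
# inter-domain flows. Anything not listed here is denied by default.
POLICY = [
    Rule("internet", "dmz", "tcp/443"),   # public web front end lives in the DMZ
    Rule("dmz", "app", "tcp/8443"),       # DMZ may reach the app tier only
    Rule("corporate", "app", "tcp/443"),  # staff workstations to internal apps
    Rule("corporate", "dmz", "tcp/22"),   # administrators manage DMZ hosts
]

# Domains requiring complete segregation from every other zone, as in the
# booklet's wire transfer example (constructed name).
ISOLATED = {"wire_transfer"}


def evaluate_flow(src, dst, service):
    """Return (allowed, reason) for one observed or proposed flow."""
    if src == dst:
        return True, "intra-domain traffic is outside the inter-domain policy"
    if src in ISOLATED or dst in ISOLATED:
        return False, f"{src}->{dst}: domain requires complete segregation"
    for r in POLICY:
        if r.src == src and r.dst == dst and r.service in (service, "*"):
            return True, f"matches rule {r.src}->{r.dst} {r.service}"
    return False, f"{src}->{dst} {service}: no matching rule, default deny"


def audit(flows):
    """Return the subset of (src, dst, service) flows that violate the policy."""
    return [f for f in flows if not evaluate_flow(*f)[0]]


if __name__ == "__main__":
    # Constructed flows, as might be parsed from firewall logs or a
    # connectivity map produced while mapping the network.
    observed = [
        ("internet", "dmz", "tcp/443"),
        ("internet", "app", "tcp/8443"),          # Internet bypassing the DMZ
        ("corporate", "wire_transfer", "tcp/445"),  # forbidden segregation breach
        ("dmz", "corporate", "tcp/445"),          # DMZ host reaching back inside
    ]
    for f in audit(observed):
        print("VIOLATION", *f, "-", evaluate_flow(*f)[1])
```

Running the script reports the three violating flows; the first flow matches the Internet-to-DMZ rule and is silent.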
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the question
each week, you will help ensure compliance with the privacy
regulations.
30. Does the institution allow the consumer to opt out at any time?
[§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically? [§7(g)(1)]