REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - This past week, I was taking some time to be with family and friends. I will be back in the office Tuesday February 19.
FYI - DoD Faces Cyber Expert Talent Shortage - The Pentagon may want
thousands of new cyber experts added to its work force, but experts
said the agency lacks any credible means of training that many
recruits, and there aren’t enough already trained to meet the need.
http://www.defensenews.com/apps/pbcs.dll/article?AID=2013302060013
FYI - PCI council clarifies merchant's cloud security obligations - The
group charged with administering the Payment Card Industry Data
Security Standard (PCI DSS) is now tackling merchants' security and
compliance concerns around cloud usage.
http://www.scmagazine.com/pci-council-clarifies-merchants-cloud-security-obligations/article/279595/?DCMP=EMC-SCUS_Newswire
FYI - FCC vs. GAO: Haste = waste, or he who hesitates is lost? - The
Federal Communications Commission was dinged in a recent audit for
cutting corners while upgrading network security in response to a
breach.
http://gcn.com/blogs/cybereye/2013/02/gao-fcc-enhanced-security-network-audit.aspx
FYI - DHS Watchdog OKs ‘Suspicionless’ Seizure of Electronic Devices
Along Border - The Department of Homeland Security’s civil rights
watchdog has concluded that travelers along the nation’s borders may
have their electronics seized and the contents of those devices
examined for any reason whatsoever - all in the name of national
security.
http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/
FYI - Feds Update Cybersecurity Compliance Handbook - The federal
government has nearly finalized its first major overhaul to the
primary handbook to federal cybersecurity standards in nearly four
years, and its most significant update since the initial release of
that handbook in 2005.
http://www.informationweek.com/government/security/feds-update-cybersecurity-compliance-han/240148126
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Fed confirms but downplays Anonymous Super Bowl banker hack - The
US Federal Reserve has admitted that its systems were hacked during
Sunday's Super Bowl, a breach that led to the leaking of personal
data on hundreds of US banking executives.
http://www.theregister.co.uk/2013/02/06/fed_confirms_downplays_anon_superbowl_hack/
http://www.zdnet.com/anger-rises-as-fed-confirms-anonymous-hack-downplays-us-bank-emergency-system-breach-7000010902/
FYI - Anonymous reveals ample Fed access, FBI opens criminal
investigation - Anonymous published a file revealing significant access
to the Federal Reserve's internal files and servers; amid
accusations of inaction and non-transparency the FBI has opened a
criminal investigation into Sunday's bank hack.
http://www.zdnet.com/anonymous-reveals-ample-fed-access-fbi-opens-criminal-investigation-7000011073/
FYI - ID theft/fraud ring netted $200 million and counting, feds allege
- In an indictment that reads like an instruction manual for nearly
every type of identity theft and credit card fraud yet invented,
prosecutors alleged on Tuesday that more than a dozen crooks ran
roughshod over America's credit system for six years, stealing
hundreds of millions of dollars and living like kings.
http://redtape.nbcnews.com/_news/2013/02/06/16870609-id-theftfraud-ring-netted-200-million-and-counting-feds-allege?lite
FYI - Barracuda Issues Security Update, Apologizes To Customers -
Barracuda Networks Monday issued a product update designed to
address some of the security vulnerabilities that have been
identified in some of its appliances, as well as a mea culpa for
building hardcoded, undocumented backdoors into its products.
http://www.informationweek.com/security/vulnerabilities/barracuda-issues-security-update-apologi/240148096
FYI - Hackers hijack Bit9 to target its customers with malware - Hackers
have breached the security company Bit9 and accessed its
code-signing certificates, enabling intruders to digitally sign
malware to appear as legitimate files, the vendor announced Friday.
http://www.scmagazine.com/hackers-hijack-bit9-to-target-its-customers-with-malware/article/279777/?DCMP=EMC-SCUS_Newswire
FYI - Hackers said to hit Bush family, exposing sensitive information -
The Smoking Gun has reported that correspondence from both former
President Bushes was among that compromised by unknown hackers.
http://news.cnet.com/8301-1009_3-57568480-83/hackers-said-to-hit-bush-family-exposing-sensitive-information/?tag=nl.e757&s_cid=e757&ttag=e757
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes. Enhancements may include:
- Incorporating notification procedures to alert customers of known
e-mail and Internet-related fraudulent schemes and to caution them
against responding;
- Establishing a process to notify Internet service providers,
domain name-issuing companies, and law enforcement to shut down
fraudulent Web sites and other Internet resources that may be used
to facilitate phishing or other e-mail and Internet-related
fraudulent schemes;
- Increasing suspicious activity monitoring and employing
additional identity verification controls;
- Offering customers assistance when fraud is detected in
connection with customer accounts;
- Notifying the proper authorities when e-mail and Internet-related
fraudulent schemes are detected, including promptly notifying their
FDIC Regional Office and the appropriate law enforcement agencies;
and
- Filing a Suspicious Activity Report when incidents of e-mail and
Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should be
considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
- Improving authentication methods and procedures to protect
against the risk of user ID and password theft from customers
through e-mail and other frauds;
- Reviewing and, if necessary, enhancing practices for protecting
confidential customer data;
- Maintaining current Web site certificates and describing how
customers can authenticate the financial institution's Web pages by
checking the properties on a secure Web page;
- Monitoring accounts individually or in aggregate for unusual
account activity such as address or phone number changes, a large or
high volume of transfers, and unusual customer service requests;
- Monitoring for fraudulent Web sites using variations of the
financial institution's name;
- Establishing a toll-free number for customers to verify requests
for confidential information or to report suspicious e-mail
messages; and
- Training customer service staff to refer customer concerns
regarding suspicious e-mail request activity to security staff.
Conclusion
E-mail and Internet-related fraudulent schemes present a
substantial risk to financial institutions and their customers.
Financial institutions should consider developing programs to
educate customers about e-mail and Internet-related fraudulent
schemes and how to avoid them, consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes, and implement appropriate information security controls to
help mitigate the risks associated with e-mail and Internet-related
fraudulent schemes.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Product Certification and Security Scanning Products
Several organizations exist which independently assess and
certify the adequacy of firewalls and other computer system related
products. Typically, certified products have been tested for their
ability to permit and sustain business functions while protecting
against both common and evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system
without the firewall is useful for determining contingency
procedures should the firewall ever go down. Some scanning tools
have different versions with varying degrees of intrusion/attack
attempts.
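As an added illustration of the with-and-without-firewall comparison the FDIC text recommends (example code written for this newsletter, not part of the FDIC guidance), the script below reads two constructed scan results laid out in nmap's grepable (-oG) format and reports which open ports are only reachable when the firewall is down; the host address, port list and output format are assumptions.

```python
"""Classify a host's exposure from two scans: one taken with the firewall
in place, one taken without it (constructed sample data, not real scans)."""
import re

# Constructed sample scans of the same host in nmap -oG "grepable" layout:
# each port is written as port/state/protocol/owner/service/rpcinfo/version/
SCAN_WITH_FIREWALL = """# constructed sample, firewall in place
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 22/filtered/tcp//ssh///
"""
SCAN_WITHOUT_FIREWALL = """# constructed sample, firewall bypassed
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 3389/open/tcp//ms-wbt-server///
"""

# port / state / protocol / (empty owner) / service / (empty rpc, version)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def open_ports(grepable):
    """Return {host: {(port, proto, service)}} for ports reported 'open'."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                       # skip comments and hosts with no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                result.setdefault(host, set()).add((int(port), proto, service))
    return result


def firewall_exposure(with_fw, without_fw):
    """Per host: 'exposed' = open even with the firewall (it is not helping here);
    'dependent' = open only without the firewall (contingency risk if it fails)."""
    a, b = open_ports(with_fw), open_ports(without_fw)
    report = {}
    for host in set(a) | set(b):
        report[host] = {
            "exposed": a.get(host, set()),
            "dependent": b.get(host, set()) - a.get(host, set()),
        }
    return report


if __name__ == "__main__":
    for host, cls in firewall_exposure(SCAN_WITH_FIREWALL, SCAN_WITHOUT_FIREWALL).items():
        print(host)
        for label, ports in cls.items():
            print(f"  {label}: {sorted(ports)}")
```

The "dependent" set is the exposure a contingency plan has to cover while the firewall is down; the "exposed" set is what needs hardening on the host itself.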
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Financial Institution Duties (Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
regulations.
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
consumer:
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a reasonable
means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
out.
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions.