REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data - The hackers who raided the credit-card payment system of Neiman Marcus Group set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation. http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data

FYI - Critical Infrastructure Security Incidents Go Unnoticed - Many security incidents that affect components of the nation's critical infrastructure go unnoticed due to a lack of sufficient detection or logging capabilities, according to a new report from the Industrial Control Systems Cyber Emergency Response Team. http://www.govinfosecurity.com/report-cyberthreat-detection-lacking-a-6516

FYI - HSBC Requires Dual Authentication - Bank Mandates Use for High-Risk Online Transactions - In a groundbreaking effort to boost security, HSBC Bank USA is now requiring its retail banking customers to use dual-factor authentication for certain sensitive online banking transactions. http://www.bankinfosecurity.com/interviews/hsbc-requires-dual-authentication-i-2189

FYI - NIST Unveils Crypto Standards Proposal - Feedback Sought on Development Process - Because of concerns of possible National Security Agency meddling with its cryptographic standards, the National Institute of Standards and Technology has issued a draft report proposing revisions in how it develops cryptographic standards. http://www.govinfosecurity.com/nist-unveils-crypto-standards-proposal-a-6519

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Cyberattack victim gaming website offers $13,000 to bring hackers to justice - Online gaming website Wurm, a recent victim of a cyberattack, has offered a bounty not for the discovery of bugs -- but of hackers. http://www.zdnet.com/cyberattack-victim-gaming-website-offers-13000-to-bring-hackers-to-justice-7000026553/

FYI - Data breach at University of Maryland exposes 300K records - School president apologies for a "sophisticated" security breach that exposed the sensitive personal information faculty, staff, and students at the school since 1998. The sensitive personal information for more than 300,000 faculty, staff, and students at the University of Maryland were stolen in a "sophisticated" cyberattack on the school's recently bolstered security defenses. http://news.cnet.com/8301-1009_3-57619169-83/data-breach-at-university-of-maryland-exposes-300k-records/

FYI - The Target Data Hack Cost Banks More Than $200 Million - The gargantuan theft of data from credit and debit cards used at Target stores during last year's holiday shopping season is now believed to have cost financial institutions more than $200 million. http://www.nextgov.com/cybersecurity/2014/02/target-data-hack-cost-banks-more-200-million/78965/?oref=ng-channeltopstory

FYI - Roughly 1,100 Indianapolis patients impacted following laptop theft - More than a thousand patients of St. Vincent Indianapolis hospital are being notified that their personal information may have been compromised after a password-protected laptop containing the data was stolen. http://www.scmagazine.com/roughly-1100-indianapolis-patients-impacted-following-laptop-theft/article/335421/

FYI - EC-Council website defaced by hacker - A hacker has defaced the website of the EC-Council, a member-supported organization that offers training for the Certified Ethical Hacker (CEH) program. http://www.scmagazine.com/ec-council-website-defaced-by-hacker/article/335399/

FYI - IRS exposing Social Security numbers online - This tax season you may have more to worry about than how much you owe. A new study from Identity Finder finds the IRS is not properly protecting social security numbers in some tax returns. http://www.pcworld.com/article/2099986/study-irs-exposing-social-security-numbers-online.html#tk.nl_today

FYI - Neiman Marcus Downsizes Breach Estimate - Investigation Finds Far Fewer Payment Cards Compromised - Neiman Marcus has revised downward its estimate of the number of payment cards compromised in its breach last year. http://www.govinfosecurity.com/neiman-marcus-downsizes-breach-estimate-a-6532

FYI - Harvard student thrown off 14,000-core super ... for mining Dogecoin - Wow. Very misuse. Much banned. 'For fairly obvious reasons' - A Harvard University student is in hot water for using the Ivy League school's 14,000-core supercomputer to mine Dogecoins. http://www.theregister.co.uk/2014/02/22/harvard_student_abuses_supercomputer_to_mine_dogecoin/

FYI - Source code for data-stealing Android app leaks - Mobile malware, which often disguises itself as an Android "security app," may threaten a greater number of users now that its source code has leaked. http://www.scmagazine.com/source-code-for-data-stealing-android-app-leaks/article/335201/

Return to the top of the newsletter

WEB SITE COMPLIANCE -  Over the next few weeks we will cover the FDIC's paper "Risk Assessment Tools and Practices or Information System Security" dated July 7, 1999. This is our first selection for your reading.

Whether financial institutions contract with third-party providers for computer services such as Internet banking, or maintain computer services in-house, bank management is responsible for ensuring that systems and data are protected against risks associated with emerging technologies and computer networks. If a bank is relying on a third-party provider, management must generally understand the provider's information security program to effectively evaluate the security system's ability to protect bank and customer data.

The FDIC has previously issued guidance on information security concerns such as data privacy and confidentiality, data integrity, authentication, non-repudiation, and access control/system design. This paper is designed to supplement Financial Institution Letter 131-97, "Security Risks Associated With the Internet," dated December 18, 1997, and to complement the FDIC's safety and soundness electronic banking examination procedures. Related guidance can be found in the FFIEC Information Systems Examination Handbook.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Firewalls

A firewall is a collection of components (computers, routers, and software) that mediate access between different security domains. All traffic between the security domains must pass through the firewall, regardless of the direction of the flow. Since the firewall serves as a choke point for traffic between security domains, they are ideally situated to inspect and block traffic and coordinate activities with network IDS systems.

Financial institutions have four primary firewall types from which to choose: packet filtering, stateful inspection, proxy servers, and application-level firewalls. Any product may have characteristics of one or more firewall types. The selection of firewall type is dependent on many characteristics of the security zone, such as the amount of traffic, the sensitivity of the systems and data, and applications.  Over the next few weeks we will discussed the different types of firewalls.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]