REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - This week I am attending the ICBA National Convention and Techworld this week in Las Vegas.  If you are attending, I forward to seeing you there.

FYI - Investors Value A Company's Cybersecurity Record - Turns out most U.S. investors are wary of investing in companies that have a history of getting hacked, and they are twice as concerned about those whose customer data was stolen than those whose intellectual property was pilfered. http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breaches/240149279/investors-value-a-company-s-cybersecurity-record

FYI - Cyberattack leaves natural gas pipelines vulnerable to sabotage - A government report says a cyberattack against 23 natural gas pipeline operators stole crucial information that could compromise security. Experts strongly suspect China's military. http://www.csmonitor.com/Environment/2013/0227/Exclusive-Cyberattack-leaves-natural-gas-pipelines-vulnerable-to-sabotage?nav=87-frontpage-mostViewed

FYI - Jailed hacker allowed into IT class, hacks prison computers - He is serving five years for creating a hacker's forum site, is somehow invited into an IT class in jail. The consequences are difficult. They're arguing now about who let it happen, but happen it did, with entertaining consequences.
http://news.cnet.com/8301-1009_3-57572282-83/jailed-hacker-allowed-into-it-class-hacks-prison-computers/?tag=nl.e757&s_cid=e757&ttag=e757
http://www.theregister.co.uk/2013/03/04/convicted_hacker_hack_into_prison/

FYI - Tech groups question new do-not-track bill - The new legislation would require all online companies to honor do-not-track requests - New legislation in the U.S. Senate that would allow Internet users to tell companies to stop tracking them is unnecessary and could slow e-commerce growth, some tech groups said. http://www.computerworld.com/s/article/9237266/Tech_groups_question_new_do_not_track_bill?taxonomyId=17

FYI - Judge throws out lawsuit over LinkedIn password breach - A U.S. District Court judge has dismissed a class-action lawsuit brought against LinkedIn as a result of a 2012 password breach. http://www.scmagazine.com/judge-throws-out-lawsuit-over-linkedin-password-breach/article/283447/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Australian Broadcasting Corporation confirms hack - A hacker has claimed to have dumped information from an ABC subdomain in retaliation for the media outlet providing an anti-Islamic MP with air time on its Lateline show. http://www.zdnet.com/au/australian-broadcasting-corporation-confirms-hack-7000011876/

FYI - 185,000 spyware emails were sent to Aaron's computers - Spyware installed on computers leased from furniture renter Aaron's Inc. secretly sent 185,000 emails containing sensitive information back to the company's corporate computers, according to court documents filed Wednesday in a class-action lawsuit. http://www.nbcnews.com/technology/technolog/185-000-spyware-emails-were-sent-aarons-computers-1C8595813

FYI - Bank of America says hackers lifted its data from a partner - Bank of America blames a data breach on another company that revealed internal emails related to monitoring of hacktivist groups including Anonymous. http://www.pcworld.com/article/2029981/bank-of-america-says-hackers-lifted-its-data-from-a-partner.html#tk.nl_today

FYI - CloudFlare security service goes down after router failure - The hour-long outage occurred when the Web security service detected a DDoS attack against one of its customers and tried to defend against it. Web security service CloudFlare was offline for about an hour this morning due to a systemwide failure of its edge routers. http://news.cnet.com/8301-1009_3-57572259-83/cloudflare-security-service-goes-down-after-router-failure/?tag=nl.e757&s_cid=e757&ttag=e757

FYI - Evernote hit in hacking attack, users must reset their passwords - The company believes the attack was a coordinated attempt to compromise its systems - Evernote, which makes business and consumer productivity software for things like taking notes and doing research, is forcing all of its 50 million users to change their passwords after detecting a hacker intrusion on its sytem. http://www.computerworld.com/s/article/9237288/Evernote_hit_in_hacking_attack_users_must_reset_their_passwords?taxonomyId=17

FYI - Bank Muscat hit by $39m ATM cash-out heist - Cybercrooks have pulled off a $39m ATM heist against a bank in Oman using pre-paid travel cards. 12 Bank Muscat prepaid Travel Cards were compromised on February 20, 2013. http://www.theregister.co.uk/2013/03/01/bank_muscat_atm_mega_fraud/

FYI - Attackers use stolen certificate to sign malicious Java applet - Users are being duped into running a malicious Java applet that was signed with a stolen digital certificate and designed to look like a security update. http://www.scmagazine.com/attackers-use-stolen-certificate-to-sign-malicious-java-applet/article/283305/?DCMP=EMC-SCUS_Newswire

FYI - Sensitive data found in dumpster reveals SSNs and health info - A large number of medical documents and files containing private information were found in a dumpster outside of an office complex in Hiram, Ga. http://www.scmagazine.com/sensitive-data-found-in-dumpster-reveals-ssns-and-health-info/article/283478/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services ( Part 3 of 4)

Due Diligence in Selecting a Service Provider

Once the institution has completed the risk assessment, management should evaluate service providers to determine their ability, both operationally and financially, to meet the institution’s needs. Management should convey the institution’s needs, objectives, and necessary controls to the potential service provider. Management also should discuss provisions that the contract should contain. The appendix to this statement contains some specific factors for management to consider in selecting a service provider.

Contract Issues

Contracts between the institution and service provider should take into account business requirements and key risk factors identified during the risk assessment and due diligence phases. Contracts should be clearly written and sufficiently detailed to provide assurances for performance, reliability, security, confidentiality, and reporting. Management should consider whether the contract is flexible enough to allow for changes in technology and the financial
institution's operations. Appropriate legal counsel should review contracts prior to signing.

Institutions may encounter situations where service providers cannot or will not agree to terms that the institution requests to manage the risk effectively. Under these circumstances, institutions should either not contract with that provider or supplement the service provider’s commitments with additional risk mitigation controls. The appendix to this statement contains some specific considerations for management in contracting with a service provider.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - This concludes the series from the FDIC "Security Risks Associated with the Internet."  Starting next week, we will begin covering the OCC Bulletin about Infrastructure Threats and Intrusion Risks.

V. Security Flaws and Bugs 

Because hardware and software continue to improve, the task of maintaining system performance and security is ongoing. Products are frequently issued which contain security flaws or other bugs, and then security patches and version upgrades are issued to correct the deficiencies. The most important action in this regard is to keep current on the latest software releases and security patches. This information is generally available from product developers and vendors. Also important is an understanding of the products and their security flaws, and how they may affect system performance. For example, if there is a time delay before a patch will be available to correct an identified problem, it may be necessary to invoke mitigating controls until the patch is issued. 

Reference sources for the identification of software bugs exist, such as the Computer Emergency Response Team Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University, Pittsburgh, Pennsylvania. The CERT/CC, among other activities, issues advisories on security flaws in software products, and provides this information to the general public through subscription e‑mail, Internet newsgroups (Usenet), and their Web site at www.cert.org.  Many other resources are freely available on the Internet. 

Active Content Languages 

Active content languages have been the subject of a number of recent security discussions within the technology industry. While it is not their only application, these languages allow computer programs to be attached to Web pages. As such, more appealing and interactive Web pages can be created, but this function may also allow unauthorized programs to be automatically downloaded to a user's computer. To date, few incidents have been reported of harm caused by such programs; however, active content programs could be malicious, designed to access or damage data or insert a virus. 

Security problems may result from an implementation standpoint, such as how the languages and developed programs interact with other software, such as Web browsers. Typically, users can disable the acceptance of such programs on their Web browser. Or, users can configure their browser so they may choose which programs to accept and which to deny. It is important for users to understand how these languages function and the risks involved, so that they make educated decisions regarding their use. Security alerts concerning active content languages are usually well publicized and should receive prompt reviews by those utilizing the technology. 

VI. Viruses 

Because potentially malicious programs can be downloaded directly onto a system from the Internet, virus protection measures beyond the traditional boot scanning techniques may be necessary to properly protect servers, systems, and workstations. Additional protection might include anti-virus products that remain resident, providing for scanning during downloads or the execution of any program. It is also important to ensure that all system users are educated in the risks posed to systems by viruses and other malicious programs, as well as the proper procedures for accessing information and avoiding such threats.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 4 of 6)

Requirements for Notices (continued)

Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution's privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:

1)  categories of information collected;

2)  categories of information disclosed;

3)  categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;

4)  policies with respect to the treatment of former customers' information;

5)  information disclosed to service providers and joint marketers (Section 13);

6)  an explanation of the opt out right and methods for opting out;

7)  any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;

8)  policies for protecting the security and confidentiality of information; and

9)  a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).