REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - In new attack on mobile handsets, fraudsters target one-time-passwords - security for mobile handsets keeps improving. But then, mobile threats to those handsets keep improving as well. http://www.computerworld.com/s/article/9225226/In_new_attack_on_mobile_handsets_fraudsters_target_one_time_passwords?taxonomyId=17

FYI - FBI Can’t Crack Android Pattern-Screen Lock - Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation. http://www.wired.com/threatlevel/2012/03/fbi-android-phone-lock/

FYI - Secure access, authorization among areas still lacking at IRS - The Internal Revenue Service is again taking fire from a government watchdog. On Friday, the U.S. Government Accountability Office released a fifth consecutive annual report to chronicle security shortfalls at the nation's tax collector. The agency's trouble with GAO dates back to at least 2005. http://www.scmagazine.com/secure-access-authorization-among-areas-still-lacking-at-irs/article/232710/?DCMP=EMC-SCUS_Newswire

FYI - Brit LulzSec suspect charged over NHS, plod web attacks - Tabloid rag and top spooks also among alleged targets - An alleged member of hacker group LulzSec appeared in a London court on Friday charged with conspiracy over cyber-attacks against websites maintained by the CIA and the UK's Serious Organised Crime Agency. http://www.theregister.co.uk/2012/03/19/lulzsec_suspect_court_date/

FYI - Data breach costs drop for first time in study - Despite 2011 bringing no slowdown to breaches, the price of each incident actually fell. http://www.scmagazine.com/data-breach-costs-drop-for-first-time-in-study/article/232934/?DCMP=EMC-SCUS_Newswire

FYI - Malicious Android application loots bank login data - The banking credentials of Android device users are being threatened by a new, self-updating trojan that poses as a one-time password application (OTP). http://www.scmagazine.com/malicious-android-application-loots-bank-login-data/article/232702/?DCMP=EMC-SCUS_Newswire

FYI - IBM X-Force reports that mobile threats are increasing - Mobile device vulnerabilities are at the forefront of cyber criminal trends, according to the annual "IBM X-Force Trend and Risk Report" (PDF) released on Thursday. http://www.scmagazine.com/ibm-x-force-reports-that-mobile-threats-are-increasing/article/233286/?DCMP=EMC-SCUS_Newswire

FYI - The state of BYOD (Bring-your-own-device) - The number of personal mobile devices connecting to the corporate network has more than doubled in the past two years - with nearly half of those devices storing sensitive data, according to a survey from CheckPoint Security. http://www.scmagazine.com/the-state-of-byod/article/233285/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Tennessee insurer to pay $1.5 million for breach-related violations - BlueCross BlueShield agrees to pay HHS for HIPAA violations tied to 2009 breach that exposed data on 1 million members - A 2009 data breach that has already cost BlueCross BlueShield of Tennessee nearly $17 million got a little more expensive Tuesday.
http://www.computerworld.com/s/article/9225170/Tennessee_insurer_to_pay_1.5_million_for_breach_related_violations?taxonomyId=17
http://www.scmagazine.com/bluecross-fine-over-breach-related-to-hipaa-notification-rule/article/232206/?DCMP=EMC-SCUS_Newswire

FYI - FBI says $700K charged in Anonymous' Stratfor attack - During the court case the Antisec hacker busted for stealing data in the Stratfor breach--the FBI says charges made with stolen credit card information equals $700,000. http://news.cnet.com/8301-1009_3-57395944-83/fbi-says-$700k-charged-in-anonymous-stratfor-attack/

FYI - Exploit for gaping Microsoft RDP hole may have gotten help - The security researcher who discovered the dangerous and "wormable" Windows Remote Desktop Protocol (RDP) vulnerability patched earlier this week now believes that Microsoft may have accidentally leaked proof-of-concept exploit code that fell into the hands of Chinese hackers. http://www.scmagazine.com/exploit-for-gaping-microsoft-rdp-hole-may-have-gotten-help/article/232396/

FYI - Police arrest online banking fraudster - Victims had accounts compromised over 18-month period - The Metropolitan Police Service's Police Central e-Crime Unit (PCeU) has arrested a man for committing online banking fraud. http://www.csoonline.com/article/702228/police-arrest-online-banking-fraudster?source=CSONLE_nlt_newswatch_2012-03-16

FYI - University of Tampa sustains breach of Social Security numbers - Thousands of University of Tampa (UT) students, faculty and staff have become candidates for identity theft after students and IT personnel discovered publicly available files on the internet containing personal information. http://www.scmagazine.com/university-of-tampa-sustains-breach-of-social-security-numbers/article/233087/?DCMP=EMC-SCUS_Newswire

FYI - Michigan union employees' data exposed - The personal information of more than 1,000 public employees of Wayne County, Mich., was exposed when a spreadsheet containing their data was inadvertently attached to an email blast. http://www.scmagazine.com/michigan-union-employees-data-exposed/article/233268/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management principles (Part 1 of 2)

Based on the early work of the Electronic Banking Group EBG, the Committee concluded that, while traditional banking risk management principles are applicable to e-banking activities, the complex characteristics of the Internet delivery channel dictate that the application of these principles must be tailored to fit many online banking activities and their attendant risk management challenges. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. Further, as the Committee believes that banks should adopt an integrated risk management approach for all banking activities, it is critical that the risk management oversight afforded e-banking activities becomes an integral part of the banking institution's overall risk management framework.

To facilitate these developments, the Committee asked the EBG to identify the key risk management principles that would help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities and, in turn, promote the safe and sound electronic delivery of banking products and services.

These Risk Management Principles for Electronic Banking, which are identified in this Report, are not put forth as absolute requirements or even "best practice" but rather as guidance to promote safe and sound e-banking activities. The Committee believes that setting detailed risk management requirements in the area of e-banking might be counter-productive, if only because these would be likely to become rapidly outdated by the speed of change related to technological and product innovation. Therefore the principles included in the present Report express supervisory expectations related to the overall objective of banking supervision to ensure safety and soundness in the financial system rather than stringent regulations.

The Committee is of the view that such supervisory expectations should be tailored and adapted to the e-banking distribution channel but not be fundamentally different to those applied to banking activities delivered through other distribution channels. Consequently, the principles presented below are largely derived and adapted from supervisory principles that have already been expressed by the Committee or national supervisors over a number of years. In some areas, such as the management of outsourcing relationships, security controls and legal and reputational risk management, the characteristics and implications of the Internet distribution channel introduce a need for more detailed principles than those expressed to date.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY -  We continue our series on the FFIEC interagency Information Security Booklet.  

ELECTRONIC AND PAPER - BASED MEDIA HANDLING

Sensitive information is frequently contained on media such as paper documents, output reports, back-up tapes, disks, cassettes, optical storage, test data, and system documentation. Protection of that data requires protection of the media. The theft, destruction, or Information Security other loss of the media could result in the exposure of corporate secrets, breaches in customer confidentiality, alteration of data, and the disruption of business activities. The policies and procedures necessary to protect media may need revision as new data storage technologies are contemplated for use and new methods of attack are developed. The sensitivity of the data (as reflected in the data classification) dictates the extent of procedures and controls required. Many institutions find it easier to store and dispose of all media consistently without having to segregate out the most sensitive information. This approach also can help reduce the likelihood that someone could infer sensitive information by aggregating a large amount of less sensitive information. Management must address three components to secure media properly: handling and storage, disposal, and transit.

HANDLING AND STORAGE

IT management should ensure secure storage of media from unauthorized access. Controls could include physical and environmental controls including fire and flood protection, limited access (e.g., physical locks, keypad, passwords, biometrics), labeling, and logged access. Management should establish access controls to limit access to media, while ensuring all employees have authorization to access the minimum level of data required to perform their responsibilities. More sensitive media like system documentation, application source code, and production transaction data should have more extensive controls to guard against alteration (e.g., integrity checkers, cryptographic hashes). Furthermore, policies should minimize the distribution of sensitive media, including the printouts of sensitive information. Periodically, the security staff, audit staff, and data owners should review authorization levels and distribution lists to ensure they remain appropriate and current.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice  (Part 1 of 2)

8)  Do the initial, annual, and revised privacy notices include each of the following, as applicable:  (Part 1 of 2)

a)  the categories of nonpublic personal information that the institution collects; [§6(a)(1)]

b)  the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]

c)  the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]

d)  the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]