REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
FYI
- Organizations in dark as employees party on with BYOD -
Organizations know that employees’ personal mobile devices are
sometimes getting onto their networks, but the extent of the problem
could be worse than they thought.
http://gcn.com/articles/2012/04/05/byod-sans-report-organizations-in-the-dark.aspx
FYI
- UK hacker jailed for nicking PayPal, banking data from MILLIONS -
But York-based cybercrook only made £2.4k, court hears - A UK
cybercrook has been jailed for 26 months following his conviction
for stealing millions of banking and PayPal identities, the
Southwark Crown court confirmed to the Reg.
http://www.theregister.co.uk/2012/04/04/cybercrook_jailed/
FYI
- Weak passwords render major power supplier vulnerable to hackers,
audit finds - A federal utility in the Pacific Northwest that powers
30 percent of the region, including key military installations, is
vulnerable to computer breaches, according to an internal Energy
Department audit.
http://www.nextgov.com/nextgov/ng_20120404_8857.php
FYI
- VA Ramps Up Security Training - Will Deny Network Access to Those
Lacking Updated Education - The Department of Veterans Affairs is
ramping up its privacy and security training efforts and plans to
eventually deny network access to those who have not had training
within the past year.
http://www.govinfosecurity.com/articles.php?art_id=4629
FYI
- GAO - Federal Reserve Banks: Areas for Improvement in Information
Systems Controls.
http://www.gao.gov/products/GAO-12-615R
FYI
- Are security basics getting lost under the cover of cloud and
mobile? - Few would argue that the major themes at the recently
wrapped RSA Conference 2012 in San Francisco were cloud, mobile and
Big Data.
http://www.scmagazine.com/are-security-basics-getting-lost-under-the-cover-of-cloud-and-mobile/article/236285/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Sky News admits hacking emails of 'canoe man' John Darwin - Sky
News has admitted senior executives authorised a journalist to hack
into the emails of John Darwin, the "canoe man" accused of faking
his own death in 2002. The broadcaster revealed a member of staff
was cleared to carry out the hacking, a breach of the Computer
Misuse Act, on two separate occasions that it believed were "in the
public interest".
http://www.telegraph.co.uk/news/uknews/crime/9188402/Sky-News-admits-hacking-emails-of-canoe-man-John-Darwin.html
FYI
- Accused LulzSec member pleads guilty to hacking Sony - An accused
LulzSec hacker pleaded guilty today in a federal court in Los
Angeles, California, to felony charges associated with the breach of
Sony Pictures Entertainment that occurred in mid-2011.
http://arstechnica.com/tech-policy/news/2012/04/accused-lulzsec-member-pleads-guilty-to-hacking-sony.ars
FYI
- Hackers Access Medicaid Records - Claims for Utah Patients
Accessed - Hackers, believed to be from Eastern Europe, recently
accessed 24,000 Medicaid claims for Utah patients.
http://www.govinfosecurity.com/articles.php?art_id=4654
http://www.scmagazine.com/number-of-victims-in-state-of-utah-breach-significantly-rises/article/235759/?DCMP=EMC-SCUS_Newswire
http://gcn.com/articles/2012/04/09/utah-hackers-medicaid-chip-medical-recoreds-breached.aspx
FYI
- Commerce agency still offline 12 weeks after virus hits - What
would you do without Google, or some other search engine, always
ready to find what you need on the Internet? How could you do your
job without e-mail and the attachments it carries?
http://gcn.com/articles/2012/04/09/commerce-agency-offline-12-weeks-after-virus-hits.aspx
FYI
- New security flaws detected in mobile devices - Those cool mobile
devices beloved by consumers carry deep-rooted security flaws that
are only now being discovered and addressed.
http://www.usatoday.com/tech/news/story/2012-04-08/smartphone-security-flaw/54122468/1
FYI
- Intel engineer turned chip spy pleads guilty - The roadmap to jail
- A former Intel engineer who worked on the company's Itanium
processors for servers and who is accused of stealing documents
relating to future processor designs and chip fabrication processes
has pleaded guilty to the charges.
http://www.theregister.co.uk/2012/04/09/intel_ex_engineer_spy_pleads_guilty/
WEB SITE COMPLIANCE - We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Board and Management Oversight
The Board of Directors and senior management are responsible for
developing the banking institution's business strategy. An explicit
strategic decision should be made as to whether the Board wishes the
bank to provide e-banking transactional services before beginning to
offer such services. Specifically, the Board should ensure that
e-banking plans are clearly integrated within corporate strategic
goals, a risk analysis is performed of the proposed e-banking
activities, appropriate risk mitigation and monitoring processes are
established for identified risks, and ongoing reviews are conducted
to evaluate the results of e-banking activities against the
institution's business plans and objectives.
In addition, the Board and senior management should ensure that the
operational and security risk dimensions of the institution's
e-banking business strategies are appropriately considered and
addressed. The provision of financial services over the Internet may
significantly modify and/or even increase traditional banking risks
(e.g. strategic, reputational, operational, credit and liquidity
risk). Steps should therefore be taken to ensure that the bank's
existing risk management processes, security control processes, due
diligence and oversight processes for outsourcing relationships are
appropriately evaluated and modified to accommodate e-banking
services.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log,
institutions should consider the importance of the related system or
information, the importance of monitoring the access controls, the
value of logged data in restoring a compromised system, and the
means to effectively analyze the data. Generally, logs should
capture source identification information; session ID; terminal ID;
and the date, time, and the nature of the access attempt, service
request, or process. Many hardware and software products come with
logging disabled and may have inadequate log analysis and reporting
capabilities. Institutions may have to enable the logging
capabilities and then verify that logging remains enabled after
rebooting. In some cases, additional software will provide the only
means to analyze the log files effectively.
Many products, such as firewall and intrusion detection software, can
simplify security monitoring by automating the analysis of the
logs and alerting the appropriate personnel of suspicious activity.
Log files are critical to the successful investigation and
prosecution of security incidents and can potentially contain
sensitive information. Intruders will often attempt to conceal any
unauthorized access by editing or deleting log files. Therefore,
institutions should strictly control and monitor access to log
files. Some considerations for securing the integrity of log files
include:
- Encrypting log files that contain sensitive data or that are
transmitted over the network,
- Ensuring adequate storage capacity to avoid gaps in data
gathering,
- Securing backup and disposal of log files,
- Logging the data to a separate, isolated computer,
- Logging the data to write-only media like a write-once/read-many
(WORM) disk or drive,
- Utilizing centralized logging, such as the UNIX "SYSLOG" utility,
and
- Setting logging parameters to disallow any modification to
previously written data.
The financial institution should have an effective means of tracing
a security event through its systems. Synchronized time stamps on
network devices may be necessary to gather consistent logs and a
consistent audit trail. Additionally, logs should be available, when
needed, for incident detection, analysis and response.
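As an added illustration (example code written for this issue, not
part of the FFIEC booklet, the newsletter, or any product): the Python
script below keeps an audit log whose records carry the fields the
booklet says a log should capture (source, session ID, terminal ID,
UTC time stamp, and the nature and outcome of the request) and chains
each record to the previous one with a SHA-256 hash. Verifying the
chain detects an edited or deleted entry, the tampering the booklet
warns about. It also shows the limit of the technique: records cut
off the end of the log go unnoticed unless the latest hash has been
copied to a separate machine or write-once media, which is why the
separate-computer and WORM items in the list above matter. The field
names, sample records and IP addresses are constructed for the
example.

```python
# Added example, not from the FFIEC booklet: a tamper-evident audit log.
# Each record holds the fields the booklet says a log should capture and
# is chained to its predecessor with SHA-256, so edits and deletions of
# earlier records are detectable when the chain is verified.
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # the value the first record chains to


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so a record always
    # serialises, and therefore hashes, the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # each entry: {"record": ..., "prev": ..., "hash": ...}

    def append(self, source, session_id, terminal_id, action, outcome, when=None):
        # Time stamps are recorded in UTC so that logs gathered from
        # several devices line up into one audit trail.
        when = when or datetime.now(timezone.utc)
        record = {
            "ts": when.isoformat(timespec="seconds"),
            "source": source,          # where the request came from
            "session_id": session_id,
            "terminal_id": terminal_id,
            "action": action,          # nature of the access attempt or request
            "outcome": outcome,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        # The latest hash; keep a copy of it off-box (separate log host,
        # WORM media) so that truncation of the log can be detected.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index)
    where index is the first entry that fails; index == len(entries)
    means the log stops short of the expected head (tail cut off)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log():
    # Constructed sample records; the addresses are documentation ranges.
    log = AuditLog()
    t0 = datetime(2012, 4, 9, 14, 5, 0, tzinfo=timezone.utc)
    log.append("192.0.2.10", "S1001", "TTY7", "login", "success", t0)
    log.append("192.0.2.10", "S1001", "TTY7", "read customer-file", "denied", t0)
    log.append("203.0.113.9", "S1002", "TTY9", "login", "failure", t0)
    return log


def demo():
    log = build_sample_log()
    head = log.head()  # in practice, stored on the separate log host
    # 1. An intruder rewrites the denied access so it looks authorised.
    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["outcome"] = "success"
    # 2. An intruder removes the middle record.
    middle_deleted = [log.entries[0], log.entries[2]]
    # 3. An intruder cuts the last record off the end of the file.
    tail_cut = log.entries[:2]
    return {
        "intact": verify(log.entries),
        "edited": verify(edited),
        "middle_deleted": verify(middle_deleted),
        "tail_cut_unanchored": verify(tail_cut),
        "tail_cut_anchored": verify(tail_cut, expected_head=head),
    }


if __name__ == "__main__":
    for case, (ok, where) in demo().items():
        print(f"{case:20s} intact={ok} first_bad={where}")
```

Run as a script it prints one line per case; the edit and the
middle deletion are caught at the first affected entry, and the
truncated tail is caught only when the verifier is given the head
hash held elsewhere. In a real deployment the records would be sent
over an encrypted channel to the central log host, which would also
hold the head hash; the in-memory list here stands in for that.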
When using logs to support personnel actions, management should
consult with counsel about whether the logs are sufficiently
reliable to support the action.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of nonpublic
personal information that it discloses, as applicable, and a few
examples of each, or alternatively state that it reserves the right
to disclose all the nonpublic personal information that it collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with nonaffiliated
third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]