REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Why Auditors' InfoSec Advice Is Ignored - Rapid Pace of Change
Makes Compliance a Big Challenge - As director of information
security issues at the U.S. Government Accountability Office,
Gregory Wilshusen dispenses advice to agencies to improve their
security - recommendations that aren't always heeded.
http://www.govinfosecurity.com/blogs/auditors-infosec-advice-ignored-p-1652
FYI
- Microsoft slashes Windows XP custom support prices just days
before axing public patches - Reduces after-retirement support costs
for large enterprises as much as 95% - Just days before Microsoft
retired Windows XP from public support, the company drastically
reduced the price of custom support agreements that give large
companies and government agencies another year of XP patches,
experts reported today.
http://www.computerworld.com/s/article/9247708/Microsoft_slashes_Windows_XP_custom_support_prices_just_days_before_axing_public_patches
FYI
- Canadian mounties have arrested a teenager who, they say, used the
Heartbleed Internet bug to hack into the country's tax agency.
Shortly after the Internet bug was revealed to the world last week,
the Canada Revenue Agency suffered a data breach that leaked the
Social Insurance Numbers of about 900 taxpayers. The agency was
forced to shut down its website temporarily to prevent further theft
of sensitive personal information.
http://money.cnn.com/2014/04/16/technology/security/canada-heartbleed/index.html
FYI
- Bill would restrict Calif. retailers from storing certain payment
data - Two California legislators have introduced a bill that would
severely limit how sensitive card data is stored by retailers.
http://www.scmagazine.com/bill-would-restrict-calif-retailers-from-storing-certain-payment-data/article/343355/
FYI
- Federal watchdog says SEC security issues put financial data at
risk - A congressional watchdog has tasked the U.S. Securities and
Exchange Commission (SEC) with addressing a number of security
weaknesses impacting its system.
http://www.scmagazine.com/federal-watchdog-says-sec-security-issues-put-financial-data-at-risk/article/343345/
FYI
- Research shows vulnerabilities go unfixed longer in ASP - While
there is no significant difference between the number of security
vulnerabilities found, on average, in widely used programming
languages, like .Net, Java and ASP, the number of days it takes to
make fixes can differ noticeably, a WhiteHat Security report
reveals.
http://www.scmagazine.com/research-shows-vulnerabilities-go-unfixed-longer-in-asp/article/343357/
FYI
- Attack exercise reveals threat-sharing roadblock within health
orgs - Health care participants in an industry wide attack exercise
expressed concerns about effectively communicating threat
intelligence within their organization.
http://www.scmagazine.com/attack-exercise-reveals-threat-sharing-roadblock-within-health-orgs/article/343566/
FYI
- Bank of England to helm pen-testing effort for UK's finance sector
- The Bank of England, which helped oversee a cyber readiness
exercise last year for London's finance sector, now plans to lead a
large-scale penetration testing effort, according to reports.
http://www.scmagazine.com/report-bank-of-england-to-helm-pen-testing-effort-for-uks-finance-sector/article/343946/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- POS malware risks millions of payment cards for Michaels, Aaron
Brothers shoppers - Following an investigation with two independent
security firms that dates back to January, arts and crafts retailer
Michaels Stores confirmed on Thursday that, much like retail giant
Target, its U.S. stores had experienced a payment card breach.
http://www.scmagazine.com/pos-malware-risks-millions-of-payment-cards-for-michaels-aaron-brothers-shoppers/article/343180/
FYI
- Hackers steal 500k details from Harley Medical Group - Names and
addresses of prospective Harley Medical Group clients, as well as
details of the cosmetic procedures they were considering, have been
stolen by hackers - The personal details of nearly half a million
people considering cosmetic surgery may have been accessed by
hackers, it has emerged.
http://www.telegraph.co.uk/technology/internet-security/10770922/Hackers-steal-500k-patient-records-from-Harley-Medical-Group.html
FYI
- French hard-drive maker LaCie cops to YEAR LONG card data leak -
And it didn't find out until the FBI broke the news - French hard
drive maker LaCie has held its hands up to a year-long credit card
breach.
http://www.theregister.co.uk/2014/04/16/lacie_breach/
FYI
- Pittsburgh hospital employees hit by tax fraud following breach -
Up to 27,000 Pittsburgh hospital workers' personal information could
be at risk following a company data breach.
http://www.scmagazine.com/pittsburgh-hospital-employees-hit-by-tax-fraud-following-breach/article/343336/
FYI
- AOL Mail hack furthers spam campaign using spoofed accounts - AOL
has confirmed that it is working to address an issue impacting its
Mail service, where users are being spammed by spoofed accounts.
http://www.scmagazine.com/aol-mail-hack-furthers-spam-campaign-using-spoofed-accounts/article/343754/
FYI
- Iowa State server breach exposes SSNs of nearly 30,000 - Nearly
30,000 current and former students of Iowa State University are
being warned that their Social Security numbers were exposed due to
a server breach.
http://www.scmagazine.com/iowa-state-server-breach-exposes-ssns-of-nearly-30000/article/343732/
FYI
- Three laptops stolen from New York podiatry office, 6,475 at risk
- Nearly 6,500 patients of Sims and Associates Podiatry may have had
personal information – including Social Security numbers –
compromised after three laptops containing the patient data were
stolen from the New York office.
http://www.scmagazine.com/three-laptops-stolen-from-new-york-podiatry-office-6475-at-risk/article/343644/
FYI
- Fate of unencrypted drive unknown, PHI of 5,500 in Virginia at
risk - More than 5,500 patients of Virginia-based NOVA Chiropractic
& Rehab Center of Sterling may have had personal information –
including Social Security numbers – compromised after an unencrypted
thumb drive containing the data was possibly thrown away.
http://www.scmagazine.com/fate-of-unencrypted-drive-unknown-phi-of-5500-in-virginia-at-risk/article/343831/
FYI
- DDoS attack almost crashes children's hospital website - Boston
Children's Hospital's website almost went down earlier this week in
what appears to be a distributed denial-of-service (DDoS) attack.
http://www.scmagazine.com/ddos-attack-almost-crashes-childrens-hospital-website/article/344100/
FYI
- Second burglary breach within a month for Coordinated Health - A
password protected laptop that contained personal information -
including Social Security numbers - of more than 700 Coordinated
Health patients was stolen from an employee's car in Pennsylvania,
making it the health group's second burglary-related data breach to
occur within a month.
http://www.scmagazine.com/second-burglary-breach-within-a-month-for-coordinated-health/article/344022/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
VULNERABILITY ASSESSMENT TOOLS
Vulnerability assessment tools, also called security scanning tools,
assess the security of network or host systems and report system
vulnerabilities. These tools can scan networks, servers, firewalls,
routers, and applications for vulnerabilities. Generally, the tools
can detect known security flaws or bugs in software and hardware,
determine if the systems are susceptible to known attacks and
exploits, and search for system vulnerabilities such as settings
contrary to established security policies.
In evaluating a vulnerability assessment tool, management should
consider how frequently the tool is updated to include the detection
of any new weaknesses such as security flaws and bugs. If there is a
time delay before a system patch is made available to correct an
identified weakness, mitigating controls may be needed until the
system patch is issued.
Generally, vulnerability assessment tools are not run in real-time,
but they are commonly run on a periodic basis. When using the tools,
it is important to ensure that the results from the scan are secure
and only provided to authorized parties. The tools can generate both
technical and management reports, including text, charts, and
graphs. The vulnerability assessment reports can tell a user what
weaknesses exist and how to fix them. Some tools can automatically
fix vulnerabilities after detection.
FYI - Please remember that we
perform vulnerability-penetration testing and would be happy to
e-mail {custom4} a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 1 of 2)
Financial institutions must control access to system software within
the various network clients and servers as well as stand-alone
systems. System software includes the operating system and system
utilities. The computer operating system manages all of the other
applications running on the computer. Common operating systems
include IBM OS/400 and AIX, LINUX, various versions of Microsoft
Windows, and Sun Solaris. Security administrators and IT auditors
need to understand the common vulnerabilities and appropriate
mitigation strategies for their operating systems. Application
programs and data files interface through the operating system.
System utilities are programs that perform repetitive functions such
as creating, deleting, changing, or copying files. System utilities
also could include numerous types of system management software that
can supplement operating system functionality by supporting common
system tasks such as security, system monitoring, or transaction
processing.
System software can provide high-level access to data and data
processing. Unauthorized access could result in significant
financial and operational losses. Financial institutions must
restrict privileged access to sensitive operating systems. While
many operating systems have integrated access control software,
third-party security software is available for most operating
systems. In the case of many mainframe systems, these programs are
essential to ensure effective access control and can often integrate
the security management of both the operating system and the
applications. Network security software can allow institutions to
improve the effectiveness of the administration and security policy
compliance for a large number of servers often spanning multiple
operating system environments. The critical aspects for access
control software, whether included in the operating system or
additional security software, are that management has the capability
to:
! Restrict access to sensitive or critical system resources or
processes and have the capability, depending on the sensitivity, to
extend protection at the program, file, record, or field level;
! Log user or program access to sensitive system resources including
files, programs, processes, or operating system parameters; and
! Filter logs for potential security events and provide adequate
reporting and alerting capabilities.
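The three capabilities listed above, worked through as an added example that is not from the FFIEC booklet: a small access-control layer that restricts reads down to the field level, logs every decision on a sensitive resource, and filters that log for events worth alerting on. The resource names, principals and policy table are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: resource -> {principal: allowed fields}.
# "*" grants every field; anything not listed is denied by default.
POLICY = {
    "customer_master": {"teller": {"name", "balance"}, "auditor": {"*"}},
    "os_parameters":   {"sysadmin": {"*"}},
}

@dataclass
class AccessLog:
    """Capability 2: log user or program access to sensitive resources."""
    entries: list = field(default_factory=list)

    def record(self, principal, resource, fields, allowed):
        self.entries.append({"principal": principal, "resource": resource,
                             "fields": sorted(fields), "allowed": allowed})

def check_access(principal, resource, fields, log):
    """Capability 1: restrict access at the field level.
    Returns True only if every requested field is permitted; every
    decision, allowed or denied, is written to the log."""
    permitted = POLICY.get(resource, {}).get(principal, set())
    allowed = "*" in permitted or set(fields) <= permitted
    log.record(principal, resource, fields, allowed)
    return allowed

def security_events(log):
    """Capability 3: filter the log for potential security events.
    Any denied request is reported, and so is every successful access
    to operating system parameters, since that is privileged activity."""
    alerts = []
    for e in log.entries:
        if not e["allowed"]:
            alerts.append(f"DENIED {e['principal']} -> {e['resource']} {e['fields']}")
        elif e["resource"] == "os_parameters":
            alerts.append(f"PRIVILEGED {e['principal']} accessed {e['resource']}")
    return alerts

if __name__ == "__main__":
    log = AccessLog()
    check_access("teller", "customer_master", ["name", "balance"], log)  # allowed
    check_access("teller", "customer_master", ["ssn"], log)              # field-level denial
    check_access("sysadmin", "os_parameters", ["ulimit"], log)           # allowed, but reported
    check_access("teller", "os_parameters", ["ulimit"], log)             # denied
    for alert in security_events(log):
        print(alert)
```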
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
46. Does the institution refrain from disclosing, directly
or through affiliates, account numbers or similar forms of access
numbers or access codes for a consumer's credit card account,
deposit account, or transaction account to any nonaffiliated third
party (other than to a consumer reporting agency) for telemarketing,
direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to
market the institution's own products or services, as long as the
agent or service provider is not authorized to directly initiate
charges to the account; [§12(b)(1)] or
b. to a participant in a private label credit card program or an
affinity or similar program where the participants in the program
are identified to the customer when the customer enters into the
program? [§12(b)(2)]
(Note: an "account number or similar form of access number
or access code" does not include numbers in encrypted form, so long
as the institution does not provide the recipient with a means of
decryption. [§12(c)(1)] A transaction account does not include an
account to which third parties cannot initiate charges. [§12(c)(2)])