REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Government Employees Cause Nearly 60% of Public Sector Cyber Incidents - About 58 percent of cyber incidents reported in the public sector were caused by government employees, according to an annual data breach report compiled by Verizon. http://www.nextgov.com/cybersecurity/2014/04/government-employees-cause-nearly-60-public-sector-cyber-incidents/82933/

FYI - Bank of England to helm pen-testing effort for UK's finance sector - The Bank of England, which helped oversee a cyber readiness exercise last year for London's finance sector, now plans to lead a large-scale penetration testing effort, according to reports. http://www.scmagazine.com/report-bank-of-england-to-helm-pen-testing-effort-for-uks-finance-sector/article/343946/

FYI - Data Breach report dishes recommendations for authentication changes - For enterprises building a large part of their authentication strategy on passwords, this year's Verizon Data Breach Investigations Report has a clear message: Cut it out! http://www.zdnet.com/data-breach-report-dishes-recommendations-for-authentication-changes-7000028717/

FYI - Feds warn health care sector of looming cyber attacks - The FBI has sent a private industry notification (PIN) to health care providers warning them that the security systems they have in place are behind those of other sectors, making them prime targets for cyber attacks. http://www.scmagazine.com/feds-warn-health-care-sector-of-looming-cyber-attacks/article/344026/

FYI - It’s Insanely Easy to Hack Hospital Equipment - When Scott Erven was given free rein to roam through all of the medical equipment used at a large chain of Midwest health care facilities, he knew he would find security problems–but he wasn’t prepared for just how bad it would be. http://www.wired.com/2014/04/hospital-equipment-vulnerable/

FYI - Secretary of State website breach cost Oregonians $176,662 - Taxpayers in Oregon were on the hook for about $176,662 to cover costs associated with a February breach of the Secretary of State's website, according to a story in The Oregonian. http://www.scmagazine.com/secretary-of-state-website-breach-cost-oregonians-176662/article/344950/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Japan airport staff dash to replace passcodes after security cock-up - Haneda employee drops key codes ahead of Obama visit - The dangers of writing passwords down on paper were laid bare in the Japanese airport of Haneda this week after a member of staff managed to lose a note containing key security codes ahead of US president Barack Obama’s arrival today. http://www.theregister.co.uk/2014/04/23/tokyo_haneda_passcode_loss_obama/

FYI - AOL imposes stricter email rules to stem spoofing attack - AOL instructs mailbox providers to reject any email allegedly associated with an AOL domain that didn't originate from an AOL server.
http://www.cnet.com/news/aol-imposes-stricter-email-rules-to-stem-spoofing-attack/
http://www.nbcnews.com/tech/security/youve-got-hacked-aol-confirms-significant-number-mail-users-hit-n91701

FYI - Tufts Health Plan data stolen, 8,830 members impacted - Massachusetts-based Tufts Health Plan is notifying roughly 8,830 current and former Tufts Medicare Preferred members that their personal information - including Social Security numbers - was stolen. http://www.scmagazine.com/tufts-health-plan-data-stolen-8830-members-impacted/article/344185/

FYI - Data on nearly 10K Snelling Staffing employees made available online - The personal information - including Social Security numbers - of almost 10,000 current and former employees of Texas-based Snelling Staffing was made available on the internet by a former employee that made an error when setting up a cloud-based server at home. http://www.scmagazine.com/data-on-nearly-10k-snelling-staffing-employees-made-available-online/article/344562/

FYI - 200 million records stolen in Q1 breaches - Nearly 200 million records - or 93,000 records per hour - were stolen between January and March of 2014, an increase of 233 percent over the same quarter last year, according to the recently released SafeNet Breach Level Index. http://www.scmagazine.com/index-200-million-records-stolen-in-q1-breaches/article/344845/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 

Host-Versus Network-Based Vulnerability Assessment Tools

As in intrusion detection systems, which are discussed later in this appendix, there are generally two types of vulnerability assessment tools: host-based and network-based.  Another category is sometimes used for products that assess vulnerabilities of specific applications (application-based) on a host.  A host is generally a single computer or workstation that can be connected to a computer network.  Host-based tools assess the vulnerabilities of specific hosts.  They usually reside on servers, but can be placed on specific desktop computers, routers, or even firewalls. 

Network-based vulnerability assessment tools generally reside on the network, specifically analyzing the network to determine if it is vulnerable to known attacks.  Both host- and network-based products offer valuable features, and the risk assessment process should help an institution determine which is best for its needs.  Information systems personnel should understand the types of tools available, how they operate, where they are located, and the output generated from the tools.

Host-based vulnerability assessment tools are effective at identifying security risks that result from internal misuse or hackers using a compromised system.  They can detect holes that would allow access to a system such as unauthorized modems, easily guessed passwords, and unchanged vendor default passwords.  The tools can detect system vulnerabilities such as poor virus protection capabilities; identify hosts that are configured improperly; and provide basic information such as user log-on hours, password/account expiration settings, and users with dial-in access.  The tools may also provide a periodic check to confirm that various security policies are being followed.  For instance, they can check user permissions to access files and directories, and identify files and directories without ownership.

Network-based vulnerability assessment tools are more effective than host-based at detecting network attacks such as denial of service and Internet Protocol (IP) spoofing.  Network tools can detect unauthorized systems on a network or insecure connections to business partners.  Running a host-based scan does not consume network overhead, but can consume processing time and available storage on the host.  Conversely, frequently running a network-based scan as part of daily operations increases network traffic during the scan.  This may cause inadvertent network problems such as router crashes.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)

Additional operating system access controls include the following actions:

! Ensure system administrators and security professionals have adequate expertise to securely configure and manage the operating system.
! Ensure effective authentication methods are used to restrict system access to both users and applications.
! Activate and utilize operating system security and logging capabilities and supplement with additional security software where supported by the risk assessment process.
! Restrict operating system access to specific terminals in physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals residing outside physically secure locations.
! Restrict and log access to system utilities, especially those with data altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions, where feasible, and at a minimum require strong authentication and encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating systems and grant only the minimum level of access required to perform routine responsibilities.
! Segregate operating system access, where possible, to limit full or root - level access to the system.
! Monitor operating system access by user, terminal, date, and time of access.
! Update operating systems with security patches and using appropriate change control mechanisms.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

SUBPART C - Exception to Opt Out Requirements for Service Providers and Joint Marketing

47.  If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised notice requirements in §8, not apply because:

a.  the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]

b.  the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and

c.  the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §14 or §15 in the ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]