REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
FYI
- The Rise Of Medical Identity Theft In Healthcare - If modern
technology has ushered in a plague of identity theft, one particular
strain of the disease has emerged as most virulent: medical identity
theft.
http://www.studentdoctor.net/2014/04/the-rise-of-medical-identity-theft-in-healthcare/
FYI
- Experian settles class action suit for $8 million - A California
judge has put a preliminary stamp of approval on an $8 million
settlement in a class action suit against Experian, according to a
report in Top Class Actions.
http://www.scmagazine.com/experian-settles-class-action-suit-for-8-million/article/345412/
FYI
- Study finds CISO appointment, business continuity shrinks breach
costs - By appointing a CISO, breached organizations stand to fare
better in their response efforts, lessening their costs by $10 per
compromised record, an annual study found.
http://www.scmagazine.com/study-finds-ciso-appointment-business-continuity-shrinks-breach-costs/article/345623/
FYI
- Shareholder sues Wyndham board members over data breaches -
Security and tech executives like Target's former CIO won't be the
only ones in the cross-hairs after a data breach - corporate board
members and other executives may soon bear some of the liability if
a lawsuit filed by a Wyndham Worldwide Corporation shareholder sets
a precedent.
http://www.scmagazine.com/shareholder-sues-wyndham-board-members-over-data-breaches/article/345989/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Voice phishing scheme lets hackers steal personal data from banks -
Cybercriminals used a combination of SMS and voice phishing
techniques to obtain debit card details from bank customers -
Cybercriminals stole debit card information from customers of dozens
of financial institutions in a phishing campaign that combined rogue
text messages with VoIP calls.
http://www.computerworld.com/s/article/9248027/
FYI
- Data on students and staffers exposed in UNC Wilmington breach - An
undisclosed number of employees, graduate students and adjunct
instructors with the University of North Carolina Wilmington (UNCW)
may have had personal information - including Social Security
numbers - compromised after unauthorized access was gained to an
applications server.
http://www.scmagazine.com/data-on-students-and-staffers-exposed-in-unc-wilmington-breach/article/345376/
FYI
- Miami teen charged with hacking school website, altering grades - A
Miami teenager was arrested after reportedly confessing to his high
school principal that he had hacked into the school website and
altered students' grades, according to WFOR-TV, the Miami ABC
affiliate.
http://www.scmagazine.com/miami-teen-charged-with-hacking-school-website-altering-grades/article/345512/
FYI
- Systems admin for Navy nuclear department faces hacking charge - A
former Navy member, who served as systems administrator in a nuclear
reactor department, faces a federal charge for his alleged
involvement in a hacking conspiracy.
http://www.scmagazine.com/systems-admin-for-navy-nuclear-department-faces-hacking-charge/article/345798/
FYI
- Hackers steal $50k from Australian real estate agency - Cyber
criminals have stolen $50,000 from an Australian real estate agency
after one of its employees was duped by social engineering.
http://www.scmagazine.com/hackers-steal-50k-from-australian-real-estate-agency/article/345810/
FYI
- Insider breach affects about 2,400 UMass Memorial Medical patients -
About 2,400 patients of University of Massachusetts Memorial Medical
Center (UMMMC) are being notified that their personal information -
including Social Security numbers - was accessed by a former
employee and may have been used to open commercial accounts.
http://www.scmagazine.com/insider-breach-affects-about-2400-umass-memorial-medical-patients/article/345695/
FYI
- SSNs on postcards sent to 5,000 former Molina Healthcare members -
More than 5,000 former members of New Mexico-based Molina Healthcare
were sent postcards that may have inadvertently been printed, by
contractor Creel Printing, with their Social Security numbers.
http://www.scmagazine.com/ssns-on-postcards-sent-to-5000-former-molina-healthcare-members/article/345885/
FYI
- French telecom company's customer information breached again -
French telecoms corporation Orange said the personal information of
more than a million of its users was stolen last month in a phishing
attack.
http://www.scmagazine.com/french-telecom-companys-customer-information-breached-again/article/346087/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may
determine that a penetration analysis (test) should be conducted.
For the purpose of this paper, "penetration analysis" is broadly
defined. Bank management should determine the scope and objectives
of the analysis. The scope can range from a specific test of a
particular information system's security to a review of multiple
information security processes in an institution.
A penetration analysis usually involves a team of experts who
identify an information system's vulnerabilities to a series of
attacks. The evaluators may attempt to circumvent the security
features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a
penetration analysis is to locate system vulnerabilities so that
appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but
becomes more important if system access is allowed via an external
connection such as the Internet. The analysis should be independent
and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security
policy should address the frequency and scope of the analysis. In
determining the scope of the analysis, items to consider include
internal vs. external threats, systems to include in the test,
testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in
time and does not provide a complete guarantee that the system(s)
being tested are secure. It can test the effectiveness of security
controls and preparedness measures. Depending on the scope of the
analysis, the evaluators may work under the same constraints applied
to ordinary internal or external users. Conversely, the evaluators
may use all system design and implementation documentation. It is
common for the evaluators to be given just the IP address of the
institution and any other public information, such as a listing of
officers that is normally available to outside hackers. The
evaluators may use vulnerability assessment tools, and employ some
of the attack methods discussed in this paper such as social
engineering and war dialing. After completing the agreed-upon
analysis, the evaluators should provide the institution a detailed
written report. The report should identify vulnerabilities,
prioritize weaknesses, and provide recommendations for corrective
action.
FYI - Please remember that we perform vulnerability-penetration
studies and would be happy to e-mail you a proposal. E-mail Kinney
Williams at examiner@yennik.com for more information.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 1 of 2)
Sensitive or mission-critical applications should incorporate
appropriate access controls that restrict which application
functions are available to users and other applications. The most
commonly referenced applications from an examination perspective
support the information processing needs of the various business
lines. These computer applications allow authorized users or other
applications to interface with the related database. Effective
application access control can enforce both segregation of duties
and dual control. Access rights to sensitive or critical
applications and their database should ensure that employees or
applications have the minimum level of access required to perform
their business functions. Effective application access control
involves a partnership between the security administrators, the
application programmers (including TSPs and vendors), and the
business owners.
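The paragraph above names three controls an application should enforce: least privilege (users get only the functions their duties require), segregation of duties (the same person may not both initiate and approve a transaction) and dual control (a transaction is released only after two distinct approvers). The following is an added illustration written for this newsletter, not code from the FFIEC booklet or any product; the roles, function names and wire-transfer scenario are constructed.

```python
from dataclasses import dataclass, field

# Constructed role-to-function matrix: each role is granted only the
# application functions its business duties require (least privilege).
ROLE_FUNCTIONS = {
    "teller":     {"account.view", "wire.initiate"},
    "supervisor": {"account.view", "wire.approve"},
    "auditor":    {"account.view", "audit.read"},
}

# Segregation of duties: no single user may perform both functions of a
# conflicting pair on the same transaction, whatever roles they hold.
SOD_CONFLICTS = {frozenset({"wire.initiate", "wire.approve"})}

# Dual control: approvals from this many distinct users before release.
DUAL_CONTROL_APPROVALS = 2


class AccessDenied(Exception):
    pass


@dataclass
class Transaction:
    tx_id: str
    actions: list = field(default_factory=list)  # (function, user) history

    def approvers(self):
        return {user for fn, user in self.actions if fn == "wire.approve"}


def check_function(user_roles, function):
    """Deny unless at least one of the user's roles grants the function."""
    if not any(function in ROLE_FUNCTIONS.get(r, ()) for r in user_roles):
        raise AccessDenied(f"{function} not granted to {sorted(user_roles)}")


def perform(tx, user, user_roles, function):
    """Authorize and record `function` by `user` on `tx`.
    Returns True once the transaction satisfies dual control."""
    check_function(user_roles, function)
    for done_fn, done_by in tx.actions:
        if done_by != user:
            continue
        # Same user, conflicting function on the same transaction: SoD.
        if frozenset({done_fn, function}) in SOD_CONFLICTS:
            raise AccessDenied(f"{user} already did {done_fn} on {tx.tx_id}")
        # Same user approving twice would defeat dual control.
        if done_fn == function == "wire.approve":
            raise AccessDenied(f"{user} already approved {tx.tx_id}")
    tx.actions.append((function, user))
    return len(tx.approvers()) >= DUAL_CONTROL_APPROVALS
```

Note that a user holding both the teller and supervisor roles still cannot approve a wire they initiated: the segregation-of-duties check is keyed to the transaction history, not only to role membership.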
Some security software programs will integrate access control for
the operating system and some applications. That software is useful
when applications do not have their own access controls, and when
the institution wants to rely on the security software instead of
the application's access controls. Examples of such security
software products for mainframe computers include RACF, CA-ACF2,
and CA-Top Secret. Institutions should understand the functionality
and vulnerabilities of their application access control solutions
and consider those issues in their risk assessment process.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
Servicing Transactions
48. If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in
§8, and for service providers and joint marketing in §13, not apply
because the information is disclosed as necessary to effect,
administer, or enforce a transaction that the consumer requests or
authorizes, or in connection with:
a. servicing or processing a financial product or service requested
or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the
institution or with another entity as part of a private label credit
card program or other credit extension on behalf of the entity; or
[§14(a)(2)]
c. a proposed or actual securitization, secondary market sale
(including sale of servicing rights) or other similar transaction
related to a transaction of the consumer? [§14(a)(3)]