REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
FYI - Comptroller Highlights Regulators' Work To Minimize Risks of
Cyberattacks - Comptroller of the Currency Thomas J. Curry today
discussed what regulators are doing to meet the challenge of
cyberattacks. During his remarks before The New England Council, the
Comptroller emphasized the need for banks to implement robust
programs to mitigate cybersecurity risk, particularly the risk posed by
over-reliance on third-party service providers.
http://www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-73.html
FYI - Justice Is Fast-Tracking Cyber Hires - The Justice Department is
recruiting cyber professionals under special rules to fill vacancies
more quickly now that funding constraints have eased somewhat, the
department's top network security official said.
http://www.nextgov.com/cybersecurity/2014/05/justice-fast-tracking-cyber-hires/84511/
FYI - NIST standard puts security at start of critical systems
development - The National Institute of Standards and Technology
(NIST) is developing a set of standards that would help developers
build security into critical systems “from the ground up.”
http://www.scmagazine.com/nist-standard-puts-security-at-start-of-critical-systems-development/article/346988/
FYI - Companies more aware of insider threat, but lack policies, tools
- Organizations have heightened their awareness of insider security
threats, but still struggle with how to mitigate the risk of the
“human factor” and protect information assets.
http://www.scmagazine.com/report-companies-more-aware-of-insider-threat-but-lack-policies-tools/article/347779/
FYI - LifeLock snaps shut Wallet mobile app over credit card leak
fears - Wipes servers clean of user data after PCI DSS issues -
LifeLock has withdrawn its Wallet App and deleted user data over
concerns the technology falls short of user data protection rules
under the payment card industry's Data Security Standard (PCI DSS).
http://www.theregister.co.uk/2014/05/19/lifelock_yanks_mobile_app/
FYI - Joint Chiefs chairman voices concerns about nation’s
cybersecurity posture - The nation’s top military officer said the
United States lacks a strategy for cybersecurity, and data integrity
remains one of the biggest security concerns for the Defense
Department.
http://fedscoop.com/joint-chiefs-chairman-voices-concerns-nations-cybersecurity-posture/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Former Subway sandwich franchisee cops to $40,000 gift-card hack
scheme - Man used LogMeIn to access point-of-sale terminals of other
shops, feds say. A former Subway sandwich shop franchisee pled
guilty to taking part in a scheme to hack point-of-sale terminals
for at least 13 stores and obtaining gift cards worth $40,000.
http://arstechnica.com/security/2014/05/former-subway-sandwich-franchisee-cops-to-40000-gift-card-hack-scheme/
FYI - Hackers exploit vulnerability to breach Pennsylvania payroll
company - An undisclosed number of individuals may have had personal
information - including Social Security numbers and payment
information - compromised after hackers took advantage of a
vulnerability in systems belonging to Paytime Inc., a Pennsylvania
payroll company.
http://www.scmagazine.com/hackers-exploit-vulnerability-to-breach-pennsylvania-payroll-company/article/347371/
FYI - Student data inadvertently posted online, accessible via Google
search - An undisclosed number of Pennsylvania-based Lake Erie
College of Osteopathic Medicine (LECOM) students are being notified
that their personal information - including Social Security numbers
- was in spreadsheets that were inadvertently posted online by
Hubbard-Bert, a benefits administrator for LECOM.
http://www.scmagazine.com/student-data-inadvertently-posted-online-accessible-via-google-search/article/347497/
FYI - Philippine branch of Anonymous hacks Chinese govt sites - Close
to 200 Chinese government websites have been defaced by a Philippine
branch of the hacktivist collective Anonymous.
http://www.scmagazine.com/philippine-branch-of-anonymous-hacks-chinese-govt-sites/article/347773/
FYI - Maricopa County data breach costs reaching the $20 million mark
- Costs associated with the Maricopa County Community College
District (MCCCD) data breach that occurred in April 2013 continue to
rise and have nearly reached the $20 million mark.
http://www.scmagazine.com/maricopa-county-data-breach-costs-reaching-the-20-million-mark/article/347678/
FYI - Lowe's employee info accessible online for about 10 months -
About 35,000 current and former employees of home improvement
retailer Lowe's are being notified that their personal information -
including Social Security numbers - was inadvertently made
accessible via the internet for roughly 10 months by SafetyFirst, a
third-party vendor that maintains the data.
http://www.scmagazine.com/lowes-employee-info-accessible-online-for-about-10-months/article/347676/
FYI - eBay hacked, all users asked to change passwords - eBay is
asking all its users to change their passwords after attackers
compromised employee credentials and gained unauthorized access to a
database that stored personal information.
http://www.scmagazine.com/ebay-hacked-all-users-asked-to-change-passwords/article/347967/
FYI - Control system of U.S. utility company hacked - The Department
of Homeland Security (DHS) alerted critical infrastructure operators
to recent breaches within the sector – including the hack of a U.S.
public utility that was vulnerable to brute-force attacks.
http://www.scmagazine.com/dhs-control-system-of-us-utility-company-hacked/article/347990/
FYI - Thousands of staffers impacted in American Institutes for
Research server hack - About 6,500 current and former employees of
the American Institutes for Research (AIR) may have had unencrypted
information – including Social Security numbers and payment card
information – compromised after unauthorized access was gained to
one of the organization's servers.
http://www.scmagazine.com/thousands-of-staffers-impacted-in-american-institutes-for-research-server-hack/article/347977/
FYI - A billion shortened URLs go down following DoS attack - Popular
link-shortening service is.gd has experienced a prolonged
denial-of-service (DoS) attack that has taken a majority of
its shortened URLs offline.
http://www.scmagazine.com/a-billion-shortened-urls-go-down-following-dos-attack/article/347958/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure that
appropriate security precautions have been implemented and that
system security configurations are appropriate. The next step is to
monitor the system for intrusions and unusual activities. Intrusion
detection systems (IDS) may be useful because they act as a burglar
alarm, reporting potential intrusions to appropriate personnel. By
analyzing the information generated by the systems being guarded,
IDS help determine if necessary safeguards are in place and are
protecting the system as intended. In addition, they can be
configured to automatically respond to intrusions.
Computer system components or applications can generate detailed,
lengthy logs or audit trails that system administrators can manually
review for unusual events. IDS automate the review of logs and audit
data, which increases the reviews' overall efficiency by reducing
costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an agent,
which is the component that actually collects the information.
Second is a manager, which processes the information collected by
the agents. Third is a console, which allows authorized information
systems personnel to remotely install and upgrade agents, define
intrusion detection scenarios across agents, and track intrusions as
they occur. Depending on the complexity of the IDS, there can be
multiple agent and manager components.
Generally, IDS products use three different methods to detect
intrusions. First, they can look for identified attack signatures,
which are streams or patterns of data previously identified as an
attack. Second, they can look for system misuse such as unauthorized
attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that differ from a user's or
system's normal pattern. These "anomaly-based" products (which build
a statistical or machine-learning model of normal behavior) are
designed to detect subtle changes or new attack patterns, and then
notify appropriate personnel that an intrusion may be occurring. Some
anomaly-based products are created to update normal use patterns on a
regular basis. Poorly designed anomaly-based products, or products
whose baseline was learned from too little or unrepresentative
activity, can trigger frequent false-positive responses.
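The three detection methods above, as an added example that is not part of the FDIC paper: a small Python IDS that runs a signature check, a misuse (firewall-policy) check and a baseline anomaly check over constructed event records. The signatures, the internal address range 10.0.0.0/24, the policy that ports 23 and 445 must never be reachable from outside, and every event line are assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter

INTERNAL_PREFIX = "10.0.0."          # assumed internal address range
DISALLOWED_FROM_OUTSIDE = {23, 445}  # assumed firewall policy: never reachable from outside

SIGNATURES = {                       # method 1: patterns previously identified as attacks
    "path_traversal": re.compile(r"\.\./"),
    "sqli_tautology": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
}


def evt(ts, src, port, user, msg, dst="10.0.0.5"):
    """Build one constructed event record (ts in seconds)."""
    return {"ts": ts, "src": src, "dst": dst, "port": port, "user": user, "msg": msg}


def signature_alerts(events):
    """Method 1: match each payload against the known attack signatures."""
    return [("signature", name, e["src"], e["ts"])
            for e in events for name, rx in SIGNATURES.items() if rx.search(e["msg"])]


def misuse_alerts(events):
    """Method 2: traffic that policy says the firewall should never let through.
    A hit here is also evidence that the firewall is not working as intended."""
    return [("misuse", f"port {e['port']} reached from outside", e["src"], e["ts"])
            for e in events
            if not e["src"].startswith(INTERNAL_PREFIX) and e["port"] in DISALLOWED_FROM_OUTSIDE]


class FailedLoginAnomaly:
    """Method 3: failed logins per source per window, compared with a learned baseline.
    Threshold = mean + sigma * standard deviation of the counts seen during training."""

    def __init__(self, window=60, sigma=3.0):
        self.window, self.sigma = window, sigma
        self.threshold = None

    @staticmethod
    def _counts(events, window):
        return Counter((e["src"], e["ts"] // window)
                       for e in events if e["msg"] == "auth failure")

    def train(self, events):
        """Learn the normal pattern; call again on fresh data to update the baseline."""
        counts = list(self._counts(events, self.window).values())
        self.threshold = statistics.mean(counts) + self.sigma * statistics.pstdev(counts)
        return self.threshold

    def detect(self, events):
        assert self.threshold is not None, "train() before detect()"
        return [("anomaly", f"{n} failed logins in {self.window}s (threshold {self.threshold:.1f})",
                 src, w * self.window)
                for (src, w), n in self._counts(events, self.window).items()
                if n > self.threshold]


def constructed_training():
    # Normal pattern: one or two failed logins per minute from one internal workstation.
    return [evt(m * 60 + i, "10.0.0.21", 22, "alice", "auth failure")
            for m in range(6) for i in range(1 + m % 2)]


def constructed_live():
    events = [
        evt(400, "203.0.113.7", 80, "-", "GET /../../etc/passwd HTTP/1.1"),
        evt(401, "203.0.113.7", 80, "-", "GET /login?u=a' OR 1=1-- HTTP/1.1"),
        evt(402, "203.0.113.9", 23, "-", "telnet connect"),
        evt(403, "10.0.0.22", 22, "bob", "auth failure"),   # two failures: within baseline
        evt(404, "10.0.0.22", 22, "bob", "auth failure"),
    ]
    # Password guessing from outside: 20 failures inside one 60 s window.
    events += [evt(420 + i, "203.0.113.9", 22, "root", "auth failure") for i in range(20)]
    return events


def run_ids(training, live):
    """Run all three detectors and return the combined alert list."""
    detector = FailedLoginAnomaly()
    detector.train(training)
    return signature_alerts(live) + misuse_alerts(live) + detector.detect(live)


if __name__ == "__main__":
    for alert in run_ids(constructed_training(), constructed_live()):
        print(alert)
```

The anomaly detector is where the paragraph's caveat bites: with six training windows of one or two failures the threshold comes out at three failures per minute, so a handful of typos never alerts while a guessing run does. Train it on too few windows, or on windows that already contain an attack, and the threshold is either so low that every user trips it or so high that the attack is inside "normal". Re-running train() on recent, reviewed data is the "update normal use patterns on a regular basis" behaviour the text describes.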
Although IDS may be an integral part of an institution's overall
system security, they will not protect a system from previously
unknown threats or vulnerabilities. They are not self-sufficient and
do not compensate for weak authentication procedures (e.g., when an
intruder already knows a password to access the system). Also, IDS
often have overlapping features with other security products, such
as firewalls. IDS provide additional protections by helping to
determine if the firewall programs are working properly and by
helping to detect internal abuses. Both firewalls and IDS need to be
properly configured and updated to combat new types of attacks. In
addition, management should be aware that the state of these
products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports,
including text, charts, and graphs. The IDS reports can provide
background information on the type of attack and recommend courses
of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may
be needed later for documentation purposes.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail you a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
REMOTE ACCESS
Many financial institutions use modems, remote-access servers
(RAS), and VPNs to provide remote access into their systems or to
allow remote access out of their systems. Remote access can support
mobile users through wireless, Internet, or dial-in capabilities. In
some cases, modem access is required periodically by vendors to make
emergency program fixes or to support a system.
Remote access to a financial institution's systems provides an
attacker with the opportunity to remotely attack the systems either
individually or in groups. Accordingly, management should establish
policies restricting remote access and be aware of all remote access
devices attached to their systems. These devices should be strictly
controlled. Good controls for remote access include the following
actions:
! Disallow remote access by policy and practice unless a compelling
business justification exists.
! Disable remote access at the operating system level if a business
need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by
default, to enable modems only for specific, authorized external
requests, and disable the modem immediately when the requested
purpose is completed.
! Configure modems not to answer inbound calls, if modems are for
outbound use only.
! Use automated callback features so the modems only call one number
(although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses a
different prefix than internal numbers and does not respond to
incoming calls.
! Log and monitor the date, time, user, user location, duration, and
purpose for all remote access.
! Require a two-factor authentication process for all remote access
(e.g., PIN-based token card with a one-time random password
generator).
! Implement controls consistent with the sensitivity of remote use
(e.g., remote system administration requires strict controls and
oversight including encrypting the authentication and log-in
process).
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet
access, to provide a consistent authentication process, and to
subject the inbound and outbound network traffic to firewalls.
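To show what the logging, approval, two-factor and modem controls above look like once they are monitored rather than just written down, here is an added example that is not part of the FFIEC booklet: a Python audit that checks constructed remote-access session records against those controls. The record layout, the field names, the approval references and the operator-enabled modem windows are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Fields the policy above says must be logged for every remote session.
REQUIRED_LOG_FIELDS = ("user", "location", "start", "end", "purpose")


@dataclass
class Session:
    """One remote-access session record; the layout is an assumption for this example."""
    id: str
    user: str
    channel: str             # "vpn", "ras" or "modem"
    start: int               # epoch seconds
    end: int
    location: str = ""
    purpose: str = ""
    mfa: bool = False        # two-factor authentication used
    approval: str = ""       # management approval reference
    admin: bool = False      # remote system administration
    encrypted: bool = False  # authentication and log-in traffic encrypted


def audit_session(s, modem_windows):
    """Return the control violations for one session (empty list means compliant)."""
    findings = [f"missing log field: {f}" for f in REQUIRED_LOG_FIELDS if not getattr(s, f)]
    if not s.approval:
        findings.append("no management approval recorded")
    if not s.mfa:
        findings.append("single-factor authentication")
    if s.admin and not s.encrypted:
        findings.append("remote administration without encryption")
    # Modems are disabled by default and enabled only for a specific request:
    # a modem session must fall entirely inside an operator-enabled window.
    if s.channel == "modem" and not any(a <= s.start and s.end <= b for a, b in modem_windows):
        findings.append("modem answered outside an operator-enabled window")
    return findings


def audit(sessions, modem_windows):
    return {s.id: audit_session(s, modem_windows) for s in sessions}


# Constructed sample data (not real sessions).
MODEM_WINDOWS = [(1000, 1900)]   # operator enabled the modem for VEND-17, then disabled it
SESSIONS = [
    Session("s1", "alice", "vpn", 500, 1400, "home office", "month-end close",
            mfa=True, approval="CHG-101"),
    Session("s2", "vendor-acme", "modem", 1100, 1500, "vendor NOC", "emergency fix VEND-17",
            mfa=True, approval="VEND-17"),
    Session("s3", "vendor-acme", "modem", 2200, 2400, "vendor NOC", "follow-up",
            mfa=True, approval="VEND-17"),          # modem should have been disabled by now
    Session("s4", "root", "ras", 3000, 3300, "", "",
            mfa=False, approval="", admin=True, encrypted=False),
]


def report(sessions=SESSIONS, windows=MODEM_WINDOWS):
    """Sessions with at least one violation, keyed by session id."""
    return {sid: f for sid, f in audit(sessions, windows).items() if f}


if __name__ == "__main__":
    for sid, findings in report().items():
        print(sid, findings)
```

Session s3 is the case the modem controls are written for: the approval reference is valid and the vendor used two-factor authentication, but the modem answered after the operator should have disabled it, which only shows up if the enable and disable actions are themselves logged and compared against session times. Session s4 fails on every control at once and is the kind of record that should page someone rather than wait for a weekly review.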
INTERNET PRIVACY - This
concludes our series listing the regulatory-privacy examination
questions. Next week, we will begin our review of the issues in the
"Privacy of Consumer Financial Information" published by the
financial regulatory agencies.
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal information to
nonaffiliated third parties, do the requirements for initial notice
in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for
service providers and joint marketers in §13, not apply because the
institution makes the disclosure:
a. with the consent or at the direction of the consumer;
[§15(a)(1)]
b.
1. to protect the confidentiality or security of records;
[§15(a)(2)(i)]
2. to protect against or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability;
[§15(a)(2)(ii)]
3. for required institutional risk control or for resolving
consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating to
the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity on
behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or
agencies, agencies rating the institution, persons assessing
compliance, and the institution's attorneys, accountants, and
auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or to law
enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or
from a consumer report reported by a consumer reporting agency;
[§15(a)(5)]
f. in connection with a proposed or actual sale, merger, transfer,
or exchange of all or a portion of a business or operating unit, if
the disclosure of nonpublic personal information concerns solely
consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal
requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by Federal, state,
or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory
authorities having jurisdiction over the institution for
examination, compliance, or other purposes as authorized by law?
[§15(a)(7)(iii)]
(Note: the regulation gives the following as an example of
the exception described in section a of this question: "A consumer
may specifically consent to [an institution's] disclosure to a
nonaffiliated insurance company of the fact that the consumer has
applied to [the institution] for a mortgage so that the insurance
company can offer homeowner's insurance to the consumer.")