REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Hackers Compromise Database of South Koreans Who Work for the U.S. Military - Two databases containing the personal information of about 16,000 South Koreans employed by the United States military have been hacked. http://www.nextgov.com/defense/2014/06/hackers-compromise-database-south-koreans-who-work-us-military/85945/

FYI - Get ready for car software updates - Those annoying "Update Required" pop-ups on your smartphone and computer will soon be in your car too. http://money.cnn.com/2014/06/04/technology/security/car-update/index.html

FYI - Hacker passwords not much stronger than the average user's, researcher finds - Hacker passwords are not all that much stronger than those used by the average user. http://www.scmagazine.com/hacker-passwords-not-much-stronger-than-the-average-users-researcher-finds/article/351560/

FYI - New Canadian privacy commissioner comes under fire - Canada's federal privacy commissioner has been replaced in a move that has sparked criticism from activists, academics and political leaders. http://www.scmagazine.com/new-canadian-privacy-commissioner-comes-under-fire/article/354817/

FYI - FAA orders Boeing to protect 737s from computer hackers - The Federal Aviation Administration is ordering Boeing to modify the technology aboard late-model 737 aircraft to prevent computer hackers from damaging the planes. http://www.usatoday.com/story/news/nation/2014/06/06/faa-boeing-737/10066247/

FYI - We “will be paying no ransom,” vows town hit by Cryptowall ransom malware - Police computers in New Hampshire hamlet crippled by crypto-based ransomware. The town manager of a hamlet in south eastern New Hampshire has defied demands that he pay a ransom to recover police department computer files taken hostage by Cryptowall, a newer piece of malware that encrypts hard drive contents of infected machines until victims pay for them to be decrypted. http://arstechnica.com/security/2014/06/we-will-be-paying-no-ransom-vows-town-hit-by-cryptowall-ransom-malware/

FYI - UK Pitches Business 'Cyber Essentials' - Certification Focuses on Establishing Basic Security Buy-In - That's the pitch to U.K. businesses via a new program called Cyber Essentials. http://www.govinfosecurity.com/uk-pitches-business-cyber-essentials-a-6924

FYI - Cyber crime costs $445 billion globally, GDPs take hit - Cyber crime and economic espionage cost the global economy more than $445 billion annually, which a report from the Center for Strategic and International Studies, says puts cyber crime on par with the economic impact of global drug trafficking. http://www.scmagazine.com/cyber-crime-costs-445-billion-globally-gdps-take-hit/article/354844/

FYI - Survey respondents praise, but neglect, continuous monitoring - Most IT security professionals surveyed in a recent study agree that the best way to fend off the kind of data breaches that struck Target and Michaels is through continuous monitoring of database networks, yet only one-third say they do just that. http://www.scmagazine.com/survey-respondents-praise-but-neglect-continuous-monitoring/article/355322/

FYI - Attackers attempt DDoS extortion on Feedly - Cyber criminals attempted to extort news aggregator service Feedly on Wednesday, asking for money in order for the attack to end a distributed denial-of-service (DDoS) attack that hit the service. http://www.scmagazine.com/attackers-attempt-ddos-extortion-on-feedly/article/355302/

FYI - World Cup travelers: beware of unencrypted Brazilian Wi-Fi nets - The last thing World Cup travelers are probably thinking about is secure internet access in the tournament's host city, São Paulo, Brazil. But they should be. http://www.scmagazine.com/world-cup-travelers-beware-of-unencrypted-brazilian-wi-fi-nets/article/355493/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Highmark fires employee for mailing error, notifies thousands of possible breach - Healthcare company Highmark is notifying about 3,675 Security Blue and Freedom Blue members that a former employee made an error when mailing out health risk assessments, which could have resulted in a compromise of their personal information. http://www.scmagazine.com/highmark-fires-employee-for-mailing-error-notifies-thousands-of-possible-breach/article/351413/  

FYI - Two 14-year-old students hack Bank of Montreal ATM during lunch break - On Wednesday, two 14-year-old Canadian students spent their lunch break hacking an ATM and notifying its owner, Bank of Montreal (BMO).
http://www.scmagazine.com/two-14-year-old-students-hack-bank-of-montreal-atm-during-lunch-break/article/354814/
http://arstechnica.com/security/2014/06/kids-with-operators-manual-alert-bank-officials-we-hacked-your-atm/

FYI - Smart TVs subverted by radio attack - Millions of smart TVs can be hijacked by burying attack code in signals broadcast to the net-connected devices, security experts warn. http://www.bbc.com/news/technology-27761756

FYI - Online gambling site hit by five-vector DDoS attack peaking at 100Gbps - On Friday, cloud-based security services provider Incapsula fought off a 100 gigabits per second (Gbps) distributed denial-of-service (DDoS) attack against an online gambling website that utilized more than five DDoS attack vectors. http://www.scmagazine.com/online-gambling-site-hit-by-five-vector-ddos-attack-peaking-at-100gbps/article/355020/

FYI - Penn State Hershey employee takes data home, puts 1,801 patients at risk - About 1,800 patients of Penn State Hershey Medical Center are being notified that their information had the potential to be compromised because a clinical laboratory technician had been working with the data from home, outside the secured Penn State Hershey system. http://www.scmagazine.com/penn-state-hershey-employee-takes-data-home-puts-1801-patients-at-risk/article/354934/

FYI - P.F. Chang's customer card data possibly exposed - Global restaurant brand P.F. Chang's China Bistro is investigating a possible data breach that could have exposed thousands of diners' credit and debit card data. http://www.scmagazine.com/pf-changs-customer-card-data-possibly-exposed/article/355307/

FYI - College of the Desert breach impacts 1,900 current and former staffers - About 1,900 current and former employees with California-based College of the Desert had personal information - including Social Security numbers - exposed in a spreadsheet that a worker attached to an email, without authorization, and sent to about 78 staffers. http://www.scmagazine.com/college-of-the-desert-breach-impacts-1900-current-and-former-staffers/article/355310/

FYI - Stolen thumb drive contained five years of data on nearly 34K Calif. patients - Nearly 34,000 patients who received X-ray services at California-based Redwood Regional Medical Group are being notified that their personal information was on a thumb drive that was stolen from an employee's locker. http://www.scmagazine.com/stolen-thumb-drive-contained-five-years-of-data-on-nearly-34k-calif-patients/article/355523/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight 

Because the Board of Directors and senior management are responsible for developing the institution's business strategy and establishing an effective management oversight over risks, they are expected to take an explicit, informed and documented strategic decision as to whether and how the bank is to provide e-banking services. The initial decision should include the specific accountabilities, policies and controls to address risks, including those arising in a cross-border context. Effective management oversight is expected to encompass the review and approval of the key aspects of the bank's security control process, such as the development and maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. It also should include a comprehensive process for managing risks associated with increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform critical e-banking functions.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 1 of 2)

Hardware and software located in a user department are often less secure than that located in a computer room. Distributed hardware and software environments (e.g., local area networks or LANs) that offer a full range of applications for small financial institutions as well as larger organizations are commonly housed throughout the organization, without special environmental controls or raised flooring. In such situations, physical security precautions are often less sophisticated than those found in large data centers, and overall building security becomes more important. Internal control procedures are necessary for all hardware and software deployed in distributed, and less secure, environments. The level of security surrounding any IS hardware and software should depend on the sensitivity of the data that can be accessed, the significance of applications processed, the cost of the equipment, and the availability of backup equipment.

Because of their portability and location in distributed environments, PCs often are prime targets for theft and misuse. The location of PCs and the sensitivity of the data and systems they access determine the extent of physical security required. For PCs in unrestricted areas such as a branch lobby, a counter or divider may provide the only barrier to public access. In these cases, institutions should consider securing PCs to workstations, locking or removing disk drives, and using screensaver passwords or automatic timeouts. Employees also should have only the access to PCs and data they need to perform their job. The sensitivity of the data processed or accessed by the computer usually dictates the level of control required. The effectiveness of security measures depends on employee awareness and enforcement of these controls.

An advantage of PCs is that they can operate in an office environment, providing flexible and informal operations. However, as with larger systems, PCs are sensitive to environmental factors such as smoke, dust, heat, humidity, food particles, and liquids. Because they are not usually located within a secure area, policies should be adapted to provide protection from ordinary contaminants.

Other environmental problems to guard against include electrical power surges and static electricity. The electrical power supply in an office environment is sufficient for a PC's requirements. However, periodic fluctuations in power (surges) can cause equipment damage or loss of data. PCs in environments that generate static electricity are susceptible to static electrical discharges that can cause damage to PC components or memory.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Nonpublic Personal Information:

"Nonpublic personal information" generally is any information that is not publicly available and that:

1)  a consumer provides to a financial institution to obtain a financial product or service from the institution;

2)  results from a transaction between the consumer and the institution involving a financial product or service; or

3)  a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or securities filing.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution's depositors would be nonpublic personal information even though the names and addresses might be published in local telephone directories because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers where the mortgages are recorded in public records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about the customers on that list without having to provide notice or opt out.