Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - Hackers having less success in draining bank accounts - Financially minded cyber criminals are attempting to hijack corporate bank accounts at increasing rates, but they are finding less luck in actually getting money out of them, according to a Financial Services Information Sharing and Analysis Center (FS-ISAC) study released Thursday.
http://www.scmagazine.com/hackers-having-less-success-in-draining-bank-accounts/article/245775/?DCMP=EMC-SCUS_Newswire

FYI - Music site joins LinkedIn, eHarmony as victim of password theft - In the span of about 24 hours, three major websites have requested that their users change their passwords following apparent heists of millions of credentials.
http://www.scmagazine.com/music-site-joins-linkedin-eharmony-as-victim-of-password-theft/article/244828/?DCMP=EMC-SCUS_Newswire

FYI - O2 and Be Broadband are latest to block The Pirate Bay - O2 is set to block its customers from accessing file-sharing site The Pirate Bay from 0001 BST on Friday, the internet service provider has said.
http://www.bbc.co.uk/news/technology-18358483

FYI - NHS fights record £325k ICO fine after clap records appear on eBay - An NHS Trust is disputing a record fine the Information Commissioner's Office has levelled on it for leaving tons of data on patients and staff on hard drives that were sold on eBay instead of being destroyed.
http://www.theregister.co.uk/2012/06/06/nhs_trust_disputes_ico_fine/

FYI - DOE publishes electric grid cybersecurity model - After five months of development, the Energy Department published May 31 the Electricity Subsector Cybersecurity Capability Maturity Model.
http://www.fiercegovernmentit.com/story/doe-publishes-electric-grid-cybersecurity-model/2012-06-04

FYI - The unforeseen risks of the cloud - While it has revolutionized collaboration, the cloud can also bring with it potentially serious security ramifications, like intellectual property theft or data breaches.
http://www.scmagazine.com/the-unforeseen-risks-of-the-cloud/article/244422/?DCMP=EMC-SCUS_Newswire
FYI - European data chiefs warn of Big Brother implications with smart meter roll out - The European data protection supervisor (EDPS) has warned that the deployment of smart meters across member states threatens to create an intrusive system of mass monitoring unless robust safeguards are introduced.
http://www.v3.co.uk/v3-uk/news/2183404/european-chiefs-warns-brother-implications-smart-meter-roll
FYI - The IT staff of the future will speak business, not just technology - Until recently, organizations had two major operational and technical forces to deal with: networking and security.
http://www.scmagazine.com/the-it-staff-of-the-future-will-speak-business-not-just-technology/article/245401/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Potential leak of 6.5+ million LinkedIn password hashes - Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them.
https://isc.sans.edu/diary.html?storyid=13390

FYI - Auto dealer, debt collector settle with FTC over data breaches - The Federal Trade Commission has settled with two companies over allegations that they leaked sensitive data of individuals via file-sharing networks.
http://www.scmagazine.com/auto-dealer-debt-collector-settle-with-ftc-over-data-breaches/article/244994/?DCMP=EMC-SCUS_Newswire

FYI - Fourteen busted on online banking theft charges - Fourteen people from South Florida have been charged in connection to a bank fraud ring in which the accounts of unsuspecting customers were accessed to transfer money.
http://www.scmagazine.com/fourteen-busted-on-online-banking-theft-charges/article/245246/?DCMP=EMC-SCUS_Newswire

FYI - University of North Florida gets breached again, data on 23K students at risk - For the second time in two years, hackers gained access to a University of North Florida (UNF) server holding the confidential information of students.
http://www.scmagazine.com/university-of-north-florida-gets-breached-again-data-on-23k-students-at-risk/article/245238/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 4: Banks should ensure that proper authorization controls and access privileges are in place for e-banking systems, databases and applications.

In order to maintain segregation of duties, banks need to strictly control authorization and access privileges. Failure to provide adequate authorization control could allow individuals to alter their authority, circumvent segregation and gain access to e-banking systems, databases or applications to which they are not privileged. In e-banking systems, the authorizations and access rights can be established in either a centralized or distributed manner within a bank and are generally stored in databases. The protection of those databases from tampering or corruption is therefore essential for effective authorization control.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Operational Anomalies

Operational anomalies may be evidence of a broad number of issues, one of which is potential intrusion. Anomalies that act as intrusion-warning indicators fall into two categories: those apparent in system processing, and those apparent outside the system.

System processing anomalies are evident in system logs and system behavior. Good identification involves pre-establishing which system processing data streams will be monitored for anomalies, defining which anomalies constitute an indicator of an intrusion, and the frequency of the monitoring. For example, remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors. System behavior covers a broad range of issues, from CPU utilization to network traffic protocols, quantity and destinations. One example of a processing anomaly is CPU utilization approaching 100% when the scheduled jobs typically require much less. Anomalous behavior, however, may not signal an intrusion.

Outside the system, detection is typically based on system output, such as unusual Automated Clearing House transactions or bill payment transactions. Those unusual transactions may be flagged as a part of ordinary transaction reviews, or customers and other system users may report them. Customers and other users should be advised as to where and how to report anomalies. The anomalous output, however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot monitoring, and anomalous system behavior assists in the intrusion identification process. Any intrusion reporting should use out-of-band communications mechanisms to protect the alert from being intercepted or compromised by an intruder.
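One way to implement the two system-processing checks the booklet names (remote-access logins during unusual times, and CPU utilization near 100% when scheduled jobs need much less), as an added example that is not from the FFIEC booklet or this newsletter. The log format, the business-hours window, the CPU threshold and the sample data are all assumptions constructed for the example:

```python
import re
from datetime import datetime

# Constructed sample remote-access log (assumed format: ISO timestamp, user, source IP, event).
REMOTE_ACCESS_LOG = """\
2012-06-04T08:15:02 jsmith 203.0.113.7 LOGIN_OK
2012-06-04T02:47:19 jsmith 198.51.100.23 LOGIN_OK
2012-06-04T13:02:44 mlee 203.0.113.9 LOGIN_OK
2012-06-05T03:12:05 admin 198.51.100.50 LOGIN_OK
2012-06-05T03:13:40 admin 198.51.100.50 LOGIN_FAIL
"""

# Constructed CPU utilization samples (percent), one per five-minute interval.
CPU_SAMPLES = [12, 15, 14, 18, 97, 99, 98, 16]

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 is a "usual" time for remote access
CPU_HIGH = 90                  # assumption: scheduled jobs normally stay well below this

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+)")


def unusual_time_logins(log_text, business_hours=BUSINESS_HOURS):
    """Daily review of remote-access logs: return (timestamp, user, ip)
    for every successful login that happened outside business hours."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the review
        ts, user, ip, event = m.groups()
        hour = datetime.fromisoformat(ts).hour
        if event == "LOGIN_OK" and hour not in business_hours:
            flagged.append((ts, user, ip))
    return flagged


def cpu_anomalies(samples, high=CPU_HIGH, min_run=2):
    """Return (start, end) index ranges where utilization stays at or above
    `high` for at least `min_run` consecutive samples; a single spike is ignored."""
    runs, start = [], None
    for i, value in enumerate(list(samples) + [0]):  # sentinel closes a trailing run
        if value >= high and start is None:
            start = i
        elif value < high and start is not None:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    return runs
```

Either finding is a candidate indicator for central review, not proof of intrusion; the booklet's caveat that anomalous behavior may have a benign cause still applies.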
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Opt Out Notice

19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§13-15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]