REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.FYI
- "Human error" contributes to nearly all cyber incidents, study
finds - Even though organizations may have all of the bells and
whistles needed in their data security arsenal, it's the human
element that continues to fuel cyber incidents, according to one
recent study.
http://www.scmagazine.com/human-error-contributes-to-nearly-all-cyber-incidents-study-finds/article/356015/
FYI
- FCC to push network providers on cybersecurity - If private
companies don't improve their security efforts, the agency will step
in with regulations, FCC Chairman Wheeler says - The U.S. Federal
Communications Commission is threatening to step in with regulations
if network providers don't take steps to improve cybersecurity.
http://www.computerworld.com/s/article/9249061/FCC_to_push_network_providers_on_cybersecurity
FYI
- Bank of England plans to shove cyber-microscope up nation's
bankers - BoE and pals will use govt intelligence to stage pen-tests
at financial powerhouses - The Bank of England today announced it
plans to penetrate Blighty’s banks to test the security of their
critical computer systems.
http://www.theregister.co.uk/2014/06/10/bank_of_england_plans_cyber_assaults_on_nations_financial_institutions/
FYI
- Local cops in 15 US states confirmed to use cell tracking devices
- Stingray use is widespread: Baltimore, Chicago, and even Anchorage
have them. A new map released Thursday by the American Civil
Liberties Union shows that fake cell towers, also known as
stingrays, are used by state and local law enforcement in 15 states.
http://arstechnica.com/tech-policy/2014/06/local-cops-in-15-us-states-confirmed-to-use-cell-tracking-devices/
FYI
- Target finally gets its first CISO - That it often takes a data
breach to get one is a sad reality for many companies, analyst says
- Target has hired a chief information security officer (CISO), a
move that's noteworthy mainly because it is the first time the
company has ever had anyone in this role, even though it is one of
the largest retailers in the U.S.
http://www.computerworld.com/s/article/9249037/Target_finally_gets_its_first_CISO?taxonomyId=17
http://www.computerworld.com/s/article/9249129/Target_top_security_officer_reporting_to_CIO_seen_as_a_mistake?taxonomyId=17
FYI
- Teen arrested and charged for Bell Canada hack - The Royal
Canadian Mounted Police has arrested a teenager for allegedly hacking
into the system of a third-party supplier of Bell Canada, accessing
customer data, and posting it online.
http://www.scmagazine.com/teen-arrested-and-charged-for-bell-canada-hack/article/355752/
FYI
- Former Microsoft employee draws three-month prison term for
leaking code - A U.S. district court judge has sentenced a former
Microsoft employee to three months in prison for stealing company
trade secrets.
http://www.scmagazine.com/former-microsoft-employee-draws-three-month-prison-term-for-leaking-code/article/355869/
FYI
- Ruling Raises Stakes for Cyberheist Victims - A Missouri firm that
unsuccessfully sued its bank to recover $440,000 stolen in a 2010
cyberheist may now be on the hook to cover the financial
institution’s legal fees, an appeals court has ruled. Legal experts
say the decision is likely to discourage future victims from
pursuing such cases.
http://krebsonsecurity.com/2014/06/ruling-raises-stakes-for-cyberheist-victims/
FYI
- Top Canadian court: Cops need warrant to get names from ISPs -
Decision could scupper nascent cyberbullying, privacy bills -
Canadian ISPs can no longer simply hand over customer information
without a warrant after the country’s Supreme Court ruled that
internet users were entitled to a "reasonable" expectation of
privacy.
http://www.theregister.co.uk/2014/06/16/canada_supreme_court_privacy_isp_warrant/
FYI
- GAO - Areas for Improvement in the Federal Reserve Banks'
Information Systems Controls, GAO-14-691R -
http://www.gao.gov/products/GAO-14-691R
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Credit Card Breach at P.F. Chang’s - Nationwide chain P.F. Chang’s
China Bistro said today that it is investigating claims of a data
breach involving credit and debit card data reportedly stolen from
restaurant locations nationwide.
http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/
FYI
- Feedly and Evernote struck by denial of service cyber-attacks -
The news aggregator Feedly says it has come under a "distributed
denial of service" attack from cyber criminals, which is preventing
users from accessing its service.
http://www.bbc.com/news/technology-27790068
FYI
- Email sent to wrong address, data on more than 35K Calif. students
at risk - More than 35,000 Riverside Community College District (RCCD)
students in California are being notified that their personal
information - including Social Security numbers - was included in an
email that was sent to the wrong external email address.
http://www.scmagazine.com/email-sent-to-wrong-address-data-on-more-than-35k-calif-students-at-risk/article/356227/
FYI
- San Diego hospital breach investigation reveals second incident,
both human error - Nearly 20,000 patients of Rady Children's
Hospital (RCH) in San Diego are being notified that their personal
information was erroneously included in emails sent to job
applicants.
http://www.scmagazine.com/san-diego-hospital-breach-investigation-reveals-second-incident-both-human-error/article/356497/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Security Controls
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate
authorization privileges and authentication measures, logical and
physical access controls, adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities and data integrity of transactions,
records and information. In addition, the existence of clear audit
trails for all e-banking transactions should be ensured and measures
to preserve confidentiality of key e-banking information should be
appropriate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort
regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimize legal
and reputational risk associated with e-banking activities conducted
both domestically and cross-border, banks should make adequate
disclosure of information on their web sites and take appropriate
measures to ensure adherence to customer privacy requirements
applicable in the jurisdictions to which the bank is providing
e-banking services.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of 2)
Physical security for distributed IS, particularly LANs that are
usually PC-based, differs somewhat from that for mainframe
platforms. With a network there is often no centralized computer
room. In addition, a network often extends beyond the local
premises. Certain components need physical security: the hardware
devices and the software and data that may be stored on file
servers, PCs, or removable media (tapes and disks). As with more
secure IS environments, physical network security should prevent
unauthorized personnel from accessing LAN devices or the data they
transmit. In the case of wire-transfer clients, more extensive
physical security is required.
Physical protection for networks as well as PCs includes power
protection, physical locks, and secure work areas enforced by
security guards and authentication technologies such as magnetic
badge readers. Physical access to the network components (i.e.,
files, applications, communications, etc.) should be limited to
those who require access to perform their jobs. Network workstations
or PCs should be password protected and monitored for workstation
activity.
Network wiring requires some form of protection, since the data it
carries can be revealed or contaminated without the cable being
physically penetrated (for example, by an inductive tap placed on a
copper cable). Examples of controls include using a conduit to
encase the wiring, avoiding routing through publicly accessible
areas, and avoiding routing networking cables in close proximity to
power cables. The type of wiring can also provide a degree of
protection; signals over fiber, for instance, are less susceptible
to interception than signals over copper cable, although fiber can
still be tapped by an attacker with physical access to the cable.
Capturing radio frequency emissions also can compromise network
security. Frequency emissions are of two types, intentional and
unintentional. Intentional emissions are those broadcast, for
instance, by a wireless network. Unintentional emissions are the
normally occurring radiation from monitors, keyboards, disk drives,
and other devices. Shielding is a primary control over emissions.
The goal of shielding is to confine a signal to a defined area. An
example of shielding is the use of foil-backed wallboard and window
treatments. Once a signal is confined to a defined area, additional
controls can be implemented in that area to further minimize the
risk that the signal will be intercepted or changed.
INTERNET PRIVACY - We
continue our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
agencies.
Opt Out Right and Exceptions:
The Right
Consumers must be given the right to "opt out" of, or prevent, a
financial institution from disclosing nonpublic personal information
about them to a nonaffiliated third party, unless an exception to
that right applies. The exceptions are detailed in sections 13, 14,
and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a
reasonable opportunity to opt out depends on the circumstances
surrounding the consumer's transaction, but a consumer must be
provided a reasonable amount of time to exercise the opt out right.
For example, it would be reasonable if the financial institution
allows 30 days from the date of mailing a notice or 30 days after
customer acknowledgement of an electronic notice for an opt out
direction to be returned. What constitutes a reasonable means to
opt out may include check-off boxes, a reply form, or a
toll-free telephone number, again depending on the circumstances
surrounding the consumer's transaction. It is not reasonable to
require a consumer to write his or her own letter as the only means
to opt out.