REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.FYI - "Human error" contributes to nearly all cyber incidents, study finds - Even though organizations may have all of the bells and whistles needed in their data security arsenal, it's the human element that continues to fuel cyber incidents occurring, according to one recent study. http://www.scmagazine.com/human-error-contributes-to-nearly-all-cyber-incidents-study-finds/article/356015/

FYI - NIST drafts report on cloud computing challenges, requests comments - The National Institute of Standards and Technology (NIST) has released a draft report, NIST Cloud Computing Forensic Science Challenges, that summarized 65 cloud computing challenges that forensic investigators face. http://www.scmagazine.com/nist-drafts-report-on-cloud-computing-challenges-requests-comments/article/360987/

FYI - Senate Intelligence Committee okays cybersecurity bill - The bill has been criticized by civil liberties and privacy groups because of its potential privacy implications - The U.S. Senate Intelligence Committee approved Tuesday a cybersecurity bill that would pave the way for sharing of information between government and the private sector on security threats. http://www.computerworld.com/s/article/9249619/Senate_Intelligence_Committee_okays_cybersecurity_bill?taxonomyId=17

FYI - Romanian man sentenced to 45 months for role in phishing scheme - A Romanian man was sentenced on Tuesday to 45 months in prison for his role in a massive phishing scheme involving several individuals. http://www.scmagazine.com/romanian-man-sentenced-to-45-months-for-role-in-phishing-scheme/article/360356/

FYI - Computing student jailed after failing to hand over crypto keys - sledgehammer once again used to crack a nut - A computer science student accused of hacking offences has been jailed for six months for failing to hand over his encryption passwords, which he had been urged to do in "the interests of national security". http://www.theregister.co.uk/2014/07/08/christopher_wilson_students_refusal_to_give_up_crypto_keys_jail_sentence_ripa/

FYI - Man pleads guilty to bank fraud, 48-hour global operation netted $14 million - A 27-year-old man – arrested in Germany and extradited to the United States in 2012 – pleaded guilty to bank fraud on Friday for his role in a roughly 48-hour operation in 2011 that resulted in criminals withdrawing about $14 million from ATMs in nearly 20 countries. http://www.scmagazine.com/man-pleads-guilty-to-bank-fraud-48-hour-global-operation-netted-14-million/article/360763/

FYI - Security not prioritized in critical infrastructure, though most admit compromise - In a study, most IT execs at critical infrastructure companies revealed that their organization was compromised in the last year, but only 28 percent of them said that security was a top priority across their enterprise. http://www.scmagazine.com/study-security-not-prioritized-in-critical-infrastructure-though-most-admit-compromise/article/360538/

FYI - 77 percent of IT staffers have incorrectly reported the cause of a security incident - When relaying information to executive teams, 77 percent of IT staffers admitted that they incorrectly reported the root cause of a network or security incident, according to a visibility survey released Tuesday. http://www.scmagazine.com/survey-77-percent-of-it-staffers-have-incorrectly-reported-the-cause-of-a-security-incident/article/360993/

FYI - New York suffered 900 data breaches in 2013, AG reports - Public and private organizations in New York state were hit by more than 900 data breaches last year that exposed the personal and financial records of 7.3 million residents, a report released by the State Attorney General. http://www.scmagazine.com/new-york-suffered-900-data-breaches-in-2013-ag-reports/article/361011/

FYI - Document posted to California city website, employee data accessed - In California, the City of Encinitas and San Dieguito Water District is notifying 615 current and former employees that a California Public Employees' Retirement System (CalPERS) payment document containing their personal information – including Social Security numbers – was inadvertently made public on the City's website for about seven weeks, and was accessed by 16 people. http://www.scmagazine.com/document-posted-to-california-city-website-employee-data-accessed/article/361129/

FYI - GAO - Information Security: FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain. http://www.gao.gov/products/GAO-14-674

FYI - 72 percent of Chicago fraud victims also data breach victims - Chicagoans who have been affected by data breaches are at a higher risk of becoming victims of fraud than anyone whose information was breached in either Miami and Los Angeles. http://www.scmagazine.com/study-72-percent-of-chicago-fraud-victims-also-data-breach-victims/article/361496/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hotel business center computers see uptick in keylogger malware - Criminals are infecting hotel business center computers with keylogger malware, according to a non-public advisory issued by the U.S. Secret Service on Thursday, and obtained and posted about on Monday. http://www.scmagazine.com/hotel-business-center-computers-see-uptick-in-keylogger-malware/article/360774/

FYI - About 20K impacted in South Carolina college laptop theft - Orangeburg-Calhoun Technical College in South Carolina is notifying roughly 20,000 current and former students and faculty that their personal information – including Social Security numbers – was on a laptop that was stolen from a staffer's office. http://www.scmagazine.com/about-20k-impacted-in-south-carolina-college-laptop-theft/article/360654/

FYI - Teenager set off major cyber attack - A 17-year-old boy from Bergen on Norway’s west coast has been arrested and charged for a massive cyber attack earlier this week that crippled the websites of major banks, airlines, telecoms and finance firms. He had also impersonated the hacker group Anonymous Norway, claiming it was behind the attacks when it wasn’t. http://www.newsinenglish.no/2014/07/11/teenager-set-off-major-cyber-attack/

FYI - About 18K doctors may have had Social Security numbers exposed - About 18,000 doctors are being notified that the Blue Shield of California inadvertently included their Social Security numbers in rosters it is required to provide to the Department of Managed Health Care (DMHC), which are viewable by the public. http://www.scmagazine.com/about-18k-doctors-may-have-had-social-security-numbers-exposed/article/360550/

FYI - Penn State College of Medicine breach risks alumni Social Security numbers - More than 1,000 Penn State College of Medicine alumni's Social Security numbers might have been compromised after malware was found on a university computer. http://www.scmagazine.com/penn-state-college-of-medicine-breach-risks-alumni-social-security-numbers/article/360509/

FYI - Russian hackers compromise CNET servers - Popular technology news and review site CNET was hacked this weekend in an attack that might have compromised the account information of more than one million users.
http://www.scmagazine.com/russian-hackers-compromise-cnet-servers/article/360869/
http://www.cnet.com/news/cnet-attacked-by-russian-hacker-group/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Subcontractor breach impacts 1,700 in Dominion Resources employee wellness plan - About 1,700 people in the employee wellness program for Virginia-based Dominion Resources are being notified that their personal information was accessed by an attacker who gained entry to the systems of a subcontractor. http://www.scmagazine.com/subcontractor-breach-impacts-1700-in-dominion-resources-employee-wellness-plan/article/361348/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management principles (Part 1 of 2)

Based on the early work of the Electronic Banking Group EBG, the Committee concluded that, while traditional banking risk management principles are applicable to e-banking activities, the complex characteristics of the Internet delivery channel dictate that the application of these principles must be tailored to fit many online banking activities and their attendant risk management challenges. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. Further, as the Committee believes that banks should adopt an integrated risk management approach for all banking activities, it is critical that the risk management oversight afforded e-banking activities becomes an integral part of the banking institution's overall risk management framework.

To facilitate these developments, the Committee asked the EBG to identify the key risk management principles that would help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities and, in turn, promote the safe and sound electronic delivery of banking products and services.

These Risk Management Principles for Electronic Banking, which are identified in this Report, are not put forth as absolute requirements or even "best practice" but rather as guidance to promote safe and sound e-banking activities. The Committee believes that setting detailed risk management requirements in the area of e-banking might be counter-productive, if only because these would be likely to become rapidly outdated by the speed of change related to technological and product innovation. Therefore the principles included in the present Report express supervisory expectations related to the overall objective of banking supervision to ensure safety and soundness in the financial system rather than stringent regulations.

The Committee is of the view that such supervisory expectations should be tailored and adapted to the e-banking distribution channel but not be fundamentally different to those applied to banking activities delivered through other distribution channels. Consequently, the principles presented below are largely derived and adapted from supervisory principles that have already been expressed by the Committee or national supervisors over a number of years. In some areas, such as the management of outsourcing relationships, security controls and legal and reputational risk management, the characteristics and implications of the Internet distribution channel introduce a need for more detailed principles than those expressed to date.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

ENCRYPTION TYPES

Three types of encryption exist: the cryptographic hash, symmetric encryption, and asymmetric encryption.

A cryptographic hash reduces a variable - length input to a fixed-length output. The fixed-length output is a unique cryptographic representation of the input. Hashes are used to verify file and message integrity. For instance, if hashes are obtained from key operating system binaries when the system is first installed, the hashes can be compared to subsequently obtained hashes to determine if any binaries were changed. Hashes are also used to protect passwords from disclosure. A hash, by definition, is a one - way encryption. An attacker who obtains the password cannot run the hash through an algorithm to decrypt the password. However, the attacker can perform a dictionary attack, feeding all possible password combinations through the algorithm and look for matching hashes, thereby deducing the password. To protect against that attack, "salt," or additional bits, are added to the password before encryption. The addition of the bits means the attacker must increase the dictionary to include all possible additional bits, thereby increasing the difficulty of the attack.

Symmetric encryption is the use of the same key and algorithm by the creator and reader of a file or message. The creator uses the key and algorithm to encrypt, and the reader uses both to decrypt. Symmetric encryption relies on the secrecy of the key. If the key is captured by an attacker either when it is exchanged between the communicating parties, or while one of the parties uses or stores the key, the attacker can use the key and the algorithm to decrypt messages, or to masquerade as a message creator.

Asymmetric encryption lessens the risk of key exposure by using two mathematically related keys, the private key and the public key. When one key is used to encrypt, only the other key can decrypt. Therefore, only one key (the private key) must be kept secret. The key that is exchanged (the public key) poses no risk if it becomes known. For instance, if individual A has a private key and publishes the public key, individual B can obtain the public key, encrypt a message to individual A, and send it. As long as individual A keeps his private key secure from discovery, only individual A will be able to decrypt the message.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 1 of 6)

The regulations establish specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide an initial and annual notice of their privacy policies to their customers. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions.

A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the regulations.

Notice and Opt Out Duties to Consumers:

If a financial institution intends to disclose nonpublic personal information about any of its consumers (whether or not they are customers) to a nonaffiliated third party, and an exception does not apply, then the financial institution must provide to the consumer:

1)  an initial notice of its privacy policies;

2)  an opt out notice (including, among other things, a reasonable means to opt out); and

3)  a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt out.

The financial institution may not disclose any nonpublic personal information to nonaffiliated third parties except under the enumerated exceptions unless these notices have been provided and the consumer has not opted out. Additionally, the institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.

Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions.