REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Why the Security of USB Is Fundamentally Broken - Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic.
http://www.zdnet.com/badusb-big-bad-usb-security-problems-ahead-7000032211/
http://www.wired.com/2014/07/usb-security/

FYI - Black Hat keynote talks cyber policies for field's future - At a time where cyber security has become more relevant than ever to senior leadership at companies, experts challenged practitioners to simplify their focus, while taking up a radical approach, to remain effective as a field. http://www.scmagazine.com/black-hat-keynote-talks-cyber-policies-for-fields-future/article/364988/

FYI - CIA Admits to Improperly Hacking Senate Computers - The Central Intelligence Agency improperly and covertly hacked into computers used by Senate staffers to investigate the spy agency's Bush-era interrogation practices, according to an internal investigation. http://www.nextgov.com/cybersecurity/2014/07/cia-admits-improperly-hacking-senate-computers/90203/?oref=ng-channeltopstory

FYI - Homeland Security wants corporate board of directors more involved in cyber-security - Setting corporate cyber-security policy and taking actions around it must be a top concern for the board of directors at any company, not just the information-technology division, the Department of Homeland Security (DHS) indicated as a high-level official there backed a private-sector effort to raise awareness at the board level. http://www.computerworld.com.au/article/551194/homeland_security_wants_corporate_board_directors_more_involved_cyber-security/

FYI - House Wants Agency CIOs to Vouch for Security of Their Websites - Federal websites that collect personally identifiable information would have to be certified as secure by an agency chief information officer under legislation the House passed Monday evening. http://www.nextgov.com/cio-briefing/2014/07/house-wants-cios-certify-fed-websites-collect-personal-info/89921/?oref=ng-channelriver

FYI - 2014 Women in IT Security: Making headway - It's no secret that women are greatly outnumbered by their male counterparts in the field, and that other gaps, such as those in pay, remain a hurdle for women aiming to reach new heights in their careers. http://www.scmagazine.com/2014-women-in-it-security-making-headway/article/360874/

FYI - A Contrarian View on Data Breaches - Weighing Risk of Exposing Weaknesses, Executives Rethink Merits of Going Public With Attacks - Urban Outfitters Inc. hired Dawn-Marie Hutchinson last year to keep hackers out of its computers. If crooks were to get in, Ms. Hutchinson doesn't think the teen retailer should immediately tell the world. http://online.wsj.com/articles/a-contrarian-view-on-data-breaches-1407194237

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Canada's NRC breach work of Chinese state-sponsored actor - Canada's National Research Council network was recently breached by a “highly sophisticated Chinese state-sponsored actor,” according to a statement issued by office of the Canadian government's CIO. http://www.scmagazine.com/canadas-nrc-breach-work-of-chinese-state-sponsored-actor/article/364214/

FYI - Script fails, thousands of Mozilla developer emails, passwords possibly exposed - It is not uncommon for data breaches to be the result of programming errors - that is exactly what happened to Mozilla when a data sanitization process for the Mozilla Developer Network (MDN) failed and the email addresses and encrypted passwords of thousands of users ended up on a publicly accessible server. http://www.scmagazine.com/script-fails-thousands-of-mozilla-developer-emails-passwords-possibly-exposed/article/364452/

FYI - P.F. Chang's update says 33 restaurant locations affected - P.F. Chang's China Bistro restaurant chain issued an update on its June security breach earlier today and stated that the the breach affected point-of-sale (POS) systems at 33 locations. http://www.scmagazine.com/pf-changs-update-says-33-restaurant-locations-affected/article/364465/

FYI - Florida bank notifies roughly 72,500 customers of breach - Early in July, Florida-based TotalBank began notifying a reported 72,500 customers that their personal information - including banking information and possibly Social Security numbers - may have been compromised by an unauthorized individual who obtained access to the TotalBank computer network. http://www.scmagazine.com/florida-bank-notifies-roughly-72500-customers-of-breach/article/364469/

FYI - Sandwich Chain Jimmy John’s Investigating Breach Claims - Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation. http://krebsonsecurity.com/2014/07/sandwich-chain-jimmy-johns-investigating-breach-claims/

FYI - More than a billion unique credentials pilfered by Russian hackers - A group of Russian hackers, dubbed “CyberVor,” are sitting on the biggest cache of stolen credentials to date, according to a Tuesday post by Hold Security. http://www.scmagazine.com/more-than-a-billion-unique-credentials-pilfered-by-russian-hackers/article/364976/

FYI - Insider breach at Las Vegas brain and spine surgery center - In July, Las Vegas-based Western Regional Center for Brain & Spine Surgery (WRCBSS) began notifying patients that their personal information - including Social Security numbers - might have been stolen by a former employee and used for fraudulent purposes. http://www.scmagazine.com/insider-breach-at-las-vegas-brain-and-spine-surgery-center/article/364837/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight 

The Board of Directors and senior management are responsible for developing the banking institution's business strategy. An explicit strategic decision should be made as to whether the Board wishes the bank to provide e-banking transactional services before beginning to offer such services. Specifically, the Board should ensure that e-banking plans are clearly integrated within corporate strategic goals, a risk analysis is performed of the proposed e-banking activities, appropriate risk mitigation and monitoring processes are established for identified risks, and ongoing reviews are conducted to evaluate the results of e-banking activities against the institution's business plans and objectives.

In addition, the Board and senior management should ensure that the operational and security risk dimensions of the institution's e-banking business strategies are appropriately considered and addressed. The provision of financial services over the Internet may significantly modify and/or even increase traditional banking risks (e.g. strategic, reputational, operational, credit and liquidity risk). Steps should therefore be taken to ensure that the bank's existing risk management processes, security control processes, due diligence and oversight processes for outsourcing relationships are appropriately evaluated and modified to accommodate e-banking services.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

CONTROLS TO PROTECT AGAINST MALICIOUS CODE

Typical controls to protect against malicious code use technology, policies and procedures, and training. Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or potentially dangerous behavioral characteristics. Differences between products exist in detection capabilities and the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures generally are ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection.

Signature-based anti-virus products scan for unique components of certain known malicious code. Since new malicious code is created daily, the signatures need to be updated continually. Different vendors of anti-virus products update their signatures on different frequencies. When an update appears, installing the update on all of an institution's computers may involve automatically pushing the update to the computers, or requesting users to manually obtain the update.

Heuristic anti - virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code.

Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any Active-X or Java applets. A more refined strategy might block based on certain characteristics of known code.

Protection of servers involves examining input from users and only accepting that input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers.

Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only include functions necessary to support operations. See "Systems Development, Acquisition, and Maintenance."

Anti-virus tools and code blocking are not comprehensive solutions. New malicious code could have different signatures, and bypass other controls. Protection against newly developed malicious code typically comes in the form of policies, procedures, and user awareness and training. For example, policies could prohibit the installation of software by unauthorized employees, and regular reviews for unauthorized software could take place. System users could be trained not to open unexpected messages, not to open any executables, and not to allow or accept file transfers in P2P communications. Additional protection may come from disconnecting and isolating networks from each other or from the Internet in the face of a fast-moving malicious code attack.

An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when they recognize abnormal system behavior, the presence of unexpected files, and changes to other files.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 4 of 6)

Requirements for Notices (continued)

Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution's privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:

1)  categories of information collected;

2)  categories of information disclosed;

3)  categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;

4)  policies with respect to the treatment of former customers' information;

5)  information disclosed to service providers and joint marketers (Section 13);

6)  an explanation of the opt out right and methods for opting out;

7)  any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;

8)  policies for protecting the security and confidentiality of information; and

9)  a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).