R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 18, 2013

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - White House offers incentives for critical infrastructure companies participating in cyber security program - The White House has released a tentative list of incentives that it hopes will stir the private sector to voluntarily adopt the “Cyber Security Framework” – a set of “core practices” to be implemented next year that aims to help the nation mitigate attacks on critical infrastructure. http://www.scmagazine.com/white-house-offers-incentives-for-critical-infrastructure-companies-participating-in-cyber-security-program/article/306472/

FYI - Ukrainian Carder in $5 Million Ring Sentenced to 14-Plus Years in Prison - A Ukrainian carder who operated a gang that authorities dubbed the Western Express Cybercrime Group has been sentenced to between 14 and 40 years in state prison following a 10-week trial in New York. http://www.wired.com/threatlevel/2013/08/carder-eskalibur-sentenced/

FYI - Student attempting to rig election wins one year in jail - Former California State University San Marcos undergrad tried to earn himself the role of student body president by rigging the election, but instead earned himself a year behind bars. http://www.scmagazine.com/student-attempting-to-rig-election-wins-one-year-in-jail/article/306314/

FYI - City of London calls halt to smartphone tracking bins - The City of London Corporation has asked a company to stop using recycling bins to track the smartphones of passers-by. http://www.bbc.co.uk/news/technology-23665490

FYI - TSP Board Switches Tech Contractors - The board that oversees the Thrift Savings Plan has tapped Science Applications International Corporation to manage TSP technology and record keeping over incumbent vendor Serco Inc., with a contract valued at up to $227 million for the next six years. http://www.nextgov.com/cybersecurity/2013/08/tsp-board-switches-tech-contractors/68567/?oref=ng-channeltopstory

FYI - White House Unveils CIO Council 2.0 - The White House released a plan on Friday to significantly streamline its top council of information technologists. http://www.nextgov.com/cio-briefing/2013/08/white-house-unveils-cio-council-20/68405/?oref=ng-dropdown

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Chinese Hacking Team Caught Taking Over Decoy Water Plant - A hacking group accused of being operated by the Chinese army now seems to be going after industrial control systems. http://www.technologyreview.com/news/517786/chinese-hacking-team-caught-taking-over-decoy-water-plant/

FYI - $1.5 million Cyberheist Ruins Escrow Firm - A $1.5 million cyberheist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds. http://krebsonsecurity.com/2013/08/1-5-million-cyberheist-ruins-escrow-firm/

FYI - "Hand of Thief" trojan sniffs out banking credentials of Linux users - Not long after the Windows-targeting banking trojan KINS hit the market, saboteurs have introduced new financial malware capable of infecting Linux users. http://www.scmagazine.com/hand-of-thief-trojan-sniffs-out-banking-credentials-of-linux-users/article/306737/?DCMP=EMC-SCUS_Newswire

FYI - Hacker battles encryption, nabs card info from online retailer - Smartphone Experts, a Florida-based online retailer of smartphone accessories, was the victim of a hack in July that compromised customer card information. http://www.scmagazine.com/hacker-battles-encryption-nabs-card-info-from-online-retailer/article/306721/?DCMP=EMC-SCUS_Newswire

FYI - The Chinese hacker group that hit the N.Y. Times is back with updated tools - The Chinese hacker group that broke into the computer network of The New York Times and other high-profile organizations, including defense contractors, has launched new attacks following a few months of inactivity. http://www.computerworld.com/s/article/9241577/The_Chinese_hacker_group_that_hit_the_N.Y._Times_is_back_with_updated_tools?taxonomyId=17

FYI - New York Times website back online after brief outage - The website for The New York Times has returned online after being down for nearly two hours. http://www.scmagazine.com/new-york-times-website-back-online-after-brief-outage/article/307390/?DCMP=EMC-SCUS_Newswire

FYI - Lost flash drive compromises data for thousands of students - More than 20,000 students across 36 schools in the Boston Public School (BPS) system had their data compromised when the district's ID card vendor Plastic Card Systems lost a flash drive containing the information. http://www.scmagazine.com/lost-flash-drive-compromises-data-for-thousands-of-students/article/307298/?DCMP=EMC-SCUS_Newswire

FYI - Deja vu all over again? DOE to workers: We've been hacked - For the second time this year, the Energy Department tells employees their personal information may have been exposed in a cyberattack. http://news.cnet.com/8301-1009_3-57598756-83/deja-vu-all-over-again-doe-to-workers-weve-been-hacked/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Attention, parents: Baby monitor hacked; default password to blame? - The device was reportedly controlled by the hacker, who also had off-color remarks to make to the sleeping child. http://news.cnet.com/8301-1009_3-57598499-83/attention-parents-baby-monitor-hacked-default-password-to-blame/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9


WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 9 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

Customer Service Complaints

Financial institutions should have plans to respond to customer complaints, including those regarding the appropriateness or quality of content, services, or products provided or the privacy and security policies of the third-party site. The plan should also address how the financial institution will handle complaints regarding any failure of linked third parties to provide agreed-upon products or services.

Monitoring Weblinking Relationships

The financial institution should consider monitoring the activities of linked third parties as a part of its risk management strategy. Monitoring policies and procedures should include periodic content review and testing to ensure that links function properly, and to verify that the levels of service provided by third parties are in accordance with contracts and agreements. Website content is dynamic, and third parties may change the presentation or content of a website in a way that results in risk to the financial institution's reputation. Periodic review and testing will reduce this risk exposure. The frequency of review should be commensurate with the degree of risk presented by the linked site.


INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY STRATEGY (1 of 2)

Action Summary - Financial institutions should develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include

1)  Cost comparisons of different strategic approaches appropriate to the institution's environment and complexity,
2)  Layered controls that establish multiple control points between threats and organization assets, and
3)  Policies that guide officers and employees in implementing the security program.

An information security strategy is a plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. Typical steps to building a strategy include the definition of control objectives, the identification and assessment of approaches to meet the objectives, the selection of controls, the establishment of benchmarks and metrics, and the preparation of implementation and testing plans.

The selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation. The cost comparison typically contrasts the costs of various approaches with the perceived gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data. Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance. Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.

INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

7. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
