R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

August 19, 2012

Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Court Grants Feds Warrantless Access to Utility Records - Utilities must hand over customer records - which include credit card numbers, phone numbers and power consumption data - to the authorities without court warrants if drug agents believe they are “relevant” to an investigation, a federal appeals court says. http://www.wired.com/threatlevel/2012/08/customer-utility-records/

FYI - Appeals court dismisses warrantless wiretapping suit - Lawsuit derailed by government claims of sovereign immunity. - On Tuesday, the United States Court of Appeals for the Ninth Circuit, in San Francisco, tossed one of the few remaining lawsuits fighting the Bush Administration's warrantless wiretapping program. http://arstechnica.com/tech-policy/2012/08/appeals-court-dismisses-warantless-wiretapping-suit/

FYI - Google to pay $22.5M fine over privacy practices - The fine is the largest ever related to an FTC complaint - Google will pay a historic fine to settle U.S. government charges that it violated privacy laws when it tracked via cookies users of Apple's Safari browser. http://www.computerworld.com/s/article/9230126/Update_Google_to_pay_22.5M_fine_over_privacy_practices?taxonomyId=17

FYI - Pentagon proposes more robust role for its cyber-specialists - The Pentagon has proposed that military cyber-specialists be given permission to take action outside its computer networks to defend critical U.S. computer systems - a move that officials say would set a significant precedent. http://www.washingtonpost.com/world/national-security/pentagon-proposes-more-robust-role-for-its-cyber-specialists/2012/08/09/1e3478ca-db15-11e1-9745-d9ae6098d493_story.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Amazon fixes security flaw hackers used against a Wired journalist - Hack exposed shortcomings in Apple, Amazon security. Amazon acted, but Apple... - Days after a devastating cyber attack on the Wired journalist that exposed security flaws in Amazon's and Apple's online services, Amazon has fixed a problem that helped hackers gain control over the journalist's online accounts. http://arstechnica.com/security/2012/08/amazon-fixes-security-flaw-hackers-used-against-wireds-mat-honan/

FYI - Shylock malware injects rogue phone numbers in online banking websites - Fraudsters attempt to trick victims into contacting them instead of their banks - New configurations of the Shylock financial malware inject attacker-controlled phone numbers into the contact pages of online banking websites, according to security researchers from antivirus vendor Symantec. http://www.computerworld.com/s/article/9230087/Shylock_malware_injects_rogue_phone_numbers_in_online_banking_websites?taxonomyId=17

FYI - WikiLeaks undergoing massive denial-of-service attack - The website for news organization WikiLeaks remains down, the victim of a week-long and massive distributed denial-of-service attack. http://www.scmagazine.com/wikileaks-undergoing-massive-denial-of-service-attack/article/254267/?DCMP=EMC-SCUS_Newswire

FYI - Personal data on thousands of University of Arizona students publicly viewable - Students, vendors and others who received payments from the University of Arizona last year had their personal data posted to the school's public server. http://www.scmagazine.com/personal-data-on-thousands-of-university-of-arizona-students-publicly-viewable/article/254252/?DCMP=EMC-SCUS_Newswire

FYI - Hackers Encrypt Health Records and Hold Data for Ransom - As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.  http://www.bloomberg.com/news/2012-08-10/hackers-encrypt-health-records-and-hold-data-for-ransom.html

FYI - Pro-Hezbollah hacker leaks Israeli credit card info - A pro-Hezbollah hacker published personal information and credit card details of dozens of Israelis Wednesday night, all of it apparently stolen from the online storage company Webgate. http://www.jpost.com/NationalNews/Article.aspx?id=280585

FYI - Airport VPN hacked using Citadel malware - The pervasive Citadel trojan, typically reserved for financial theft, was used to beat two-factor authentication and hack into the virtual private network (VPN) of a major international airport, researchers revealed Tuesday. http://www.scmagazine.com/airport-vpn-hacked-using-citadel-malware/article/254604/?DCMP=EMC-SCUS_Newswire

FYI - Stolen laptop at Apria Healthcare exposes patient data - The theft of a laptop of an Apria Healthcare employee could expose health and personal information of several thousand patients of the California-based company. http://www.scmagazine.com/stolen-laptop-at-apria-healthcare-exposes-patient-data/article/254939/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 1 of 3)

1. Banks should adopt appropriate processes for evaluating decisions to outsource e-banking systems or services.

a)  Bank management should clearly identify the strategic purposes, benefits and costs associated with entering into outsourcing arrangements for e-banking with third parties.
b)  The decision to outsource a key e-banking function or service should be consistent with the bank's business strategies, be based on a clearly defined business need, and recognize the specific risks that outsourcing entails.
c)  All affected areas of the bank need to understand how the service provider(s) will support the bank's e-banking strategy and fit into its operating structure.

2. Banks should conduct appropriate risk analysis and due diligence prior to selecting an e-banking service provider and at appropriate intervals thereafter.

a)  Banks should consider developing processes for soliciting proposals from several e-banking service providers and criteria for choosing among the various proposals.
b)  Once a potential service provider has been identified, the bank should conduct an appropriate due diligence review, including a risk analysis of the service provider's financial strength, reputation, risk management policies and controls, and ability to fulfill its obligations.
c)  Thereafter, banks should regularly monitor and, as appropriate, conduct due diligence reviews of the ability of the service provider to fulfill its service and associated risk management obligations throughout the duration of the contract.
d)  Banks need to ensure that adequate resources are committed to overseeing outsourcing arrangements supporting e-banking.
e)  Responsibilities for overseeing e-banking outsourcing arrangements should be clearly assigned.
f)  An appropriate exit strategy should be in place for the bank to manage risks should it need to terminate the outsourcing relationship.

 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(FYI - This is the type of independent diagnostic testing that we perform.  Please refer to http://www.internetbankingaudits.com/ for information.)

Independent diagnostic tests include penetration tests, audits, and assessments. Independence provides credibility to the test results. To be considered independent, testing personnel should not be responsible for the design, installation, maintenance, and operation of the tested system, as well as the policies and procedures that guide its operation. The reports generated from the tests should be prepared by individuals who also are independent of the design, installation, maintenance, and operation of the tested system.

Penetration tests, audits, and assessments can use the same set of tools in their methodologies.  The nature of the tests, however, is decidedly different. Additionally, the definitions of penetration test and assessment, in particular, are not universally held and have changed over time.

Penetration Tests. A penetration test subjects a system to the real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is to identify the extent to which a system can be compromised before the attack is identified and assess the response mechanism's effectiveness. Penetration tests generally are not a comprehensive test of the system's security and should be combined with other independent diagnostic tests to validate the effectiveness of the security process.

Audits. Auditing compares current practices against a set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards they adopt are appropriate for their institution.

Assessments. An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system. They may also focus on different aspects of the information system, such as one or more hosts or networks.



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

32. When a customer relationship ends, does the institution continue to apply the customer's opt out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [§7(g)(2)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated