REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- OpenSSL to prenotify distros of severe security fixes - The
OpenSSL project has unveiled its first security policy on how the
project will handle security fixes, and to whom it will disclose
vulnerabilities prior to releases. Given the blowback from the
Heartbleed vulnerability revealed earlier this year, the OpenSSL
project has released its first security policy that details how the
project handles security issues.
http://www.zdnet.com/openssl-to-prenotify-distros-of-severe-security-fixes-7000033409/
FYI
- Current Awareness of the Cybersecurity Framework - Recognizing the
critical importance of widespread voluntary usage of the Framework
in order to achieve the goals of the Executive Order, and that usage
initially depends upon awareness, NIST solicits information about
awareness of the Framework and its intended uses among
organizations.
https://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-the-framework-for-improving-critical-infrastructure-cybersecurity#h-9
FYI
- FCC fines Verizon for violating customers' privacy - Verizon is in
hot water with federal regulators for showing customers ads based on
their personal information without first obtaining consent.
http://money.cnn.com/2014/09/03/technology/mobile/verizon-fcc/index.html
FYI
- Home Depot is sued following payment card breach - An Illinois
Home Depot shopper is suing the home improvement retailer following
a breach of its customer payment information.
http://www.scmagazine.com/home-depot-is-sued-following-payment-card-breach/article/370853/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Home Depot investigates possible payment card breach - “At this
point, I can confirm that we're looking into some unusual activity
and we are working with our banking partners and law enforcement to
investigate,” according to a statement emailed to SCMagazine.com on
Tuesday by Paula Drake, a Home Depot spokesperson.
http://www.scmagazine.com/home-depot-investigates-possible-payment-card-breach/article/369366/
http://arstechnica.com/security/2014/09/home-depot-confirms-breach-but-stays-mum-as-to-size/
FYI
- Goodwill announces breach, more than 800K payment cards
compromised - In a letter to customers dated Tuesday, Jim Gibbons,
president and CEO of Goodwill Industries International (GII),
announced that payment card data was accessed following a malware
attack on a third-party vendor used in about 10 percent of stores.
http://www.scmagazine.com/goodwill-announces-breach-more-than-800k-payment-cards-compromised/article/369837/
FYI
- Is Apple Telling All It Knows? - Recently the entire social
network world, the general print media, entertainment news TV, and,
really, almost every outlet that feels it is in the news business
has been awash in articles about the leak of nude and compromising
photographs of a large group of celebrities.
http://www.darkreading.com/attacks-breaches/celeb-hack-is-apple-telling-all-it-knows/a/d-id/1306923
FYI
- Unencrypted thumb drive containing patient data stolen from Duke
University Health System - Duke University Health System (DUHS) is
notifying an undisclosed number of patients that their personal
information was on an unencrypted thumb drive that was stolen from
an administrative office on July 1.
http://www.scmagazine.com/unencrypted-thumb-drive-containing-patient-data-stolen-from-duke-university-health-system/article/370033/
FYI
- Access gained to California university web server storing personal
information - More than 6,000 individuals are being notified by
California State University, East Bay, that their personal
information – including Social Security numbers – may have been
compromised by an unknown third-party.
http://www.scmagazine.com/access-gained-to-california-university-web-server-storing-personal-information/article/370206/
FYI
- National Research Council breached - Canada's National Research
Council has written to partner companies informing them of a breach
of its cybersecurity systems.
http://www.scmagazine.com/national-research-council-breached/article/370202/
FYI
- Payment card breach possibly tied to Florida Beef 'O' Brady's
locations - The North Port Police Department stated that
unauthorized payment card purchases made in Massachusetts, New York
and Texas may be tied to Beef ‘O' Brady's sports bar locations in
Florida, according to a Tuesday abc-7.com report.
http://www.scmagazine.com/payment-card-breach-possibly-tied-to-florida-beef-o-bradys-locations/article/370850/
FYI
- Computer hardware containing patient data stolen from Ohio plastic
surgery office - More than 6,000 patients of Beachwood-Westlake
Plastic Surgery and Medical Spa in Ohio are being notified that
their personal information was on computer hardware that was stolen
during an office burglary.
http://www.scmagazine.com/computer-hardware-containing-patient-data-stolen-from-ohio-plastic-surgery-office/article/370808/
FYI
- Google says Gmail credential dump not result of company breach -
After Gmail usernames and passwords for nearly five million accounts
were leaked online, Google quickly moved to calm user concerns and
confirmed that the majority of the credentials wouldn't be very
useful to those aiming to hijack accounts with the information.
http://www.scmagazine.com/google-says-gmail-credential-dump-not-result-of-company-breach/article/371092/
FYI
- Canadian computer dealer claims Ernst & Young breach - While a
used computer dealer based in Canada has accused Ernst & Young of a
data breach, legal documents filed by the company in court indicate
that the company is uncertain that the breach is real, according to
a report in Network World.
http://www.scmagazine.com/canadian-computer-dealer-claims-ernst-young-breach/article/371104/
FYI
- Central Utah Clinic notifies over 30K patients of potential HIPAA
breach - More than 30,000 patients of the Central Utah Clinic in
Provo, Utah might have had their personal health information viewed
by an unauthorized intruder who broke into one of the clinic's
servers.
http://www.scmagazine.com/central-utah-clinic-notifies-over-30k-patients-of-potential-hipaa-breach/article/370959/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
While
the Board of Directors has the responsibility for ensuring that
appropriate security control processes are in place for e-banking,
the substance of these processes needs special management attention
because of the enhanced security challenges posed by e-banking.
Over the next number of weeks we will cover the principles of
Security Controls.
Security Controls - Principle 1: Banks should take
appropriate measures to authenticate the identity and authorization
of customers with whom it conducts business over the Internet. (Part
1 of 2)
It is essential in banking to confirm that a particular
communication, transaction, or access request is legitimate.
Accordingly, banks should use reliable methods for verifying the
identity and authorization of new customers as well as
authenticating the identity and authorization of established
customers seeking to initiate electronic transactions.
Customer verification during account origination is important in
reducing the risk of identity theft, fraudulent account applications
and money laundering. Failure on the part of the bank to adequately
authenticate customers could result in unauthorized individuals
gaining access to e-banking accounts and ultimately financial loss
and reputational damage to the bank through fraud, disclosure of
confidential information or inadvertent involvement in criminal
activity.
Establishing and authenticating an individual's identity and
authorization to access banking systems in a purely electronic open
network environment can be a difficult task. Legitimate user
authorization can be misrepresented through a variety of techniques
generally known as "spoofing." Online hackers can also take over the
session of a legitimate authorized individual through use of a
"sniffer" and carry out activities of a mischievous or criminal
nature. Authentication control processes can in addition be
circumvented through the alteration of authentication databases.
Accordingly, it is critical that banks have formal policy and
procedures identifying appropriate methodology(ies) to ensure that
the bank properly authenticates the identity and authorization of an
individual, agent or system by means that are unique and, as far as
practical, exclude unauthorized individuals or systems. Banks can use
a variety of methods to establish authentication, including PINs,
passwords, smart cards, biometrics, and digital certificates. These
methods can be either single factor or multi-factor (e.g. using both
a password and biometric technology to authenticate). Multi-factor
authentication generally provides stronger assurance.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Outsourced Development
Many financial institutions outsource software development to third
parties. Numerous vendor management issues exist when outsourcing
software development. The vendor management program established by
management should address the following:
- Verifying credentials and contracting only with reputable
providers;
- Evaluating the provider's secure development environment,
including background checks on its employees and code development
and testing processes;
- Obtaining fidelity coverage;
- Requiring signed nondisclosure agreements to protect the
financial institution's rights to source code and customer data as
appropriate;
- Establishing security requirements, acceptance criterion, and
test plans;
- Reviewing and testing source code for security vulnerabilities,
including covert channels or backdoors that might obscure
unauthorized access into the system;
- Restricting any vendor access to production source code and
systems and monitoring their access to development systems; and
- Performing security tests to verify that the security
requirements are met before implementing the software in production.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Examination Procedures (Part 1 of 3)
A. Through discussions with management and review of available
information, identify the institution's information sharing
practices (and changes to those practices) with affiliates and
nonaffiliated third parties; how it treats nonpublic personal
information; and how it administers opt-outs. Consider the following
as appropriate:
1) Notices (initial, annual, revised, opt out, short-form, and
simplified);
2) Institutional privacy policies and procedures, including those
to:
a) process requests for nonpublic personal information,
including requests for aggregated data;
b) deliver notices to consumers; manage consumer opt out
directions (e.g., designating files, allowing a reasonable time to
opt out, providing new opt out and privacy notices when necessary,
receiving opt out directions, handling joint account holders);
c) prevent the unlawful disclosure and use of the information
received from nonaffiliated financial institutions; and
d) prevent the unlawful disclosure of account numbers;
3) Information sharing agreements between the institution and
affiliates and service agreements or contracts between the
institution and nonaffiliated third parties either to obtain or
provide information or services;
4) Complaint logs, telemarketing scripts, and any other
information obtained from nonaffiliated third parties (Note: review
telemarketing scripts to determine whether the contractual terms set
forth under section 13 are met and whether the institution is
disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from or
about consumers in obtaining a financial product or service (e.g.,
in the application process for deposit, loan, or investment
products; for an over-the-counter purchase of a bank check; from
E-banking products or services, including the data collected
electronically through Internet cookies; or through ATM
transactions);
6) Categories of nonpublic personal information shared with, or
received from, each nonaffiliated third party; and
7) Consumer complaints regarding the treatment of nonpublic
personal information, including those received electronically.
8) Records that reflect the bank's categorization of its
information sharing practices under Sections 13, 14, 15, and outside
of these exceptions.
9) Results of a 501(b) inspection (used to determine the accuracy
of the institution's privacy disclosures regarding data security).