R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 6, 2013

CONTENTS - Internet Compliance Web Site Audits; IT Security; Internet Privacy

PENETRATION TESTING -
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Task force seeks to update New York state cyber crime laws - A proposal released Tuesday addresses much needed updates to New York State's white collar laws (PDF), which have remained mostly unaltered since 1965. http://www.scmagazine.com/task-force-seeks-to-update-new-york-state-cyber-crime-laws/article/313442/

FYI - Dutch IT companies rebel against security breach notification law - Nederland ICT, the Netherlands' trade association that represents Dutch IT companies with over 250,000 staff between them, is not amused by a Dutch government plan to force tech firms to report security breaches. http://www.zdnet.com/dutch-it-companies-rebel-against-security-breach-notification-law-7000021089/

FYI - Nearly two years after a security researcher published details of the hard-coded credentials that ship with a slew of industrial control system products made by Schneider Electric, the company has released updated firmware that fixes the problems. http://threatpost.com/ics-vendor-fixes-hard-coded-credential-bugs-nearly-two-years-after-advisory/102391

FYI - Hundreds of hackers sought for new £500m UK cyber-bomber strike force - Britain must rm -rf its enemies or be rm -rf'ed, declares defence secretary - The UK's Ministry of Defence wants to recruit an army of computer experts to serve as "cyber reservists" to defend national security. http://www.theregister.co.uk/2013/09/30/uk_cyber_reserve_force/

FYI - Appreciate your log data - Log data are like streams of non-stop “tweets” coming from nearly every IT asset in one's infrastructure. http://www.scmagazine.com/appreciate-your-log-data/article/311634/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Lexis-Nexis, D&B and Kroll hacked - Data-stealing botnet found in aggregators' services - Major data aggregators have been compromised “for months”, according to prominent security blogger Brian Krebs, including Lexis-Nexis and Dun & Bradstreet. http://www.theregister.co.uk/2013/09/25/krebs_lexisnexis_db_and_kroll_hacked/

FYI - Ex-Barclays worker fined £3,360 for accessing customer's data - A former employee was found to have accessed the account details of the partner of a friend of hers on 22 occasions, back in 2011. This included finding out how many children the partner had, and telling the friend. http://www.information-age.com/technology/security/123457372/ex-barclays-worker-fined---3-360-for-accessing-customer-s-data

FYI - Human error leads to Virginia Tech computer server breach - A computer server within the Department of Human Resources at Virginia Polytechnic Institute and State University, popularly known as Virginia Tech, was breached as a result of human error. http://www.scmagazine.com/human-error-leads-to-virginia-tech-computer-server-breach/article/313797/?DCMP=EMC-SCUS_Newswire

FYI - LA students bypass security measures on iPads, home use suspended - After only a week with their school district-issued iPads, hundreds of students found a way to bypass security measures placed on the devices. http://www.scmagazine.com/la-students-bypass-security-measures-on-ipads-home-use-suspended/article/313989/?DCMP=EMC-SCUS_Newswire

FYI - Unencrypted laptop stolen from Calif. hospital puts patients at risk - Patients of California-based Santa Clara Valley Medical Center had their medical data compromised when an unencrypted laptop was stolen from the audiology department. http://www.scmagazine.com/unencrypted-laptop-stolen-from-calif-hospital-puts-patients-at-risk/article/313985/?DCMP=EMC-SCUS_Newswire

FYI - Europol nabs cyber crooks behind 21,000-strong hacked server store - Europol has arrested the hacker masterminds behind a notorious cyber black market, selling access to 21,000 compromised servers. http://www.v3.co.uk/v3-uk/news/2297369/europol-nabs-cyber-crooks-behind-21-000-strong-hacked-server-store

FYI - British teen accused of massive Spamhaus DDoS attack arrested months ago - Police secretly arrested a London-based teen last April in connection with the huge DDoS attack on anti-spam organisation Spamhaus, it has been confirmed. http://news.techworld.com/security/3471224/british-teen-accused-of-massive-spamhaus-ddos-attack-arrested-months-ago/

FYI - Iran's Hackers Are Still Chipping Away at U.S. Networks - Even as the presidents of Iran and the U.S. speak to each other (on the phone) for the first time since 1979, it looks like Iran hasn't given up its cyberwar against the U.S. According to The Wall Street Journal, a group of hackers either working directly for the Iranian government or with its approval accessed an unclassified Navy computer network. http://www.theatlanticwire.com/global/2013/09/irans-hackers-are-still-hacking-away-us-networks/69984/

FYI - Stolen laptop compromises hundreds of Wisconsin hospital patients - Hundreds of patients treated this year at St. Mary's Janesville Hospital in Wisconsin may have had their personal data compromised when a health care laptop was stolen from the car of an employee. http://www.scmagazine.com/stolen-laptop-compromises-hundreds-of-wisconsin-hospital-patients/article/314448/?DCMP=EMC-SCUS_Newswire

FYI - Hackers steal Adobe product source code and credit card data of three million customers - Adobe is warning nearly three million of its customers that their credit card data was breached – and that the intruders also appear to have stolen product source code via “sophisticated attacks.” http://www.scmagazine.com/hackers-steal-adobe-product-source-code-and-credit-card-data-of-three-million-customers/article/314699/?DCMP=EMC-SCUS_Newswire

FYI - Unauthorized user accesses medical records at Iowa-based health system - Nearly two thousand patients may have personal information at risk after an unauthorized user accessed an electronic medical record (EMR) system for Iowa-based UnityPoint Health. http://www.scmagazine.com/unauthorized-user-accesses-medical-records-at-iowa-based-health-system/article/314603/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
This week concludes our series on the FDIC's Supervisory Policy on Identity Theft (Part 6 of 6)

President’s Identity Theft Task Force

On May 10, 2006, the President issued an executive order establishing an Identity Theft Task Force (Task Force). The Chairman of the FDIC is a principal member of the Task Force and the FDIC is an active participant in its work. The Task Force has been charged with delivering a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution. On September 19, 2006, the Task Force adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft. Among other things, these recommendations dealt with data breach guidance to federal agencies, alternative methods of "authenticating" identities, and reducing access of identity thieves to Social Security numbers. The final strategic plan is expected to be publicly released soon.

Conclusion

Financial institutions have an affirmative and continuing obligation to protect the privacy of customers' nonpublic personal information. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers.

INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION

Action Summary - Financial institutions should use effective authentication methods appropriate to the level of risk. Steps include

1) Selecting authentication mechanisms based on the risk associated with the particular application or services;
2) Considering whether multi-factor authentication is appropriate for each application, taking into account that multi-factor authentication is increasingly necessary for many forms of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators (e.g., passwords, PINs, digital certificates, and biometric templates).

Authentication is the verification of identity by a system based on the presentation of unique credentials to that system. The unique credentials are in the form of something the user knows, something the user has, or something the user is. Those forms exist as shared secrets, tokens, or biometrics. More than one form can be used in any authentication process. Authentication that relies on more than one form is called multi-factor authentication and is generally stronger than any single authentication method. Authentication contributes to the confidentiality of data and the accountability of actions performed on the system by verifying the unique identity of the system user.

Authentication is not identification as that term is used in the USA PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide assurance that the initial identification of a system user is proper. Authentication only provides assurance that the user of the system is the same user that was initially identified. Procedures for the initial identification of a system user are beyond the scope of this booklet.
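As an added illustration, not code from the FFIEC booklet or from Yennik, Inc., the following Python sketch applies the three Action Summary steps: the number of factors a service requires is chosen by its risk tier, the "something the user knows" factor is checked against a salted hash rather than a stored password, and an RFC 6238 time-based one-time code serves as the "something the user has" factor. The risk tiers, record field names, and the sample user are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Added example, not code from the FFIEC booklet or Yennik, Inc.
# Assumed policy: number of factors required per risk tier of the service.
RISK_FACTORS = {"low": 1, "high": 2}
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Derive a salted PBKDF2 hash so the stored authenticator is not the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Check the 'something the user knows' factor with a constant-time comparison."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: the 'something the user has' factor."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def authenticate(user: dict, password: str, code: str, risk: str, now: int) -> bool:
    """Require one factor for low-risk services and both for high-risk ones (e.g. payments)."""
    required = RISK_FACTORS[risk]
    passed = 0
    if verify_password(password, user["salt"], user["pw_hash"]):
        passed += 1
    if required > 1 and code is not None:
        # Only the current 30-second window is accepted; widening it is a policy decision.
        if hmac.compare_digest(code, totp(user["totp_secret"], now)):
            passed += 1
    return passed >= required

# Constructed sample record; the TOTP secret is the RFC 6238 test key.
SAMPLE_SALT, SAMPLE_HASH = hash_password("correct horse battery", salt=b"\x00" * 16)
SAMPLE_USER = {"salt": SAMPLE_SALT, "pw_hash": SAMPLE_HASH,
               "totp_secret": b"12345678901234567890"}
```

A production deployment would also protect the TOTP secret at rest and transmit all three values only over an encrypted channel, which is the third Action Summary step.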



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum: 

a. a statement to this effect;

b. the categories of nonpublic personal information it collects;

c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and

d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]

(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated