FYI
- The FDA takes steps to strengthen cybersecurity of medical devices
- To strengthen the safety of medical devices, the U.S. Food and
Drug Administration today finalized recommendations to manufacturers
for managing cybersecurity risks to better protect patient health
and information.
http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm416809.htm
FYI
- The Unpatchable Malware That Infects USBs Is Now on the Loose -
It’s been just two months since researcher Karsten Nohl demonstrated
an attack he called BadUSB to a standing-room-only crowd at the
Black Hat security conference in Las Vegas, showing that it’s
possible to corrupt any USB device with insidious, undetectable
malware.
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
FYI
- Marriott fined $600k for deliberate JAMMING of guests' Wi-Fi
hotspots - The Marriott has been fined $600,000 by the FCC for
paralyzing guests' personal Wi-Fi hotspots, forcing them to use the
hotel giant's expensive network instead.
http://www.theregister.co.uk/2014/10/03/marriott_jamming_wifi_fcc/
FYI
- Group infects more than 500K systems, targets banking credentials
in U.S. - Researchers with security company Proofpoint have
identified a Russian-speaking cybercrime group that has infected
more than 500,000 systems and is targeting online credentials for
major banks in the U.S. and Europe.
http://www.scmagazine.com/banking-credentials-targeted-by-russian-cybercrime-group/article/375914/
FYI
- ISACA announces entry-level cybersecurity certificate - Global IT
association ISACA has created a new cybersecurity certificate that's
intended for those looking to break into the field.
http://www.scmagazine.com/isaca-announces-the-new-cybersecurity-fundamentals-certificate/article/375808/
FYI
- US spying scandal will 'break the Internet,' says Google's Schmidt
- US government surveillance is destroying the digital economy, a
roundtable of execs from Google, Microsoft, Facebook and other tech
companies tell Sen. Ron Wyden.
http://www.cnet.com/news/us-spying-scandal-will-break-the-internet-says-googles-schmidt/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Chase breach affects 76 million accounts, raises questions about
detection failure - As JPMorgan Chase issued an apology to customers
and acknowledges that the data breach discovered this summer lasted
much longer and affected more customers than previously believed,
serious questions—that industry insiders say require immediate
answers—are being posed about how the breach could have gone
undetected for so long.
http://www.scmagazine.com/the-chase-breach-lasted-for-two-months-and-impacted-76-million-household-accounts-and-seven-million-business-accounts/article/375377/
FYI
- After Chase disclosure, bank regulator rallies execs to shore up
defenses - Now that JPMorgan Chase has revealed that a cyberattack
it sustained impacts the accounts of 76 million households and seven
million businesses, a New York bank regulator has taken action to
make sure the heads of financial institutions are aware of their
responsibility in thwarting future attacks within the sector.
http://www.scmagazine.com/the-chase-data-breach-has-prompted-a-regulator-to-meet-with-chief-executives-of-regulated-firms/article/375675/
FYI
- FHSU former student data inadvertently posted online - Fort Hays
State University in Kansas is notifying more than a hundred former
students that an employee inadvertently made their personal
information – including Social Security numbers – available online.
http://www.scmagazine.com/fhsu-former-student-data-inadvertently-posted-online/article/375229/
FYI
- Unauthorized employee may have accessed AT&T customer info - The
personal information of AT&T customers might have been compromised
when an employee viewed account information without proper
authorization, according to a letter the company sent to victims.
http://www.scmagazine.com/att-customer-personal-information-possibly-compromised/article/375670/
http://www.theregister.co.uk/2014/10/06/att_cops_to_insider_data_breach/
FYI
- Unencrypted laptop stolen from Community Technology Alliance -
California-based Community Technology Alliance (CTA) is notifying
more than a thousand individuals that their personal information –
including Social Security numbers – was on an unencrypted, password
protected laptop that was stolen.
http://www.scmagazine.com/unencrypted-laptop-stolen-from-community-technology-alliance/article/375678/
FYI
- ATM malware 'Tyupkin' found on over 50 machines in Europe, spreads
to U.S. - New malware, called “Tyupkin,” has been used by criminals
to withdraw millions in cash from ATM machines running 32-bit
Windows platforms – and researchers warn that the threat has
continued to evolve in recent months.
http://www.scmagazine.com/new-tyupkin-malware-has-spread-to-atms-in-the-us-and-other-countries/article/375948/
FYI
- Touchstone Medical Imaging patient data accessible online -
Tennessee-based Touchstone Medical Imaging is notifying an
undisclosed number of patients that their personal information –
including Social Security numbers – had inadvertently been made
accessible via the internet.
http://www.scmagazine.com/touchstone-medical-imaging-patient-data-accessible-online/article/375949/
FYI
- Valeritas notifies all employees of possible data breach - Medical
treatment solutions developer Valeritas is notifying all staffers
that security settings were inadvertently removed from a folder
containing their personal information – including Social Security
numbers – and it was possible for other employees to access the
data.
http://www.scmagazine.com/possible-valeritas-data-breach/article/376137/
FYI
- Malware on NDSCS computers that stored data on 15K students and
staffers - North Dakota State College of Science (NDSCS) is
notifying more than 15,000 current and former students and employees
that malware was discovered on numerous computers that contained
their personal information – including Social Security numbers.
http://www.scmagazine.com/malware-on-ndscs-computers/article/376446/
WEB SITE COMPLIANCE - We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 4: Banks should ensure that proper
authorization controls and access privileges are in place for
e-banking systems, databases and applications.
In order to maintain segregation of duties, banks need to strictly
control authorization and access privileges. Failure to provide
adequate authorization control could allow individuals to alter
their authority, circumvent segregation and gain access to e-banking
systems, databases or applications to which they are not privileged.
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
PERSONNEL SECURITY
AGREEMENTS: CONFIDENTIALITY, NON-DISCLOSURE, AND AUTHORIZED USE
Financial institutions should protect the confidentiality of
information about their customers and organization. A breach in
confidentiality could disclose competitive information, increase
fraud risk, damage the institution's reputation, violate customer
privacy and associated rights, and violate regulatory requirements.
Confidentiality agreements put all parties on notice that the
financial institution owns its information, expects strict
confidentiality, and prohibits information sharing outside of that
required for legitimate business needs. Management should obtain
signed confidentiality agreements before granting new employees and
contractors access to information technology systems.
JOB DESCRIPTIONS
Job descriptions, employment agreements, and policy awareness
acknowledgements increase accountability for security. Management
can communicate general and specific security roles and
responsibilities for all employees within their job descriptions.
Management should expect all employees, officers, and contractors to
comply with security and acceptable use policies and protect the
institution's assets, including information. The job descriptions
for security personnel should describe the systems and processes
they will protect and the control processes for which they are
responsible. Management can take similar steps to ensure contractors
and consultants understand their security responsibilities as well.
TRAINING
Financial institutions need to educate users regarding their
security roles and responsibilities. Training should support
security awareness and should strengthen compliance with the
security policy. Ultimately, the behavior and priorities of senior
management heavily influence the level of employee awareness and
policy compliance, so training and the commitment to security should
start with senior management. Training materials would typically
review the acceptable-use policy and include issues like desktop
security, log-on requirements, password administration guidelines,
etc. Training should also address social engineering, and the
policies and procedures that protect against social engineering
attacks. Many institutions integrate a signed security awareness
agreement along with periodic training and refresher courses.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
8(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a));
b. Reasonableness of the method of delivery (e.g., by hand;
by mail; electronically, if the consumer agrees; or as a necessary
step of a transaction) (§9); and
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), 5(a)), means of delivery of annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).