FYI
- NIST Guide to Cyber Threat Information Sharing open for comments -
NIST has announced the public comment release of Draft Special
Publication (SP) 800-150, Guide to Cyber Threat Information Sharing.
http://net-security.org/secworld.php?id=17554
http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf
FYI
- FFIEC Releases
Cybersecurity Assessment Observations, Recommends Participation in
Financial Services Information Sharing and Analysis Center - The
Federal Financial Institutions Examination Council (FFIEC), on
behalf of its members, today released observations from the recent
cybersecurity assessment and recommended regulated financial
institutions participate in the Financial Services Information
Sharing and Analysis Center
www.ffiec.gov/press/pr110314.htm
FYI
- Comptroller of the Currency Thomas J. Curry today discussed
efforts to enhance cybersecurity among community banks during his
remarks at the 10th Annual Community Bankers Symposium, hosted by
the Federal Reserve Bank of Chicago, the Federal Deposit Insurance
Corporation, and the Office of the Comptroller of the Currency.
http://www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-152.pdf
FYI
- BIGGEST THREAT to Europe’s cybersecurity? Hint: not hackers -
Largest EVER Europe-wide cybersecurity exercise - Forget
cyber-espionage, cyber-warfare and cyber-terrorism. The biggest
threat to Europe’s infrastructure cybersecurity is power outages
and poor communication.
http://www.theregister.co.uk/2014/10/30/the_threats_to_europes_cybersecurity_arent_what_you_think_they_are/
FYI
- Deloitte releases paper on vetting leaks, avoiding costly hoax -
Deloitte, a major player in financial consulting and enterprise risk
services, has released research that can help companies determine if
they've been the victim of a data leak – or the casualty of an
online hoax.
http://www.scmagazine.com/research-helps-companies-determine-if-theyve-suffered-data-leaks/article/380063/
FYI
- Virginia police can now force you to unlock your smartphone with
your fingerprint - A circuit judge likened police forcing smartphone
owners to unlock their device with a fingerprint to providing a
DNA sample or an actual key.
http://www.zdnet.com/virginia-police-can-now-force-you-to-unlock-your-smartphone-with-your-fingerprint-7000035293/
FYI
- Microsoft ends retail sales of Windows 7 and 8 -
Microsoft has officially stopped selling retail copies of some
versions of Windows 7 and 8. The date to stop selling the software
was set some time ago and should help Microsoft move people on to
more recent versions of its operating system.
http://www.bbc.com/news/technology-29880144
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- White House Says Unclassified Network Hit In Cyberattack -
Mitigation efforts have caused temporary outages and loss of
connectivity for some staff, but no computers have been damaged,
official says. An unclassified portion of the White House network
has been hit with what appears to be an ongoing cyberattack.
http://www.darkreading.com/attacks-breaches/white-house-says-unclassified-network-hit-in-cyberattack/d/d-id/1317060
FYI
- Skimmer used at Cleveland parking garage, payment cards stolen - A
skimmer was used at Willard Park Garage under Cleveland City Hall,
stealing information on three dozen people and putting hundreds of
others at risk.
http://www.scmagazine.com/skimmer-used-at-cleveland-parking-garage-payment-cards-stolen/article/381032/
FYI
- Thieves Cash Out Rewards, Points Accounts - A number of readers have
complained recently about having their Hilton Honors loyalty
accounts emptied by cybercrooks. This type of fraud often catches
consumers off-guard, but the truth is that the recent spike in fraud
against Hilton Honors members is part of a larger trend that’s been
worsening for years as more companies offer rewards programs.
http://krebsonsecurity.com/2014/11/thieves-cash-out-rewards-points-accounts/
FYI
- Flash redirect campaign impacts Carnegie Mellon page, leads to
Angler EK - Thousands of compromised websites, including a Carnegie
Mellon domain, appear to be linked to a campaign that redirects
users to exploit kit landing pages.
http://www.scmagazine.com/flash-redirect-campaign-impacts-carnegie-mellon-page-leads-to-angler-ek/article/380599/
FYI
- Miami health center notifies nearly 8,000 patients of data breach -
Miami-based Jessie Trice Community Health Center has notified nearly
8,000 patients that their personal information – including Social
Security numbers – was stolen as part of an identity theft criminal
operation.
http://www.scmagazine.com/miami-health-center-notifies-nearly-8000-patients-of-data-breach/article/381176/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 8: Banks should ensure that adequate information is
provided on their websites to allow potential customers to make an
informed conclusion about the bank's identity and regulatory status
prior to entering into e-banking transactions.
To minimize legal and reputational risk associated with e-banking
activities conducted both domestically and cross-border, banks
should ensure that adequate information is provided on their
websites to allow customers to make informed conclusions about the
identity and regulatory status of the bank before they enter into
e-banking transactions.
Examples of such information that a bank could provide on its own
website include:
1) The name of the bank and the location of its head office (and
local offices if applicable).
2) The identity of the primary bank supervisory authority(ies)
responsible for the supervision of the bank's head office.
3) How customers can contact the bank's customer service center
regarding service problems, complaints, suspected misuse of
accounts, etc.
4) How customers can access and use applicable Ombudsman or
consumer complaint schemes.
5) How customers can obtain access to information on applicable
national compensation or deposit insurance coverage and the level of
protection that they afford (or links to websites that provide such
information).
6) Other information that may be appropriate or required by
specific jurisdictions.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log,
institutions should consider the importance of the related system or
information, the importance of monitoring the access controls, the
value of logged data in restoring a compromised system, and the
means to effectively analyze the data. Generally, logs should
capture source identification information; session ID; terminal ID;
and the date, time, and the nature of the access attempt, service
request, or process. Many hardware and software products come with
logging disabled and may have inadequate log analysis and reporting
capabilities. Institutions may have to enable the logging
capabilities and then verify that logging remains enabled after
rebooting. In some cases, additional software will provide the only
means to analyze the log files effectively.
Many products, such as firewall and intrusion detection software, can
simplify security monitoring by automating the analysis of the logs
and alerting the appropriate personnel to suspicious activity.
Log files are critical to the successful investigation and
prosecution of security incidents and can potentially contain
sensitive information. Intruders will often attempt to conceal any
unauthorized access by editing or deleting log files. Therefore,
institutions should strictly control and monitor access to log
files. Some considerations for securing the integrity of log files
include:
! Encrypting log files that contain sensitive data or that are
transmitted over the network,
! Ensuring adequate storage capacity to avoid gaps in data
gathering,
! Securing backup and disposal of log files,
! Logging the data to a separate, isolated computer,
! Logging the data to write-only media such as a write-once/read-many
(WORM) disk or drive,
! Utilizing centralized logging, such as the UNIX "SYSLOG" utility,
and
! Setting logging parameters to disallow any modification to
previously written data.
The financial institution should have an effective means of tracing
a security event through its systems. Synchronized time stamps on
network devices may be necessary to gather consistent logs and a
consistent audit trail. Additionally, logs should be available, when
needed, for incident detection, analysis and response.
When using logs to support personnel actions, management should
consult with counsel about whether the logs are sufficiently
reliable to support the action.
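The integrity controls listed above (an isolated log host, WORM media, no modification of previously written data) are only useful if someone can later prove that the log an examiner or a court is looking at is the one that was written. The following is an added example, not text or code from the FFIEC booklet: a small append-only audit log in which every record carries the fields the booklet asks for (source, session ID, terminal ID, UTC time stamp, nature of the event) plus a keyed hash of the previous record, so that editing or deleting an earlier line breaks the chain. Hash chaining is one technique for meeting the "disallow modification" consideration; the booklet does not prescribe it. The field names, the HMAC key and the sample records are constructed for this demonstration.

```python
"""Tamper-evident, append-only audit log with a keyed hash chain.

Added example (not FFIEC text). Each line is `<json payload>|<hmac tag>`;
the payload embeds the previous line's tag, so an intruder who edits or
deletes an earlier record cannot do so without breaking every later link.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In practice the key (or at least the latest chain
# head) is held on the separate, isolated log host, so an intruder who
# compromises the logged system cannot re-sign a rewritten history.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # back-link carried by the very first record


def _tag(payload: str) -> str:
    """Keyed SHA-256 over the serialised record."""
    return hmac.new(LOG_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def head_tag(log):
    """Tag of the most recent record; store this off-host after each write."""
    return log[-1].rsplit("|", 1)[1] if log else GENESIS


def append_record(log, source, session_id, terminal_id, event, ts=None):
    """Append one record carrying source, session, terminal, UTC time and the
    nature of the event, chained to the previous record's tag."""
    if ts is None:
        # Synchronized, zone-qualified time stamps keep multi-host trails consistent.
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    body = {"ts": ts, "src": source, "session": session_id,
            "terminal": terminal_id, "event": event, "prev": head_tag(log)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    log.append(f"{payload}|{_tag(payload)}")
    return log


def verify_chain(log, expected_head=None):
    """Walk the log. Returns (True, None) if intact, otherwise (False, index)
    of the first record whose tag or back-link fails. Deleting the newest
    record(s) is detected only when the last known head tag is supplied,
    which is why that tag must live somewhere the logged host cannot write."""
    prev = GENESIS
    for i, line in enumerate(log):
        try:
            payload, tag = line.rsplit("|", 1)
            body = json.loads(payload)
        except ValueError:
            return False, i
        if not hmac.compare_digest(tag, _tag(payload)) or body.get("prev") != prev:
            return False, i
        prev = tag
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed sample session: login, a privileged request, log-out."""
    log = []
    append_record(log, "10.1.2.3", "S-4471", "TTY-07",
                  "login ok user=alice", "2014-11-03T14:02:11+00:00")
    append_record(log, "10.1.2.3", "S-4471", "TTY-07",
                  "wire request amount=25000 status=pending", "2014-11-03T14:05:40+00:00")
    append_record(log, "10.1.2.3", "S-4471", "TTY-07",
                  "logout user=alice", "2014-11-03T14:06:02+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = head_tag(log)
    print("intact:", verify_chain(log))
    edited = list(log)
    edited[0] = edited[0].replace("alice", "mallory")
    print("edited record 0:", verify_chain(edited))
    print("deleted record 1:", verify_chain(log[:1] + log[2:]))
    print("tail truncated, head known:", verify_chain(log[:-1], head))
```

The chain answers the "has this log been altered?" question, not the "is this log complete?" question: removing the newest records leaves a valid chain, so the head tag (or the record count) has to be forwarded to the isolated log host with each write, exactly the separate-computer and centralized-logging points the booklet makes.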
INTERNET PRIVACY - (At the end of November 2014, we will discontinue this section
on Internet Privacy. You will find the entire regulation PART
332—PRIVACY OF CONSUMER FINANCIAL INFORMATION at
http://www.fdic.gov/regulations/laws/rules/2000-5550.html.)
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated
third parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party.
a. Compare the data shared and with whom the data were shared to
ensure that the institution accurately states its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and
annual notices, as well as any simplified notice that the
institution may use. Note that the institution may only use the
simplified notice when it does not also share nonpublic personal
information with affiliates outside of Section 14 and 15 exceptions.
Determine whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information (§6).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written customer records where available, determine if the
institution has adequate procedures in place to provide notices to
customers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the customer agrees; or as a necessary step
of a transaction) (§9) and accessibility of or ability to retain the
notice (§9(e)).