FYI
- Third of employees use company devices for social media and online
shopping - That fancy laptop all employees receive at the start of
their employment? As it turns out they aren't using it solely for
work-related activities, according to a new study.
http://www.scmagazine.com/employees-use-company-devices-for-non-work-related-activity/article/384775/
FYI
- Target to judge: Banks’ losses in our card breach aren’t our
problem - Files in federal court to have banks’ data breach suit
thrown out. Target’s massive data breach, in which criminals were
able to drop malware onto point-of-sale systems and compromise at
least 40 million credit and debit cards, is now the subject of a
federal lawsuit by banks who issued those cards.
http://arstechnica.com/tech-policy/2014/11/target-to-judge-banks-losses-in-our-card-breach-arent-our-problem/
FYI
- Hackers to probe cyber crime defences at British banks - In the
next few months hackers will try to penetrate the cyber defences of
Britain's major banks and steal information about millions of
customers. But for once they'll be welcome.
http://www.dailymail.co.uk/wires/reuters/article-2840995/Hackers-probe-cyber-crime-defences-British-banks.html
FYI
- USPS draws ire of Congress over data breach response - The United
States Postal Service (USPS) was scolded by members of a
congressional subcommittee in a hearing over its response to the
recent data breach that impacted its network and employees.
http://www.scmagazine.com/congress-criticizes-usps-data-breach-response/article/384520/
FYI
- Private investigator fined €5,000 for accessing data - A private
investigator has been convicted on two charges of illegally
obtaining information from the Pulse system and fined a total of
€5,000.
http://www.irishtimes.com/news/crime-and-law/private-investigator-fined-5-000-for-accessing-garda-data-1.2012999
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Foreign Governments Have Hacked U.S. Grid, NSA Head Says - Several
foreign governments have hacked into U.S. energy, water and fuel
distribution systems and might damage essential services, the top
national security official said.
http://www.bloomberg.com/news/2014-11-20/foreign-governments-have-hacked-u-s-power-system-nsa-head-says.html
FYI
- Brigham Young University-Idaho student hacks transcript, earns $7k
in scholarships - A Brigham Young University-Idaho (BYU) student
broke into his school's computer system to alter his grades and
ultimately use his altered transcript to receive thousands of
dollars in academic scholarships.
http://www.scmagazine.com/student-hacks-academic-transcript/article/384746/
FYI
- Breach impacts about 10,000 employees in Maryland school system -
Prince George's County Public Schools (PGCPS) in Maryland is
notifying roughly 10,000 employees that their personal information –
including Social Security numbers – was inadvertently included in a
report that was shared internally via email, and also disseminated
outside of the PGCPS email domain.
http://www.scmagazine.com/breach-impacts-about-10000-employees-in-maryland-school-system/article/385003/
FYI
- Attackers Hijack Craigslist Domain Name - Users looking to visit
online classifieds titan Craigslist on Sunday evening were
redirected to a site hosted at the domain DigitalGangster(dot)Com,
as a result of a DNS hijack.
http://www.securityweek.com/attackers-hijack-craigslist-domain-name
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 11: Banks should develop appropriate incident
response plans to manage, contain and minimize problems arising from
unexpected events, including internal and external attacks, that may
hamper the provision of e-banking systems and services.
Effective incident response mechanisms are critical to minimize
operational, legal and reputational risks arising from unexpected
events such as internal and external attacks that may affect the
provision of e-banking systems and services. Banks should develop
appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
services, including those originating from outsourced systems and
operations.
To ensure effective response to unforeseen incidents, banks should
develop:
1) Incident response plans to address recovery of e-banking
systems and services under various scenarios, businesses and
geographic locations. Scenario analysis should include consideration
of the likelihood of the risk occurring and its impact on the bank.
E-banking systems that are outsourced to third-party service
providers should be an integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as it
occurs, assess its materiality, and control the reputation risk
associated with any disruption in service.
3) A communication strategy to adequately address external market
and media concerns that may arise in the event of security breaches,
online attacks and/or failures of e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event that material security breaches or
disruptive incidents occur.
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance of
related output.
6) A clear chain of command, encompassing both internal as well as
outsourced operations, to ensure that prompt action is taken
appropriate for the significance of the incident. In addition,
escalation and internal communication procedures should be developed
and include notification of the Board where appropriate.
7) A process to ensure all relevant external parties, including
bank customers, counterparties and the media, are informed in a
timely and appropriate manner of material e-banking disruptions and
business resumption developments.
8) A process for collecting and preserving forensic evidence to
facilitate appropriate post-mortem reviews of any e-banking
incidents as well as to assist in the prosecution of attackers.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
A maxim of security is "prevention is ideal, but detection is a
must." Security systems must both restrict access and protect
against the failure of those access restrictions. When those systems
fail, however, an intrusion occurs and the only remaining protection
is a detection-and-response capability. The earlier an intrusion
is detected, the greater the institution's ability to mitigate the
risk posed by the intrusion. Financial institutions should have a
capability to detect and react to an intrusion into their
information systems.
INTRUSION DETECTION
Preparation for intrusion detection generally involves identifying
data flows to monitor for clues to an intrusion, deciding on the
scope and nature of monitoring, implementing that monitoring, and
establishing a process to analyze and maintain custody over the
resulting information. Additionally, legal requirements may include
notifications of users regarding the monitoring and the extent to
which monitoring must be performed as an ordinary part of ongoing
operations.
Adequate preparation is a key prerequisite to detection. The best
intrusion detection systems will not identify an intrusion if they
are not located to collect the relevant data, do not analyze correct
data, or are not configured properly. Even if they detect an
intrusion, the information gathered may not be usable by law
enforcement if proper notification of monitoring and preservation of
data integrity has not taken place.
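Both the Basel list above (item 8, collecting and preserving forensic evidence) and the FFIEC passage turn on the same practical point: monitoring data is only useful to a post-mortem review or to law enforcement if its integrity and custody can be demonstrated. The following is an added illustration, not code from either publication: it seals a captured sensor log with a SHA-256 digest, keeps a hash-chained custody record of who held it, and verifies both at review time. The sample alert lines are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of IDS sensor output; not real alerts from any institution.
SAMPLE_LOG = (
    b"2014-11-21T03:14:07Z sensor=ids-01 alert=port-scan src=10.0.0.23\n"
    b"2014-11-21T03:14:09Z sensor=ids-01 alert=ssh-bruteforce src=10.0.0.23\n"
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _append_event(record: dict, **fields) -> None:
    # Each custody event carries the hash of the previous entry (or of the data
    # itself for the first one), so a removed or edited entry breaks the chain.
    prev = record["events"][-1]["entry_hash"] if record["events"] else record["sha256"]
    event = {"at": datetime.now(timezone.utc).isoformat(), "prev": prev, **fields}
    event["entry_hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
    record["events"].append(event)

def seal_evidence(data: bytes, source: str, collector: str) -> dict:
    """Seal collected monitoring data: digest, size and the first custody event."""
    record = {"source": source, "sha256": sha256_hex(data), "size": len(data), "events": []}
    _append_event(record, action="collected", by=collector)
    return record

def transfer_custody(record: dict, giver: str, receiver: str) -> dict:
    """Record a hand-off of the evidence from one custodian to another."""
    _append_event(record, action="transferred", from_=giver, to=receiver)
    return record

def verify_evidence(record: dict, data: bytes) -> bool:
    """True only if the data matches the sealed digest and the custody chain is intact."""
    if record["sha256"] != sha256_hex(data) or record["size"] != len(data):
        return False
    prev = record["sha256"]
    for ev in record["events"]:
        body = {k: v for k, v in ev.items() if k != "entry_hash"}
        expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if ev["prev"] != prev or ev["entry_hash"] != expected:
            return False
        prev = ev["entry_hash"]
    return True
```

In practice the sealed record would be signed or stored separately from the evidence itself, so that whoever can alter the log cannot also rewrite its digest.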
INTERNET PRIVACY - This is the last time we will publish this section on
Internet Privacy. You will find the entire regulation PART
332—PRIVACY OF CONSUMER FINANCIAL INFORMATION at
http://www.fdic.gov/regulations/laws/rules/2000-5550.html.
We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Account number sharing
A. If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts indicate
that the telemarketers have the account numbers of the institution's
consumers (§12).
B. Obtain and review a sample of contracts with agents or service
providers to whom the financial institution discloses account
numbers for use in connection with marketing the institution's own
products or services. Determine whether the institution shares
account numbers with nonaffiliated third parties only to perform
marketing for the institution's own products and services. Ensure
that the contracts do not authorize these nonaffiliated third
parties to directly initiate charges to customers' accounts
(§12(b)(1)).
C. Obtain a sample of materials and information provided to the
consumer upon entering a private label or affinity credit card
program. Determine if the participants in each program are
identified to the customer when the customer enters into the program
(§12(b)(2)).