R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 6, 2015

Newsletter Content: FFIEC IT Security, Web Site Audits, Web Site Compliance, NIST Handbook, Penetration Testing
Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Cybersecurity Awareness Resources - As part of the FDIC's Community Banking Initiative, the agency is adding to its cybersecurity awareness resources for financial institutions. These include a Cybersecurity Awareness video and three new vignettes for the Cyber Challenge, which consists of exercises that are intended to encourage discussions of operational risk issues and the potential impact of information technology disruptions on common banking functions. https://www.fdic.gov/news/news/financial/2015/fil15055.html

FYI - Could Hello Barbie become the plaything of hackers? Turns out toys are vulnerable, too - Mattel's chatty doll could listen in on your kids, while a hacker has already swiped children's pictures and personal info from toymaker VTech. Experts say Internet-connected toys are rife with security problems. http://www.cnet.com/news/could-hello-barbie-become-the-plaything-of-hackers-turns-out-toys-are-vulnerable-to-hacks-too/

FYI - Moody's: Cyber risks will impact credit ratings - Moody's will begin to place more weight on considerations related to cyber risks when issuing credit ratings. The company released a report, “Cross Sector – Global: Cyber Risk of Growing Importance to Credit Analysis,” outlining their plans to assess cyber issues as part of the credit rating process. http://www.scmagazine.com/moodys-cyber-risks-will-impact-credit-ratings/article/456276/

FYI - Americans come in second for cyber banking safety - When it comes to online banking, Americans are the second most security focused nation behind Great Britain, according to an ESET survey. http://www.scmagazine.com/survey-finds-americans-online-banking-habits-could-be-more-secure/article/456465/

FYI - Former RoadRunner Wireless worker arrested for hacking company - A Rio Rancho, N.M., man was arrested for allegedly hacking into his former employer Roadrunner Wireless's servers and posing as a company technician. http://www.scmagazine.com/former-roadrunner-wireless-worker-arrested-for-hacking-company/article/457044/

FYI - Bank of England worried about cyber-threats - Market crashes in China and Greek political uncertainty loomed over the financial world this summer. Now as it begins to look more stable, the Bank of England (BOE) worries about finance risks more than ever with cyber-security the number two worry for bankers. http://www.scmagazine.com/bank-of-england-worried-about-cyber-threats/article/457181/

FYI - OPM launches site for victims to check if personal information stolen - The Office of Personnel Management (OPM) launched a website for potential victims to check whether their personal information was stolen as part of the massive hack in June. The personal information of 21.5 million people and at least 5.6 million fingerprints were stolen as a result of the attack. http://www.scmagazine.com/opm-launches-site-for-victims-to-check-if-personal-information-stolen/article/457442/

FYI - Target reaches preliminary $39.4M settlement with banks - Target Corp. has reached a preliminary settlement with banks affected by the retailer's 2013 breach, agreeing to pay out $39.4 million to the financial institutions. http://www.scmagazine.com/target-reaches-preliminary-394m-settlement-with-banks/article/457452/

FYI - Commercial Bank Examination Manual, October 2015 update. www.federalreserve.gov/boarddocs/supmanual/cbem/cbem.pdf

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - 5M affected in VTech breach; security concerns raised with popular holiday items - A cybercriminal stole a database on Nov. 14 from the Hong Kong-based toymaker VTech that contained the information of nearly five million people including more than 200,000 children even as security issues with other popular holiday items have raised concerns. http://www.scmagazine.com/hong-kong-based-toymakers-breach-impacts-nearly-five-million/article/456597/

FYI - China-based hacks hit Interior Dept. in 2013, inspector says - Foreign cyber spies and other hackers have infiltrated the Department of the Interior 19 times in recent years, according to a recent government watchdog report. http://thehill.com/policy/cybersecurity/261313-ig-chinese-hackers-hit-interior-department-in-2013

FYI - Hack of toy maker VTech exposes 5 million customers - A hacker got into a customer database for the Learning Lodge app store, where parents can download apps, games and e-books for VTech toys. VTech, a Chinese company that makes popular electronic toys for kids, had its app store hacked. http://www.cnet.com/news/hack-of-toy-maker-vtech-exposes-families/

FYI - Amazon force-resets some account passwords, citing password leak - It's not clear how many accounts are affected. Amazon has force-reset an unknown number of accounts, after passwords may have been compromised. http://www.zdnet.com/article/amazon-is-resetting-account-passwords-for-some-accounts/

FYI - Hilton Data Breach Focuses Attention On Growing POS Malware Threat - Analysts expect an increase in POS attacks against retailers and others during this holiday shopping season. http://www.darkreading.com/attacks-breaches/hilton-data-breach-focuses-attention-on-growing-pos-malware-threat/d/d-id/1323326

FYI - Breach at IT Automation Firm LANDESK - LANDESK, a company that sells software to help organizations securely and remotely manage their fleets of desktop computers, servers and mobile devices, alerted employees last week that a data breach may have exposed their personal information. But LANDESK employees contacted by this author say the breach may go far deeper for the company and its customers. http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/

FYI - 'Hacker Buba' holds UAE bank to ransom - One mysterious hacker has blackmailed a UAE bank threatening to release the account information of some of their most important clients over Twitter. http://www.scmagazine.com/hacker-buba-holds-uae-bank-to-ransom/article/456760/ 

FYI - Armada Collective demands ransom from Greek banks - A hacking group dubbing itself the Armada Collective has claimed responsibility for striking three Greek banks with distributed denial of service (DDoS) attacks and has threatened to continue to do so unless paid a ransom. http://www.scmagazine.com/aramada-collective-demands-ransom-from-greek-banks/article/457072/

FYI - It isn't over .... Adele fans' security breached - Some fans buying tickets for Adele's European tour were shocked to see the payment details and addresses from other people's shopping baskets other than their own while attempting to check out. http://www.scmagazine.com/it-isnt-over-adele-fans-security-breached/article/457192/

FYI - Hackers use Dropbox to target Hong Kong media - Hong Kong activists have been targeted via Dropbox according to FireEye, with the Chinese government the top suspect. Hong Kong journalists and activist groups were targeted by Chinese hackers, according to information from FireEye. http://www.scmagazine.com/hackers-use-dropbox-to-target-hong-kong-media/article/457479/


WEB SITE COMPLIANCE
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 8 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.

Disclaimers and Disclosures

Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy policies do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.

In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.

A "pop-up" is a screen generated by mobile code, for example Java or ActiveX, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile code.

In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer.
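As an added illustration of the server-generated speedbump described above (example code written for this newsletter, not part of the FFIEC statement), the handler below renders the exit disclosure for a link identifier that maps to a pre-approved destination. The registry, link identifiers and destination URLs are constructed placeholders; taking an identifier rather than a raw URL from the request keeps the interstitial from being used to send customers to arbitrary sites.

```python
import html
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed registry of approved third-party links (placeholders). A real
# institution would load this from configuration reviewed by compliance.
APPROVED_LINKS = {
    "insurance-partner": "https://insurance.example.org/quotes",
    "mortgage-calc": "https://calc.example.net/mortgage",
}

# Disclosure text modelled on the elements the FFIEC statement lists.
DISCLOSURE = (
    "You are leaving the institution's website. The institution does not "
    "provide, and is not responsible for, the products, services, or content "
    "of the third-party site, and the institution's privacy policy does not "
    "apply there. Please consult the privacy disclosures on that site."
)


def resolve_link(link_id: str) -> Optional[str]:
    """Map a registered link identifier to its approved HTTPS destination.

    Returns None for unknown identifiers or non-HTTPS entries, so the
    speedbump never redirects to anything outside the approved registry.
    """
    dest = APPROVED_LINKS.get(link_id)
    if dest is None or urlsplit(dest).scheme != "https":
        return None
    return dest


def render_speedbump(link_id: str) -> Tuple[int, str]:
    """Return (HTTP status, HTML body) for the intermediate 'speedbump' page."""
    dest = resolve_link(link_id)
    if dest is None:
        return 404, "<p>Unknown link.</p>"
    # Escape everything that reaches the page so registry values cannot inject markup.
    host = html.escape(urlsplit(dest).netloc)
    body = (
        "<!doctype html><html><body>"
        "<h1>You are leaving our website</h1>"
        f"<p>{html.escape(DISCLOSURE)}</p>"
        f"<p>Destination: {host}</p>"
        f'<p><a href="{html.escape(dest)}" rel="noopener noreferrer">Continue</a>'
        ' | <a href="/">Return to our site</a></p>'
        "</body></html>"
    )
    return 200, body
```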



FFIEC IT SECURITY
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Testing.

Management should ensure that information system networks are tested regularly. The nature, extent, and frequency of tests should be proportionate to the risks of intrusions from external and internal sources. Management should select qualified and reputable individuals to perform the tests and ensure that tests do not inadvertently damage information systems or reveal confidential information to unauthorized individuals. Management should oversee the tests, review test results, and respond to deficiencies in a timely manner. In accordance with OCC's "Technology Risk Management: PC Banking," management should ensure that an objective, qualified source conducts a penetration test of Internet banking systems at least once a year or more frequently when appropriate.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 4 - COMMON THREATS: A BRIEF OVERVIEW

Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can stem, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks. Precision in estimating computer security-related losses is not possible because many losses are never discovered, and others are "swept under the carpet" to avoid unfavorable publicity. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system.

This chapter presents a broad view of the risky environment in which systems operate today. The threats and associated losses presented in this chapter were selected based on their prevalence and significance in the current computing environment and their expected growth. This list is not exhaustive, and some threats may combine elements from more than one area. This overview of many of today's common threats may prove useful to organizations studying their own threat environments; however, the perspective of this chapter is very broad. Thus, threats against particular systems could be quite different from those discussed here.

To control the risks of operating an information system, managers and users need to know the vulnerabilities of the system and the threats that may exploit them. Knowledge of the threat environment allows the system manager to implement the most cost-effective security measures. In some cases, managers may find it more cost-effective to simply tolerate the expected losses. Such decisions should be based on the results of a risk analysis.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved. Our logo is registered with the United States Patent and Trademark Office.
© Copyright Yennik, Incorporated