REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Banks could owe big if they don't stop funds transfer fraud - A Maine bank will take the unusual measure of reimbursing a small construction company whose accounts were emptied of nearly $600,000 by hackers. http://www.scmagazine.com/banks-could-owe-big-if-they-dont-stop-funds-transfer-fraud/article/270624/?DCMP=EMC-SCUS_Newswire

FYI - Clueless officials hamper cybersecurity law-making - Governments need to know what problems the cybersecurity legislation is meant to address, or they will face public backlash over the possible intrusions to their personal rights. http://www.zdnet.com/clueless-officials-hamper-cybersecurity-law-making-7000008140/

FYI - Syria suffers Internet 'blackout'; cut off from the outside world - Syria, ravished by civil war and internal conflict, is no longer connected to the wider Internet, in a move that is reminiscent of the final weeks of the Gaddafi regime.
http://www.zdnet.com/syria-suffers-internet-blackout-cut-off-from-the-outside-world-7000008100/
http://www.wired.co.uk/news/archive/2012-11/30/syria-offline?page=all

FYI - Judge Gives Bradley Manning Permission to Plead Guilty for WikiLeaks Dumps - A military judge in Maryland has accepted the terms under which alleged WikiLeaks leaker Bradley Manning has proposed to plead guilty. http://www.wired.com/threatlevel/2012/11/manning-plea-terms-accepted/

FYI - ENISA promotes digital hacker traps - The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage; the agency tested 30 current systems and came up with concrete recommendations. http://www.h-online.com/security/news/item/ENISA-promotes-digital-hacker-traps-1759415.html

FYI - Australian cops bust Romanian credit card thieves - Australia's Federal Police (AFP) has triumphantly announced it has brought a gang of Romanian credit card fraudsters to heel, but not before the criminals purloined half a million credit card numbers from small Australian retailers. http://www.theregister.co.uk/2012/11/29/australian_federal_police_bust_romanian_credit_card_fraudsters/

FYI - John McAfee Exposes His Location in Photo About His Being on Run - Generally speaking, if you're on the run from the authorities over a homicide, you're probably best laying low and not making too much noise. Sure, there is a case for trolling "the man", but it usually comes back to haunt you. https://isc.sans.edu/diary.html?storyid=14623

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers steal and publish e-mails from U.N. nuclear agency - The IAEA confirms its servers were breached and a hacking group claims responsibility demanding an investigation into Israel's alleged nuclear proliferation program. http://news.cnet.com/8301-1009_3-57555539-83/hackers-steal-and-publish-e-mails-from-u.n-nuclear-agency/

FYI - Western Connecticut State notifies 235k over database gaffe - Western Connecticut State University in Danbury, Conn., was publicly accessible for nearly 3 1/2 years. http://www.scmagazine.com/western-connecticut-state-notifies-235k-over-database-gaffe/article/270604/?DCMP=EMC-SCUS_Newswire

FYI - Personal info of 1m compromised in Nationwide breach - The FBI is investigating a breach at Nationwide Insurance, where hackers recently accessed the sensitive information of about one million people, including policy and non-policy holders.
http://www.scmagazine.com/personal-info-of-1m-compromised-in-nationwide-breach/article/270448/?DCMP=EMC-SCUS_Newswire
http://www.theregister.co.uk/2012/11/30/jaxa_data_loss/

FYI - Malware slurps rocket data from Japanese space agency - Malware on a computer in the Japan Aerospace Exploration Agency (JAXA) has been stealing data on the latest Nipponese solid-fuel rocket system. http://www.theregister.co.uk/2012/11/30/jaxa_data_loss/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (10 of 12)

Test affected systems or procedures prior to implementation.

Testing is an important function in the incident response process. It helps ensure that reconfigured systems, updated procedures, or new technologies implemented in response to an incident are fully effective and performing as expected. Testing can also identify whether any adjustments are necessary prior to implementing the updated system, process, or procedure.

Follow-up

During the follow-up process, an institution has the opportunity to regroup after the incident and strengthen its control structure by learning from the incident. A number of institutions have included the following best practice in their IRPs.

Conduct a "lessons-learned" meeting.

1) Successful organizations can use the incident and build from the experience. Organizations can use a lessons-learned meeting to
2) discuss whether affected controls or procedures need to be strengthened beyond what was implemented during the recovery phase;
3) discuss whether significant problems were encountered during the incident response process and how they can be addressed;
4) determine if updated written policies or procedures are needed for the customer information security risk assessment and information security program;
5) determine if updated training is necessary regarding any new procedures or updated policies that have been implemented; and
6) determine if the bank needs additional personnel or technical resources to be better prepared going forward.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 

System Architecture and Design

The Internet can facilitate unchecked and/or undesired access to internal systems, unless systems are appropriately designed and controlled. Unwelcome system access could be achieved through IP spoofing techniques, where an intruder may impersonate a local or internal system and be granted access without a password. If access to the system is based only on an IP address, any user could gain access by masquerading as a legitimate, authorized user by "spoofing" the user's address. Not only could any user of that system gain access to the targeted system, but so could any system that it trusts. 

Improper access can also result from other technically permissible activities that have not been properly restricted or secured. For example, application layer protocols are the standard sets of rules that determine how computers communicate across the Internet. Numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are utilized on the Internet. The most familiar, Hyper Text Transfer Protocol (HTTP), facilitates the movement of text and images. But other types of protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers. Telnet protocol actually enables one computer to log in to another. Protocols such as FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture. 

The open architecture of the Internet also makes it easy for system attacks to be launched  against systems from anywhere in the world. Systems can even be accessed and then used to launch attacks against other systems. A typical attack would be a denial of service attack, which is intended to bring down a server, system, or application. This might be done by overwhelming a system with so many requests that it shuts down. Or, an attack could be as simple as accessing and altering a Web site, such as changing advertised rates on certificates of deposit. 

Security Scanning Products 

A number of software programs exist which run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

48.  If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketing in §13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:

a.  servicing or processing a financial product or service requested or authorized by the consumer; [§14(a)(1)]

b.  maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [§14(a)(2)]

c.  a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [§14(a)(3)]