R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 16, 2012

CONTENTS: Internet Compliance Web Site Audits | IT Security | Internet Privacy | Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which helps you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Appeals Court Sides With Bush Wiretapping - A federal appeals court is refusing to reconsider its August ruling in which it said the federal government may spy on Americans’ communications without warrants and without fear of being sued. http://www.wired.com/threatlevel/2012/12/al-haramain-en-banc/

FYI - S.C. inspector general calls for statewide security program - Following the massive breach that affected 80 percent of South Carolina taxpayers, the state's Inspector General Patrick Maley has recommended several corrective security actions. http://www.scmagazine.com/sc-inspector-general-calls-for-statewide-security-program/article/271321/

FYI - Fraudsters plan spring strike on U.S. banks - Researchers believe that a fraud scheme to launch malware against customers at 30 U.S. banks is still moving forward, though organizers behind the plot are laying low before they strike next spring. http://www.scmagazine.com/fraudsters-plan-spring-strike-on-us-banks/article/272569/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Nine out of 10 hospitals lost personal data in last two years - Take out a quarter and flip it four times. It's unlikely the coin will land on heads (or tails) four times in a row -- a one-in-16 chance to be exact. Yet tossing four consecutive heads or tails is a likelier outcome than being a hospital that hasn't been breached over the past two years. http://www.scmagazine.com/nine-out-of-10-hospitals-lost-personal-data-in-last-two-years/article/271795/?DCMP=EMC-SCUS_Newswire

FYI - 'Eurograbber' Lets Attackers Steal 36 Million Euros From Banks, Customers - Cybercriminals combine new Trojan with SMS malware to crack online banking systems - Researchers say they have identified and thwarted a malware attack that enabled attackers to steal more than 36 million euros from more than 30,000 online banking customers in Europe. http://www.darkreading.com/authentication/167901072/security/news/240143960/eurograbber-lets-attackers-steal-36-million-euros-from-banks-customers.html

FYI - US and UK spooks alerted over massive Swiss data leak - Rogue IT admin plundered state secrets - The Swiss intelligence agency (NDB) has been warning its US and UK counterparts that it may have lost terabytes of their secret information, thanks to one of its IT administrators pulling an inside job. http://www.theregister.co.uk/2012/12/04/swiss_intelligence_data_loss/

FYI - Foreign hackers targeted former military chief Mullen: report - Foreign hackers targeted the computers of Mike Mullen, ex-chairman of the Joint Chiefs of Staff, the Wall Street Journal reported on Wednesday, calling it the latest in a pattern of attacks on computers of former high-ranking U.S. officials. http://www.nbcnews.com/technology/technolog/foreign-hackers-targeted-former-military-chief-mullen-report-1C7455842

FYI - Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches - Hacking group Team Ghostshell Monday announced its latest string of exploits, as well as the release of 1.6 million accounts and records gathered as part of what it has dubbed Project WhiteFox. https://www.informationweek.com/security/attacks/team-ghostshell-hackers-claim-nasa-inter/240144111

FYI - Ransom hackers encrypt medical centre's entire database - Attackers demand £2,600 to release data - An Australian medical centre is reported to be considering paying a ransom demand of $4,000 AUD (£2,600) after blackmailers broke into the organisation’s servers and encrypted its entire patient database. http://news.techworld.com/security/3415635/ransom-hackers-encrypt-medical-centres-entire-database/

FYI - Team GhostShell leaks data from 1.6 million accounts - Team GhostShell, an Anonymous-related hacktivist group, has claimed that it leaked 1.6 million account details and records gleaned from dozens of organizations and businesses, including NASA, the FBI, the Credit Union National Association (CUNA) and the Institute of Makers of Explosives (IME). http://www.scmagazine.com/team-ghostshell-leaks-data-from-16-million-accounts/article/272377/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article on Incident Response Programs.  (11 of 12)

Last week's best practices focused on the more common criteria that have been noted in actual IRPs, but some banks have developed other effective incident response practices. Examples of these additional practices are listed below. Organizations may want to review these practices and determine if any would add value to their IRPs given their operating environments.

Additional IRP Best Practices

1) Test the incident response plan (via walkthrough or tabletop exercises) to assess thoroughness.
2) Implement notices on login screens for customer information systems to establish a basis for disciplinary or legal action.
3) Develop an incident grading system that quantifies the severity of the incident, helps determine if the incident response plan needs to be activated, and specifies the extent of notification escalation.
4) Provide periodic staff awareness training on recognizing potential indicators of unauthorized activity and reporting the incident through proper channels. Some institutions have established phone numbers and e-mail distribution lists for reporting possible incidents.
5) Inform users about the status of any compromised system they may be using.
6) Establish a list of possible consultants, in case the bank does not have the expertise to handle or investigate the specific incident (especially regarding technical compromises).
7) Establish evidence-gathering and handling procedures aimed at preserving evidence of the incident and aiding in prosecution activities.
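Item 3 above calls for an incident grading system but does not show what one looks like. The following Python sketch is an added illustration, not part of the FDIC article or of Yennik's own material: it scores an incident on data sensitivity, system criticality, record count, containment status and whether the incident is confirmed, then maps the score to a tier that decides whether the IRP is activated and who is notified. Every scale, weight, threshold, role name and sample incident here is an assumption an institution would replace with its own values.

```python
"""Incident grading: score an incident, decide IRP activation and escalation.

Added example, not part of the FDIC guidance. All factor scales, weights,
thresholds and notification roles are assumptions an institution would
replace with its own values.
"""
from dataclasses import dataclass

# Assumed factor scales (higher = more severe).
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "customer_npi": 4}
SYSTEM_CRITICALITY = {"test": 1, "support": 2, "business": 3, "core_banking": 4}

# Tier thresholds (minimum score, tier, IRP activated?), highest first.
TIERS = [(19, "Critical", True), (14, "High", True), (8, "Medium", True), (0, "Low", False)]

# Cumulative notification lists per tier; role names are assumptions.
ESCALATION = {
    "Low": ["security team"],
    "Medium": ["security team", "information security officer", "IT management"],
    "High": ["security team", "information security officer", "IT management",
             "senior management", "legal counsel"],
    "Critical": ["security team", "information security officer", "IT management",
                 "senior management", "legal counsel", "board of directors",
                 "primary federal regulator", "law enforcement", "affected customers"],
}


@dataclass
class Incident:
    description: str
    data_sensitivity: str    # key of DATA_SENSITIVITY
    system_criticality: str  # key of SYSTEM_CRITICALITY
    records_affected: int
    ongoing: bool            # True if the intrusion is not yet contained
    confirmed: bool          # False while the report is still only suspected


def records_factor(n: int) -> int:
    """Map an affected-record count onto a 0..4 scale (assumed bands)."""
    if n <= 0:
        return 0
    if n < 10:
        return 1
    if n < 1_000:
        return 2
    if n < 100_000:
        return 3
    return 4


def score(incident: Incident) -> int:
    """Weighted sum: sensitivity and criticality count double; suspected (unconfirmed)
    incidents are discounted by 3 so that unverified reports do not trigger full escalation."""
    s = (2 * DATA_SENSITIVITY[incident.data_sensitivity]
         + 2 * SYSTEM_CRITICALITY[incident.system_criticality]
         + records_factor(incident.records_affected)
         + (2 if incident.ongoing else 0))
    if not incident.confirmed:
        s -= 3
    return max(s, 0)


def grade(incident: Incident) -> dict:
    """Return score, tier, whether the IRP is activated, and who is notified."""
    s = score(incident)
    tier, activate = next((name, act) for minimum, name, act in TIERS if s >= minimum)
    # Floor rule: a confirmed incident touching customer NPI is at least High,
    # because the institution must then evaluate customer notification under
    # its GLBA 501(b) response program regardless of the numeric score.
    if incident.confirmed and incident.data_sensitivity == "customer_npi" and tier in ("Low", "Medium"):
        tier, activate = "High", True
    return {"score": s, "tier": tier, "activate_irp": activate, "notify": ESCALATION[tier]}


if __name__ == "__main__":
    # Constructed sample incidents for illustration.
    samples = [
        Incident("credential stolen via phishing, used on core banking",
                 "customer_npi", "core_banking", 5_000, ongoing=True, confirmed=True),
        Incident("antivirus alert on a test workstation", "internal", "test", 0, False, False),
        Incident("unverified report of a leaked customer list", "customer_npi", "support", 50, False, False),
        Incident("confirmed statements mailed to the wrong customers", "customer_npi", "support", 5, False, True),
    ]
    for inc in samples:
        g = grade(inc)
        print(f"{g['tier']:8} score={g['score']:2} IRP={g['activate_irp']} {inc.description}")
```

The floor rule is the part worth copying: a purely numeric score will under-grade a small but confirmed exposure of customer data, and the notification decision for that case is driven by regulation, not by record count.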


 
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls 

A primary concern in controlling system access is the safeguarding of user IDs and passwords.  The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques (today usually called phishing), such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many spoofing techniques are hard for an average user to identify and guard against, which makes the authentication process itself an important defense mechanism.

The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are derived from someone's personal information, malicious parties can feed that information to software specifically designed to generate likely passwords. Browser and application caches (the FDIC text calls them "cache" files) can automatically retain copies of such data received or sent over the Internet, making them a potential target for a system intruder.
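The point about personal information feeding password-guessing software is easiest to see from both sides at once. The following Python is an added example, not part of the FDIC text: candidate_passwords() builds the kind of wordlist an attacker derives from a leaked name, user ID, e-mail address, phone number and birth year, and is_derived_from_profile() reuses the same generator as the check an institution can run when a user chooses a password. The mangling rules are a small assumed subset of what real guessing tools apply, and the sample profile is constructed, not a real person.

```python
"""Personal-information-derived password check.

Added example, not from the FDIC text. The mangling rules are a small,
assumed subset of what real guessing tools apply; the sample profile is
constructed for illustration.
"""
import itertools
import re

# Assumed character substitutions and common suffixes used by guessing tools.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
COMMON_SUFFIXES = ["1", "123", "!", "2012"]


def tokens_from_profile(profile: dict) -> set[str]:
    """Lower-cased building blocks an attacker can read off a profile."""
    toks: set[str] = set()
    for key in ("first_name", "last_name", "user_id"):
        if profile.get(key):
            toks.add(profile[key].lower())
    if profile.get("email"):
        local = profile["email"].split("@", 1)[0].lower()
        toks.add(local)
        toks.update(t for t in re.split(r"[._-]", local) if t)
    if profile.get("phone"):
        digits = re.sub(r"\D", "", profile["phone"])
        toks.update({digits, digits[-4:], digits[-7:]})
    if profile.get("birth_year"):
        year = str(profile["birth_year"])
        toks.update({year, year[-2:]})
    return {t for t in toks if len(t) >= 2}


def candidate_passwords(profile: dict) -> set[str]:
    """The attacker's view: expand profile tokens into likely passwords."""
    toks = tokens_from_profile(profile)
    words = sorted(t for t in toks if not t.isdigit())
    numbers = sorted(t for t in toks if t.isdigit())
    cands: set[str] = set(numbers)
    for w in words:
        variants = {w, w.capitalize(), w.upper(), w.translate(LEET), w.capitalize().translate(LEET)}
        for v in variants:
            cands.add(v)
            for suffix in numbers + COMMON_SUFFIXES:
                cands.add(v + suffix)
                cands.add(v + suffix + "!")
    for a, b in itertools.permutations(words, 2):   # e.g. "johnsmith", "SmithJohn"
        cands.add(a + b)
        cands.add(a.capitalize() + b.capitalize())
    return cands


def is_derived_from_profile(password: str, profile: dict) -> bool:
    """The defender's view: reject a password an attacker could derive from the
    user's own data. Exact matches are checked case-insensitively against the
    generated candidates; in addition any profile token of four or more
    characters appearing inside the password is rejected, which catches
    padding such as "xSmith99z" but can also reject an innocent password that
    happens to contain a four-digit phone fragment (accepted trade-off)."""
    pw = password.lower()
    if pw in {c.lower() for c in candidate_passwords(profile)}:
        return True
    return any(t in pw for t in tokens_from_profile(profile) if len(t) >= 4)


if __name__ == "__main__":
    # Constructed sample profile; not a real person.
    profile = {"first_name": "John", "last_name": "Smith", "user_id": "jsmith",
               "email": "john.smith@example.com", "phone": "806-555-0147",
               "birth_year": 1975}
    print(f"{len(candidate_passwords(profile))} candidate passwords generated")
    for pw in ["Smith1975", "j0hn.smith", "xSmith99z", "0147", "correct horse battery staple"]:
        print(f"{pw!r}: {'rejected' if is_derived_from_profile(pw, profile) else 'accepted'}")
```

A production check would run this against the enrolment record the institution already holds, and would combine it with a breached-password list; the substring rule is deliberately strict because the same tokens are exactly what an attacker tries first.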


Security Flaws and Bugs / Active Content Languages 

Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications. 

Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used as a foothold into the bank's internal systems. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.

Viruses / Malicious Programs

Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

49.  If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:

a.  required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [§14(b)(1)] or

b.  required, or is a usual, appropriate, or acceptable method to: [§14(b)(2)]

  1.  carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [§14(b)(2)(i)]
  2.  administer or service benefits or claims; [§14(b)(2)(ii)]
  3.  confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [§14(b)(2)(iii)]
  4.  accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
  5.  underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [§14(b)(2)(v)] or
  6.  in connection with:
      i.  the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [§14(b)(2)(vi)(A)]
      ii.  the transfer of receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or
      iii.  the audit of debit, credit, or other payment information? [§14(b)(2)(vi)(C)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated