REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI
- Banking trojan on offer again, this time with sky-high price tag -
Members of the Carberp crime network have returned to the market,
and are offering the banking malware at a steep price for serious
suitors: $40,000 per trojan kit.
http://www.scmagazine.com/banking-trojan-on-offer-again-this-time-with-sky-high-price-tag/article/272725/?DCMP=EMC-SCUS_Newswire
FYI
- Penetrating Sealed Networks - Not long ago, if your computer
network was cut off from the Internet, devoid of wireless routers
and hunkered behind locked doors, you were safe. But not anymore.
http://www.defensenews.com/article/20121216/DEFREG02/312160002/Cyber-8217-s-Next-Chapter-Penetrating-Sealed-Networks?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE
FYI
- Agencies seek more guidance on mobile technology - Government
agencies want more guidance on how to safely and smartly adopt new
mobile technology programs, such as bring-your-own-device plans, an
interagency group of chief information officers said Wednesday.
http://www.nextgov.com/cloud-computing/2012/12/agencies-seek-more-guidance-mobile/60121/?oref=ng-HPtopstory
FYI
- ‘Non-Harmful’ Phone Spoofing OK, Appeals Court Says - A federal
appeals court is nullifying a Mississippi law that forbids phone
spoofing of any type, ruling that Congress has authorized so-called
“non-harmful” spoofing.
http://www.wired.com/threatlevel/2012/12/phone-spoofing/
FYI
- Japan police offer first-ever reward for wanted hacker - Japan's
National Police Agency has posted a US$36,000 reward for a case in
which it wrongly arrested men with hacked PCs - Japanese police are
looking for an individual who can code in C#, uses a "Syberian Post
Office" to make anonymous posts online, and knows how to surf the
web without leaving any digital tracks -- and they're willing to
pay.
http://www.computerworld.com/s/article/9234658/Japan_police_offer_first_ever_reward_for_wanted_hacker?taxonomyId=17
FYI
- FCC releases Smartphone Security Checker - The Federal
Communications Commission this week released an online tool, known
as the Smartphone Security Checker, that offers a number of best
practices for securing mobile devices.
http://www.scmagazine.com/fcc-releases-smartphone-security-checker/article/273384/?DCMP=EMC-SCUS_Newswire
FYI
- FDIC Report Provides Overview of Mobile Payments Services -
Mobile payments have the potential to significantly change how
consumers pay for goods and services. "Mobile Payments: An Evolving
Landscape," which appears in the Winter 2012 issue of Supervisory
Insights released today, describes the range of mobile payments
options, identifies the risks associated with their use, and looks
at how banks that offer mobile payments services can ensure
compliance with existing laws and regulations.
www.fdic.gov/news/news/press/2012/pr12147.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- 'Dexter' Directly Attacks Point-of-Sale Systems - Attackers employ
custom malware rather than physical skimmers to steal payment card
information from PoS systems in 40 countries - Point-of-sale (PoS)
systems at major retailers, hotel chains, and restaurants worldwide
have been hit by new custom malware that targets the PoS.
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240144190/dexter-directly-attacks-point-of-sale-systems.html
FYI
- Calif. Medicaid program exposes 14,000 SSNs - The California
Medical Assistance Program (Medi-Cal) accidentally posted online the
sensitive information of several thousand individuals.
http://www.scmagazine.com/calif-medicaid-program-exposes-14000-ssns/article/272757/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We conclude the series on the FDIC Supervisory Insights article on
Incident Response Programs. (12 of 12)
What the Future Holds
In addition to meeting regulatory requirements and addressing
applicable industry best practices, several characteristics tend to
differentiate banks. The most successful banks will find a way to
integrate incident response planning into normal operations and
business processes. Assimilation efforts may include expanding
security awareness and training initiatives to reinforce incident
response actions, revising business continuity plans to incorporate
security incident responses, and implementing additional security
monitoring systems and procedures to provide timely incident
notification. Ultimately, the adequacy of a bank's IRP reflects on
the condition of the information security program along with
management's willingness and ability to manage information
technology risks. In essence, incident response planning is a
management process, the comprehensiveness and success of which
provide insight into the quality and attentiveness of management. In
this respect, the condition of a bank's IRP, and the results of
examiner review of the incident response planning process, fit well
within the objectives of the information technology examination as
described in the Information Technology-Risk Management Program.
An IRP is a critical component of a well-formed and effective
information security program and has the potential to provide
tangible value and benefit to a bank. Similar to the importance of a
business continuity planning program as it relates to the threat of
natural and man-made disasters, sound IRPs will be necessary to
combat new and existing data security threats facing the banking
community. Given the high value placed on the confidential customer
information held within the financial services industry, coupled
with the publicized success of known compromises, one can reasonably
assume that criminals will continue to probe an organization's
defenses in search of weak points. The need for response programs is
real and has been recognized as such by not only state and Federal
regulatory agencies (through passage of a variety of legal
requirements), but by the banking industry itself. The challenges
each bank faces are to develop a reasonable IRP providing
protections for the bank and the consumer and to
incorporate the IRP into a comprehensive, enterprise-wide
information security program. The most successful banks will exceed
regulatory requirements to leverage the IRP for business advantages
and, in turn, improved protection for the banking industry as a
whole.
INFORMATION TECHNOLOGY SECURITY -
We continue the series from the FDIC paper "Security Risks
Associated with the Internet."
Utilization of the Internet presents numerous issues and risks which
must be addressed. While many aspects of system performance will
present additional challenges to the bank, some will be beyond the
bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
bank's business.
The risks will not remain static. As technologies evolve, security
controls will improve; however, so will the tools and methods used
by others to compromise data and systems. Comprehensive security
controls must not only be implemented, but also updated to guard
against current and emerging threats. Security controls that address
the risks will be presented over the next few weeks.
SECURITY MEASURES
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
and non-repudiation.
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates
are emerging to address security concerns, particularly in the area
of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital
certificates differ depending on the particular security issues
presented by the bank's activities. The technologies,
implementation standards, and the necessary legal infrastructure
continue to evolve to address the security needs posed by the
Internet and electronic commerce.
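The properties this passage assigns to each technology, shown in an added Go example that is not from the FDIC paper or this newsletter: AES-GCM encryption gives confidentiality and, through its tag, detects alteration (integrity), while an Ed25519 signature check gives authentication and non-repudiation. The record contents, the all-zero demo key and the function names (newGCM, sealRecord, openRecord, verifyOrder) are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord: the ciphertext hides the content (confidentiality) and the appended
// GCM tag lets openRecord detect any alteration (integrity). Layout: nonce||ct||tag.
func sealRecord(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize()) // fresh per record; never reuse under a key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord returns an error, never garbled plaintext, if the record was modified.
func openRecord(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed record too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// verifyOrder: a valid Ed25519 signature proves the private-key holder signed (authentication)
// and, unlike a shared-key MAC, cannot later be disowned since anyone can check it (non-repudiation).
func verifyOrder(pub ed25519.PublicKey, order, sig []byte) bool { return ed25519.Verify(pub, order, sig) }

func main() {
	gcm, _ := newGCM(make([]byte, 32)) // constructed all-zero demo key; real keys live in an HSM/KMS
	sealed, _ := sealRecord(gcm, []byte("constructed sample: transfer 500 to acct 1234"))
	sealed[len(sealed)-1] ^= 1 // a single flipped tag bit must be rejected, not decrypted
	_, err := openRecord(gcm, sealed)
	pub, priv, _ := ed25519.GenerateKey(nil)
	sig := ed25519.Sign(priv, []byte("payment order 42"))
	fmt.Println(err != nil, verifyOrder(pub, []byte("payment order 43"), sig)) // true false
}
```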
INTERNET PRIVACY -
This concludes our series
listing the regulatory-privacy examination questions. Next week, we
will begin our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
agencies.
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal information to
nonaffiliated third parties, do the requirements for initial notice
in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for
service providers and joint marketers in §13, not apply because the
institution makes the disclosure:
a. with the consent or at the direction of the consumer;
[§15(a)(1)]
b.
1. to protect the confidentiality or security of records;
[§15(a)(2)(i)]
2. to protect against or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability;
[§15(a)(2)(ii)]
3. for required institutional risk control or for resolving
consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating to
the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity on
behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or
agencies, agencies rating the institution, persons assessing
compliance, and the institution's attorneys, accountants, and
auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or to law
enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or
from a consumer report reported by a consumer reporting agency;
[§15(a)(5)]
f. in connection with a proposed or actual sale, merger, transfer,
or exchange of all or a portion of a business or operating unit, if
the disclosure of nonpublic personal information concerns solely
consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal
requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by Federal, state,
or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory
authorities having jurisdiction over the institution for
examination, compliance, or other purposes as authorized by law?
[§15(a)(7)(iii)]
(Note: the regulation gives the following as an example of
the exception described in section a of this question: "A consumer
may specifically consent to [an institution's] disclosure to a
nonaffiliated insurance company of the fact that the consumer has
applied to [the institution] for a mortgage so that the insurance
company can offer homeowner's insurance to the consumer.")