December 8, 2002
FYI - Cybersecurity is on everyone's mind. Threats run the gamut, from domestic to foreign, internal to external, from teenage hackers to sophisticated rings with malicious intentions. So, how should corporations protect themselves? And how do they implement security measures without breaking the bank? http://www.newsfactor.com/perl/story/20084.html

FYI - Lax Security: ID Theft Made Easy - The people charged last week with stealing the identities of at least 30,000 Americans weren't criminal masterminds. They simply took advantage of sloppy security practices that allowed them easy and unrestricted access to sensitive data. http://www.wired.com/news/privacy/0%2C1848%2C56623%2C00.html

FYI - Woman sentenced in multimillion-dollar software sting - A 52-year-old Taiwanese woman who pleaded no contest in one of the U.S.'s largest software piracy cases was sentenced to nine years in prison, one of the longest sentences ever in the U.S. for a case involving software piracy. http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76194,00.html
INTERNET COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk, institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
Potential Threats To Consider
Serious hackers, interested computer novices, dishonest vendors or
competitors, disgruntled current or former employees, organized
crime, or even agents of espionage pose a potential threat to an
institution's computer security. The Internet provides a wealth of
information to banks and hackers alike on known security flaws in
hardware and software. Using almost any search engine, average
Internet users can quickly find information describing how to break
into various systems by exploiting known security flaws and software
bugs. Hackers also may breach security by misusing vulnerability
assessment tools to probe network systems, then exploiting any
identified weaknesses to gain unauthorized access to a system.
Internal misuse of information systems remains an ever-present
security threat.
Many break-ins or insider misuses of information occur due to poor
security programs. Hackers often exploit well-known weaknesses and
security defects in operating systems that have not been
appropriately addressed by the institution. Inadequate maintenance
and improper system design may also allow hackers to exploit a
security system. New security risks arise from evolving attack
methods or newly detected holes and bugs in existing software and
hardware. Also, new risks may be introduced as systems are altered
or upgraded, or through the improper setup of available
security-related tools. An institution needs to stay abreast of new
security threats and vulnerabilities. It is equally important to
keep up to date on the latest security patches and version upgrades
that are available to fix security flaws and bugs. Information
security and relevant vendor Web sites contain much of this
information.
Systems can be vulnerable to a variety of threats, including the
misuse or theft of passwords. Hackers may use password-cracking
programs to recover poorly selected passwords, then reuse those
passwords to reach other parts of the system. Passwords sent across
the network unencrypted can easily be captured by anyone able to
monitor network traffic; theft is considerably more difficult when
passwords are encrypted in transit. Employees or hackers may also
attempt to compromise system administrator access (root access),
tamper with critical files, read confidential e-mail, or initiate
unauthorized e-mails or transactions.
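The password audit described above, as an added example that is not part of the FDIC paper or this newsletter: a short wordlist plus the mutations users typically apply is run against a constructed password store, first held as unsalted MD5 digests and then as per-user salted PBKDF2 digests. It shows why poorly selected passwords fall to a cracking program in seconds, and why salting and a slow hash multiply the attacker's work by the number of accounts and the iteration count. The users, passwords, wordlist and mutation rules are hypothetical, and the PBKDF2 iteration count is reduced so the example runs quickly.

```python
# Added example, not code from the FDIC paper or the newsletter. Users, passwords,
# wordlist and mutation rules below are constructed for illustration.
import hashlib
import os

# Constructed wordlist and mutation rules; a real audit would use a large dictionary.
WORDLIST = ["password", "welcome", "bank", "letmein", "summer", "admin"]
SUFFIXES = ["", "1", "123", "2002", "!"]


def candidates(wordlist=WORDLIST):
    """Yield each dictionary word with the mutations users typically apply."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield base + suffix


def is_weak(password, wordlist=WORDLIST):
    """Proactive check at password-set time: reject anything the audit would recover."""
    return password in set(candidates(wordlist))


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


# Constructed store of hypothetical users. The last password is not derivable
# from the wordlist and should survive the audit.
PLAINTEXTS = {
    "jsmith": "password",
    "mlee": "Welcome1",
    "tjones": "bank2002",
    "admin": "xK9#vQ2m$Lp7",
}
UNSALTED_STORE = {user: md5_hex(pw) for user, pw in PLAINTEXTS.items()}


def crack_unsalted(store, wordlist=WORDLIST):
    """Unsalted digests: hash each candidate once and look it up against every user.

    Returns (recovered passwords by user, number of digests computed)."""
    users_by_digest = {}
    for user, digest in store.items():
        users_by_digest.setdefault(digest, []).append(user)
    recovered, computed = {}, 0
    for cand in candidates(wordlist):
        computed += 1
        for user in users_by_digest.get(md5_hex(cand), []):
            recovered[user] = cand
    return recovered, computed


# Salted, iterated storage. The iteration count is reduced so the example runs
# quickly; production deployments use a far higher count.
ITERATIONS = 10_000


def pbkdf2_hex(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_store(plaintexts, iterations=ITERATIONS):
    """Keep a fresh random salt alongside each digest, one salt per user."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, iterations, pbkdf2_hex(pw, salt, iterations))
    return store


def crack_salted(store, wordlist=WORDLIST):
    """Salted digests: the candidate list must be rehashed separately for each user,
    so the work grows with the number of accounts and with the iteration count."""
    recovered, computed = {}, 0
    for user, (salt, iterations, digest) in store.items():
        for cand in candidates(wordlist):
            computed += 1
            if pbkdf2_hex(cand, salt, iterations) == digest:
                recovered[user] = cand
                break
    return recovered, computed


if __name__ == "__main__":
    found, n = crack_unsalted(UNSALTED_STORE)
    print(f"unsalted MD5: recovered {found} with {n} digests")
    found, n = crack_salted(make_salted_store(PLAINTEXTS))
    print(f"salted PBKDF2: recovered {found} with {n} digests")
```

Against the unsalted store the whole 90-candidate list costs 90 cheap digests for all accounts together; against the salted store the same list is rehashed per account with a slow function, and the strong password forces the attacker through every candidate for that account. The same candidate generator doubles as a password-quality check (is_weak) an institution can apply when a password is chosen, which is the cheaper place to stop these passwords.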
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory privacy examination questions. Answering the question each week will help ensure compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
information except:
a. to the affiliates of the financial institution from which
it received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the
same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)]
and
c. to any other person, if the disclosure would be lawful if
made directly to that person by the institution from which the
recipient institution received the information? [§11(b)(1)(iii)]