NEW - What if
you could continuously review your IT operations throughout the
year, for less than five dollars a week? You can - by relying
on The Weekly IT Security Review by Yennik, Inc.
Readers have been asking us for a method that would allow them to
continuously review their IT operations throughout the year.
We have responded by using our expertise to develop The Weekly IT
Security Review - and we’re offering it to you for a limited
time at the inaugural price of $245, which is 50% off the regular
annual price of $490. Designed especially for IT
professionals, this new offering from Yennik, Inc. provides a weekly
review of information systems security issues. For more
information and to subscribe visit
http://www.yennik.com/it-review/index.html.
FYI -
As attacks increase, U.S. struggles to recruit computer security
experts - The federal government is struggling to fill a growing
demand for skilled computer-security workers, from technicians to
policymakers, at a time when network attacks are rising in frequency
and sophistication.
http://www.washingtonpost.com/wp-dyn/content/article/2009/12/22/AR2009122203789_pf.html
FYI -
Secret code protecting cellphone calls set loose - Universal phone
snooping moves forward - Cryptographers have moved closer to their
goal of eavesdropping on cellphone conversations after cracking the
secret code used to prevent the interception of radio signals as
they travel between handsets and mobile operators' base stations.
http://www.theregister.co.uk/2009/12/28/gsm_eavesdropping_breakthrough/
FYI -
DDoS attack on DNS hits Amazon and others briefly - Internet users
in Northern California were unable to reach properties including
Amazon.com and Amazon Web Services for a time Wednesday evening, as
their DNS provider was targeted by a distributed denial-of-service
attack. The attack came as North American consumers rushed to finish
online shopping ahead of the end-of-year holiday season.
http://www.computerworld.com/s/article/9142681/DDoS_attack_on_DNS_hits_Amazon_and_others_briefly?source=rss_security
FYI -
U.S. agencies faulted by GAO for leak of nuclear data - Five
government agencies, the National Security Council and two
congressional offices all share blame for the inadvertent
publication of sensitive information regarding hundreds of civilian
nuclear sites, government watchdogs concluded.
http://www.washingtonpost.com/wp-dyn/content/article/2009/12/23/AR2009122302970_pf.html
FYI -
ID Theft Settlement Gets Preliminary Approval - Federal judge gives
preliminary approval to settlement over Countrywide ID theft - A
federal judge has given preliminary approval to a settlement between
Countrywide Financial Corp., and millions of customers whose
detailed financial information was exposed in a security breach.
http://abcnews.go.com/Business/wireStory?id=9418695
FYI -
Former Jefferson Parish Assistant District Attorney Sentenced for
Unauthorized Access to Information by Use of a Computer - A resident
of Gretna, Louisiana, was sentenced today in federal court by the
Honorable Helen G. Berrigan to two (2) years probation and ordered
to pay a $3,000 fine for Unauthorized Access to Information by Use
of a Computer, announced U.S. Attorney Jim Letten.
http://neworleans.fbi.gov/dojpressrel/pressrel09/no122209.htm
FYI -
Citibank refutes reported hack by Russian gang - Citigroup
representatives are refuting a published report alleging the
financial services firm was the victim of tens of millions of
dollars being siphoned out of customer accounts.
http://www.scmagazineus.com/citibank-refutes-reported-hack-by-russian-gang/article/160124/
FYI -
Howard Schmidt appointed White House cybersecurity coordinator -
Howard Schmidt, a former police officer who parlayed a passion for
technology into chief security roles at eBay, Microsoft and the
White House, was appointed federal cybersecurity coordinator.
http://www.scmagazineus.com/howard-schmidt-appointed-white-house-cybersecurity-coordinator/article/160110/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
MBNA confirms data loss after laptop containing personal details of
thousands of customers was stolen from vendor - A laptop containing
personal details of thousands of MBNA credit card customers has been
stolen.
http://www.scmagazineuk.com/mbna-confirms-data-loss-after-laptop-containing-personal-details-of-thousands-of-customers-was-stolen-from-vendor/article/160217/
WEB SITE COMPLIANCE -
Over the next 12 weeks we will cover the recently released FDIC
Supervisory Insights regarding Incident Response Programs. (1 of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money." In the
Information Age, data may be just as good. Reports of data
compromises and security breaches at organizations ranging from
universities and retail companies to financial institutions and
government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining
and profiting from sensitive customer information. Whether a network
security breach compromising millions of credit card accounts or a
lost computer tape containing names, addresses, and Social Security
numbers of thousands of individuals, a security incident can damage
corporate reputations, cause financial losses, and enable identity
theft.
Banks are increasingly becoming prime targets for attack because
they hold valuable data that, when compromised, may lead to identity
theft and financial loss. This environment places significant
demands on a bank's information security program to identify and
prevent vulnerabilities that could result in successful attacks on
sensitive customer information held by the bank. The rapid adoption
of the Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities in
popular hardware and software have presented serious security
challenges to the banking industry. In this high-risk environment,
it is very likely that a bank will, at some point, need to respond
to security incidents affecting its customers.
To mitigate the negative effects of security breaches, organizations
are finding it necessary to develop formal incident response
programs (IRPs). However, at a time when organizations need to be
most prepared, many banks are finding it challenging to assemble an
IRP that not only meets minimum requirements (as prescribed by
Federal bank regulators), but also provides for an effective
methodology to manage security incidents for the benefit of the bank
and its customers. In response to these challenges, this article
highlights the importance of IRPs to a bank's information security
program and provides information on required content and best
practices banks may consider when developing effective response
programs.
INFORMATION TECHNOLOGY SECURITY -
This concludes our coverage
of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
Part III. Risks Associated with Both Internal Wireless Networks and
Wireless Internet Devices
Evolution and Obsolescence
As the wireless technologies available today evolve, financial
institutions and their customers face the risk of current
investments becoming obsolete in a relatively short time. As
demonstrated by the weaknesses in WEP and earlier versions of WAP
and the changes in standards for wireless technologies, wireless
networking as a technology may change significantly before it is
considered mature. Financial institutions that invest heavily in
components that may become obsolete quickly may feel the cost of
adopting an immature technology.
Controlling the Impact of Obsolescence
Wireless internal networks are subject to the same types of
evolution that encompass the computing environment in general. Key
questions to ask a vendor before purchasing a wireless internal
network solution include:
1) What is the upgrade path to the next class of network?
2) Do the devices support firmware (Flash) upgrades for security
patches and upgrades?
3) How does the vendor distribute security information and patches?
The financial institution should also consider the evolving
standards of the wireless community. Before entering into an
expensive implementation, the institution should research when the
next major advances in wireless are likely to be released. Bank
management can then make an informed decision on whether the
implementation should be based on currently available technology or
a future implementation based on newer technology.
The potential obsolescence of wireless customer access can be
controlled in other ways. As the financial institution designs
applications that are to be delivered through wireless devices, they
should design the application so that the business logic is not tied
to a particular wireless technology. This can be accomplished by
placing the majority of the business logic on back-end or mid-tier
servers that are independent of the wireless application server. The
wireless application server then becomes a connection point between
the customer and the transactions performed. As the institution
decides to upgrade or replace the application server, the business
logic can remain relatively undisturbed.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
44. If the institution receives
information from a nonaffiliated financial institution under an
exception in §14 or §15, does the institution refrain from using or
disclosing the information except:
a. to disclose the information to the affiliates of the financial
institution from which it received the information; [§11(a)(1)(i)]
b. to disclose the information to its own affiliates, which are in
turn limited by the same disclosure and use restrictions as the
recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an exception in
§14 or §15 in the ordinary course of business to carry out the
activity covered by the exception under which the information was
received? [§11(a)(1)(iii)]
(Note: the disclosure or use described in section c of
this question need not be directly related to the activity covered
by the applicable exception. For instance, an institution receiving
information for fraud-prevention purposes could provide the
information to its auditors. But "in the ordinary course of
business" does not include marketing. [§11(a)(2)])