FYI - Online banking warning surprises some experts - Jennifer Bayuk is an tech security consultant, speaker and book author. She is the former chief information security officer of Bear Stearns.CAPTIONCourtesy bayuk.comThe American Bankers Association's advice to small and mid-sized businesses to only use a dedicated PC for online banking has surprised some tech security experts. http://content.usatoday.com/communities/technologylive/post/2010/01/online-banking-precaution-for-small-and-mid-sized-businesses-draws-attention-/1?loc=interstitialskip

FYI - Gonzalez pleads guilty to Heartland, Hannaford, 7-11 hack - Retail hacker Albert Gonzalez on Tuesday was back in court, where he admitted to conspiring to hack into the networks of Heartland Payment Systems and several other companies. http://www.scmagazineus.com/gonzalez-pleads-guilty-to-heartland-hannaford-7-11-hack/article/160355/

FYI - TJX sniffer author jailed for two years - First of the gang - The malware coder who wrote the sniffer program used in the infamous TJX credit card heist has been jailed for two years. http://www.theregister.co.uk/2009/12/29/tjx_sniffer_vxer_jailed/

FYI - Encryption protecting most mobile phones cracked - Computer security researchers say they have cracked the encryption algorithm used to protect most cell phone communications, potentially allowing attackers to listen in on the calls of billions of individuals. http://www.scmagazineus.com/encryption-protecting-most-mobile-phones-cracked/article/160327/

FYI - IT security forecast 2010: Hope for the best and prepare for the worst - It's that time of year again. Time to recap the things which happened in the past year and give our predictions for what will happen in the future. Are you ready for prognostications of doom...and malware in our phones and our microwaves and cars? Or can we finally dispense with that tradition, once and for all? http://www.scmagazineus.com/it-security-forecast-2010-hope-for-the-best-and-prepare-for-the-worst/article/160407/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Ex-exec of matchmaking firm 'stole personal data' - A former executive of matchmaking service firm Web in Chiba Prefecture allegedly stole personal data of about 16,000 people who registered with the firm and tried to sell it to other matchmaking firms, it has been learned. http://news.asiaone.com/News/AsiaOne%2BNews/Crime/Story/A1Story20091226-188083.html

FYI - Hacker accesses Eastern Washington University's network - A hacker accessed the computer network of Eastern Washington University in Cheney, Wash., placing sensitive student information at risk. http://www.scmagazineus.com/hacker-accesses-eastern-washington-universitys-network/article/160560/

FYI - 30K Penn State records breached due to malware - Penn State University officials are working to notify tens of thousands of individuals whose records may have been compromised. http://www.scmagazineus.com/30k-penn-state-records-breached-due-to-malware/article/160330/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (2 of 12)

The Importance of an Incident Response Program

A bank's ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.

First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry's efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.  Compounding the problem is the difficulty an organization experiences in sustaining a "fully secured" posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management's efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.

Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank's information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.  These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.  This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.  Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.

Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank's reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We begin a new series  from the FDIC "Security Risks Associated with the Internet."  While this Financial Institution Letter was published in December 1997, the issues still are relevant.

This FDIC paper alerts financial institutions to the fundamental technological risks presented by use of the Internet. Regardless of whether systems are maintained in-house or services are outsourced, bank management is responsible for protecting systems and data from compromise.

Security Risks 

The Internet is inherently insecure. By design, it is an open network which facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise. Five areas of concern relating to both transactional and system security issues, as discussed below, are: Data Privacy and Confidentiality, Data Integrity, Authentication, Non-repudiation, and Access Control/System Design. 

Data Privacy and Confidentiality 

Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords. 

Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

45.  If the institution receives information from a nonaffiliated financial institution other than under an exception in §14 or §15, does the institution refrain from disclosing the information except:

a.  to the affiliates of the financial institution from which it received the information; [§11(b)(1)(i)]

b.  to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)] and

c.  to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [§11(b)(1)(iii)]