Online banking warning surprises some experts - The American Bankers
Association's advice to small and mid-sized businesses to only use a
dedicated PC for online banking has surprised some tech security
experts.
Gonzalez pleads guilty to Heartland, Hannaford, 7-11 hack - Retail
hacker Albert Gonzalez on Tuesday was back in court, where he
admitted to conspiring to hack into the networks of Heartland
Payment Systems and several other companies.
TJX sniffer author jailed for two years - First of the gang - The
malware coder who wrote the sniffer program used in the infamous TJX
credit card heist has been jailed for two years.
Encryption protecting most mobile phones cracked - Computer security
researchers say they have cracked the encryption algorithm used to
protect most cell phone communications, potentially allowing
attackers to listen in on the calls of billions of individuals.
IT security forecast 2010: Hope for the best and prepare for the
worst - It's that time of year again. Time to recap the things which
happened in the past year and give our predictions for what will
happen in the future. Are you ready for prognostications of
doom...and malware in our phones and our microwaves and cars? Or can
we finally dispense with that tradition, once and for all?
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Ex-exec of matchmaking firm 'stole personal data' - A former
executive of matchmaking service firm Web in Chiba Prefecture
allegedly stole personal data of about 16,000 people who registered
with the firm and tried to sell it to other matchmaking firms, it
has been learned.
Hacker accesses Eastern Washington University's network - A hacker
accessed the computer network of Eastern Washington University in
Cheney, Wash., placing sensitive student information at risk.
30K Penn State records breached due to malware - Penn State
University officials are working to notify tens of thousands of
individuals whose records may have been compromised.
WEB SITE COMPLIANCE - We continue the series regarding FDIC
Supervisory Insights regarding Incident Response Programs. (2 of 12)
Importance of an Incident Response Program
A bank's ability to respond to security incidents in a planned and
coordinated fashion is important to the success of its information
security program. While IRPs are important for many reasons, three
are highlighted in this article.
First, though incident prevention is important, focusing solely on
prevention may not be enough to insulate a bank from the effects of
a security breach. Despite the industry's efforts at identifying and
correcting security vulnerabilities, every bank is susceptible to
weaknesses such as improperly configured systems, software
vulnerabilities, and zero-day exploits. Compounding the problem is
the difficulty an organization experiences in sustaining a "fully
secured" posture. Over the long term, a large amount of resources
(time, money, personnel, and expertise) is needed to maintain
security commensurate with all potential vulnerabilities.
Inevitably, an organization faces a point of diminishing returns
whereby the extra resources applied to incident prevention bring a
lesser amount of security value. Even the best information security
program may not identify every vulnerability and prevent every
incident, so banks are best served by incorporating formal incident
response planning to complement strong prevention measures. In the
event management's efforts do not prevent all security incidents
(for whatever reason), IRPs are necessary to reduce the sustained
damage to the bank.
Second, regulatory agencies have recognized the value of IRPs and
have mandated that certain incident response requirements be
included in a bank's information security program. In March 2001,
the FDIC, the Office of the Comptroller of the Currency (OCC), the
Office of Thrift Supervision (OTS), and the Board of Governors of
the Federal Reserve System (FRB) (collectively, the Federal bank
regulatory agencies) jointly issued guidelines establishing
standards for safeguarding customer information, as required by the
Gramm-Leach-Bliley Act of 1999. These standards require banks to
adopt response programs as a security measure. In April 2005, the
Federal bank regulatory agencies issued interpretive guidance
regarding response programs. This additional guidance describes
IRPs and prescribes standard procedures that should be included in
IRPs. In addition to Federal regulation in this area, at least 32
states have passed laws requiring that individuals be notified of a
breach in the security of computerized personal information.
Therefore, the increased regulatory attention devoted to incident
response has made the development of IRPs a legal necessity.
Finally, IRPs are in the best interests of the bank. A
well-developed IRP that is integrated into an overall information
security program strengthens the institution in a variety of ways.
Perhaps most important, IRPs help the bank contain the damage
resulting from a security breach and lessen its downstream effect.
Timely and decisive action can also limit the harm to the bank's
reputation, reduce negative publicity, and help the bank identify
and remedy the underlying causes of the security incident so that
mistakes are not destined to be repeated.
INFORMATION TECHNOLOGY SECURITY -
We begin a new series
from the FDIC "Security Risks Associated with the Internet." While
this Financial Institution Letter was published in December 1997,
the issues still are relevant.
This FDIC paper alerts financial institutions to the fundamental
technological risks presented by use of the Internet. Regardless of
whether systems are maintained in-house or services are outsourced,
bank management is responsible for protecting systems and data from
The Internet is inherently insecure. By design, it is an open
network which facilitates the flow of information between computers.
Technologies are being developed so the Internet may be used for
secure electronic commerce transactions, but failure to review and
address the inherent risk factors increases the likelihood of system
or data compromise. Five areas of concern relating to both
transactional and system security issues, as discussed below, are:
Data Privacy and Confidentiality, Data Integrity, Authentication,
Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including electronic
mail, travel openly over the Internet and can be monitored or read
by others. Given the volume of transmissions and the numerous paths
available for data travel, it is unlikely that a particular
transmission would be monitored at random. However, programs, such
as "sniffer" programs, can be set up at opportune locations on a
network, like Web servers (i.e., computers that provide services to
other computers on the Internet), to simply look for and collect
certain types of data. Data collected from such programs can include
account numbers (e.g., credit cards, deposits, or loans) or
Due to the design of the Internet, data privacy and confidentiality
issues extend beyond data transfer and include any connected data
storage systems, including network drives. Any data stored on a Web
server may be susceptible to compromise if proper security
precautions are not taken.
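As an added illustration (not part of the FDIC letter), the following Python audit shows what a monitoring point on a network path sees: account-like numbers carried over cleartext protocols are recoverable verbatim, while the TLS-protected transfer yields nothing. The transfers, hosts and numbers are constructed test values, and the Luhn filter is one common way a data-loss monitor separates account numbers from other digit runs.

```python
import re

# Constructed sample of transfers as a web server or network tap would observe
# them: (protocol, destination host, bytes on the wire). All values are invented.
SAMPLE_TRANSFERS = [
    ("http", "pay.example.test", "POST /transfer acct=4111111111111111&amt=250"),
    ("smtp", "mail.example.test", "Subject: loan docs\n\nLoan number 123456789015 attached"),
    ("https", "pay.example.test", "<TLS record: 17 03 03 00 4a 8f 3b ...>"),
    ("http", "www.example.test", "GET /track?id=123456789012"),
    ("http", "www.example.test", "GET /branches?zip=12345"),
]

# Protocols that carry application data in the clear unless wrapped in TLS.
CLEARTEXT = {"http", "smtp", "ftp", "telnet", "pop3", "imap"}
NUMBER_RE = re.compile(r"\b\d{12,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for card/account-style numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def exposed_account_numbers(proto: str, payload: str) -> list:
    """Account-like numbers an observer could read from this transfer (none if encrypted)."""
    if proto not in CLEARTEXT:
        return []
    return [m for m in NUMBER_RE.findall(payload) if luhn_ok(m)]


def audit(transfers) -> list:
    """Report (protocol, host, last-4 of each exposed number) for every cleartext leak."""
    findings = []
    for proto, host, payload in transfers:
        nums = exposed_account_numbers(proto, payload)
        if nums:
            findings.append((proto, host, [n[-4:] for n in nums]))  # mask for the report
    return findings


if __name__ == "__main__":
    for proto, host, last4 in audit(SAMPLE_TRANSFERS):
        print(f"{proto} to {host}: account number(s) ending {last4} sent in the clear")
```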
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the information:
a. to the affiliates of the financial institution from which it
received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the same
disclosure restrictions as the recipient institution;
c. to any other person, if the disclosure would be lawful if made
directly to that person by the institution from which the recipient
institution received the information? [§11(b)(1)(iii)]