FYI - Year
2010 bug wreaks havoc on German payment cards - Son of Y2K also hits
SpamAssasin, Symantec - A delayed Y2K bug has bitten hard at some 30
million holders of German debit and credit cards, making it
impossible for them to use automatic teller machines and
point-of-sale terminals since New Year's Day.
FYI - Y2.01K bug trips up Symantec -
Schoolboy error causes red faces - Symantec's Endpoint Protection
Manager has been hit by a classic date bug and fell over at the end
of the year, accepting no definition updates dated since then.
FYI - Cyber Attack Simulation Planned
Next Month - A financial sector group aims to help organizations
learn how to respond when hit with a cyber attack. A financial
services industry group is planning to simulate a series of cyber
attacks to test how well banks, payment processors and retailers
deal with online threats.
FYI - Flaw could allow attacker to
decrypt protected USB drives - Several flash drive manufacturers
recently issued warnings about a flaw which could allow an attacker
to access encrypted data on a supposedly secure USB drive.
FYI - Documents refute TSA privacy
claims on body scanners, group says - Body imaging technologies can
store, transmit images of airline passengers, EPIC says - The
Transportation Security Administration is overstating the privacy
protections applied in the use of whole body scanners at U.S.
airports, a leading privacy advocacy group warned today.
FYI - Heartland settles with Visa;
funds to go to issuing banks - Heartland Payment Systems and Visa
have agreed on a $60 million settlement related to the payment
processor's record-breaking data breach, revealed one year ago.
FYI - South Korean military bans USB
flash drives - Citing recent hacking attempts, military plans to
develop new data sharing system - In response to recent hacking
attempts, the South Korean military plans to ban the use of USB
flash drives, according to a report today on the China View Web
FYI - More flash drive firms warn of
security flaw; NIST investigates - The drives were certified to meet
NIST standards - SanDisk Corp. and Verbatim Corp. have joined
Kingston Technology Inc. in warning customers about a potential
security threat posed by a flaw in the hardware-based AES 256-bit
encryption on their USB flash drives.
FYI - Three GIAC Security
Certifications Gain More Clout - Now accredited by ANSI, GCIH was
recently ranked as the No. 1 security certification that
organizations pay a salary premium for, according to IT employment
analysts with Foote Partners.
FYI - Companies must consider security
when choosing a cloud provider - 2009 was a growth year for cloud
computing, with the trend capturing significant attention in both
the press and from major companies around the world. As CIOs began
to sink their teeth into cloud computing's business applications,
the stage for large-scale adoption in 2010 was set.
FYI - Henry tapped to run FBI's
Washington Field Office - Shawn Henry, one of the most recognizable
names in cybercrime enforcement, has been promoted to head of the
FBI's Washington Field Office, considered one of the agency's most
coveted posts, the FBI said.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- FBI investigating online New York
school district theft - A New York school district has reverted to
using paper checks after cybercriminals tried to steal about $3.8
million from its online accounts just before Christmas, prompting an
FYI - Twitter hackers compromise
Chinese search engine - The same band of hackers responsible for the
DNS records hijack of Twitter last month launched an apparent
similar attack on leading Chinese search engine Baidu, according to
Return to the top of
COMPLIANCE - We
continue the series regarding FDIC Supervisory Insights regarding
Response Programs. (3of 12)
Elements of an Incident
Although the specific content of an
IRP will differ among financial institutions, each IRP should
revolve around the minimum procedural requirements prescribed by the
Federal bank regulatory agencies. Beyond this fundamental content,
however, strong financial institution management teams also
incorporate industry best practices to further refine and enhance
their IRP. In general, the overall comprehensiveness of an IRP
should be commensurate with an institution's administrative,
technical, and organizational complexity.
The minimum required
procedures addressed in the April 2005 interpretive guidance can be
categorized into two broad areas: "reaction" and "notification." In
general, reaction procedures are the initial actions taken once a
compromise has been identified. Notification procedures are
relatively straightforward and involve communicating the details or
events of the incident to interested parties; however, they may also
involve some reporting requirements. Below lists the minimum
required procedures of an IRP as discussed in the April 2005
Develop reaction procedures for:
1) assessing security incidents that have occurred;
identifying the customer information and information systems that
have been accessed or misused; and
3)containing and controlling
the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
law enforcement agencies (and filing Suspicious Activity Reports [SARs],
if necessary); and
3) affected customers.
Return to the
top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Potentially, the open architecture
of the Internet can allow those with specific knowledge and tools to
alter or modify data during a transmission. Data integrity could
also be compromised within the data storage system itself, both
intentionally and unintentionally, if proper access controls are not
maintained. Steps must be taken to ensure that all data is
maintained in its original or intended form.
Essential in electronic commerce is
the need to verify that a particular communication, transaction, or
access request is legitimate. To illustrate, computer systems on the
Internet are identified by an Internet protocol (IP) address, much
like a telephone is identified by a phone number. Through a variety
of techniques, generally known as "IP spoofing" (i.e.,
impersonating), one computer can actually claim to be another.
Likewise, user identity can be misrepresented as well. In fact, it
is relatively simple to send email which appears to have come from
someone else, or even send it anonymously. Therefore, authentication
controls are necessary to establish the identities of all parties to
Return to the top of the newsletter
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
46. Does the institution refrain from disclosing,
directly or through affiliates, account numbers or similar forms of
access numbers or access codes for a consumer's credit card account,
deposit account, or transaction account to any nonaffiliated third
party (other than to a consumer reporting agency) for telemarketing,
direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to
market the institution's own products or services, as long as the
agent or service provider is not authorized to directly initiate
charges to the account; ['12(b)(1)] or
b. to a
participant in a private label credit card program or an affinity or
similar program where the participants in the program are identified
to the customer when the customer enters into the program?
(Note: an "account number or similar
form of access number or access code" does not include numbers in
encrypted form, so long as the institution does not provide the
recipient with a means of decryption. ['12(c)(1)] A transaction
account does not include an account to which third parties cannot
initiate charges. ['12(c)(2)])