FYI - Year 2010 bug wreaks havoc on German payment cards - Son of Y2K also hits SpamAssasin, Symantec - A delayed Y2K bug has bitten hard at some 30 million holders of German debit and credit cards, making it impossible for them to use automatic teller machines and point-of-sale terminals since New Year's Day. http://www.theregister.co.uk/2010/01/06/year_2010_payment_card_bug/

FYI - Y2.01K bug trips up Symantec - Schoolboy error causes red faces - Symantec's Endpoint Protection Manager has been hit by a classic date bug and fell over at the end of the year, accepting no definition updates dated since then. http://www.theregister.co.uk/2010/01/05/symantec_y2k10_bug/

FYI - Cyber Attack Simulation Planned Next Month - A financial sector group aims to help organizations learn how to respond when hit with a cyber attack. A financial services industry group is planning to simulate a series of cyber attacks to test how well banks, payment processors and retailers deal with online threats. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222200554&subSection=News

FYI - Flaw could allow attacker to decrypt protected USB drives - Several flash drive manufacturers recently issued warnings about a flaw which could allow an attacker to access encrypted data on a supposedly secure USB drive. http://www.scmagazineus.com/flaw-could-allow-attacker-to-decrypt-protected-usb-drives/article/160772/

FYI - Documents refute TSA privacy claims on body scanners, group says - Body imaging technologies can store, transmit images of airline passengers, EPIC says - The Transportation Security Administration is overstating the privacy protections applied in the use of whole body scanners at U.S. airports, a leading privacy advocacy group warned today. http://www.computerworld.com/s/article/9143838/Documents_refute_TSA_privacy_claims_on_body_scanners_group_says

FYI - Heartland settles with Visa; funds to go to issuing banks - Heartland Payment Systems and Visa have agreed on a $60 million settlement related to the payment processor's record-breaking data breach, revealed one year ago. http://www.scmagazineus.com/heartland-settles-with-visa-funds-to-go-to-issuing-banks/article/160943/

FYI - South Korean military bans USB flash drives - Citing recent hacking attempts, military plans to develop new data sharing system - In response to recent hacking attempts, the South Korean military plans to ban the use of USB flash drives, according to a report today on the China View Web site. http://gcn.com/articles/2010/01/11/korea-bans-flash-drives.aspx

FYI - More flash drive firms warn of security flaw; NIST investigates - The drives were certified to meet NIST standards - SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives. http://www.computerworld.com/s/article/9143504/More_flash_drive_firms_warn_of_security_flaw_NIST_investigates?source=rss_security

FYI - Three GIAC Security Certifications Gain More Clout - Now accredited by ANSI, GCIH was recently ranked as the No. 1 security certification that organizations pay a salary premium for, according to IT employment analysts with Foote Partners. http://www.channelinsider.com/c/a/Careers/Three-GIAC-Security-Certifications-Gain-More-Clout--198225/

FYI - Companies must consider security when choosing a cloud provider - 2009 was a growth year for cloud computing, with the trend capturing significant attention in both the press and from major companies around the world. As CIOs began to sink their teeth into cloud computing's business applications, the stage for large-scale adoption in 2010 was set. http://www.scmagazineus.com/companies-must-consider-security-when-choosing-a-cloud-provider/article/161170/

FYI - Henry tapped to run FBI's Washington Field Office - Shawn Henry, one of the most recognizable names in cybercrime enforcement, has been promoted to head of the FBI's Washington Field Office, considered one of the agency's most coveted posts, the FBI said. http://www.scmagazineus.com/henry-tapped-to-run-fbis-washington-field-office/article/161029/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - FBI investigating online New York school district theft - A New York school district has reverted to using paper checks after cybercriminals tried to steal about $3.8 million from its online accounts just before Christmas, prompting an FBI investigation. http://www.computerworld.com/s/article/9143144/FBI_investigating_online_New_York_school_district_theft?source=rss_security

FYI - Twitter hackers compromise Chinese search engine - The same band of hackers responsible for the DNS records hijack of Twitter last month launched an apparent similar attack on leading Chinese search engine Baidu, according to published reports. http://www.scmagazineus.com/twitter-hackers-compromise-chinese-search-engine/article/161081/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (3of 12)

Elements of an Incident Response Program

Although the specific content of an IRP will differ among financial institutions, each IRP should revolve around the minimum procedural requirements prescribed by the Federal bank regulatory agencies. Beyond this fundamental content, however, strong financial institution management teams also incorporate industry best practices to further refine and enhance their IRP. In general, the overall comprehensiveness of an IRP should be commensurate with an institution's administrative, technical, and organizational complexity.

Minimum Requirements

The minimum required procedures addressed in the April 2005 interpretive guidance can be categorized into two broad areas: "reaction" and "notification." In general, reaction procedures are the initial actions taken once a compromise has been identified. Notification procedures are relatively straightforward and involve communicating the details or events of the incident to interested parties; however, they may also involve some reporting requirements.  Below lists the minimum required procedures of an IRP as discussed in the April 2005 interpretive guidance.

Develop reaction procedures for:

1) assessing security incidents that have occurred;
2) identifying the customer information and information systems that have been accessed or misused; and
3)containing and controlling the security incident.

Establish notification procedures for:

1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious Activity Reports [SARs], if necessary); and
3) affected customers.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 

Data Integrity 

Potentially, the open architecture of the Internet can allow those with specific knowledge and tools to alter or modify data during a transmission. Data integrity could also be compromised within the data storage system itself, both intentionally and unintentionally, if proper access controls are not maintained. Steps must be taken to ensure that all data is maintained in its original or intended form.  

Authentication 

Essential in electronic commerce is the need to verify that a particular communication, transaction, or access request is legitimate. To illustrate, computer systems on the Internet are identified by an Internet protocol (IP) address, much like a telephone is identified by a phone number. Through a variety of techniques, generally known as "IP spoofing" (i.e., impersonating), one computer can actually claim to be another. Likewise, user identity can be misrepresented as well. In fact, it is relatively simple to send email which appears to have come from someone else, or even send it anonymously. Therefore, authentication controls are necessary to establish the identities of all parties to a communication.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

46.  Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:

a.  to the institution's agents or service providers solely to market the institution's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; ['12(b)(1)] or

b.  to a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? ['12(b)(2)]

(Note: an "account number or similar form of access number or access code" does not include numbers in encrypted form, so long as the institution does not provide the recipient with a means of decryption. ['12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. ['12(c)(2)])