you could continuously review your IT operations throughout the
year as recommended by regulators and IT auditors for less than 10 dollars a week? You can - by relying
on The Weekly IT Security Review by Yennik, Inc.
Readers have been asking us for a method that would allow them to
continuously review their IT operations throughout the year.
We have responded by using our expertise to develop The Weekly IT
Security Review. Designed especially for IT
professionals, this new offering from Yennik, Inc. provides a weekly
review of information systems security issues. For more
information and to subscribe visit
FYI - Taken to the Cleaners - A study
from Credant Technologies finds clothes dropped off at the dry
cleaners are often filled with forgotten USB sticks - Earlier this
month, CSO reported on a worldwide recall on several
hardware-encrypted USB sticks from multiple vendors because they
contain a flaw which could allow hackers to easily gain access to
the sensitive information contained on the device.
FYI - RockYou hack reveals most common
password: '123456' - A recent analysis of 32 million passwords,
obtained in the RockYou.com hack, has revealed that the most
commonly used password on the site was '123456.'
FYI - Security researcher IDs China
link in Google hack - The code behind the attack, called Aurora, was
written in 2006 - The malicious software used to steal information
from Google Inc. and other companies contains code that links it to
China, a security researcher said.
FYI - Security threats Toolkit -
Cambridge researchers knock Verified by Visa - The 'Verified by
Visa' credit-card check has come under criticism from Cambridge
University researchers, who said it is training online shoppers to
adopt risky security habits.
FYI - Bank sues victim of $800,000
cybertheft - In twist, Texas bank sues business customer, claiming
cybertheft not its fault - A Texas bank is suing a customer hit by
an $800,000 cybertheft incident in a case that could test the extent
to which customers should be held responsible for protecting their
online accounts from compromises.
FYI - Electronic Health Records: DOD
and VA Interoperability Efforts Are Ongoing; Program Office Needs to
Implement Recommended Improvements.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Data breaches cost organizations
$204 per record in 2009 - Data breaches last year cost organizations
$204 per exposed record on average, which represents an almost two
percent increase over 2008, according to the fifth annual "Cost of
Data Breach" study.
FYI - Thief steals 57 hard drives from
BlueCross BlueShield of Tennessee - Stolen computer hard drives
belonging to BlueCross BlueShield of Tennessee contained sensitive
FYI - US oil industry hit by
cyberattacks: Was China involved? - Breaches show how sophisticated
industrial espionage is becoming. The big question: Who's behind
them? - At least three US oil companies were the target of a series
of previously undisclosed cyberattacks that may have originated in
China and that experts say highlight a new level of sophistication
in the growing global war of Internet espionage.
FYI - Data Breaches Get Costlier - The
cost of a data breach increased last year to $204 per compromised
customer record, according to the Ponemon Institute's annual study.
The average total cost of a data breach rose from $6.65 million in
2008 to $6.75 million in 2009.
FYI - Ladbrokes, police probe data
breach - Millions of customer profiles for sale - Ladbrokes is
investigating the loss of thousands of customer details from one of
its databases, but is reassuring gamblers that the information did
not include bank details or passwords.
FYI - Irish board hack prompts password
reset - Users thrown into scramble to change up login credentials -
Popular Irish web discussion forum boards.ie has reset user
passwords in response to a hack attack that compromised member login
COMPLIANCE - We
continue the series on the FDIC Supervisory Insights article on
Response Programs. (5 of 12)
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
develop procedures for notifying law enforcement agencies and filing
SARs in accordance with their primary Federal regulator's
requirements. Law enforcement agencies may serve as an
additional resource in handling and documenting the incident.
Institutions should also establish procedures for filing SARs in a
timely manner because regulations impose relatively quick filing
deadlines. The SAR form itself may serve as a resource in the
reporting process, as it contains specific instructions and
thresholds for when to file a report. The SAR form instructions also
clarify what constitutes a "computer intrusion" for filing purposes.
Defining procedures for notifying law enforcement agencies and
filing SARs can streamline these notification and reporting
Institutions should also address customer
notification procedures in their IRP. When an institution becomes
aware of an incident involving unauthorized access to sensitive
customer information, the institution should conduct a reasonable
investigation to determine the likelihood that such information has
been or will be misused. If the institution determines that
sensitive customer information has been misused or that misuse of
such information is reasonably possible, it should notify the
affected customer(s) as soon as possible. Developing standardized
procedures for notifying customers will assist in making timely and
thorough notification. As a resource in developing these procedures,
institutions should reference the April 2005 interpretive guidance,
which specifically addresses when customer notification is
necessary, the recommended content of the notification, and the
acceptable forms of notification.
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
System Architecture and Design
The Internet can
facilitate unchecked and/or undesired access to internal systems,
unless systems are appropriately designed and controlled. Unwelcome
system access could be achieved through IP spoofing techniques,
where an intruder may impersonate a local or internal system and be
granted access without a password. If access to the system is based
only on an IP address, any user could gain access by masquerading as
a legitimate, authorized user by "spoofing" the user's address. Not
only could any user of that system gain access to the targeted
system, but so could any system that it trusts.
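As an added illustration (not code from the FDIC paper or this newsletter), the following Python models the transitive-trust point above: starting from a constructed access policy it lists the hosts that admit peers on IP address alone and computes which systems become reachable once one trusted address can be impersonated. The host names and the policy are made up for the example.

```python
from collections import deque

# Constructed example policy (not from the FDIC paper): for each host, the list of
# sources it grants access to, and whether a credential is still required.
# requires_credential=False means the host authenticates the peer by IP address
# alone, which is the spoofable case the text warns about.
TRUST_POLICY = {
    "web-dmz": [("any", True)],                         # public site, password required
    "app-srv": [("web-dmz", False)],                    # trusts web-dmz by address only
    "db-srv":  [("app-srv", False)],                    # trusts app-srv by address only
    "hr-srv":  [("app-srv", True)],                     # trusts app-srv but still needs a login
    "backup":  [("db-srv", False), ("hr-srv", False)],  # address-only trust in two peers
}


def ip_only_rules(policy):
    """Every (host, trusted_source) pair where access is granted on IP address alone."""
    return sorted((host, src) for host, rules in policy.items()
                  for src, needs_cred in rules if not needs_cred)


def spoof_exposure(policy, spoofed_host):
    """Hosts reachable by an intruder who can present spoofed_host's address.

    Follows only address-only trust edges, transitively: once a host is reached
    its own address can be impersonated too, so everything that trusts it by
    address alone is exposed as well ("so could any system that it trusts").
    """
    exposed, queue = set(), deque([spoofed_host])
    while queue:
        current = queue.popleft()
        for host, rules in policy.items():
            if host in exposed or host == spoofed_host:
                continue
            if any(src == current and not needs_cred for src, needs_cred in rules):
                exposed.add(host)
                queue.append(host)
    return exposed


if __name__ == "__main__":
    for host, src in ip_only_rules(TRUST_POLICY):
        print(f"WEAK: {host} admits {src} on IP address alone")
    print("Exposure if web-dmz's address is spoofed:",
          sorted(spoof_exposure(TRUST_POLICY, "web-dmz")))
```

Note that hr-srv stays out of the exposed set because it still demands a credential from app-srv; that is the control the text implies when it says access should not be based only on an IP address.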
access can also result from other technically permissible activities
that have not been properly restricted or secured. For example,
application layer protocols are the standard sets of rules that
determine how computers communicate across the Internet. Numerous
application layer protocols, each with different functions and a
wide array of data exchange capabilities, are utilized on the
Internet. The most familiar, Hyper Text Transfer Protocol (HTTP),
facilitates the movement of text and images. But other types of
protocols, such as File Transfer Protocol (FTP), permit the
transfer, copying, and deleting of files between computers. Telnet
protocol actually enables one computer to log in to another.
Protocols such as FTP and Telnet exemplify activities which may be
improper for a given system, even though the activities are within
the scope of the protocol architecture.
architecture of the Internet also makes it easy for system attacks
to be launched against systems from anywhere in the world.
Systems can even be accessed and then used to launch attacks against
other systems. A typical attack would be a denial of service attack,
which is intended to bring down a server, system, or application.
This might be done by overwhelming a system with so many requests
that it shuts down. Or, an attack could be as simple as accessing
and altering a Web site, such as changing advertised rates on
certificates of deposit.
Security Scanning Products
A number of software programs exist which run automated security scans
against Web servers, firewalls, and internal networks. These
programs are generally very effective at identifying weaknesses that
may allow unauthorized system access or other attacks against the
system. Although these products are marketed as security tools to
system administrators and information systems personnel, they are
available to anyone and may be used with malicious intent. In some
cases, the products are freely available on the Internet.
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
If the institution discloses nonpublic personal information
to nonaffiliated third parties, do the requirements for initial
notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and
for service providers and joint marketing in §13, not apply because
the information is disclosed as necessary to effect, administer, or
enforce a transaction that the consumer requests or authorizes, or
in connection with:
a. servicing or processing a
financial product or service requested or authorized by the
b. maintaining or servicing the
consumer's account with the institution or with another entity as
part of a private label credit card program or other credit
extension on behalf of the entity; or [§14(a)(2)]
c. a proposed or actual securitization, secondary market sale (including
sale of servicing rights) or other similar transaction related to a
transaction of the consumer? [§14(a)(3)]