R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 7, 2010

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


What if you could continuously review your IT operations throughout the year as recommended by regulators and IT auditors for less than 10 dollars a week?
You can - by relying on The Weekly IT Security Review by Yennik, Inc.  Readers have been asking us for a method that would allow them to continuously review their IT operations throughout the year.  We have responded by using our expertise to develop The Weekly IT Security Review.  Designed especially for IT professionals, this new offering from Yennik, Inc. provides a weekly review of information systems security issues.  For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI -
Taken to the Cleaners - A study from Credant Technologies finds clothes dropped off at the dry cleaners are often filled with forgotten USB sticks - Earlier this month, CSO reported on a worldwide recall on several hardware-encrypted USB sticks from multiple vendors because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the device. http://www.csoonline.com/article/519330/Taken_to_the_Cleaners

FYI -
RockYou hack reveals most common password: '123456' - A recent analysis of 32 million passwords, obtained in the RockYou.com hack, has revealed that the most commonly used password on the site was '123456.' http://www.scmagazineus.com/rockyou-hack-reveals-most-common-password-123456/article/162071/

FYI -
Security researcher IDs China link in Google hack - The code behind the attack, called Aurora, was written in 2006 - The malicious software used to steal information from Google Inc. and other companies contains code that links it to China, a security researcher said. http://www.computerworld.com/s/article/9146239/Security_researcher_IDs_China_link_in_Google_hack?source=CTWNLE_nlt_dailyam_2010-01-20

FYI -
Security threats Toolkit - Cambridge researchers knock Verified by Visa - The 'Verified by Visa' credit-card check has come under criticism from Cambridge University researchers, who said it is training online shoppers to adopt risky security habits. http://news.zdnet.co.uk/security/0,1000000189,40008732,00.htm?tag=mncol;txt

FYI -
Bank sues victim of $800,000 cybertheft - In twist, Texas bank sues business customer, claiming cybertheft not its fault - A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises. http://www.computerworld.com/s/article/print/9149218/Bank_sues_victim_of_800_000_cybertheft?taxonomyName=Security&taxonomyId=17

FYI -
Electronic Health Records: DOD and VA Interoperability Efforts Are Ongoing; Program Office Needs to Implement Recommended Improvements.
Release - http://www.gao.gov/new.items/d10332.pdf
Highlights - http://www.gao.gov/highlights/d10332high.pdf

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Data breaches cost organizations $204 per record in 2009 - Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual "Cost of Data Breach" study. http://www.scmagazineus.com/data-breaches-cost-organizations-204-per-record-in-2009/article/162259/

FYI -
Thief steals 57 hard drives from BlueCross BlueShield of Tennessee - Stolen computer hard drives belonging to BlueCross BlueShield of Tennessee contained sensitive member information. http://www.scmagazineus.com/thief-steals-57-hard-drives-from-bluecross-blueshield-of-tennessee/article/162178/

FYI -
US oil industry hit by cyberattacks: Was China involved? - Breaches show how sophisticated industrial espionage is becoming. The big question: Who's behind them? - At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

FYI -
Data Breaches Get Costlier - The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. http://www.pcworld.com/businesscenter/article/187611/data_breaches_get_costlier.html

FYI -
Ladbrokes, police probe data breach - Millions of customer profiles for sale - Ladbrokes is investigating the loss of thousands of customer details from one of its databases, but is reassuring gamblers that the information did not include bank details or passwords. http://www.theregister.co.uk/2010/01/25/ladbrokes_data_fail/

FYI -
Irish board hack prompts password reset - Users thrown into scramble to change up login credentials - Popular Irish web discussion forum boards.ie has reset user passwords in response to a hack attack that compromised member login credentials. http://www.theregister.co.uk/2010/01/22/irish_board_hack/


WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Incident Response Programs.  (5 of 12)

Notification Procedures

An institution should notify its primary Federal regulator as soon as it becomes aware of the unauthorized access to or misuse of sensitive customer information or customer information systems. Notifying the regulatory agency will help it determine the potential for broader ramifications of the incident, especially if the incident involves a service provider, as well as assess the effectiveness of the institution's IRP.

Institutions should develop procedures for notifying law enforcement agencies and filing SARs in accordance with their primary Federal regulator's requirements.  Law enforcement agencies may serve as an additional resource in handling and documenting the incident. Institutions should also establish procedures for filing SARs in a timely manner because regulations impose relatively quick filing deadlines. The SAR form itself may serve as a resource in the reporting process, as it contains specific instructions and thresholds for when to file a report. The SAR form instructions also clarify what constitutes a "computer intrusion" for filing purposes. Defining procedures for notifying law enforcement agencies and filing SARs can streamline these notification and reporting requirements.

Institutions should also address customer notification procedures in their IRP. When an institution becomes aware of an incident involving unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that such information has been or will be misused. If the institution determines that sensitive customer information has been misused or that misuse of such information is reasonably possible, it should notify the affected customer(s) as soon as possible. Developing standardized procedures for notifying customers will assist in making timely and thorough notification. As a resource in developing these procedures, institutions should reference the April 2005 interpretive guidance, which specifically addresses when customer notification is necessary, the recommended content of the notification, and the acceptable forms of notification.

 
INFORMATION TECHNOLOGY SECURITY -
We continue the series from the FDIC "Security Risks Associated with the Internet."

System Architecture and Design

The Internet can facilitate unchecked and/or undesired access to internal systems unless those systems are appropriately designed and controlled. Unwelcome access could be achieved through IP spoofing, where an intruder impersonates a local or internal system and is granted access without a password. If access to a system is based only on a source IP address, an attacker can gain entry by forging the address of a legitimate, authorized host. The exposure is also wider than one account: any user of the trusted system can reach the target, and so can any system that the trusted system in turn trusts.

Improper access can also result from other technically permissible activities that have not been properly restricted or secured. Application layer protocols are the standard sets of rules that determine how computers communicate across the Internet, and numerous such protocols, each with different functions and a wide array of data exchange capabilities, are in use. The most familiar, Hyper Text Transfer Protocol (HTTP), facilitates the movement of text and images. Other protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers, and Telnet enables one computer to log in to another. Both FTP and Telnet also carry credentials in cleartext, so exposing them across the Internet reveals passwords to anyone who can observe the traffic. Protocols such as FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture.
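The two controls these paragraphs call for, ingress filtering against packets that arrive from the Internet with forged internal source addresses and a default-deny policy that exposes only the intended services, as an added example in Python. This is illustrative code written for this page, not from the FDIC guidance or any firewall product; the rule format, interface names, addresses and the "trusted host" rule are assumptions constructed for the example.

```python
"""Stateless packet-filter policy with anti-spoofing and default deny.

Added example for this page; the rule format, interface names and
addresses are assumptions, not FDIC guidance or any vendor's syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Address space that must never appear as a SOURCE on the outside interface.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "outside" or "inside"
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    name: str                        # returned with the decision for audit logging
    iface: Optional[str] = None      # None matches any interface
    src: Optional[str] = None        # CIDR, or None for any source
    dst: Optional[str] = None        # CIDR, or None for any destination
    dport: Optional[int] = None      # None for any port
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (
            self.iface in (None, p.iface)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and self.dport in (None, p.dport)
            and self.proto in (None, p.proto)
        )


def is_spoofed(p: Packet) -> bool:
    """A packet arriving from the Internet can never legitimately carry an
    internal source address (ingress filtering in the sense of RFC 2827)."""
    return p.iface == "outside" and any(ip_address(p.src) in n for n in INTERNAL_NETS)


def evaluate(rules: List[Rule], p: Packet, antispoof: bool = True) -> Tuple[str, str]:
    """First-match evaluation; anything no rule allows is denied.
    Returns (action, name of the rule or built-in check that decided)."""
    if antispoof and is_spoofed(p):
        return "deny", "anti-spoofing"
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "default-deny"


# Constructed policy for a web server at 192.168.1.10.  The first rule is the
# weak "trusted host" pattern the passage warns about: it trusts a source
# address alone, with no check on which interface the packet came in on.
WEB_SERVER = "192.168.1.10/32"
POLICY = [
    Rule("allow", "trusted-admin-host", src="192.168.5.7/32", dst=WEB_SERVER),
    Rule("allow", "public-http", iface="outside", dst=WEB_SERVER, dport=80),
    Rule("allow", "public-https", iface="outside", dst=WEB_SERVER, dport=443),
    # No rule for 21 (FTP) or 23 (Telnet) from outside: default deny covers them.
]

if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.5", "192.168.1.10", 80),   # web visitor
        Packet("outside", "203.0.113.5", "192.168.1.10", 23),   # Telnet from the Internet
        Packet("outside", "192.168.5.7", "192.168.1.10", 23),   # forged internal source
        Packet("inside", "192.168.5.7", "192.168.1.10", 23),    # genuine admin host
    ]
    for p in samples:
        print(f"{p.iface:7} {p.src:>13} -> {p.dst}:{p.dport}  "
              f"with antispoof={evaluate(POLICY, p)}  "
              f"without={evaluate(POLICY, p, antispoof=False)}")
```

Running the sample shows the failure mode directly: with the anti-spoofing check switched off, the forged packet claiming 192.168.5.7 matches the trusted-host rule and is allowed, while with it on the same packet is dropped before any rule is consulted. Telnet and FTP from the Internet never match a rule and fall through to the implicit deny.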

The open architecture of the Internet also makes it easy for attacks to be launched against systems from anywhere in the world. Systems can even be compromised and then used to launch attacks against other systems. A typical attack is a denial of service attack, which is intended to bring down a server, system, or application, for example by overwhelming it with so many requests that it can no longer serve legitimate users. Or an attack could be as simple as accessing and altering a Web site, such as changing the advertised rates on certificates of deposit.
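A detection control for the "altered Web site" case above, as an added example that is not part of the FDIC text: a content baseline of the published pages, signed with a key kept off the web server, compared against what is currently being served. The page paths, page bodies and key below are constructed for the example, and the hashing and manifest scheme is a generic design rather than any product's.

```python
"""Signed content baseline for detecting unauthorized changes to published
web pages.  Added example for this page; paths, page bodies and the key are
constructed, and the scheme is a generic design, not a specific product's.
"""
import hashlib
import hmac
import json
from typing import Dict, List


def snapshot(pages: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in pages.items()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON form of the manifest.  The key lives on
    the monitoring host, not the web server, so an attacker who can edit
    pages cannot also re-baseline the monitor to hide the change."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Paths whose content changed, appeared, or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def check_site(baseline: Dict[str, str], tag: str, key: bytes,
               served: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Refuse to trust a baseline that does not verify: a tampered baseline
    is itself an incident, not a reason to report 'no changes'."""
    if not verify_manifest(baseline, key, tag):
        raise ValueError("baseline manifest failed integrity check")
    return diff_baseline(baseline, snapshot(served))


# Constructed sample: what the institution published ...
PUBLISHED = {
    "/index.html": b"<h1>First Example Bank</h1>",
    "/rates.html": b"<p>12-month CD: 2.10% APY</p>",
}
# ... and what the server is handing out now, after someone edited the
# rates page and dropped an extra file into the document root.
SERVED = {
    "/index.html": b"<h1>First Example Bank</h1>",
    "/rates.html": b"<p>12-month CD: 9.90% APY</p>",
    "/tmp_upload.php": b"<?php /* not part of the site */ ?>",
}
MONITOR_KEY = b"constructed-demo-key-store-off-the-web-server"
BASELINE = snapshot(PUBLISHED)
BASELINE_TAG = sign_manifest(BASELINE, MONITOR_KEY)

if __name__ == "__main__":
    print(check_site(BASELINE, BASELINE_TAG, MONITOR_KEY, SERVED))
```

In use, the comparison runs on a schedule from a host separate from the web server, against the document root or the live pages; any non-empty report, and any manifest that fails to verify, is handed to the incident response process rather than silently re-baselined.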


Security Scanning Products 


A number of software programs exist which run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet. The practical implication is that an institution should run such scans against its own perimeter, under proper authorization and on a regular schedule, and treat the findings as a remediation list, since an attacker can obtain the same results with the same tools.



INTERNET PRIVACY
- We continue our series listing the regulatory privacy examination questions.  Answering the question each week will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

48. 
If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketing in §13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:

a.  servicing or processing a financial product or service requested or authorized by the consumer; [§14(a)(1)]

b.  maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [§14(a)(2)]

c.  a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [§14(a)(3)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated