R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 14, 2010

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


What if you could continuously review your IT operations throughout the year as recommended by regulators and IT auditors for less than 10 dollars a week?
You can - by relying on The Weekly IT Security Review by Yennik, Inc.  Readers have been asking us for a method that would allow them to continuously review their IT operations throughout the year.  We have responded by using our expertise to develop The Weekly IT Security Review.  Designed especially for IT professionals, this new offering from Yennik, Inc. provides a weekly review of information systems security issues.  For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI -
Participants in the Alaska Public Employees' Retirement System and the Teachers' Retirement System, who were active or inactive employees, including retirees, in 2003 and 2004. If you are affected by this breach, you will be mailed a notice shortly with more detailed information about the breach, and instructions on how to sign up for free services pursuant to the settlement reached with PwC. http://doa.alaska.gov/drb/pdf/price-waterhouse-security-breach-factsheet.pdf

FYI -
Anatomy Of A Targeted, Persistent Attack - New report provides an inside look at real attacks that infiltrated, camped out, and stole intellectual property and proprietary information -- and their links to China. http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=222600139

FYI -
Bank of America Web site goes down Friday - Bank of America was investigating an outage on Friday that affected an unknown number of customers but had ruled out a cyberattack, a representative said. http://news.cnet.com/8301-27080_3-10444474-245.html

FYI -
Alleged cable modem hacker arrested - A Massachusetts man has been charged with selling hacked cable modems that were reconfigured to allow free, untraceable internet service, according to a news release from the U.S. Department of Justice. http://www.scmagazineus.com/alleged-cable-modem-hacker-arrested/article/162795/

FYI -
Global critical infrastructure under attack, study finds - Global critical infrastructure networks are being pummeled with repeated cyberattacks from foreign nation-states and other adversaries, including terrorist organizations and organized crime groups, according to a recently released report. http://www.scmagazineus.com/global-critical-infrastructure-under-attack-study-finds/article/162645/

FYI -
Health Net Sued Over Data Breach - The Connecticut attorney general has sued Health Net, claiming the insurance company failed to adequately protect the medical records of 446,000 customers whose private data was contained in a computer disk drive that was found to be missing last spring. http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=222600681

FYI -
U.S. Navy establishes new Cyber Command - The U.S. Navy has joined the Air Force and Marines with the formation of a new command charged with overseeing cyberspace operations. http://www.scmagazineus.com/us-navy-establishes-new-cyber-command/article/162979/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
National Archives Warns Former Clinton Staff, Visitors of Major Data Breach - Personal information for 250,000 Clinton administration staff and White House visitors sent to the National Archives was compromised after a computer hard drive containing confidential material disappeared nearly a year ago, RollCall.com reported.
http://www.foxnews.com/politics/2010/01/27/national-archives-warns-clinton-staff-visitors-major-data-breach/?test=latestnews
http://www.wired.com/threatlevel/2010/01/national-archives-data-breach/

FYI -
Bank sues victim of $800,000 cybertheft - In twist, Texas bank sues business customer, claiming cybertheft not its fault - A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises. http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft?taxonomyId=17&pageNumber=1

FYI -
BlueCross computer theft already costs $7 million - What was initially assumed to be just a glitch in some soon-to-be-discarded computer equipment last fall has grown into one of Chattanooga's most expensive property crimes of the year. http://www.timesfreepress.com/news/2010/jan/26/bluecross-computer-theft-already-costs-7-million/

FYI -
Hackers pluck 8,300 customer logins from bank server - Hackers have stolen the login credentials for more than 8,300 customers of small New York bank after breaching its security and accessing a server that hosted its online banking system. http://www.theregister.co.uk/2010/01/12/bank_server_breached/

FYI -
Laptop containing UCSF medical school patient information stolen - A laptop containing sensitive patient information was recently stolen from an employee of the University of California, San Francisco (UCSF) School of Medicine. http://www.scmagazineus.com/laptop-containing-ucsf-medical-school-patient-information-stolen/article/162788/

FYI -
Hackers deface 49 U.S. House websites - Hackers defaced 49 websites belonging to U.S. House of Representatives' members and committees soon after President Obama delivered his State of the Union address on Wednesday night. http://www.scmagazineus.com/hackers-deface-49-us-house-websites/article/162576/

FYI -
US gaming commission confirms 80,000 personal details exposed after outside attack on server - Around 80,000 Iowa employee names, birth dates and social security numbers have been exposed after a server was hacked. http://www.scmagazineuk.com/us-gaming-commission-confirms-80000-personal-details-exposed-after-outside-attack-on-server/article/162775/

FYI -
Students at Potomac school hack into computers; grades feared changed - Students at a Potomac high school hacked into the school's computer system and changed class grades, according to sources briefed by the school's principal, and officials are investigating how widespread the damage might be. http://www.washingtonpost.com/wp-dyn/content/article/2010/01/28/AR2010012803494.html


WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights on Incident Response Programs.  (6 of 12)

Best Practices-Going Beyond the Minimum

Each bank has the opportunity to go beyond the minimum requirements and incorporate industry best practices into its IRP. As each bank tailors its IRP to match its administrative, technical, and organizational complexity, it may find some of the following best practices relevant to its operating environment. The practices addressed below are not all inclusive, nor are they regulatory requirements. Rather, they are representative of some of the more effective practices and procedures some institutions have implemented. For organizational purposes, the best practices have been categorized into the various stages of incident response: preparation, detection, containment, recovery, and follow-up.


Preparation


Preparing for a potential security compromise of customer information is a proactive risk management practice. The overall effectiveness and efficiency of an organization's response is related to how well it has organized and prepared for potential incidents. Two of the more effective practices noted in many IRPs are addressed below.

Establish an incident response team.

A key practice in preparing for a potential incident is establishing a team that is specifically responsible for responding to security incidents. Organizing a team that includes individuals from various departments or functions of the bank (such as operations, networking, lending, human resources, accounting, marketing, and audit) may better position the bank to respond to a given incident. Once the team is established, members can be assigned roles and responsibilities to ensure incident handling and reporting is comprehensive and efficient. A common responsibility that banks have assigned to the incident response team is developing a notification or call list, which includes contact information for employees, vendors, service providers, law enforcement, bank regulators, insurance companies, and other appropriate contacts. A comprehensive notification list can serve as a valuable resource when responding to an incident.

 
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls 

A primary concern in controlling system access is the safeguarding of user IDs and passwords.  The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism. 

The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder. 
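The paragraph above warns that passwords built from a person's own details (name, user ID, e-mail address, phone number) are easy to guess once those details are known. One defensive control is to reject such passwords at the point they are set. The following is an added example, not code from the FDIC guidance or from Yennik, Inc.; the profile fields, the `UserProfile` class, the `validate_password` function and the sample user are all constructed for illustration.

```python
"""Added example: reject passwords that are derived from the user's own
personal information (name, user ID, e-mail, phone number, birth date).
All names and the sample profile below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Set

# Common substitutions a password-guessing program would try; we undo them
# so that "J0hn" is still recognised as the first name "john".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_TOKEN_LEN = 3   # ignore fragments too short to be meaningful ("j", "jr")


@dataclass(frozen=True)
class UserProfile:          # hypothetical record of what the bank knows
    user_id: str
    full_name: str
    email: str
    phone: str
    birth_date: str         # ISO form "YYYY-MM-DD"


def _alnum(text: str) -> str:
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _deleet(text: str) -> str:
    """Undo leet-style substitutions, then reduce to letters and digits."""
    return _alnum(text.lower().translate(_LEET))


def personal_tokens(profile: UserProfile) -> Set[str]:
    """Fragments of the profile that must not appear in a password."""
    local_part = profile.email.split("@", 1)[0]
    phone_digits = re.sub(r"\D", "", profile.phone)
    ymd = re.sub(r"\D", "", profile.birth_date)          # e.g. "19750614"
    raw = [profile.user_id, local_part, phone_digits, ymd]
    raw += profile.full_name.split()                      # first / last name
    raw += re.split(r"[._+-]", local_part)                # "j.smith" -> "j", "smith"
    if len(phone_digits) >= 4:
        raw.append(phone_digits[-4:])                     # last four digits
    if len(ymd) == 8:
        raw += [ymd[:4], ymd[4:], ymd[6:] + ymd[4:6]]     # year, MMDD, DDMM
    return {t for t in map(_alnum, raw) if len(t) >= MIN_TOKEN_LEN}


def derived_from_personal_info(password: str, profile: UserProfile) -> List[str]:
    """Return the personal tokens found in the password, forward or reversed."""
    forms = {_alnum(password), _deleet(password)}
    hits = set()
    for token in personal_tokens(profile):
        for form in forms:
            if token in form or token[::-1] in form:
                hits.add(token)
    return sorted(hits)


def validate_password(password: str, profile: UserProfile,
                      min_length: int = 12) -> List[str]:
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = derived_from_personal_info(password, profile)
    if hits:
        problems.append("derived from personal information: " + ", ".join(hits))
    return problems


# Constructed sample profile; not a real person.
SAMPLE_USER = UserProfile(user_id="jsmith42", full_name="John Smith",
                          email="j.smith@example.com", phone="555-013-2468",
                          birth_date="1975-06-14")

if __name__ == "__main__":
    for candidate in ["J0hnSm1th!2024", "2468Trombone!!", "htimS_1975",
                      "correct horse battery staple"]:
        verdict = validate_password(candidate, SAMPLE_USER) or "accepted"
        print(f"{candidate!r}: {verdict}")
```

The check is deliberately run against the profile the institution already holds, so it costs nothing to deploy at password-change time, and it returns the offending fragments so the user can be told why the choice was refused. It complements, rather than replaces, a minimum length and a check against lists of commonly used passwords.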


Security Flaws and Bugs / Active Content Languages 

Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications. 

Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.
  

Viruses / Malicious Programs 


Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

49.  If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:

a.  required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [§14(b)(1)] or

b.  required, or is a usual, appropriate, or acceptable method to: [§14(b)(2)]

  1.  carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [§14(b)(2)(i)]
  2.  administer or service benefits or claims; [§14(b)(2)(ii)]
  3.  confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [§14(b)(2)(iii)]
  4.  accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
  5.  underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [§14(b)(2)(v)] or
  6.  in connection with:
      i.  the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [§14(b)(2)(vi)(A)]
      ii.  the transfer of receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or
      iii.  the audit of debit, credit, or other payment information? [§14(b)(2)(vi)(C)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated