Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Cybersecurity bill would create costly regulations, say critics - Some Republican senators and the Chamber of Commerce call for the Senate to slow down its efforts to pass a new bill - Leaders in the U.S. Senate are trying to fast-track new cybersecurity legislation that will create costly new regulations for some businesses, some critics said Thursday. http://www.computerworld.com/s/article/9224341/Cybersecurity_bill_would_create_costly_regulations_say_critics?taxonomyId=17

FYI - The probability of a data breach lawsuit - If a data breach occurs, when are companies more likely to be sued? Legal complaints, from customers and employees, happen all the time following a data-leakage incident, but exactly which kind of incidents are more likely to force organizations into court? http://www.scmagazine.com/podcast-the-probability-of-a-data-breach-lawsuit/article/228265/?DCMP=EMC-SCUS_Newswire

FYI - NSA chief sees possible Anonymous hit on power grid - The computer-hacking confederacy Anonymous might be able to cause a limited power blackout in a year or two, the general who directs the National Security Agency has warned officials, TheWall Street Journal is reporting.
http://content.usatoday.com/communities/ondeadline/post/2012/02/report-nsa-chief-sees-possible-anonymous-hit-on-power-grid/1#.T0Powpj9CaE

FYI - Brit student locked up for Facebook source code hack - A British computer science student was jailed for eight months on Friday for hacking into the internal network at Facebook. http://www.theregister.co.uk/2012/02/20/facebook_hacker_jailed/

FYI - Goldman Sachs Code-Theft Conviction Reversed - A federal appeals court on Friday reversed the conviction of a former Goldman Sachs programmer sentenced to eight years for stealing the bank’s high-speed trading software. http://www.wired.com/threatlevel/2012/02/code-theft-conviction-reversed/

FYI - Feds Urge Court to Reject Laptop Decryption Appeal - The government is urging a federal appeals court not to entertain an appeal from a bank-fraud defendant who has been ordered to decrypt her laptop so its contents can be used in her criminal case. http://www.wired.com/threatlevel/2012/02/laptop-decryption-appeal/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Cyber thieves piggyback off Stratfor breach, target feds - Hackers posing as officials from the geopolitical analysis publisher Stratfor are emailing infected links to government subscribers whose email addresses were stolen during an earlier raid on the company's computers, Microsoft researchers say. http://www.nextgov.com/nextgov/ng_20120215_5840.php

FYI - Nortel hacking attack went unnoticed for almost 10 years - Hackers broke into Nortel’s computer networks more than a decade ago and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents. http://www.zdnet.com/blog/security/nortel-hacking-attack-went-unnoticed-for-almost-10-years/10304

FYI - Connecticut college computer infected with malware, 18K affected - The Zbot, or Zeus, trojan infected a computer at Central Connecticut State University (CCSU) in New Britain to expose the Social Security numbers of thousands of people related to the college. http://www.scmagazine.com/connecticut-college-computer-infected-with-malware-18k-affected/article/228279/?DCMP=EMC-SCUS_Newswire

FYI - Greek hackers are arrested over Anonymous attacks - Teenagers picked up for government protests - THREE GREEK TEENAGERS have been arrested and accused of hacking and defacing a government web site. http://www.theinquirer.net/inquirer/news/2153661/greek-hackers-arrested-anonymous-attacks

FYI - Hackers target Putin's vote-monitoring system - Hackers have tried to crash a vast network of Web cameras which Vladimir Putin has ordered to allay fears of vote-rigging in the March presidential election, a deputy minister said on Friday. http://www.reuters.com/article/2012/02/17/us-russia-election-putin-idUSTRE81G1J920120217

FYI - Anonymous hacks FTC over Google privacy, ACTA - The Anonymous collective has again targeted the Federal Trade Commission, this time bringing down seven websites belonging to the consumer protection agency. http://www.scmagazine.com/anonymous-hacks-ftc-over-google-privacy-acta/article/228288/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Security Controls 

While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking. This should include establishing appropriate authorization privileges and authentication measures, logical and physical access controls, adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities and data integrity of transactions, records and information. In addition, the existence of clear audit trails for all e-banking transactions should be ensured and measures to preserve confidentiality of key e-banking information should be appropriate with the sensitivity of such information. 

Although customer protection and privacy regulations vary from jurisdiction to jurisdiction, banks generally have a clear responsibility to provide their customers with a level of comfort.  Regarding information disclosures, protection of customer data and business availability that approaches the level they can expect when using traditional banking distribution channels. To minimize legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should make adequate disclosure of information on their web sites and take appropriate measures to ensure adherence to customer privacy requirements applicable in the jurisdictions to which the bank is providing e-banking services.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY -  We continue our series on the FFIEC interagency Information Security Booklet.  

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE

Hardening Systems

Many financial institutions use commercial off-the-shelf (COTS) software for operating systems and applications. COTS systems generally provide more functions than are required for the specific purposes for which it is employed. For example, a default installation of a server operating system may install mail, Web, and file-sharing services on a system whose sole function is a DNS server. Unnecessary software and services represent a potential security weakness. Their presence increases the potential number of discovered and undiscovered vulnerabilities present in the system. Additionally, system administrators may not install patches or monitor the unused software and services to the same degree as operational software and services. Protection against those risks begins when the systems are constructed and software installed through a process that is referred to as hardening a system.

When deploying off-the-shelf software, management should harden the resulting system. Hardening includes the following actions:

! Determining the purpose of the system and minimum software and hardware requirements;
! Documenting the minimum hardware, software and services to be included on the system;
! Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure;
! Installing necessary patches;
! Installing the most secure and up-to-date versions of applications;
! Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user;
! Configuring security settings as appropriate, enabling allowed activity, and disallowing other activity;
! Enabling logging;
! Creating cryptographic hashes of key files;
! Archiving the configuration and checksums in secure storage prior to system deployment;
! Testing the system to ensure a secure configuration;
! Using secure replication procedures for additional, identically configured systems, making configuration changes on a case-by-case basis;
! Changing all default passwords; and
! Testing the resulting systems.

After deployment, the COTS systems may need updating with current security patches. Additionally, the systems should be periodically audited to ensure that the software present on the systems is authorized and properly configured.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

4)  Does the institution provide initial notice after establishing a customer relationship only if:

a.  the customer relationship is not established at the customer's election; [§4(e)(1)(i)] or

b.  to do otherwise would substantially delay the customer's transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§4 (e)(1)(ii)]