you could continuously review your IT operations throughout the
year as recommended by regulators and IT auditors for less than 10 dollars a week? You can - by relying
on The Weekly IT Security Review by Yennik, Inc.
Readers have been asking us for a method that would allow them to
continuously review their IT operations throughout the year.
We have responded by using our expertise to develop The Weekly IT
Security Review. Designed especially for IT
professionals, this new offering from Yennik, Inc. provides a weekly
review of information systems security issues. For more
information and to subscribe visit
U.S. 'Severely Threatened' By Cyber Attacks - The U.S. intelligence
chief is urging greater cooperation and funding to defend against
online threats. Testifying before the Senate Intelligence Committee
on Tuesday, the top U.S. intelligence official warned that U.S.
critical infrastructure is "severely threatened" and called the
recent cyber attack on Google "a wake-up call to those who have not
taken this problem seriously."
ISP cleared of copyright infringement - In the first case of its
kind, an Australian court has ruled that an internet service
provider cannot be responsible for illegal downloading. iiNet,
Australia's third largest ISP, was taken to court by a group of 34
movie production houses.
U.S. House passes cybersecurity research bill - The U.S. House of
Representatives overwhelmingly approved a cybersecurity bill that
calls for beefing up training, research, and coordination so the
government can be better prepared to deal with cyberattacks.
Most consumers reuse banking passwords on other sites - Password
recycle fail leaves consumers ripe for harvesting - The majority of
online banking customers reuse their online-banking login
credentials on other websites, according to a new survey on password
China stomps cybercrook training outfit - Black Hawk taken down -
Chinese authorities have closed down a firm that allegedly trained
hackers to develop spyware and launch cyberattacks.
Security Chip That Does Encryption in PCs Hacked - Security chip
used in millions of PCs hacked; criminals can crack encryption with
new attack - Deep inside millions of computers is a digital Fort
Knox, a special chip with the locks to highly guarded secrets,
including classified government reports and confidential business
plans. Now a former U.S. Army computer-security specialist has
devised a way to break those locks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Phishing attack nets 3 million euros of carbon permits - The
international carbon market has been hit by a phishing attack which
saw an estimated 250,000 permits worth over 3 million euros stolen
Hacker attacks Ceridian; data from 27,000 at risk - The invasion at
Ceridian may have affected 27,000 people at 1,900 firms. A hacker
attack at payroll processing firm Ceridian Corp. of Bloomington has
potentially revealed the names, Social Security numbers, and, in
some cases, the birth dates and bank accounts of 27,000 employees
working at 1,900 companies nationwide.
Fugitive VoIP hacker admits 10 million minute spree - A Miami hacker
has admitted he pocketed more than $1m by selling millions of
minutes of voice over IP calls and surreptitiously routing them
through the networks of telecommunications companies.
City supe slaps bank for account compromise - $378,000 Ukraine
transfer - A supervisor for the town of Poughkeepsie, New York
lashed out at a local bank after someone siphoned $378,000 out of
municipal coffers and transferred it to Ukraine.
Payroll processing firm Ceridian Corp. hacked - A hacker recently
attacked the payroll processing firm Ceridian Corp. of Bloomington,
Minn. and gained access to sensitive information of employees
working at 1,900 companies nationwide.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program is
to define what constitutes an incident. This step is important as it
sharpens the organization's focus and delineates the types of events
that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
The ability to detect that an incident is occurring or has occurred
is an important component of the incident response process. This is
considerably more important with respect to technical threats, since
these can be more difficult to identify without the proper technical
solutions in place. If an institution is not positioned to quickly
identify incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such
as an intrusion detection system or a firewall, to assist in the
identification of unauthorized system access. Activity reports from
these and other technical solutions (such as network and application
security reports) serve as inputs for the monitoring process and for
the IRP in general. Identifying potential indicators of unauthorized
system access within these activity or security reports can assist
in the detection process.
Involve legal counsel.
Because many states have enacted laws governing
notification requirements for customer information security
compromises, institutions have found it prudent to involve the
institution's legal counsel when a compromise of customer
information has been detected. Legal guidance may also be warranted
in properly documenting and handling the incident.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Utilization of the Internet presents numerous issues and risks which
must be addressed. While many aspects of system performance will
present additional challenges to the bank, some will be beyond the
bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
The risks will not remain static. As technologies evolve, security
controls will improve; however, so will the tools and methods used
by others to compromise data and systems. Comprehensive security
controls must not only be implemented, but also updated to guard
against current and emerging threats. Security controls that address
the risks will be presented over the next few weeks.
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates
are emerging to address security concerns, particularly in the area
of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital
certificates differ depending on the particular security issues
presented by the bank's activities. The technologies,
implementation standards, and the necessary legal infrastructure
continue to evolve to address the security needs posed by the
Internet and electronic commerce.
Return to the top of
INTERNET PRIVACY - This
concludes our series listing the regulatory-privacy examination
questions. Next week, we will begin our review of the issues in the
"Privacy of Consumer Financial Information" published by the
financial regulatory agencies.
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal information to
nonaffiliated third parties, do the requirements for initial notice
in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for
service providers and joint marketers in §13, not apply because the
institution makes the disclosure:
a. with the consent or at the direction of the consumer;
1. to protect the confidentiality or security of records;
2. to protect against or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability;
3. for required institutional risk control or for resolving
consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating to
the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity on
behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or
agencies, agencies rating the institution, persons assessing
compliance, and the institution's attorneys, accountants, and
d. in compliance with the Right to Financial Privacy Act, or to law
enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or
from a consumer report reported by a consumer reporting agency;
f. in connection with a proposed or actual sale, merger, transfer,
or exchange of all or a portion of a business or operating unit, if
the disclosure of nonpublic personal information concerns solely
consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal
h. to comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by Federal, state,
or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory
authorities having jurisdiction over the institution for
examination, compliance, or other purposes as authorized by law?
(Note: the regulation gives the following as an example of
the exception described in section a of this question: "A consumer
may specifically consent to [an institution's] disclosure to a
nonaffiliated insurance company of the fact that the consumer has
applied to [the institution] for a mortgage so that the insurance
company can offer homeowner's insurance to the consumer.")