What if you could continuously review your IT operations throughout the year, as recommended by regulators and IT auditors, for less than 10 dollars a week? You can - by relying on The Weekly IT Security Review by Yennik, Inc. Readers have been asking us for a method that would allow them to continuously review their IT operations throughout the year. We have responded by using our expertise to develop The Weekly IT Security Review. Designed especially for IT professionals, this new offering from Yennik, Inc. provides a weekly review of information systems security issues. For more information and to subscribe visit http://www.yennik.com/it-review/.
FYI -
U.S. 'Severely Threatened' By Cyber Attacks - The U.S. intelligence
chief is urging greater cooperation and funding to defend against
online threats. Testifying before the Senate Intelligence Committee
on Tuesday, the top U.S. intelligence official warned that U.S.
critical infrastructure is "severely threatened" and called the
recent cyber attack on Google "a wake-up call to those who have not
taken this problem seriously."
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=222600872
FYI -
ISP cleared of copyright infringement - In the first case of its
kind, an Australian court has ruled that an internet service
provider cannot be responsible for illegal downloading. iiNet,
Australia's third largest ISP, was taken to court by a group of 34
movie production houses.
http://news.bbc.co.uk/2/hi/technology/8498100.stm
FYI -
U.S. House passes cybersecurity research bill - The U.S. House of
Representatives overwhelmingly approved a cybersecurity bill that
calls for beefing up training, research, and coordination so the
government can be better prepared to deal with cyberattacks.
http://news.cnet.com/8301-27080_3-10447627-245.html?tag=newsEditorsPicksArea.0
FYI -
Most consumers reuse banking passwords on other sites - Password
recycle fail leaves consumers ripe for harvesting - The majority of
online banking customers reuse their online-banking login
credentials on other websites, according to a new survey on password
insecurity.
http://www.theregister.co.uk/2010/02/02/e_banking_password_fail_survey/
FYI -
China stomps cybercrook training outfit - Black Hawk taken down -
Chinese authorities have closed down a firm that allegedly trained
hackers to develop spyware and launch cyberattacks.
http://www.theregister.co.uk/2010/02/08/china_cybercrook_training_outfit_raid/
FYI -
Security Chip That Does Encryption in PCs Hacked - Security chip
used in millions of PCs hacked; criminals can crack encryption with
new attack - Deep inside millions of computers is a digital Fort
Knox, a special chip with the locks to highly guarded secrets,
including classified government reports and confidential business
plans. Now a former U.S. Army computer-security specialist has
devised a way to break those locks.
http://abcnews.go.com/Technology/wireStory?id=9780148
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Phishing attack nets 3 million euros of carbon permits - The
international carbon market has been hit by a phishing attack which
saw an estimated 250,000 permits worth over 3 million euros stolen
this week.
http://news.bbc.co.uk/2/hi/technology/8497129.stm
FYI -
Hacker attacks Ceridian; data from 27,000 at risk - The invasion at
Ceridian may have affected 27,000 people at 1,900 firms. A hacker
attack at payroll processing firm Ceridian Corp. of Bloomington has
potentially revealed the names, Social Security numbers, and, in
some cases, the birth dates and bank accounts of 27,000 employees
working at 1,900 companies nationwide.
http://www.startribune.com/business/83505102.html?elr=KArksUUUU
FYI -
Fugitive VoIP hacker admits 10 million minute spree - A Miami hacker
has admitted he pocketed more than $1m by selling millions of
minutes of voice over IP calls and surreptitiously routing them
through the networks of telecommunications companies.
http://www.theregister.co.uk/2010/02/03/voip_hacker_guilty/
FYI -
City supe slaps bank for account compromise - $378,000 Ukraine
transfer - A supervisor for the town of Poughkeepsie, New York
lashed out at a local bank after someone siphoned $378,000 out of
municipal coffers and transferred it to Ukraine.
http://www.theregister.co.uk/2010/02/05/online_bank_heist/
FYI -
Payroll processing firm Ceridian Corp. hacked - A hacker recently
attacked the payroll processing firm Ceridian Corp. of Bloomington,
Minn. and gained access to sensitive information of employees
working at 1,900 companies nationwide.
http://www.scmagazineus.com/payroll-processing-firm-ceridian-corp-hacked/article/163403/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue the series on the FDIC Supervisory Insights article regarding Incident Response Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program is
to define what constitutes an incident. This step is important as it
sharpens the organization's focus and delineates the types of events
that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
Detection
The ability to detect that an incident is occurring or has occurred
is an important component of the incident response process. This is
considerably more important with respect to technical threats, since
these can be more difficult to identify without the proper technical
solutions in place. If an institution is not positioned to quickly
identify incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such
as an intrusion detection system or a firewall, to assist in the
identification of unauthorized system access. Activity reports from
these and other technical solutions (such as network and application
security reports) serve as inputs for the monitoring process and for
the IRP in general. Identifying potential indicators of unauthorized
system access within these activity or security reports can assist
in the detection process.
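As an added example (not from the FDIC paper or this newsletter), the following Python script applies assumed IRP incident definitions to constructed login activity-report lines and returns the indicators of unauthorized system access that would trigger the response program. The log format, thresholds, and trusted address range are all assumptions an institution would set for itself.

```python
"""Flag indicators of unauthorized system access in activity reports.

Constructed example: the log lines below are invented, and the thresholds
(incident definitions) are assumptions an institution would set in its IRP.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed IRP incident definitions (placeholders, not from the FDIC text).
FAILED_LOGIN_THRESHOLD = 5                   # failures per source within WINDOW
WINDOW = timedelta(minutes=10)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]    # assumed internal address range

# Constructed activity-report lines: "<timestamp> <src_ip> <user> <outcome>"
SAMPLE_LOG = """\
2010-02-08T09:00:01 10.1.4.22 jsmith SUCCESS
2010-02-08T09:02:10 198.51.100.7 admin FAIL
2010-02-08T09:02:12 198.51.100.7 admin FAIL
2010-02-08T09:02:15 198.51.100.7 admin FAIL
2010-02-08T09:02:19 198.51.100.7 admin FAIL
2010-02-08T09:02:23 198.51.100.7 admin FAIL
2010-02-08T09:02:40 198.51.100.7 admin SUCCESS
2010-02-08T09:30:00 10.1.4.22 jsmith FAIL
"""

def parse(lines):
    """Turn raw report lines into (timestamp, src_ip, user, outcome) tuples."""
    events = []
    for line in lines.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip_address(src), user, outcome))
    return events

def find_indicators(events):
    """Return (indicator, src_ip, user) tuples that should trigger the IRP."""
    indicators = []
    recent_failures = defaultdict(list)      # src_ip -> timestamps of failures
    for ts, src, user, outcome in sorted(events):
        fails = [t for t in recent_failures[src] if ts - t <= WINDOW]
        if outcome == "FAIL":
            fails.append(ts)
            if len(fails) == FAILED_LOGIN_THRESHOLD:   # report once per burst
                indicators.append(("brute_force", str(src), user))
        else:
            if fails:                        # success right after a burst of failures
                indicators.append(("success_after_failures", str(src), user))
            if not any(src in net for net in TRUSTED_NETS):
                indicators.append(("untrusted_source_login", str(src), user))
        recent_failures[src] = fails
    return indicators
```

Each returned tuple is a candidate incident to be classified under the institution's own incident definitions and routed into the IRP.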
Involve legal counsel.
Because many states have enacted laws governing
notification requirements for customer information security
compromises, institutions have found it prudent to involve the
institution's legal counsel when a compromise of customer
information has been detected. Legal guidance may also be warranted
in properly documenting and handling the incident.
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
Utilization of the Internet presents numerous issues and risks which
must be addressed. While many aspects of system performance will
present additional challenges to the bank, some will be beyond the
bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
bank's business.
The risks will not remain static. As technologies evolve, security
controls will improve; however, so will the tools and methods used
by others to compromise data and systems. Comprehensive security
controls must not only be implemented, but also updated to guard
against current and emerging threats. Security controls that address
the risks will be presented over the next few weeks.
SECURITY MEASURES
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
and non-repudiation.
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates
are emerging to address security concerns, particularly in the area
of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital
certificates differ depending on the particular security issues
presented by the bank's activities. The technologies,
implementation standards, and the necessary legal infrastructure
continue to evolve to address the security needs posed by the
Internet and electronic commerce.
INTERNET PRIVACY - This
concludes our series listing the regulatory-privacy examination
questions. Next week, we will begin our review of the issues in the
"Privacy of Consumer Financial Information" published by the
financial regulatory agencies.
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal information to
nonaffiliated third parties, do the requirements for initial notice
in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for
service providers and joint marketers in §13, not apply because the
institution makes the disclosure:
a. with the consent or at the direction of the consumer;
[§15(a)(1)]
b.
1. to protect the confidentiality or security of records;
[§15(a)(2)(i)]
2. to protect against or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability;
[§15(a)(2)(ii)]
3. for required institutional risk control or for resolving
consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating to
the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity on
behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or
agencies, agencies rating the institution, persons assessing
compliance, and the institution's attorneys, accountants, and
auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or to law
enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or
from a consumer report reported by a consumer reporting agency;
[§15(a)(5)]
f. in connection with a proposed or actual sale, merger, transfer,
or exchange of all or a portion of a business or operating unit, if
the disclosure of nonpublic personal information concerns solely
consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal
requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by Federal, state,
or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory
authorities having jurisdiction over the institution for
examination, compliance, or other purposes as authorized by law?
[§15(a)(7)(iii)]
(Note: the regulation gives the following as an example of
the exception described in section a of this question: "A consumer
may specifically consent to [an institution's] disclosure to a
nonaffiliated insurance company of the fact that the consumer has
applied to [the institution] for a mortgage so that the insurance
company can offer homeowner's insurance to the consumer.")