SEC, FTC investigating Heartland after data theft - The company also
faces a class-action suit - Federal agencies, including the U.S.
Federal Trade Commission and the U.S. Securities and Exchange
Commission, have begun investigating Heartland Payment Systems
following a massive data breach at the payment processing company.
FCC threatens 600 operators with fines over data protection rules -
Operators haven't provided proof that they protect customer data,
agency says - The U.S. Federal Communications Commission may fine
600 operators for failing to properly file annual reports proving
that they protect customer data.
FAA will use software to identify sensitive data - The Federal
Aviation Administration (FAA) plans to implement software designed
to look for personally identifiable information in computer systems
so the agency can have a more thorough inventory of its sensitive
data, a FAA senior official has said.
Banking ID theft reaching epidemic proportions - The amount of
malware aimed at financial identity theft is bigger than ever,
Sean-Paul Correll, a threat researcher at PandaLabs, wrote in a post
on the PandaLabs blog of Panda Security.
Layoff backlash: Five steps to protect your business from angry
ex-employees - Layoffs can spark destructive behavior. Take these
steps to protect your company. A senior corporate executive leaves
the company, taking with him his framed family photographs, his
prized gold pen-and-pencil set -- and the passwords of several
Encryption demands: Ignored by quarter of MoD contractors -
Companies working on confidential UK defence information are not
complying with government demands to encrypt data.
SANS - Twenty Important Controls for Effective Cyber Defense and
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Prime Minister's health records breached in database attack -
Personal medical records belonging to Scotland's rich and powerful -
including Prime Minister Gordon Brown and Holyrood's First Minister
Alex Salmond - have been illegally accessed in a breach of a
national database that holds details of 2.5 million people.
Visa: New payment-processor data breach not so new after all -
Company says recent breach alerts involved ongoing probe of earlier
system intrusion - Days after Visa Inc. seemingly confirmed that a
data breach had taken place at a third payment processor, following
on the recent breach disclosures by Heartland Payment Systems Inc.
and RBS WorldPay Inc., the credit card company is now saying that
there was no new security incident after all.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the
Official Staff Commentary (OSC,) an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated," is a consumer's
authorization via a home banking system.
To satisfy the regulatory requirements, the institution must
have some means to identify the consumer (such as a security code)
and make a paper copy of the authorization available (automatically
or upon request). The
text of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A
financial institution may receive correspondence through an
electronic medium concerning an unauthorized transaction, loss, or
theft of an access device. Therefore,
the institution should ensure that controls are in place to review
these notifications and also to ensure that an investigation is
initiated as required.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted. For
example, VPNs, IPSec, and encrypted e-mail will all shield malicious
code from detection.
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
Heuristic anti - virus products generally execute code in a
protected area of the host to analyze and detect any hostile intent.
Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive solutions.
New malicious code could have different signatures, and bypass other
controls. Protection against newly developed malicious code
typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host intrusion
detection devices. Network intrusion detection devices can be tuned
to alert when known malicious code attacks occur. Host intrusion
detection can be tuned to alert when they recognize abnormal system
behavior, the presence of unexpected files, and changes to other
Return to the top of the
F. PERSONNEL SECURITY
4. Determine if the institution provides to its employees
appropriate security training covering the institution's policies
and procedures, on an appropriate frequency, and that institution
employees certify periodically as to their understanding and
awareness of the policy and procedures.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Reuse & Redisclosure of nonpublic personal information received
from a nonaffiliated financial institution under Sections 14 and/or
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in the step b below (§11(a)(1)(i)
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).