Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Navy Adds Cybersecurity Academy Requirements - The Naval Academy has added two new class in cybersecurity, highlighting the importance of cyberwarfare as an emerging area of potential expertise for academy students. http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229300570

FYI - GAO - Information Technology: Better Informed Decision Making Needed on Navy's Next Generation Enterprise Network.
Release - http://www.gao.gov/products/GAO-11-150
Highlights - http://www.gao.gov/highlights/d11150high.pdf

FYI - With hacking, music can take control of your car - With the high technical barrier to entry, the researchers believe that hacker attacks on cars will be very difficult to pull off, but they say they want to make the auto industry aware of potential problems before they become pervasive. http://www.computerworld.com/s/article/9214167/With_hacking_music_can_take_control_of_your_car?taxonomyId=17&pageNumber=2

FYI - GAO - IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data
Release - http://www.gao.gov/products/GAO-11-308
Highlights - http://www.gao.gov/highlights/d11308high.pdf

FYI - FTC officially closes Twitter security investigation - The U.S. Federal Trade Commission has closed the book on its legal action against Twitter, stemming from two 2009 hacking incidents where high-profile Twitter users -- including President Barack Obama -- lost control of their accounts. http://www.computerworld.com/s/article/9214238/FTC_officially_closes_Twitter_security_investigation?taxonomyId=17

FYI - India demands more access to Blackberry emails - RIM has hit back at demands by Indian authorities for more power to monitor the email data sent from its Blackberry handsets. http://www.techeye.net/security/india-demands-more-access-to-blackberry-emails

FYI - AT&T to introduce data caps on DSL - Unlimited data will soon be a thing of the past for all AT&T customers, as the company confirms it will put a cap on data usage for its DSL and U-verse broadband services. http://news.cnet.com/8301-30686_3-20042839-266.html

FYI - GAO - Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems. http://www.gao.gov/products/GAO-11-463T

FYI - GAO - Department of Labor: Further Management Improvements Needed to Address Information Technology and Financial Controls.
Release - http://www.gao.gov/products/GAO-11-157
Highlights - http://www.gao.gov/highlights/d11157high.pdf

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - New Jersey Audit Uncovers Confidential Data on Auction-Bound Computers - A recent audit by New Jersey’s Office of the State Comptroller (OSC) uncovered confidential and personal information on computers marked for public auction. http://www.govtech.com/policy-management/New-Jersey-Audit-Uncovers-Confidential-Data-on-Auction-Bound-Computers.html

FYI - Defense contractor charged with stealing secrets on laptop - A former engineer with U.S. military contractor L-3 Communications is facing as much as 20 years in prison on charges that he illegally exported military data to China. http://www.computerworld.com/s/article/9213818/Defense_contractor_charged_with_stealing_secrets_on_laptop?taxonomyId=144

FYI - SpyEye Botmasters Hit Anti-Botnet Site with Denial-of-Service Attack - Cyber-criminals launched distributed denial-of-service attacks against the Swiss site abuse.ch, which identifies malicious domains and botnet command and control servers. http://www.eweek.com/c/a/Security/SpyEye-BotMasters-Hit-AntiBotnet-Site-with-Denial-of-Service-Attack-867962/

FYI - German finance agency suspends site over serious security bug - Germany's federal finance ministry has pulled its website offline after receiving notification of a serious security problem from white hat hackers affiliated to the Chaos Computer Club (CCC). http://www.theregister.co.uk/2011/03/14/german_finance_agency_site_suspension/

FYI - Anonymous hacktivists reveal alleged fraud at Bank of America - Hacker group Anonymous has released emails claiming to reveal fraud at Bank of America. http://www.v3.co.uk/v3-uk/news/2033862/anonymous-hacktivists-reveal-fraud-bank-america

FYI - Health Net breach prompts investigation, affects 1.9M - Managed health care provider Health Net revealed this week that it lost the personal information of nearly two million current and past enrollees, its second massive breach in 16 months. http://www.scmagazineus.com/health-net-breach-prompts-investigation-affects-19m/article/198371/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider

Operations and Controls

• Determine adequacy of the service provider’s standards, policies and procedures relating to internal controls, facilities management (e.g., access requirements, sharing of facilities, etc.), security (e.g., systems, data, equipment, etc.), privacy protections, maintenance of records, business resumption contingency planning, systems development and maintenance, and employee background checks.
• Determine if the service provider provides sufficient security precautions, including, when appropriate, firewalls, encryption, and customer identity authentication, to protect institution resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine whether the audit scope, internal controls, and security safeguards are adequate.
• Evaluate whether the institution will have complete and timely access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that are relevant to the services they are providing. (e.g., Regulation E, privacy and other consumer protection regulations, Bank Secrecy Act, etc.).
• Assess the adequacy of the service provider’s insurance coverage including fidelity, fire, liability, data losses from errors and omissions, and protection of documents in transit.

Financial Condition

• Analyze the service provider’s most recent audited financial statements and annual report as well as other indicators (e.g., publicly traded bond ratings), if available.
• Consider factors such as how long the service provider has been in business and the service provider’s market share for a given service and how it has fluctuated.
• Consider the significance of the institution’s proposed contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s level of investment in technology consistent with supporting the institution’s activities? Does the service provider have the financial resources to invest in and support the required technology?

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Shared Secret Systems (Part 1 of 2)

Shared secret systems uniquely identify the user by matching knowledge on the system to knowledge that only the system and user are expected to share. Examples are passwords, pass phrases, or current transaction knowledge. A password is one string of characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string of words or characters (e.g., "My car is a shepherd") that the system may shorten to a smaller password by means of an algorithm. Current transaction knowledge could be the account balance on the last statement mailed to the user/customer. The strength of shared secret systems is related to the lack of disclosure of and about the secret, the difficulty in guessing or discovering the secret, and the length of time that the secret exists before it is changed.

A strong shared secret system only involves the user and the system in the generation of the shared secret. In the case of passwords and pass phrases, the user should select them without any assistance from any other user, such as the help desk. One exception is in the creation of new accounts, where a temporary shared secret could be given to the user for the first login, after which the system prompts the user to create a different password. Controls should prevent any user from re - using shared secrets that may have been compromised or were recently used by them.

Passwords are the most common authentication mechanism. Passwords are generally made difficult to guess when they are composed from a large character set, contain a large number of characters, and are frequently changed. However, since hard - to - guess passwords may be difficult to remember, users may take actions that weaken security, such as writing the passwords down. Any password system must balance the password strength with the user's ability to maintain the password as a shared secret. When the balancing produces a password that is not sufficiently strong for the application, a different authentication mechanism should be considered. Pass phrases are one alternative to consider. Due to their length, pass phrases are generally more resistant to attack than passwords. The length, character set, and time before enforced change are important controls for pass phrases as well as passwords.

Shared secret strength is typically assured through the use of automated tools that enforce the password selection policy. Authentication systems should force changes to shared secrets on a schedule commensurate with risk.

Passwords can also be dynamic. Dynamic passwords typically use seeds, or starting points, and algorithms to calculate a new - shared secret for each access. Because each password is used for only one access, dynamic passwords can provide significantly more authentication strength than static passwords. In most cases, dynamic passwords are implemented through tokens. A token is a physical device, such as an ATM card, smart card, or other device that contains information used in the authentication process.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

32. When a customer relationship ends, does the institution continue to apply the customer's opt out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [§7(g)(2)]