Spending less than 5 minutes a week along with a cup of coffee, you can
monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA,
NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Navy Adds Cybersecurity Academy Requirements - The Naval Academy
has added two new classes in cybersecurity, highlighting the
importance of cyberwarfare as an emerging area of potential
expertise for academy students.
GAO - Information Technology: Better Informed Decision Making Needed
on Navy's Next Generation Enterprise Network.
With hacking, music can take control of your car - With the high
technical barrier to entry, the researchers believe that hacker
attacks on cars will be very difficult to pull off, but they say
they want to make the auto industry aware of potential problems
before they become pervasive.
GAO - IRS Needs to Enhance Internal Control over Financial Reporting
and Taxpayer Data
FTC officially closes Twitter security investigation - The U.S.
Federal Trade Commission has closed the book on its legal action
against Twitter, stemming from two 2009 hacking incidents where
high-profile Twitter users -- including President Barack Obama --
lost control of their accounts.
India demands more access to Blackberry emails - RIM has hit back at
demands by Indian authorities for more power to monitor the email
data sent from its Blackberry handsets.
AT&T to introduce data caps on DSL - Unlimited data will soon be a
thing of the past for all AT&T customers, as the company confirms it
will put a cap on data usage for its DSL and U-verse broadband
GAO - Continued Attention Needed to Protect Our Nation's Critical
Infrastructure and Federal Information Systems.
GAO - Department of Labor: Further Management Improvements Needed to
Address Information Technology and Financial Controls.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
New Jersey Audit Uncovers Confidential Data on Auction-Bound
Computers - A recent audit by New Jersey’s Office of the State
Comptroller (OSC) uncovered confidential and personal information on
computers marked for public auction.
Defense contractor charged with stealing secrets on laptop - A
former engineer with U.S. military contractor L-3 Communications is
facing as much as 20 years in prison on charges that he illegally
exported military data to China.
SpyEye Botmasters Hit Anti-Botnet Site with Denial-of-Service Attack
- Cyber-criminals launched distributed denial-of-service attacks
against the Swiss site abuse.ch, which identifies malicious domains
and botnet command and control servers.
German finance agency suspends site over serious security bug -
Germany's federal finance ministry has pulled its website offline
after receiving notification of a serious security problem from
white hat hackers affiliated to the Chaos Computer Club (CCC).
Anonymous hacktivists reveal alleged fraud at Bank of America -
Hacker group Anonymous has released emails claiming to reveal fraud
at Bank of America.
Health Net breach prompts investigation, affects 1.9M - Managed
health care provider Health Net revealed this week that it lost the
personal information of nearly two million current and past
enrollees, its second massive breach in 16 months.
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
• Determine adequacy of the service provider’s standards, policies
and procedures relating to internal controls, facilities
management (e.g., access requirements, sharing of facilities,
etc.), security (e.g., systems, data, equipment, etc.), privacy
protections, maintenance of records, business resumption
contingency planning, systems development and maintenance, and
employee background checks.
• Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
• Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that
are relevant to the services they are providing (e.g.,
Regulation E, privacy and other consumer protection regulations,
Bank Secrecy Act, etc.).
• Assess the adequacy of the service provider’s insurance
coverage including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
• Analyze the service provider’s most recent audited financial
statements and annual report as well as other indicators (e.g.,
publicly traded bond ratings), if available.
• Consider factors such as how long the service provider has
been in business and the service provider’s market share for a
given service and how it has fluctuated.
• Consider the significance of the institution’s proposed
contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s
level of investment in technology consistent with supporting the
institution’s activities? Does the service provider have the
financial resources to invest in and support the required
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Shared Secret Systems
(Part 1 of 2)
Shared secret systems uniquely identify the user by matching
knowledge on the system to knowledge that only the system and user
are expected to share. Examples are passwords, pass phrases, or
current transaction knowledge. A password is one string of
characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string
of words or characters (e.g., "My car is a shepherd") that the
system may shorten to a smaller password by means of an algorithm.
Current transaction knowledge could be the account balance on the
last statement mailed to the user/customer. The strength of shared
secret systems is related to the lack of disclosure of and about the
secret, the difficulty in guessing or discovering the secret, and
the length of time that the secret exists before it is changed.
A strong shared secret system only involves the user and the system
in the generation of the shared secret. In the case of passwords and
pass phrases, the user should select them without any assistance
from any other user, such as the help desk. One exception is in the
creation of new accounts, where a temporary shared secret could be
given to the user for the first login, after which the system
prompts the user to create a different password. Controls should
prevent any user from re-using shared secrets that may have been
compromised or were recently used by them.
Passwords are the most common authentication mechanism. Passwords
are generally made difficult to guess when they are composed from a
large character set, contain a large number of characters, and are
frequently changed. However, since hard-to-guess passwords may
be difficult to remember, users may take actions that weaken
security, such as writing the passwords down. Any password system
must balance the password strength with the user's ability to
maintain the password as a shared secret. When the balancing
produces a password that is not sufficiently strong for the
application, a different authentication mechanism should be
considered. Pass phrases are one alternative to consider. Due to
their length, pass phrases are generally more resistant to attack
than passwords. The length, character set, and time before enforced
change are important controls for pass phrases as well as passwords.
Shared secret strength is typically assured through the use of
automated tools that enforce the password selection policy.
Authentication systems should force changes to shared secrets on a
schedule commensurate with risk.
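The controls described above (a password or pass phrase selected only by the user, a temporary first-login secret that must be changed, no re-use of recent secrets, a strength policy enforced by an automated tool, and forced change on a schedule) can be seen together in a small server-side model. The example below is added here and is not from the FFIEC Booklet or any product; the thresholds (12-character passwords, 20-character pass phrases of at least four words, a history of 10, a 90-day maximum age) and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
import time

# Policy thresholds: assumed values for this example, not Booklet requirements.
MIN_PASSWORD_LEN = 12
MIN_PASSPHRASE_LEN = 20
MIN_PASSPHRASE_WORDS = 4
HISTORY_DEPTH = 10
MAX_AGE_SECONDS = 90 * 24 * 3600
PBKDF2_ITERATIONS = 200_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the shared secret, never the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class SharedSecretRecord:
    """What the system keeps per user: current hash, recent hashes, and when it was set."""

    def __init__(self):
        # One salt per user keeps history comparison simple; the salt itself is not secret.
        self.salt = os.urandom(16)
        self.current = None
        self.history = []          # hashes of previous secrets, oldest first
        self.set_at = 0.0          # time the current secret was set
        self.must_change = False   # True while a help-desk temporary secret is in use


def strength_problems(candidate: str) -> list:
    """Return policy violations; an empty list means the candidate is acceptable."""
    problems = []
    # Pass phrase alternative: length is the control, character mix is not required.
    if len(candidate) >= MIN_PASSPHRASE_LEN and len(candidate.split()) >= MIN_PASSPHRASE_WORDS:
        return problems
    if len(candidate) < MIN_PASSWORD_LEN:
        problems.append("too short")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three character classes")
    return problems


def set_secret(record: SharedSecretRecord, candidate: str, now=None) -> list:
    """User-chosen change of secret; rejects weak candidates and re-use of recent ones."""
    now = time.time() if now is None else now
    problems = strength_problems(candidate)
    if problems:
        return problems
    digest = hash_secret(candidate, record.salt)
    if digest == record.current or digest in record.history:
        return ["re-use of a recent secret"]
    if record.current is not None:
        record.history.append(record.current)
        record.history = record.history[-HISTORY_DEPTH:]
    record.current = digest
    record.set_at = now
    record.must_change = False
    return []


def issue_temporary_secret(record: SharedSecretRecord, now=None) -> str:
    """New-account exception: a temporary secret valid only until the user picks their own."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)
    record.current = hash_secret(temp, record.salt)
    record.set_at = now
    record.must_change = True
    return temp


def verify(record: SharedSecretRecord, attempt: str, now=None) -> str:
    """Return 'ok', 'bad', 'must_change' or 'expired' for a login attempt."""
    now = time.time() if now is None else now
    if record.current is None:
        return "bad"
    if not hmac.compare_digest(hash_secret(attempt, record.salt), record.current):
        return "bad"
    if record.must_change:
        return "must_change"
    if now - record.set_at > MAX_AGE_SECONDS:
        return "expired"
    return "ok"
```

With the Booklet's own examples, "t0Ol@Tyme" is rejected only for length under these assumed thresholds, while "My car is a shepherd" is accepted as a pass phrase; a later attempt to set either the current or a recently used secret again is refused, and a temporary secret authenticates only into a forced change.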
Passwords can also be dynamic. Dynamic passwords typically use
seeds, or starting points, and algorithms to calculate a new
shared secret for each access. Because each password is used for
only one access, dynamic passwords can provide significantly more
authentication strength than static passwords. In most cases,
dynamic passwords are implemented through tokens. A token is a
physical device, such as an ATM card, smart card, or other device
that contains information used in the authentication process.
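To show how a seed plus an algorithm yields a different shared secret for every access, and why the server must refuse a value once it has been used, here is an added example (not from the Booklet) of the HMAC-based one-time password scheme of RFC 4226, where the token and the server share a seed and a counter. The seed value and the look-ahead window of 5 are the RFC's test-vector secret and an assumed window respectively; the server-side record class is this example's own construction.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to decimal digits."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServerRecord:
    """Server-side state for one token: the shared seed and the highest counter accepted."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.last_counter = -1      # nothing accepted yet
        self.look_ahead = look_ahead  # tolerates a few unused token presses


def verify_dynamic_password(record: TokenServerRecord, submitted: str) -> bool:
    """Accept a code only for a counter beyond the last one used, so a captured code
    cannot be replayed; counters behind the accepted one are dead forever."""
    start = record.last_counter + 1
    for counter in range(start, start + record.look_ahead):
        if hmac.compare_digest(hotp(record.seed, counter), submitted):
            record.last_counter = counter
            return True
    return False


# RFC 4226 Appendix D test secret, used here only to make the codes checkable.
RFC_SEED = b"12345678901234567890"
```

Each token press produces a fresh six-digit value, and after the server accepts counter 2 a valid code for counter 1 is rejected: the one-access property is what gives dynamic passwords their strength over static ones.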
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
32. When a customer relationship ends, does the institution continue
to apply the customer's opt out direction to the nonpublic personal
information collected during, or related to, that specific customer
relationship (but not to new relationships, if any, subsequently
established by that customer)? [§7(g)(2)]