Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter
is available for the Android smart phones and tablets. Go
to the Market Store and search for yennik.
failure is seen as a greater concern than negligence, as cost of
average data breach to organisations reaches £1.9 million - System
failure has overtaken the insider as the most common threat in terms
of data loss. According to a study by Symantec and the Ponemon
Institute, 37 per cent of all data loss cases involved a system
failure, up seven per cent on 2009.
Hacker vs. Hacker - The hacking and public humiliation of
cyber-security firm HBGary isn't just entertaining geek theater.
It's a cautionary tale for businesses everywhere.
- Cyberattack could put customers at risk - Information about RSA's
SecurID authentication tokens used by millions of people, including
government and bank employees, was stolen during an "extremely
sophisticated cyberattack," putting customers relying on them to
secure their networks at risk, the company said today. http://news.cnet.com/8301-27080_3-20044455-245.html
- ICO says 40% of wireless home internet users have no knowledge of
WiFi security - Research just published by the Information
Commissioner's Office (ICO) claims to show that 40% of people who
have WiFi at home do not understand how to change the security
settings on their networks. http://www.infosecurity-magazine.com/view/16701/ico-says-40-of-wireless-home-internet-users-have-no-knowledge-of-wifi-security/
- GAO Says IRS Data Security Problems Persist - The General
Accountability Office reported that the Internal Revenue Service is
still exposing taxpayer and financial information to insider-threat
risks, despite making some access-control improvements. http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229301206
- Goldman Sachs programmer sentenced for code theft - A software
programmer charged with copying secret financial trading code from
Goldman Sachs computers was sentenced Friday to eight years in
- Microsoft launches new PC tool for small businesses - Microsoft
wants to convince small and midsize businesses that they need the
same sort of PC-management tools that large corporations use.
- Banking via mobile device jumps 54 percent - The number of people
accessing their bank or brokerage accounts through mobile devices
surged 54 percent in the fourth quarter last year compared with the
same period in 2009.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Medical ID theft on the rise, says new study - Even though nearly
1.5 million Americans were victims of medical identity theft last
year, many are doing little to protect their health records,
according to a second annual study released Tuesday.
- US-Cert warns of phishing attacks that bypass filters - The US
Computer Emergency Response Team (US-Cert) is warning users and
administrators following the discovery of a potent new phishing
operation. The scam is targeting a number of institutions, including
Bank of America, Lloyds, PayPal and TSB.
- Leader of Hacker Gang Sentenced to 9 Years For Hospital Malware -
The former leader of an anarchistic hacking group called the
Electronik Tribulation Army was sentenced Thursday to 9 years and 2
months in prison for installing malware on computers at a Texas
- Texas ringleader of pump-and-dump scam arrested - Federal agents
have arrested the alleged ringleader of an international securities
fraud gang that used hackers, botnet operators and email spam to
artificially drive up the value of stocks, the Department of Justice
(DoJ) said Thursday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Some considerations for contracting with service providers are
discussed below. This listing is
not all-inclusive and the institution may need to evaluate other
considerations based on its unique
circumstances. The level of detail and relative importance of
contract provisions varies with the
scope and risks of the services outsourced.
Scope of Service
The contract should clearly describe the rights and responsibilities
of parties to the contract.
Timeframes and activities for implementation and assignment of
responsibility. Implementation provisions should take into
consideration other existing systems or interrelated systems to
be developed by different service providers (e.g., an Internet
banking system being integrated with existing core applications
or systems customization).
• Services to be performed by the service provider including
duties such as software support and maintenance, training of
employees or customer service.
• Obligations of the financial institution.
• The contracting parties’ rights in modifying existing services
performed under the contract.
• Guidelines for adding new or different services and for
Institutions should generally include performance standards defining
minimum service level requirements and remedies for failure to meet
standards in the contract. For example, common service level metrics
include percent system uptime, deadlines for completing batch
processing, or number of processing errors. Industry standards for
service levels may provide a reference point. The institution should
periodically review overall performance standards to ensure
consistency with its goals and objectives.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on
the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Shared Secret Systems
(Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the ease
with which an attacker can discover the secret. Attack methods vary.
! A dictionary attack is one common and successful way to discover
passwords. In a dictionary attack, the attacker obtains the system
password file, and compares the password hashes against hashes of
commonly used passwords.
Controls against dictionary attacks include securing the password
file from compromise, detection mechanisms to identify a compromise,
heuristic intrusion detection to detect differences in user
behavior, and rapid reissuance of passwords should the password file
ever be compromised. While extensive character sets and storing
passwords as one - way hashes can slow down a dictionary attack,
those defensive mechanisms primarily buy the financial institution
time to identify and react to the password file compromises.
! An additional attack method targets a specific account and submits
passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms, which
commonly lock out access to the account after a risk - based number
of failed login attempts.
! A variation of the previous attack uses a popular password, and
tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of
possible passwords to usernames, randomly generated passwords, and
scanning the IP addresses of authentication requests and client
cookies for submission patterns.
! Password guessing attacks also exist. These attacks generally
consist of an attacker gaining knowledge about the account holder
and password policies and using that knowledge to guess the
Controls include training in and enforcement of password policies
that make passwords difficult to guess. Such policies address the
secrecy, length of the password, character set, prohibition against
using well - known user identifiers, and length of time before the
password must be changed. Users with greater authorization or
privileges, such as root users or administrators, should have
longer, more complex passwords than other users.
! Some attacks depend on patience, waiting until the logged - in
workstation is unattended.
Controls include automatically logging the workstation out after a
period of inactivity (Existing
industry practice is no more than 20 - 30 minutes) and
heuristic intrusion detection.
! Attacks can take advantage of automatic login features, allowing
the attacker to assume an authorized user's identity merely by using
Controls include prohibiting and disabling automatic login features,
and heuristic intrusion detection.
! User's inadvertent or unthinking actions can compromise passwords.
For instance, when a password is too complex to readily memorize,
the user could write the password down but not secure the paper.
Frequently, written - down passwords are readily accessible to an
attacker under mouse pads or in other places close to the user's
machines. Additionally, attackers frequently are successful in
obtaining passwords by using social engineering and tricking the
user into giving up their password.
Controls include user training, heuristic intrusion detection, and
simpler passwords combined with another authentication mechanism.
! Attacks can also become much more effective or damaging if
different network devices share the same or a similar password.
Controls include a policy that forbids the same or similar password
on particular network devices.
Return to the top of
PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and
b. the institution has provided the consumer with a new opt out
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information;
d. the consumer has not opted out? [§8(a)(4)]