|
You can rely on the Review to help you
prepare for your IT examination. Designed
especially for IT management, The Weekly IT Security Review
provides a analysis of IT security issues covered in the FFIEC IT
Examination Handbook, which will help in preparing for your IT
examination. For more information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
Secret Service Paid TJX Hacker $75,000 a Year - Convicted TJX hacker
Albert Gonzalez earned $75,000 a year working undercover for the
U.S. Secret Service, informing on bank card thieves before he was
arrested in 2008 for running his own multimillion-dollar
card-hacking operation.
http://www.wired.com/threatlevel/2010/03/gonzalez-salary/
FYI -
GAO - IRS Needs to Continue to Address Significant Weaknesses.
More than two-thirds of the weaknesses and
deficiencies in the Internal Revenue Services IT systems remain
unresolved one year after being identified by the GAO, jeopardizing
the confidentiality, integrity and availability of sensitive
taxpayer information, the Government Accountability Office reported.
Release -
http://www.gao.gov/new.items/d10355.pdf
Highlights -
http://www.gao.gov/highlights/d10355high.pdf
Article -
http://www.govinfosecurity.com/articles.php?art_id=2323
FYI -
One in four UK schoolkids admits hacking - One in four UK youngsters
have tried hacking into Facebook or webmail accounts, according to a
new survey.
http://www.theregister.co.uk/2010/03/18/uk_teenage_hacker_survey/
FYI -
Lords pass controversial internet piracy bill - Legislation to
tackle internet piracy, including bans for illegal file-sharers, has
been passed by the Lords. The Digital Economy Bill is now expected
to be rushed through the Commons before the general election.
http://news.bbc.co.uk/2/hi/uk_news/politics/8569750.stm
FYI -
Russia and US working together to shut down stock hacker -
Cooperative effort to combat stock manipulators. The ongoing case
against hackers using stolen share trading accounts to manipulate
stocks is seeing good cooperation between Russian business and the
US government's Securities and Exchange Commission (SEC).
http://www.securecomputing.net.au/News/170201,russia-and-us-working-together-to-shut-down-stock-hacker.aspx
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Health records compromised - Alberta's privacy commissioner has
launched an investigation into the potential compromise of thousands
of patient files at a northeast medical clinic.
http://www.calgarysun.com/news/alberta/2010/03/17/13261481.html
FYI -
Stolen Vanderbilt University desktop contained students' personal
information - A Vanderbilt University professor's desktop computer,
containing the personal information of thousands of current and
former students, was recently stolen.
http://www.scmagazineus.com/stolen-vanderbilt-university-desktop-contained-students-personal-information/article/166064/?DCMP=EMC-SCUS_Newswire
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 1 of 5)
BACKGROUND
Web-site spoofing is a method of creating fraudulent Web sites that
look similar, if not identical, to an actual site, such as that of a
bank. Customers are typically directed to these spoofed Web
sites through phishing schemes or pharming techniques. Once at
the spoofed Web site, the customers are enticed to enter information
such as their Internet banking username and password, credit card
information, or other information that could enable a criminal to
use the customers' accounts to commit fraud or steal the customers'
identities. Spoofing exposes a bank to strategic, operational,
and reputational risks; jeopardizes the privacy of bank customers;
and exposes banks and their customers to the risk of financial
fraud.
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of Web-site spoofing by implementing
the identification and response procedures discussed in this
bulletin. A bank also can help minimize the impact of a
spoofing incident by assigning certain bank employees responsibility
for responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet
activities are outsourced, the bank can address spoofing risks by
ensuring that its contracts with its technology service providers
stipulate appropriate procedures for detecting and reporting
spoofing incidents, and that the service provider's process for
responding to such incidents is integrated with the bank's own
internal procedures.
Banks can improve the effectiveness of their response procedures by
establishing contacts with the Federal Bureau of Investigation (FBI)
and local law enforcement authorities in advance of any spoofing
incident. These contacts should involve the appropriate
departments and officials responsible for investigating computer
security incidents. Effective procedures should also include
appropriate time frames to seek law enforcement involvement, taking
note of the nature and type of information and resources that may be
available to the bank, as well as the ability of law enforcement
authorities to act rapidly to protect the bank and its customers.
Additionally, banks can use customer education programs to mitigate
some of the risks associated with spoofing attacks. Education
efforts can include statement stuffers and Web-site alerts
explaining various Internet-related scams, including the use of
fraudulent e-mails and Web-sites in phishing attacks. In
addition, because the attacks can exploit vulnerabilities in Web
browsers and/or operating systems, banks should consider reminding
their customers of the importance of safe computing practices.
Return to
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the series
from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between
two networks which all traffic, regardless of the direction, must
pass through. When employed properly, it is a primary security
measure in governing access control and protecting the internal
system from compromise.
The key to a firewall's ability to protect the network is its
configuration and its location within the system. Firewall products
do not afford adequate security protection as purchased. They must
be set up, or configured, to permit or deny the appropriate traffic.
To provide the most security, the underlying rule should be to deny
all traffic unless expressly permitted. This requires system
administrators to review and evaluate the need for all permitted
activities, as well as who may need to use them. For example, to
protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal
computer should be denied access. Alternatively, systems could be
denied access based on their IP address, regardless of the
origination point. Such requests could then be evaluated based on
what information was requested and where in the internal system it
was requested from. For instance, incoming FTP requests may be
permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to
perform business operations and the need for security. Due to the
intricate details of firewall programming, the configuration should
be reassessed after every system change or software update. Even if
the system or application base does not change, the threats to the
system do. Evolving risks and threats should be routinely monitored
and considered to ensure the firewall remains an adequate security
measure. If the firewall system should ever fail, the default should
deny all access rather than permit the information flow to continue.
Ideally, firewalls should be installed at any point where a computer
system comes into contact with another network. The firewall system
should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition,
detection mechanisms and procedures should include the generation
and routine review of security logs.
Return to the top of
the newsletter
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
customers.
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a financial
institution's evaluation or brokerage of information that the
institution collects in connection with a request or an application
from a consumer for a financial product or service. For example, a
financial service includes a lender's evaluation of an application
for a consumer loan or for opening a deposit account even if the
application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer relationship" with a
financial institution. A "customer relationship" is a continuing
relationship between a consumer and a financial institution under
which the institution provides one or more financial products or
services to the consumer that are to be used primarily for personal,
family, or household purposes. |
