Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
examination.
For more information and to subscribe visit http://www.yennik.com/it-review/.
FYI -
Hacker Albert Gonzalez receives 20 years in prison - Albert Gonzalez
on Thursday received the largest-ever U.S. prison sentence for a
hacker. Gonzalez, 28, of Miami, was sentenced to 20 years in prison
for leading a group of cybercriminals that stole tens of millions of
credit and debit card numbers from TJX and several other retailers.
http://www.scmagazineus.com/hacker-albert-gonzalez-receives-20-years-in-prison/article/166571/
FYI -
Another Gonzalez co-conspirator sentenced - Albert Gonzalez' digital
crime spree continues as another one of his co-conspirators was
sentenced Tuesday in federal court in Boston.
http://www.scmagazineus.com/another-gonzalez-co-conspirator-sentenced/article/166428/
FYI -
Email recipients still falling for spam, finds survey - Despite
awareness around spam, half of email recipients are responding in
some form to socially engineered mail messages, according to a
survey released this week.
http://www.scmagazineus.com/email-recipients-still-falling-for-spam-finds-survey/article/166673/?DCMP=EMC-SCUS_Newswire
FYI -
Former student pleads guilty to hacking school payroll data; he gets
10 years, Vancouver district employees put at risk - A 21-year-old
former Evergreen Public Schools student has pleaded guilty to
criminal charges in connection with a computerized payroll security
breach in November that put more than 5,000 past and current
Vancouver Public Schools employees at risk of identity theft.
http://www.columbian.com/news/2010/mar/25/former-student-pleads-guilty-to-hacking-school-pay/
FYI -
Mobile Finance Forum - Audio files and transcripts now available
- "Cash, Check, or Cell Phone?" Protecting Consumers in a Mobile
Finance World, an Emerging Issues Forum organized by the Federal
Reserve Board, was held from 8:30 am-5:00 pm Tuesday, February 23,
2010, at the Board's Martin Building in Washington, D.C.
www.federalreserve.gov/communityaffairs/national/2010mobile/default.htm
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Company says 3.3M student loan records stolen - Data on 3.3 million
borrowers was stolen from a nonprofit company that helps with
student loan financing. The theft occurred on March 20 or 21 from
the headquarters of Educational Credit Management Corp. (ECMC),
which services loans when student borrowers enter bankruptcy. The
data was contained on portable media, said the organization, which
is a dedicated guaranty agency for Virginia, Oregon and Connecticut.
http://www.computerworld.com/s/article/9174312/Company_says_3.3M_student_loan_records_stolen
FYI -
USB stick containing social services' information found on a
pavement - A USB stick that contained social services' confidential
information about children in care has been found on a pavement in
Stoke-on-Trent.
http://www.scmagazineuk.com/usb-stick-containing-social-services-information-found-on-a-pavement/article/166783/
FYI -
French suspect grilled over Obama Twitter hack - A French suspect
has been arrested over accusations he hacked into the Twitter
accounts of President Obama and other public figures, the BBC
reports.
http://www.theregister.co.uk/2010/03/25/obama_twitter_hack_suspect_cuffed/
FYI -
SEC wins judgment against stock options hacker - A U.S. District
Court has ordered a Ukrainian man to pay $580,000, as well as civil
penalties, after he traded stock options based on knowledge he
obtained from hacking into the computer network of IMS Health, a
company that provides the pharmaceutical industry with sales
data and consulting services.
http://www.scmagazineus.com/sec-wins-judgment-against-stock-options-hacker/article/166988/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 2 of 5)
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of
Web-site spoofing:
* Bounced e-mail messages returned to bank mail servers for messages
the bank never sent (backscatter from phishing mail that forged the
bank's address as the sender). In some cases, these e-mails may
contain links to spoofed Web sites;
* Web-server log entries whose referrer is a suspect Web address,
indicating that the bank's Web site is being copied (a cloned page
often still loads images or links from the genuine site) or that
other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumers reporting
spoofing activity.
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring
services.
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
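The script below is an added example, not part of the OCC guidance, showing two of the detection steps above run over constructed data. It parses sample Web-server log lines in the common "combined" format and reports requests whose Referer points at a host the bank does not operate (a cloned login page usually keeps pulling the logo and stylesheet from the genuine site, so its visitors show up in the bank's own logs), noting how closely the foreign host's name resembles the bank's; and it generates the look-alike names (dropped letters, transposed letters, homoglyphs) that the domain-monitoring searches described above would be run against. The bank domain examplebank.com, the log lines and the IP addresses are placeholders.

```python
"""Two of the spoofing indicators above, run over constructed data.

Added example, not code from the OCC guidance.  "examplebank.com", the
log lines and the IP addresses (RFC 5737 documentation ranges) are
placeholders, not a real institution.
"""
import re
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.com"                     # placeholder bank domain
BANK_LABEL = BANK_DOMAIN.split(".")[0]              # "examplebank"
OWN_HOSTS = {BANK_DOMAIN, "www." + BANK_DOMAIN}     # hosts the bank operates

# Apache/nginx "combined" log format; the Referer field is the one of interest.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one genuine visitor, two visitors arriving from pages
# that are not ours but still pull the bank's logo and stylesheet, one direct hit.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2010:09:12:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://www.examplebank.com/login" "Mozilla/5.0"
203.0.113.9 - - [26/Mar/2010:09:12:44 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://examplebank-secure-login.com/index.php" "Mozilla/5.0"
198.51.100.7 - - [26/Mar/2010:09:13:10 -0500] "GET /css/site.css HTTP/1.1" 200 812 "http://exampIebank.com/verify" "Mozilla/5.0"
198.51.100.8 - - [26/Mar/2010:09:14:02 -0500] "GET /about.html HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def referer_host(referer):
    """Host name from a Referer value, lower-cased; None for '-' or junk."""
    if not referer or referer == "-":
        return None
    host = urlparse(referer).hostname
    return host.lower() if host else None


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Why an external host looks like a spoof of the bank, or None."""
    if host in OWN_HOSTS:
        return None
    if BANK_LABEL in host:
        return "contains bank name"
    label = host.split(".")[-2] if "." in host else host   # second-level label
    d = edit_distance(label, BANK_LABEL)
    if d <= 2:
        return f"edit distance {d} from {BANK_LABEL}"
    return None


def find_suspect_referers(log_text):
    """Group requests by external referring host, with a reason and hit count."""
    hits = {}
    for rec in parse_log(log_text):
        host = referer_host(rec["referer"])
        if host is None or host in OWN_HOSTS:
            continue
        reason = classify_host(host) or "unknown external referer"
        entry = hits.setdefault(host, {"reason": reason, "hits": 0, "paths": set()})
        entry["hits"] += 1
        entry["paths"].add(rec["req"].split()[1])
    return hits


HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "e": "3", "a": "4", "s": "5"}


def lookalike_candidates(label):
    """Names a typo-squatter might register: one dropped letter, one adjacent
    transposition, or one homoglyph substitution.  Feed these to the domain
    monitoring / registrar search described above."""
    out = set()
    for k, ch in enumerate(label):
        out.add(label[:k] + label[k + 1:])                          # omission
        if k + 1 < len(label):
            out.add(label[:k] + label[k + 1] + ch + label[k + 2:])  # transposition
        for sub in HOMOGLYPHS.get(ch, ""):
            out.add(label[:k] + sub + label[k + 1:])                # homoglyph
    out.discard(label)
    return sorted(out)


if __name__ == "__main__":
    for host, info in find_suspect_referers(SAMPLE_LOG).items():
        print(f"{host:35} {info['hits']:>3} hits  {info['reason']}  {sorted(info['paths'])}")
    cands = lookalike_candidates(BANK_LABEL)
    print(len(cands), "look-alike names to check, e.g.", cands[:5])
```

On the sample, the two foreign referrers are reported as "contains bank name" and "edit distance 1 from examplebank"; in production the same referrer report is worth running daily, with the bank's own hosts, CDN and partner sites added to OWN_HOSTS so they are not flagged.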
INFORMATION TECHNOLOGY SECURITY -
We continue the series from the FDIC "Security Risks Associated with the
Internet."
Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each
packet has headers which contain information for delivery, such as
where the packet is from, where it is going, and what application it
contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
rule configuration.
There are different types of firewalls that provide various levels
of security. For instance, packet filters, sometimes implemented as
screening routers, permit or deny each packet in isolation based
solely on the stated source and/or destination IP address and the
application, which is inferred from the port number (e.g., FTP on
port 21). However, a source address can be forged and a service can
be run on any port, so these fields alone are weak evidence of who is
talking and what they are doing, and a packet filter on its own can
be bypassed by attackers. Other types of firewalls, such as
circuit-level gateways and application gateways (proxies), have
separate interfaces with the internal and external (Internet)
networks, meaning no direct connection is established between the
two networks. A relay program copies all data from one interface to
another, in each direction, so an inside host never exchanges
packets directly with the outside. A stateful inspection gateway
tracks the state of each connection (which side opened it and
whether the packet fits the session in progress) and admits a packet
only if it belongs to a session the rules allowed to start; it also
examines addresses, applications, and specific commands, provides
security logging and alarm capabilities, and compares traffic with
previous transmissions for deviations from normal context.
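The model below is an added example, not code from the FDIC paper, that makes the difference between a packet filter and stateful inspection concrete. A screening-router rule set commonly admits inbound TCP packets that carry the ACK flag, on the theory that an ACK must be a reply to a connection an inside host opened; but the flag is written by the sender, so an attacker can set it on an unsolicited probe and walk past the rule. The stateful filter keeps a table of sessions that inside hosts actually started and admits an inbound packet only if it matches one. The inside network 192.0.2.0/24 and the other addresses are placeholders from the RFC 5737 documentation ranges; real stateful firewalls also check sequence numbers and age entries out, which this model omits.

```python
"""Stateless packet filter versus stateful inspection, on a toy connection.

Added example, not from the FDIC text.  The inside network 192.0.2.0/24 and
the other addresses are RFC 5737 documentation ranges, chosen as placeholders.
Real stateful firewalls also check sequence numbers and time entries out;
this model keeps only the session table, which is enough to show the point.
"""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")   # placeholder internal network


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE_NET


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def stateless_allow(pkt):
    """Screening-router rule set: anything outbound; inbound only if the ACK
    flag is set, on the theory that an ACK must be a reply to a connection an
    inside host opened.  The flag is written by the sender, so the rule only
    tests what the sender claims."""
    if is_inside(pkt.src):
        return True
    return "ACK" in pkt.flags


class StatefulFilter:
    """Admit inbound packets only for sessions an inside host actually started."""

    def __init__(self):
        self.sessions = set()          # (src, sport, dst, dport) opened from inside

    def allow(self, pkt):
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        if outbound:
            if "SYN" in pkt.flags:                       # a new session is starting
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse not in self.sessions:
            return False                                 # unsolicited: drop it
        if "RST" in pkt.flags:                           # peer tore the session down
            self.sessions.discard(reverse)
        return True


def run_scenario():
    """Replay a normal handshake and then an attacker's probes through both
    filters.  Returns [(label, stateless_verdict, stateful_verdict), ...]."""
    sf = StatefulFilter()
    steps = [
        ("inside host opens HTTP to a Web server (SYN)",
         Packet("192.0.2.10", 50000, "198.51.100.20", 80, frozenset({"SYN"}))),
        ("Web server replies (SYN,ACK)",
         Packet("198.51.100.20", 80, "192.0.2.10", 50000, frozenset({"SYN", "ACK"}))),
        ("attacker probes an inside port with a forged ACK flag",
         Packet("203.0.113.66", 4444, "192.0.2.10", 445, frozenset({"ACK"}))),
        ("attacker tries a real connection (SYN)",
         Packet("203.0.113.66", 4444, "192.0.2.10", 445, frozenset({"SYN"}))),
    ]
    return [(label, stateless_allow(p), sf.allow(p)) for label, p in steps]


if __name__ == "__main__":
    print(f"{'packet':55} stateless  stateful")
    for label, a, b in run_scenario():
        print(f"{label:55} {'pass' if a else 'DROP':9}  {'pass' if b else 'DROP'}")
```

Both filters pass the handshake and drop the attacker's bare SYN; only the stateful filter drops the forged-ACK probe, which is the packet the FDIC text has in mind when it says addresses and applications "can be easily falsified".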
Implementation
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All traffic
into and out of the institution should pass through the firewall.
The firewall should also be able to translate internal addresses to
its own address (network address translation), so no inside
addresses are exposed to the outside. The possibility always exists
that security might be circumvented, so there must be procedures in
place to detect attacks or system intrusions. Careful consideration
should also be given to any data that is stored or placed on the
server, especially sensitive or critically important data.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
A "customer" is a consumer who has a "customer relationship"
with a financial institution. A "customer relationship" is a
continuing relationship between a consumer and a financial
institution under which the institution provides one or more
financial products or services to the consumer that are to be used
primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
institution:
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory services for
a fee.
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
financial institution.
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that
institution.