FYI -
Inside the Twisted Mind of the Security Professional - Security
requires a particular mindset. Security professionals -- at least
the good ones -- see the world differently. They can't walk into a
store without noticing how they might shoplift. They can't use a
computer without wondering about the security vulnerabilities. They
can't vote without trying to figure out how to vote twice. They just
can't help it.
http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320
FYI -
Black Hat SEOs: Is This the Future of Search? - Search Engine
Optimization is the trick to winning online revenue. What happens
when hackers start going after the prize? Part one of a two-part
series.
http://www.csoonline.com/article/print/221689
FYI -
U.S. Health Agency Forbids Sensitive Data On Apple MacBooks -
Employees who store medical records on laptops must use systems that
run either on Microsoft's Windows operating system or Linux. In the
wake of a widely publicized security breach that left thousands of
patient records exposed, the federal government's National
Institutes of Health is forbidding all employees who use Apple's
MacBook laptops from handling sensitive data as of Friday,
InformationWeek has learned.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207001840
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Vermont ski area reports Hannaford-like theft of payment card data -
Okemo says card info was stolen as cards were swiped, as in breach
at grocery chain - In a security breach that sounds similar to the
one disclosed by Hannaford Bros. Co. last month, the Okemo Mountain
Resort ski area in Vermont announced that data from more than 46,000
credit and debit card transactions may have been compromised during
a system intrusion over a 16-day period in February.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9074339&source=rss_topic17
FYI -
Personal Pfizer Data on Stolen Laptop - Pfizer Inc. has revealed
that the theft of a laptop computer in February potentially exposed
about 800 current and former employees and contractors to identity
theft.
http://www.theday.com/re.aspx?re=6b8c60cf-8fa2-43f1-9238-6dba8792cfa3
FYI -
The HSBC disc did not contain bank account details - HSBC loses 370,000
customer details - Financial Services Authority to investigate loss
of disc - The disc, which was password protected, contained names,
dates of birth, life insurance details and information on smoking
habits. It did not contain bank account details.
http://www.vnunet.com/vnunet/news/2213667/hsbc-lose-370-customer-details
WEB SITE COMPLIANCE - Over the next 12 weeks we will cover the
recently released FDIC Supervisory Insights regarding Incident
Response Programs. (1 of 12)
Incident Response Programs: Don't Get Caught Without One
Everyone is familiar with the old adage "Time is money." In the
Information Age, data may be just as good. Reports of data
compromises and security breaches at organizations ranging from
universities and retail companies to financial institutions and
government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining
and profiting from sensitive customer information. Whether a network
security breach compromising millions of credit card accounts or a
lost computer tape containing names, addresses, and Social Security
numbers of thousands of individuals, a security incident can damage
corporate reputations, cause financial losses, and enable identity
theft.
Banks are increasingly becoming prime targets for attack because
they hold valuable data that, when compromised, may lead to identity
theft and financial loss. This environment places significant
demands on a bank's information security program to identify and
prevent vulnerabilities that could result in successful attacks on
sensitive customer information held by the bank. The rapid adoption
of the Internet as a delivery channel for electronic commerce
coupled with prevalent and highly publicized vulnerabilities in
popular hardware and software have presented serious security
challenges to the banking industry. In this high-risk environment,
it is very likely that a bank will, at some point, need to respond
to security incidents affecting its customers.
To mitigate the negative effects of security breaches, organizations
are finding it necessary to develop formal incident response
programs (IRPs). However, at a time when organizations need to
be most prepared, many banks are finding it challenging to assemble
an IRP that not only meets minimum requirements (as prescribed by
Federal bank regulators), but also provides for an effective
methodology to manage security incidents for the benefit of the bank
and its customers. In response to these challenges, this article
highlights the importance of IRPs to a bank's information security
program and provides information on required content and best
practices banks may consider when developing effective response
programs.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
The enrollment process establishes the user's identity and the
anticipated business need for access to information and systems.
New employees, IT outsourcing relationships, and contractors may
also be identified, and the business need for access determined,
during the hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre-established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
access include:
• Identifying each privilege associated with each system component,
• Implementing a process to allocate privileges and allocating those
privileges either on a need-to-use or an event-by-event basis,
• Documenting the granting and administrative limits on privileges,
• Finding alternate ways of achieving the business objectives,
• Assigning privileges to a unique user ID apart from the one used
for normal business use,
• Logging and auditing the use of privileged access,
• Reviewing privileged access rights at appropriate intervals and
regularly reviewing privileged access allocations, and
• Prohibiting shared privileged access by multiple users.
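As an added illustration (not part of the FFIEC booklet or this newsletter), the script below runs a periodic review of privileged-access allocations against four of the practices just listed: no privileged ID shared by several users, a privileged ID distinct from the holder's normal-use ID, a documented approval, and a review within an assumed 90-day interval. The grants, user names and the interval are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review interval; the booklet only says "appropriate intervals".
REVIEW_INTERVAL = timedelta(days=90)
AS_OF = date(2008, 4, 1)  # constructed date of this review run


@dataclass(frozen=True)
class PrivilegedGrant:
    account: str          # the privileged user ID
    holders: frozenset    # people able to use this account
    privilege: str        # the specific override this ID carries
    approved_by: str      # manager who documented approval; "" if none
    last_reviewed: date   # date the grant was last reviewed


# Constructed sample data: each person's normal business user ID.
NORMAL_IDS = {"alice": "alice", "bob": "bob", "carol": "carol"}

# Constructed sample grants, including deliberate control gaps.
SAMPLE_GRANTS = [
    PrivilegedGrant("alice-adm", frozenset({"alice"}), "db-override",
                    "it-manager", date(2008, 3, 1)),
    PrivilegedGrant("bob", frozenset({"bob"}), "app-override",
                    "it-manager", date(2008, 3, 1)),
    PrivilegedGrant("ops-root", frozenset({"bob", "carol"}), "os-root",
                    "", date(2007, 10, 1)),
]


def audit_grants(grants, today):
    """Return (account, finding) pairs, one per practice a grant violates."""
    findings = []
    for g in grants:
        if len(g.holders) > 1:
            findings.append((g.account, "shared by multiple users"))
        if g.account in {NORMAL_IDS.get(h) for h in g.holders}:
            findings.append((g.account, "same ID as normal business use"))
        if not g.approved_by:
            findings.append((g.account, "approval not documented"))
        if today - g.last_reviewed > REVIEW_INTERVAL:
            findings.append((g.account, "review overdue"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_grants(SAMPLE_GRANTS, AS_OF):
        print(f"{account}: {finding}")
```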
INFORMATION SECURITY
QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
13. Review authenticator reissuance and reset procedures.
Determine whether controls adequately mitigate risks from:
• Social engineering
• Errors in the identification of the user
• Inability to re-issue on a large scale in the event of a mass
compromise
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
25. Does the institution permit
each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as
applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]