Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
information and to subscribe visit
Shocking data breaches are rife in Irish public sector - Data
Protection Commissioner Billy Hawkes has hit out at the reluctance
of Irish public-sector bodies to deal with data protection issues.
More than 900 breaches in the private and public sector were
investigated, and breaches were up 50 percent year-on-year.
BofA insider to plead guilty to hacking ATMs - A Bank of America
computer specialist is set to plead guilty to charges that he hacked
the bank's automated tellers to dispense cash without recording the
Romania Swoops In on 70 Cybertheft Suspects - Romanian police
arrested 70 suspects Tuesday who they claim were involved in eBay
scams and other cybercrimes since 2006.
GAO - Agencies Need to Implement Federal Desktop Core Configuration
Securing personal-liable mobile devices on the corporate network -
Consumers are dizzy from the influx of smartphones in the
marketplace. Each device brings its own unique set of bells and
whistles and consequently, challenges for the IT enterprise as
consumers look to use their personal devices at work.
Agencies struggle with securing computers, GAO reports - Senators
are taking action to get agencies on track with securing their
computer systems from cyberattacks. Despite the frequency of
cyberattacks against government networks, no major agency has fully
secured its computers to the specifications in two major White House
protection initiatives, a pair of new reports said.
Spam a Judge, Go to Jail? - A litigant in a civil lawsuit asked an
appeals court Wednesday to overturn his 30-day contempt sentence for
urging people to send e-mail to a federal judge.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Identity theft and tax fraud ring busted - Federal authorities have
uncovered a sophisticated tax fraud scheme carried out by a group of
computer savvy criminals who used stolen identities to obtain income
tax returns totaling $4 million, according to a 74-count federal
indictment unsealed in Arizona.
Brokerage fined $375,000 in data-breach case; alleged hackers
arrested and extradited from Eastern Europe - If you've got a
brokerage account with D.A. Davidson, then it's likely that you've
already heard about the breach in security and what the company has
done to secure a remedy.
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 4 of 5)
PROCEDURES TO ADDRESS SPOOFING
To respond to spoofing incidents effectively, bank management should
establish structured and consistent procedures. These procedures
should be designed to close fraudulent Web sites, obtain identifying
information from the spoofed Web site to protect customers, and
preserve evidence that may be helpful in connection with any
subsequent law enforcement investigations.
Banks can take the following steps to disable a spoofed Web site and
recover customer information. Some of these steps will require the
assistance of legal counsel.
* Communicate promptly, including through written communications,
with the Internet service provider (ISP) responsible for hosting the
fraudulent Web site and demand that the suspect Web site be
* Contact the domain name registrars promptly, for any domain name
involved in the scheme, and demand the disablement of the domain
* Obtain a subpoena from the clerk of a U.S. District Court
directing the ISP to identify the owners of the spoofed Web site and
to recover customer information in accordance with the Digital
Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected spoofing
The following are other actions and types of legal documents that
banks can use to respond to a spoofing incident:
* Banks can write letters to domain name registrars demanding that
the incorrect use of their names or trademarks cease immediately;
* If these demand letters are not effective, companies with
registered Internet names can use the Uniform Domain Name Dispute
Resolution Process (UDRP) to resolve disputes in which they suspect
that their names or trademarks have been illegally infringed upon.
This process allows banks to take action against domain name
registrars to stop a spoofing incident. However, banks must bear in
mind that the UDRP can be relatively time-consuming. For more
details on this process see
* Additional remedies may be available under the federal Anti-Cybersquatting
Consumer Protection Act (ACCPA), allowing the bank to initiate
immediate action in federal district court under section 43(d) of
the Lanham Act, 15 USC 1125(d). Specifically, the ACCPA can provide
for rapid injunctive relief without the need to demonstrate a
similarity or likelihood of confusion between the goods or services
of the parties.
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication measures,
users should be properly educated in password selection. Strong
passwords consist of at least six to eight alphanumeric characters,
with no resemblance to any personal data. PINs should also be
unique, with no resemblance to personal data. Neither passwords nor
PINs should ever be reduced to writing or shared with others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can run
through tens of thousands of password variations based on personal
information, such as a user's name or address. It is preferable to
test for such vulnerabilities by running this type of program as a
preventive measure, before an unauthorized party has the opportunity
to do so. Incorporating a brief delay requirement after each
incorrect login attempt can be very effective against these types of
programs. In cases where a potential attacker is monitoring a
network to collect passwords, a system utilizing one-time passwords
would render any data collected useless.
When additional measures are necessary to confirm that passwords or
PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
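The two countermeasures described above, a growing delay after each incorrect login attempt and a one-time password of the kind a token generates, as an added example that is not part of the newsletter or the FDIC guidance. The account store, the back-off schedule, the look-ahead window and the secrets are constructed for illustration; the one-time password follows RFC 4226 HOTP.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example: a toy authenticator that (1) imposes a growing delay
# after each incorrect login attempt, defeating rapid password-guessing
# programs, and (2) requires an HMAC-based one-time password (RFC 4226 HOTP)
# as a hardware token would produce, so a password captured by someone
# monitoring the network cannot be replayed.

MAX_DELAY = 300.0   # cap the back-off at five minutes (constructed value)
OTP_WINDOW = 3      # how many unused counter values the server will accept

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:
    def __init__(self, password: str, otp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)   # password directory stores only a salted hash
        self.otp_secret = otp_secret
        self.otp_counter = 0      # next HOTP counter value the server expects
        self.failures = 0
        self.locked_until = 0.0   # clock value before which attempts are refused

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

def login(acct: Account, password: str, otp: str, now: float):
    """Return (ok, delay): delay is how long the client must wait before retrying."""
    if now < acct.locked_until:          # still inside the back-off period
        return False, acct.locked_until - now
    pw_ok = hmac.compare_digest(acct.pw_hash, acct._hash(password))
    # Accept only a not-yet-used counter value inside a small look-ahead window.
    matched = next((c for c in range(acct.otp_counter, acct.otp_counter + OTP_WINDOW)
                    if hmac.compare_digest(hotp(acct.otp_secret, c), otp)), None)
    if pw_ok and matched is not None:
        acct.otp_counter = matched + 1   # code is consumed; replaying it later fails
        acct.failures = 0
        return True, 0.0
    acct.failures += 1
    delay = min(2.0 ** acct.failures, MAX_DELAY)   # 2 s, 4 s, 8 s, ... per failure
    acct.locked_until = now + delay
    return False, delay
```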
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of its
privacy policies and practices to each customer, not later than the
time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
2) A financial institution must provide an annual notice at least
once in any period of 12 consecutive months during the continuation
of the customer relationship.
3) Generally, new privacy notices are not required for each new
product or service. However, a financial institution must provide a
new notice to an existing customer when the customer obtains a new
financial product or service from the institution, if the initial or
annual notice most recently provided to the customer was not
accurate with respect to the new financial product or service.
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.