In 2008 U.S. government computers were infected 5,499 times with
malware - According to the Department of Homeland Security, there
were 5,499 known breaches of U.S. government computers with
malicious software last year, compared with 3,928 in 2007, and 2,172
FERC needs to step up oversight of grid security, experts say -
Responding to a report that the nation's electric grid has been
hacked by foreign spies, experts recommended today that federal
agencies show greater initiative and seek legislative action to
strengthen their cybersecurity authority and controls over the grid.
Cyberattack repairs cost Pentagon $100 million in six months - The
Pentagon has spent more than $100 million in the past six months
repairing damage to its networks caused by cyberattacks, according
to military officials.
Conficker botnet stirs to distribute update payload - It's alive! -
The Conficker superworm is stirring, with the spread of a new
variant that spreads across P2P and drops a payload. It is thought
to update machines infected by earlier strains of the worm.
FBI Defends Disruptive Raids on Texas Data Centers - The FBI on
Tuesday defended its raids on at least two data centers in Texas, in
which agents carted out equipment and disrupted service to hundreds
Privacy laws: Leading the charge - With the nation's strictest data
security law set to take effect Jan. 1 in Massachusetts, mobile
phone merchant Dennis Kelly plans to parlay the regulations into a
Job vetting practices may breach Privacy Act - The Privacy
Commissioner warns that employers and vetting agencies may be
breaching the Privacy Act with some practices of collecting and
storing information about job applicants.
Conficker worm hits University of Utah - Virus infiltrated computers
at hospitals, medical school and some colleges - University of Utah
officials say a computer virus has infected more than 700 campus
computers, including those at the school's three hospitals.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
State warns 1,900 license holders of security breach - Nearly 1,900
holders of Hawai'i commercial driver's licenses are being warned to
take measures to prevent identity theft after a state computer
containing personal information was stolen three weeks ago.
Stolen laptop has information on 14,000 Moses Cone patients -
Personal information from more than 14,000 Moses Cone Health System
patients might have been compromised after a laptop computer was
stolen. The computer contained information about cardiology and
orthopedic patients treated at Moses Cone Memorial Hospital or
Wesley Long Community Hospital from February 2004 to February 2009.
Bank warns customers after theft - The theft of seven laptop
computers from an auditing firm has led the Borrego Springs Bank to
send warning letters to all of its customers saying their personal
financial information may be in the hands of criminals.
Gexa Energy data system hacked last spring - Company officials say
there is no evidence any of the personal data was used by hacker -
Former and current customers of Gexa Energy may have had their
personal information compromised last year.
Hackers prey on Ford Motor Co. searches to boost rankings -
Attackers are using the Ford Motor Co. name to poison search engine
results with some 1.2 million malicious links that lead to rogue
WEB SITE COMPLIANCE - (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Many financial institutions use commercial off-the-shelf (COTS)
software for operating systems and applications. COTS systems
generally provide more functions than are required for the specific
purposes for which they are employed. For example, a default
installation of a server operating system may install mail, Web, and
file-sharing services on a system whose sole function is a DNS
server. Unnecessary software and services represent a potential
security weakness. Their presence increases the potential number of
discovered and undiscovered vulnerabilities present in the system.
Additionally, system administrators may not install patches or
monitor the unused software and services to the same degree as
operational software and services. Protection against those risks
begins when the systems are constructed and software installed
through a process that is referred to as hardening a system.
When deploying off-the-shelf software, management should harden the
resulting system. Hardening includes the following actions:
- Determining the purpose of the system and minimum software and
- Documenting the minimum hardware, software and services to be
included on the system;
- Installing the minimum hardware, software, and services necessary
to meet the requirements using a documented installation procedure;
- Installing necessary patches;
- Installing the most secure and up-to-date versions of
- Configuring privilege and access controls by first denying all,
then granting back the minimum necessary to each user;
- Configuring security settings as appropriate, enabling allowed
activity, and disallowing other activity;
- Enabling logging;
- Creating cryptographic hashes of key files;
- Archiving the configuration and checksums in secure storage prior
to system deployment;
- Testing the system to ensure a secure configuration;
- Using secure replication procedures for additional, identically
configured systems, making configuration changes on a case-by-case
- Changing all default passwords; and
- Testing the resulting systems.
After deployment, the COTS systems may need updating with current
security patches. Additionally, the systems should be periodically
audited to ensure that the software present on the systems is
authorized and properly configured.
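The hardening steps above end with hashing key files, archiving the configuration and checksums before deployment, and then periodically auditing the deployed system. The following is an added example, not FFIEC text or code, showing one way to implement that baseline-and-audit loop; it assumes the approved build is recorded as a JSON baseline of authorized services plus SHA-256 hashes of key files (the file names, service names and the hypothetical drift scenario are constructed for illustration).

```python
# Added example: baseline-and-audit for a hardened host (not FFIEC code).
# Assumes the approved build is recorded as a JSON baseline of authorized
# services and SHA-256 hashes of key files, archived before deployment.
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Cryptographic hash of one key file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(key_files, authorized_services):
    """Record the minimum service set and key-file checksums pre-deployment."""
    return {"services": sorted(authorized_services),
            "hashes": {p: sha256_file(p) for p in key_files}}


def audit(baseline, running_services):
    """Return deviations from the archived baseline (empty list means clean)."""
    findings = []
    for svc in sorted(set(running_services) - set(baseline["services"])):
        findings.append(f"unauthorized service running: {svc}")
    for path, expected in baseline["hashes"].items():
        if not os.path.exists(path):
            findings.append(f"key file missing: {path}")
        elif sha256_file(path) != expected:
            findings.append(f"key file modified: {path}")
    return findings


def demo():
    """Constructed scenario: baseline a DNS config, then introduce drift."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "named.conf")
        with open(cfg, "w") as f:
            f.write("recursion no;\n")
        archived = json.dumps(build_baseline([cfg], ["named", "sshd"]))
        clean = audit(json.loads(archived), ["named", "sshd"])
        with open(cfg, "a") as f:
            f.write("recursion yes;\n")  # unauthorized change after deployment
        dirty = audit(json.loads(archived), ["named", "sshd", "httpd"])
        return clean, dirty
```

In practice the archived baseline would be stored off-host in secure storage and the audit run on a schedule, with any non-empty findings list raising a ticket for review.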
G. APPLICATION SECURITY
4. Determine if access to sensitive information and processes
requires appropriate authentication and verification of authorized
use before access is granted.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
4) Does the institution provide initial notice after
establishing a customer relationship only if:
a. the customer relationship is not established at the
customer's election; [§4(e)(1)(i)] or
b. to do otherwise would substantially delay the customer's
transaction (e.g., in the case of a telephone application), and the
customer agrees to the subsequent delivery? [§4(e)(1)(ii)]