Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
information and to subscribe visit
Security Incidents Rise In Industrial Control Systems - Even with
minimal Internet access, malware and breaches are increasingly
occurring in utility, process control systems - While only about 10
percent of industrial control systems are actually connected to the
Internet, these systems that run water, wastewater, and utility
power plants have suffered an increase in cybersecurity incidents
over the past five years.
Bank Worker Pleads Guilty to Hacking 100 ATMs - A Bank of America worker
pleaded guilty Tuesday to installing malware on more than 100 ATMs, and
stealing $304,000 over a seven-month period.
Changing Passwords Isn't Worth the Effort - Nobody will argue that
"123456" is a good choice for a password. But is forcing the user to
change it worth the effort?
TJX hacker sentenced to five years, fined - The sixth and final U.S.
person charged two years ago with breaking into the computer
networks at discount retail parent TJX was sentenced Thursday.
Pa. school district snapped 'thousands' of student images, claims
lawyer - District staffers called the photos taken by laptop
software a 'little soap opera' - The suburban Philadelphia school
district accused of spying on students using school-issued laptops
snapped thousands of images of teenagers in their homes, including
shots of a boy asleep in his bed, documents filed in a lawsuit
NSA Official Faces Prison for Leaking to Newspaper - A former senior
National Security Agency official was slammed with a 10-count
indictment Thursday after allegedly leaking top secret information
to a reporter at a national newspaper.
Trial of Palin hacker gets underway - A 22-year-old former
University of Tennessee-Knoxville student, accused of breaking into
the Yahoo! email account of Sarah Palin as she campaigned for vice
president in 2008, goes before a judge in Tennessee.
Certegy to pay $975K, undergo annual security audit - Certegy Check
Services has settled with the Florida attorney general's office over
a 2007 data breach that resulted in the theft of nearly six million
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Apache project server hacked, passwords compromised - Hackers broke
into a server used by the Apache Software Foundation to keep track
of software bugs.
Network Solutions customers hit by mass hack attack - Second mystery
outbreak in a week - Network Solutions' security team is battling a
mysterious attack that has silently infected a "huge" number of the
websites it hosts with malicious code.
Nine-year-old blamed for US school system hack - Youngster uses
teacher's login to redraw Blackboard - Police hunting a hacker who
had attacked a US school's systems found themselves cornering a
"very intelligent" 9-year-old instead, it has emerged.
Health information contained on physician's stolen laptop - A laptop
containing the demographic and health information of thousands of
patients was stolen from a physician affiliated with the
Massachusetts Eye and Ear Infirmary.
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites -
Risk Mitigation and Response Guidance for Web Site Spoofing Incidents
(Part 5 of 5)
Next week we will begin our series on the Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes.
PROCEDURES TO ADDRESS SPOOFING - Contact the
OCC and Law Enforcement Authorities
If a bank is the target of a spoofing incident, it should promptly
notify its OCC supervisory office and report the incident to the FBI
and appropriate state and local law enforcement authorities. Banks
can also file complaints with the Internet Fraud Complaint Center
(see http://www.ic3.gov), a
partnership of the FBI and the National White Collar Crime Center.
In order for law enforcement authorities to respond effectively to
spoofing attacks, they must be provided with information necessary
to identify and shut down the fraudulent Web site and to investigate
and apprehend the persons responsible for the attack. The data
discussed under the "Information Gathering" section should meet this
In addition to reporting to the bank's supervisory office and law
enforcement authorities, there are other less formal mechanisms that
a bank can use to report these incidents and help combat fraudulent
activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/),
which is a joint initiative of industry and law enforcement designed
to support apprehension of perpetrators of phishing-related crimes,
including spoofing. Members of Digital Phishnet include ISPs,
online auction services, financial institutions, and financial
service providers. The members work closely with the FBI, Secret
Service, U.S. Postal Inspection Service, Federal Trade Commission
(FTC), and several electronic crimes task forces around the country
to assist in identifying persons involved in phishing-type crimes.
Finally, banks can forward suspicious e-mails to the FTC at
firstname.lastname@example.org. For more
information on how the FTC can assist in combating phishing and
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 2 of 2)
Token technology relies on a separate physical device, which is
retained by an individual, to verify the user's identity. The token
resembles a small hand-held card or calculator and is used to
generate passwords. The device is usually synchronized with security
software on the host computer, for example through an internal clock
or an identical time-based mathematical algorithm, so that token and
host compute the same password for the same moment without exchanging
it. Tokens are well suited for one-time password generation and access
control. A separate PIN is typically required to activate the token.
Smart cards resemble credit cards or other traditional magnetic
stripe cards, but contain an embedded computer chip. The chip
includes a processor, operating system, and both read only memory
(ROM) and random access memory (RAM). They can be used to generate
one-time passwords when prompted by a host computer, or to carry
cryptographic keys. A smart card reader is required for their use.
Biometrics involves identification and verification of an individual
based on some physical characteristic, such as fingerprint analysis,
hand geometry, or retina scanning. This technology is advancing
rapidly, and offers an alternative means to authenticate a user.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web