Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
information and to subscribe visit
White House Updates Cybersecurity Orders - The three-pronged
approach should help federal agencies do away with wasteful
compliance spending and encourage improved security, say White House
Mobile network hack reveals sensitive cellphone data - Brad Pitt geo
tracking made easy - Researchers have demonstrated structural cracks
in GSM mobile networks that make it easy to find the number of most
US-based cellphone users and to track virtually any GSM-enabled
handset across the globe.
Cybercrime boosts jobs in security - As corporations across the
country have come to understand the nature of today's fast-evolving
cyberthreat landscape, many of them are now asking themselves the
same question: What kind of security team does an organization need?
Refresh your firewall - I've never known an organization's CSO or
CIO to admit they managed a larger budget than they needed, and the
prospects don't look much more promising moving forward. So that
begs the question - what to do first. For my money, I'd start by
refreshing the firewalls.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Digital Photocopiers Loaded With Secrets - Your Office Copy Machine
Might Digitally Store Thousands of Documents That Get Passed on at
Resale - At a warehouse in New Jersey, 6,000 used copy machines sit
ready to be sold. CBS News chief investigative correspondent Armen
Keteyian reports almost every one of them holds a secret.
1.5 million stolen Facebook accounts up for grabs - Researchers at
VeriSign's iDefense have discovered a single hacker selling 1.5
million stolen Facebook account credentials on an underground
market. The stolen credentials were put up for sale by a hacker with
the handle "kirllos" who is believed to be from Eastern Europe.
Blippy Leaks Four Credit Card Numbers - Social exhibitionism meets
Google Search and learns that one can share too much information.
One day after The New York Times explored the rise in social Web
sites that expose information about users' purchases and activities,
declaring that people are becoming more relaxed about privacy, a
minor data breach at one such site offers a reminder that people do
indeed have something to hide.
U.S. businesses face skimming fraud increase - U.S. banks are
grappling with a recent increase in skimming attacks, which are
being carried out by Eastern European gangs aiming to steal consumer
bank account numbers and PINs.
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
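The indicators the guidance above describes (a "from" address that does not match the brand it claims, links whose visible text shows one site but whose target is another, and the "update" or "validate your account" lure) can be checked mechanically before a message reaches a customer's inbox. The following is an added example, not FDIC or newsletter code: it runs those heuristics over a constructed sample message whose domains, addresses and advisory text are all hypothetical.

```python
"""Heuristic checks for the phishing indicators the guidance above describes:
a display name that names a brand absent from the sender's domain, links
whose visible text and target differ, links to raw IP addresses, and the
"update/validate your account" lure. Added example with a constructed
message; not from the FDIC or the newsletter."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical domains). The display name claims a
# bank, the sender domain is unrelated, one link goes to a raw IP address and
# the other shows the bank's host name but points to a different domain.
SAMPLE_MESSAGE = """\
From: "ExampleBank Customer Care" <alerts@secure-mail-update.test>
To: customer@example.net
Subject: Action required: validate your account
Content-Type: text/html

<p>Dear customer, please <a href="http://198.51.100.7/login">update</a>
your account at <a href="http://www.examplebank.example.login-portal.test/">
www.examplebank.example</a> within 24 hours or it will be suspended.</p>
"""

GENERIC_WORDS = {"customer", "service", "support", "security", "alerts", "team", "online"}
LURE = re.compile(r"\b(update|validate|verify|confirm)\b.*?\b(account|information)\b", re.I)
URGENCY = re.compile(r"\b(suspend\w*|within \d+ hours|immediately)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Gather all visible text plus (href, anchor text) pairs from HTML."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._anchor).split())))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name. A real deployment would consult the
    Public Suffix List; this is enough to expose 'bank.example.other.test'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host name of a URL or bare domain string, or None."""
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyze(raw_message):
    """Return a list of human-readable phishing indicators found in the message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name claims a brand that does not appear in the sender domain.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    for word in re.findall(r"[A-Za-z]{5,}", display_name):
        if word.lower() not in GENERIC_WORDS and word.lower() not in sender_domain:
            findings.append(f"display name mentions '{word}' but sender domain is {sender_domain}")

    # 2. Collect body text and links from every text part.
    parser = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            parser.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))

    # 3. Links to raw IPs, or whose visible text names a different site.
    for href, anchor in parser.links:
        target = host_of(href)
        if target is None:
            continue
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(f"link to raw IP address {target}")
        elif LOOKS_LIKE_URL.fullmatch(anchor) and registered_domain(host_of(anchor)) != registered_domain(target):
            findings.append(f"link text shows {anchor} but points to {target}")

    # 4. The "update/validate your account" lure, with or without a deadline.
    body = " ".join((msg.get("Subject", "") + " " + "".join(parser.text)).split())
    if LURE.search(body):
        note = "asks recipient to update/validate account information"
        if URGENCY.search(body):
            note += " under a deadline or threat of suspension"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("-", finding)
```

None of these checks is proof of fraud on its own; a legitimate bank may send mail from a vendor's domain, and marketing mail uses tracking links. The value is in the combination, which is why `analyze` returns every indicator rather than a single verdict, so a mail gateway or help desk can set its own threshold.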
In most phishing schemes, the fraudulent e-mail message will request
that recipients "update" or "validate" their financial or personal
information in order to maintain their accounts, and direct them to
a fraudulent Web site that may look very similar to the Web site of
the legitimate business. These Web sites may include copied or
"spoofed" pages from legitimate Web sites to further trick consumers
into thinking they are responding to a bona fide request. Some
consumers will mistakenly submit financial and personal information
to the perpetrator who will use it to gain access to financial
records or accounts, commit identity theft or engage in other
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
INFORMATION TECHNOLOGY SECURITY -
This concludes the
series from the FDIC "Security Risks Associated with the Internet."
Starting next week, we will begin covering the OCC Bulletin
about Infrastructure Threats and Intrusion Risks.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e-mail, Internet newsgroups (Usenet), and their
Web site at www.cert.org. Many
other resources are freely available on the Internet.
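The section above reduces to a routine: know what is installed, compare it against the advisories you subscribe to, upgrade where a fix exists, and put a mitigating control in place where the vendor has acknowledged a flaw but not yet shipped a patch. The following added example (constructed inventory and advisory data, not from CERT/CC or any vendor) carries that routine through in code, including the version-comparison mistake that quietly breaks such checks.

```python
"""Patch-status triage: compare installed versions against a list of
advisories and decide whether to upgrade now or apply a mitigating control
while a fix is pending. Added example with constructed data; the products,
advisory ids and mitigations are hypothetical."""
import re

# Constructed inventory: product -> installed version.
INVENTORY = {
    "webserver": "2.4.9",
    "mailrelay": "1.10.2",
    "dbengine": "9.3.1",
}

# Constructed advisories. Versions below 'fixed' are affected; fixed=None
# means the flaw is public but the vendor has not yet released a patch.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "webserver", "fixed": "2.4.12",
     "mitigation": "disable the affected module"},
    {"id": "ADV-EXAMPLE-2", "product": "mailrelay", "fixed": "1.9.5",
     "mitigation": "restrict relaying to authenticated hosts"},
    {"id": "ADV-EXAMPLE-3", "product": "dbengine", "fixed": None,
     "mitigation": "firewall the listener to the application subnet"},
    {"id": "ADV-EXAMPLE-4", "product": "notdeployed", "fixed": "1.0.1",
     "mitigation": "n/a"},
]


def parse_version(text):
    """Turn '2.4.12' into (2, 4, 12) so comparison is numeric.
    Comparing the raw strings ranks '1.10.2' below '1.9.5' because '1' < '9'.
    Trailing zeros are dropped so '2.4' and '2.4.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def triage(inventory, advisories):
    """Return {advisory id: action} for every advisory that applies."""
    actions = {}
    for adv in advisories:
        installed = inventory.get(adv["product"])
        if installed is None:
            continue  # product not deployed here; advisory does not apply
        if adv["fixed"] is None:
            actions[adv["id"]] = f"no patch yet: {adv['mitigation']} until one is released"
        elif parse_version(installed) < parse_version(adv["fixed"]):
            actions[adv["id"]] = f"upgrade {adv['product']} {installed} -> {adv['fixed']}"
        else:
            actions[adv["id"]] = "already patched"
    return actions


if __name__ == "__main__":
    for adv_id, action in triage(INVENTORY, ADVISORIES).items():
        print(f"{adv_id}: {action}")
```

The mail relay case is the one to notice: installed 1.10.2 is newer than the fixed 1.9.5, but a string comparison would report it as vulnerable, and the reverse mistake (reporting a vulnerable host as patched) is just as easy to make with the same bug.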
Active Content Languages
Active content languages have been the subject of a number of recent
security discussions within the technology industry. While it is not
their only application, these languages allow computer programs to
be attached to Web pages. As such, more appealing and interactive
Web pages can be created, but this function may also allow
unauthorized programs to be automatically downloaded to a user's
computer. To date, few incidents have been reported of harm caused
by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a virus.
Security problems may result from an implementation standpoint, such
as how the languages and developed programs interact with other
software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial notice
together with an opt out notice stating that the institution's
privacy notice is available upon request and explaining a reasonable
means for the consumer to obtain it. The following is a list of
disclosures regarding nonpublic personal information that
institutions must provide in their privacy notices, as applicable:
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to whom
the institution may disclose information;
4) policies with respect to the treatment of former customers'
5) information disclosed to service providers and joint marketers
6) an explanation of the opt out right and methods for opting out;
7) any opt out notices the institution must provide under the Fair
Credit Reporting Act with respect to affiliate information sharing;
8) policies for protecting the security and confidentiality of
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and