Travel group warns: Corporate data at risk from laptop searches at
border - The Association of Corporate Travel Executives (ACTE) is
warning its members to limit the amount of proprietary business
information they carry on laptops and other electronic devices
because of fears that government agents can seize that data at U.S.
FYI - HSBC calls in police over
alleged £70m fraud attempt - Police are investigating an alleged
€90m (£70m) attempted fraud by a London-based member of staff at
HSBC, Britain's biggest bank. A man has been charged over the
alleged scam, which was discovered last week at HSBC's securities
services division, which settles trades for clients.
FYI - Rogue trader Kerviel gets
new job - Jérôme Kerviel, the French rogue trader accused of causing
€4.9bn (£3.8bn) losses at the bank Société Générale, has got a new
job as a computer expert.
A virtual war on terror - The bad guys are at it again and with
increasing ferocity, attacking anything and everything. So far,
Chinese hackers have been constantly waging an all-out warfare
against the government and defence networks of western countries,
the US in particular.
Virginia Tries to Ensure Students' Safety in Cyberspace -
State-Mandated Classes on Internet Take Shape - Alan Portillo didn't
think much, if at all, about his online vulnerability. Then the
15-year-old heard technology teacher Wendy Maitland list three
pieces of information an online predator would need to find him.
CERIAS ranked as nation's top information security program - A
private company that measures faculty productivity has ranked
Purdue's Center for Education and Research in Information Assurance
and Technology the top program in information security among
universities in the nation.
Massive hacker server discovered - Security researchers recently
found a server being used to harvest private information consisting
of stolen data from 40 international businesses, as well as
health-related information on patients worldwide.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Tax staff disciplined for snooping - 600 staff disciplined for
accessing personal or sensitive data - Treasury Minister Jane
Kennedy has revealed that more than 600 staff at HM Revenue and
Customs (HMRC) have been disciplined for accessing personal or
Cyber crime: PGI head's email hacked - After Panjab University's
former vice-chancellor K N Pathak became a victim of email hacking,
PGI director and Padmashree K K Talwar has been similarly targeted
by cyber criminals.
FYI - Hospitals in Hong Kong
lose data on 3,000 patients in thefts - Data on more than 3,000
patients in Hong Kong public hospitals has been lost through the
theft of computer memory sticks, officials said.
FYI - 6,000 UCSF patients' data
got put online - Information on thousands of UCSF patients was
accessible on the Internet for more than three months last year, a
possible violation of federal privacy regulations that might have
exposed the patients to medical identity theft, The Chronicle has
Hundreds of Laptops Missing at State Department, Audit Finds -
Hundreds of employee laptops are unaccounted for at the U.S.
Department of State, which conducts delicate, often secret,
diplomatic relations with foreign countries, an internal audit has
found. As many as 400 of the unaccounted for laptops belong to the
department's Anti-Terrorism Assistance Program, according to
officials familiar with the findings.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Programs. (5 of 12)
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
Institutions should develop procedures for notifying law enforcement
agencies and filing SARs in accordance with their primary Federal
regulator's requirements. Law enforcement agencies may serve
as an additional resource in handling and documenting the incident.
Institutions should also establish procedures for filing SARs in a
timely manner because regulations impose relatively quick filing
deadlines. The SAR form itself may serve as a resource in the
reporting process, as it contains specific instructions and
thresholds for when to file a report. The SAR form instructions also
clarify what constitutes a "computer intrusion" for filing purposes.
Defining procedures for notifying law enforcement agencies and
filing SARs can streamline these notification and reporting
Institutions should also address customer notification procedures in
their IRP. When an institution becomes aware of an incident
involving unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to determine
the likelihood that such information has been or will be misused. If
the institution determines that sensitive customer information has
been misused or that misuse of such information is reasonably
possible, it should notify the affected customer(s) as soon as
possible. Developing standardized procedures for notifying customers
will assist in making timely and thorough notification. As a
resource in developing these procedures, institutions should
reference the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the recommended
content of the notification, and the acceptable forms of
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Shared Secret Systems (Part 1 of 2)
Shared secret systems uniquely identify the user by matching
knowledge on the system to knowledge that only the system and user
are expected to share. Examples are passwords, pass phrases, or
current transaction knowledge. A password is one string of
characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a
string of words or characters (e.g., "My car is a shepherd")
that the system may shorten to a smaller password by means of an
algorithm. Current transaction knowledge could be the account
balance on the last statement mailed to the user/customer. The
strength of shared secret systems is related to the lack of
disclosure of and about the secret, the difficulty in guessing or
discovering the secret, and the length of time that the secret
exists before it is changed.
A strong shared secret system only involves the user and the system
in the generation of the shared secret. In the case of passwords and
pass phrases, the user should select them without any assistance
from any other user, such as the help desk. One exception is in the
creation of new accounts, where a temporary shared secret could be
given to the user for the first login, after which the system
prompts the user to create a different password. Controls should
prevent any user from re - using shared secrets that may have been
compromised or were recently used by them.
Passwords are the most common authentication mechanism. Passwords
are generally made difficult to guess when they are composed from a
large character set, contain a large number of characters, and are
frequently changed. However, since hard - to - guess passwords may
be difficult to remember, users may take actions that weaken
security, such as writing the passwords down. Any password system
must balance the password strength with the user's ability to
maintain the password as a shared secret. When the balancing
produces a password that is not sufficiently strong for the
application, a different authentication mechanism should be
considered. Pass phrases are one alternative to consider. Due to
their length, pass phrases are generally more resistant to attack
than passwords. The length, character set, and time before enforced
change are important controls for pass phrases as well as passwords.
Shared secret strength is typically assured through the use of
automated tools that enforce the password selection policy.
Authentication systems should force changes to shared secrets on a
schedule commensurate with risk.
Passwords can also be dynamic. Dynamic passwords typically use
seeds, or starting points, and algorithms to calculate a new -
shared secret for each access. Because each password is used for
only one access, dynamic passwords can provide significantly more
authentication strength than static passwords. In most cases,
dynamic passwords are implemented through tokens. A token is a
physical device, such as an ATM card, smart card, or other device
that contains information used in the authentication process.
Return to the top of the
5. Determine whether external servers are
appropriately isolated through placement in DMZs, with supporting
servers on DMZs separate from external networks, public servers, and
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
32. When a customer relationship
ends, does the institution continue to apply the customer's opt
out direction to the nonpublic personal information collected
during, or related to, that specific customer relationship (but not
to new relationships, if any, subsequently established by that