Cybercrims dump swag on open botnet server - Everyone knows Trojans
steal personal data, but the discovery of a server containing more
than 1.4 gigabytes of stolen business and personal info brings home
the real extent of the problem.
Online banking call to arms - 'Banking organizations have failed to
pledge that they will stop sending emails that add to the
confusion.' According to a recent report released by UK payments
industry association APACS, the rate of phishing attacks in the UK
has increased dramatically over the last 12 months, with the number
of incidents reported during the first quarter of 2008 up 200 per
cent on the same period last year.
Stolen data could fetch in the thousands - The going price for
stolen information is like any other commodity: the higher the
quality, the higher the price, according to McAfee Avert Labs.
Privacy watchdog welcomes tough data laws - The Information
Commissioner's Office has warmly embraced the introduction of the
Criminal Justice Bill, which will give it the power to issue heavy
fines to organisations for deliberate or reckless breaches of the
Data Protection Act.
Few expected to make June 30 PCI deadline for Web application
security - Retailers covered by the Payment Card Industry Data
Security Standard (PCI-DSS) have just about a month and a half left
to comply with new requirements for protecting Web applications. But
as with previous PCI-related deadlines, this one appears destined to
pass with a majority of merchants unlikely to be in full compliance.
FYI - GAO - Challenges
in Implementing an Electronic Records Archive.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hackers' posts on epilepsy forum cause migraines, seizures - But in
a rare example of an attack apparently motivated by malice rather
than money, hackers recently bombarded the Epilepsy Foundation's Web
site with hundreds of pictures and links to pages with rapidly
Personal info on six million Chileans posted - According to various
news reports, a hacker has exposed the personal information of about
six million Chilean people.
Three accused of hacking Dave & Buster's computers - Three people
have been charged with stealing credit and debit card numbers from
customers at U.S. restaurant chain Dave & Buster's Inc by hacking
into cash register terminals, the Department of Justice said.
Another Laptop Stolen from Pfizer, Employee Information Compromised
- About 13,000 employees at Pfizer Inc., including about 5,000 from
Connecticut, had their personal information compromised when a
company laptop and flash drive were stolen, the pharmaceutical giant
Classified Hong Kong "watch-list" leaked on internet - A government
investigation was underway Friday after it was revealed that
confidential files from the Immigration Department had been
mistakenly leaked on to the internet.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
e continue the series regarding FDIC Supervisory Insights regarding
Programs. (6 of 12)
Practices-Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum requirements
and incorporate industry best practices into its IRP. As each bank
tailors its IRP to match its administrative, technical, and
organizational complexity, it may find some of the following best
practices relevant to its operating environment. The practices
addressed below are not all inclusive, nor are they regulatory
requirements. Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices have
been categorized into the various stages of incident response:
preparation, detection, containment, recovery, and follow-up.
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The overall
effectiveness and efficiency of an organization's response is
related to how well it has organized and prepared for potential
incidents. Two of the more effective practices noted in many IRPs
are addressed below.
Establish an incident response team.
A key practice in preparing for a potential incident is
establishing a team that is specifically responsible for responding
to security incidents. Organizing a team that includes individuals
from various departments or functions of the bank (such as
operations, networking, lending, human resources, accounting,
marketing, and audit) may better position the bank to respond to a
given incident. Once the team is established, members can be
assigned roles and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common responsibility
that banks have assigned to the incident response team is developing
a notification or call list, which includes contact information for
employees, vendors, service providers, law enforcement, bank
regulators, insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable resource
when responding to an incident.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Shared Secret Systems (Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the ease
with which an attacker can discover the secret. Attack methods vary.
! A dictionary attack is one common and successful way to discover
passwords. In a dictionary attack, the attacker obtains the system
password file, and compares the password hashes against hashes of
commonly used passwords.
Controls against dictionary attacks include securing the password
file from compromise, detection mechanisms to identify a compromise,
heuristic intrusion detection to detect differences in user
behavior, and rapid reissuance of passwords should the password file
ever be compromised. While extensive character sets and storing
passwords as one - way hashes can slow down a dictionary attack,
those defensive mechanisms primarily buy the financial institution
time to identify and react to the password file compromises.
! An additional attack method targets a specific account and submits
passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms, which
commonly lock out access to the account after a risk - based
number of failed login attempts.
! A variation of the previous attack uses a popular password, and
tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of
possible passwords to usernames, randomly generated passwords, and
scanning the IP addresses of authentication requests and client
cookies for submission patterns.
! Password guessing attacks also exist. These attacks generally
consist of an attacker gaining knowledge about the account holder
and password policies and using that knowledge to guess the
Controls include training in and enforcement of password policies
that make passwords difficult to guess. Such policies address the
secrecy, length of the password, character set, prohibition against
using well - known user identifiers, and length of time before the
password must be changed. Users with greater authorization or
privileges, such as root users or administrators, should have
longer, more complex passwords than other users.
! Some attacks depend on patience, waiting until the logged - in
workstation is unattended.
Controls include automatically logging the workstation out after a
period of inactivity (Existing
industry practice is no more than 20 - 30 minutes) and
heuristic intrusion detection.
! Attacks can take advantage of automatic login features, allowing
the attacker to assume an authorized user's identity merely by
using a workstation.
Controls include prohibiting and disabling automatic login features,
and heuristic intrusion detection.
! User's inadvertent or unthinking actions can compromise
passwords. For instance, when a password is too complex to readily
memorize, the user could write the password down but not secure the
paper. Frequently, written - down passwords are readily accessible
to an attacker under mouse pads or in other places close to the
user's machines. Additionally, attackers frequently are successful
in obtaining passwords by using social engineering and tricking the
user into giving up their password.
Controls include user training, heuristic intrusion detection, and
simpler passwords combined with another authentication mechanism.
! Attacks can also become much more effective or damaging if
different network devices share the same or a similar password.
Controls include a policy that forbids the same or similar password
on particular network devices.
Return to the top of the
6. Determine whether appropriate segregation
exists between the responsibility for networks and the
responsibility for computer operations.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and practices;
b. the institution has provided the consumer with a new opt out
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information; [§8(a)(3)]
d. the consumer has not opted out? [§8(a)(4)]