Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
information and to subscribe visit
German Wi-Fi networks liable for 3rd party piracy - Leave connection
open, risk fine - German surfers risk fines of €100 if their open
Wi-Fi connection gets used to download copyright-infringing
Senate confirms Alexander as chief of U.S. Cyber Command - The U.S.
Senate has approved Lt. Gen. Keith Alexander, director of the
National Security Agency, to also head the military's recently
created U.S. Cyber Command.
Thieves Flood Victim's Phone With Calls to Loot Bank Accounts - have
rolled out a new weapon in their arsenal of tactics - telephony
denial-of-service attacks that flood a victim's phone with
diversionary calls while the thieves drain the victim's account of
PCI Council releases new PIN security standard - The group
responsible for managing payment security rules has released version
3.0 of the PIN Transaction Security (PTS) standard. The new version
replaces the PIN Entry Device (PED) standard in an effort to
streamline point-of-sale security guidelines to also cover
unattended payment terminals, such as fuel dispensers, and hardware
security modules, which are nonuser facing devices used in PIN
Gov't agencies use unsafe methods to transfer files -Employees at
many U.S. government agencies are using unsecure methods, including
personal e-mail accounts, to transfer large files, often in
violation of agency policy, according to a survey.
Security guard pleads guilty to hacking his employer - A former
security guard has pleaded guilty to charges that he broke into his
employer's computers while working the night shift at a Dallas
GAO - Veterans Affairs Needs to Resolve Long-Standing Weaknesses.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Exposes Personal Data on 207,000 Army Reservists - A
laptop stolen from a government contractor last month contained
names, addresses and Social Security numbers of more than 207,000
U.S. Army reservists.
Laptop theft puts thousands of N.M. Medicaid users at risk - An
unencrypted laptop containing the personal information of thousands
of New Mexico citizens enrolled in the state's Medicaid Salud plan
was stolen in late March.
Students, Parents Allowed to View Webcam Scandal Photos - Suburban
Philadelphia parents and their high school-age children soon will
learn the extent of a potentially criminal webcam scandal.
Latvia's 'Robin Hood' hacker unmasked as AI researcher - Nabbed
after baring fat-cat salaries - Latvian police have identified a
computer science researcher as the folk hero who hacked government
systems to expose the fat salaries received by state officials
despite a draconian austerity drive in effect.
Ukrainian arrested in India on TJX data-theft charges - A Ukrainian
national has been arrested in India in connection with the most
notorious hacking incident in U.S. history.
Man charged with attacking O'Reilly, Coulter websites - A former
college student has been charged with using the school's computer
network to control a botnet and launch distributed denial-of-service
(DDoS) attacks against conservative websites belonging to Bill
O'Reilly, Ann Coulter and Rudy Giuliani.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We begin this week reviewing
the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 1 of 10)
A. RISK DISCUSSION
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
dissatisfaction with the quality of products or services
obtained from a third party; and
- customer confusion as
to whether certain regulatory protections apply to third-party
products or services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we start a
three part review of controls to prevent and detect intrusions.
Management should determine the controls necessary to deter, detect,
and respond to intrusions, consistent with the best practices of
information system operators. Controls may include the following:
1) Authentication. Authentication provides identification by means
of some previously agreed upon method, such as passwords and
biometrics. (A method of identifying a person's identity by
analyzing a unique physical attribute.) The means and strength of
authentication should be commensurate with the risk. For instance,
passwords should be of an appropriate length, character set, and
lifespan (The lifespan of a password is the length of time the
password allows access to the system. Generally speaking, shorter
lifespans reduce the risk of password compromises.) for the systems
being protected. Employees should be trained to recognize and
respond to fraudulent attempts to compromise the integrity of
security systems. This may include "social engineering" whereby
intruders pose as authorized users to gain access to bank systems or
2) Install and Update Systems. When a bank acquires and installs new
or upgraded systems or equipment, it should review security
parameters and settings to ensure that these are consistent with the
intrusion risk assessment plan. For example, the bank should review
user passwords and authorization levels for maintaining "separation
of duties" and "need to know" policies. Once installed, security
flaws to software and hardware should be identified and remediated
through updates or "patches." Continuous monitoring and updating is
essential to protect the bank from vulnerabilities. Information
related to vulnerabilities and patches are typically available from
the vendor, security-related web sites, and in bi-weekly National
Infrastructure Protection Center's CyberNotes.
3) Software Integrity. Copies of software and integrity checkers (An
integrity checker uses logical analysis to identify whether a file
has been changed.) are used to identify unauthorized changes to
software. Banks should ensure the security of the integrity
checklist and checking software. Where sufficient risk exists, the
checklist and software should be stored away from the network, in a
location where access is limited. Banks should also protect against
viruses and other malicious software by using automated virus
scanning software and frequently updating the signature file (The
signature file contains the information necessary to identify each
virus.) to enable identification of new viruses.
Return to the top of
INTERNET PRIVACY - We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
Next week we will start covering the examination objectives.