Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - Judge rules against firm that lost $345k to bank trojan - Victim failed to secure account credentials - A federal magistrate judge has ruled against a small business that lost $345,000 in an online bank heist, arguing that the theft largely resulted from its own failure to secure its account credentials, according to published news reports.
http://www.theregister.co.uk/2011/06/09/banking_trojan_victim_loses/

FYI - DoC calls for security standards, co-operation - Oh, also bigger markets for American security products - The US Department of Commerce is broadening its attention beyond the critical infrastructure sector, proposing security codes of conduct for the rest of the Internet economy.
http://www.theregister.co.uk/2011/06/08/doc_security_paper/

FYI - Penn. school district hit with new Mac spying lawsuit - After settling with another student for $175,000 last year, Lower Merion says new suit 'solely motivated by monetary interests' - A former student at a suburban Philadelphia high school has sued his school district for allegedly spying on him and his family using a school-issued Mac laptop, according to court documents.
http://www.computerworld.com/s/article/9217439/Penn._school_district_hit_with_new_Mac_spying_lawsuit?taxonomyId=17

FYI - EU nations give nod to tougher cybercrime jail terms - The new rules are part of a European Commission proposal, adopted by the Council of the European Union on Friday, which now goes to the European Parliament for approval.
http://www.zdnet.co.uk/news/security-management/2011/06/13/eu-nations-give-nod-to-tougher-cybercrime-jail-terms-40093082/?tag=mncol;txt

FYI - Miscreants Fined For Selling T-Mobile Customer Data - Two men have been fined a total of more than £70,000 for illegally selling lucrative customer data to third parties - Two former T-Mobile employees have been fined a total of £73,700 for stealing and selling on customer data from the company, concluding an investigation that began in 2008, according to the Information Commissioner’s Office (ICO).
http://www.eweekeurope.co.uk/news/miscreants-fined-for-selling-t-mobile-customer-data-31582
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Passwords + Secret Questions = ‘Reasonable’ eBanking Security - A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week - if adopted by a U.S. district court in Maine - will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.
http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/

FYI - After Hack, RSA Offers to Replace SecurID Tokens - In an acknowledgement of the severity of its recent computer compromise, RSA Security said Monday that it will replace SecurID tokens for any customer that asks.
http://www.pcworld.com/businesscenter/article/229553/after_hack_rsa_offers_to_replace_secureid_tokens.html

FYI - Citigroup breach exposed data on 210,000 customers - Citigroup admitted Wednesday that an attack on its website allowed hackers to view customers' names, account numbers and contact information such as email addresses for about 210,000 of its cardholders in North America.
http://www.computerworld.com/s/article/9217486/Citigroup_breach_exposed_data_on_210_000_customers?taxonomyId=17

FYI - Greek police nab Pentagon hacking carding suspect - Greek police have arrested an 18-year-old suspected of hacking into systems run by Interpol, the FBI, and the Pentagon.
http://www.theregister.co.uk/2011/06/08/greek_police_arrest_pentagon_hack_suspect/
http://www.scmagazineus.com/greek-police-arrest-man-accused-of-hacking-us-sites/article/204887/?DCMP=EMC-SCUS_Newswire

FYI - Men pocket $1.5m in alleged ATM skimming spree - Feds charge men with aggravated ID theft - Four men have been charged with stealing $1.5 million from banks by using electronic devices to secretly record personal identification numbers as customers entered them into automatic teller machines and other gear.
http://www.theregister.co.uk/2011/06/07/atm_skimming_indictment/

FYI - IMF latest victim of "major" cyberattack, breach - The International Monetary Fund (IMF) has suffered a major compromise, the latest incident in a string of attacks targeting high-profile organizations.
http://www.scmagazineus.com/imf-latest-victim-of-major-cyberattack-breach/article/205198/?DCMP=EMC-SCUS_Newswire

FYI - Patient data stolen from California medical group - The medical information of thousands of individuals was compromised after thieves raided the offices of California medical group HealthCare Partners.
http://www.scmagazineus.com/patient-data-stolen-from-california-medical-group/article/204876/?DCMP=EMC-SCUS_Newswire

FYI - Cops Arrest Three Anonymous Members Allegedly Involved in Sony Hack - Spanish authorities announced Friday they have arrested three members of the hacking group Anonymous in connection to attacks against Sony’s online PlayStation network and other sites.
http://www.wired.com/threatlevel/2011/06/three-anonymous-members-arrested/

FYI - Government 'may have hacked IMF' - Hackers who broke into the International Monetary Fund's computer system may have been backed by a nation state, according to security experts.
http://www.bbc.co.uk/news/technology-13748488

FYI - Hacking group claims it breached Senate website, publishes evidence of break-in - A band of computer hackers who pride themselves on attacking vulnerable networks for fun accessed a Senate server that supports the chamber’s public website but did not breach other files, a Capitol Hill law enforcement official said Monday.
http://www.washingtonpost.com/politics/hacking-group-claims-it-breached-senate-website-publishes-evidence-of-break-in/2011/06/13/AG7xAaTH_story.html

FYI - FBI Investigating Cyber Theft of $139,000 from Pittsford, NY - Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.
http://krebsonsecurity.com/2011/06/fbi-investigating-cyber-theft-of-139000-from-pittsford-ny/

FYI - How Citigroup hackers broke in 'through the front door' using bank's website - Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique.
http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html

FYI - Cleveland debit card spree getting bigger as more than 1 dozen banks, credit unions affected - The local debit card fraud breach that was discovered last month is much wider than first realized, striking just about every major bank in the area and some of the biggest credit unions across Northeast Ohio.
http://www.cleveland.com/business/index.ssf/2011/06/cleveland_debit_card_spree_get.html

FYI - Banking breach has hundreds scrambling to recover money - It has now been confirmed thousands of dollars have been stolen from account holders with The People's Federal Credit Union. The banking breach has many scrambling to recover their money.
http://www.newschannel10.com/story/14822946/banking-breach-has-hundreds-scrambling-to-recover-money
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 3 of 10)

A. RISK DISCUSSION

Reputation Risk
Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.

Nature of Product or Service
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
store.
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
in nature.
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
financial institution.
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
seller.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Network Configuration
Computer networks often extend connectivity far beyond the financial
institution and its data center. Networks provide system access and
connectivity between business units, affiliates, TSPs, business
partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access
between various groups and information users.
A typical approach to securing a large network involves dividing the
network into logical security domains. A logical security domain is
a distinct part of a network with security policies that differ from
other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
- Identifying the various applications and user-groups accessed via the network;
- Identifying all access points to the network including various telecommunications channels (e.g., wireless, Ethernet, frame relay, dedicated lines, remote dial-up access, extranets, Internet);
- Mapping the internal and external connectivity between various network segments;
- Defining minimum access requirements for network services (i.e., most often referenced as a network services access policy); and
- Determining the most appropriate network configuration to ensure adequate security and performance.
With a clear understanding of network connectivity, the financial institution can avoid introducing security vulnerabilities by minimizing access to less-trusted domains and employing encryption for less secure connections. Institutions can then determine the most effective deployment of protocols, filtering routers, firewalls, gateways, proxy servers, and/or physical isolation to restrict access. Some applications and business processes may require complete segregation from the corporate network (e.g., no connectivity between corporate network and wire transfer system). Others may restrict access by placing the services that must be accessed by each zone in their own security domain, commonly called a "demilitarized zone" (DMZ).
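The steps above (map hosts to logical security domains, define minimum access requirements as a network services access policy, then use that policy to restrict access and enforce complete segregation where required) can be expressed and audited as data. The following Python script is an added example, not part of the FFIEC booklet or this newsletter: the zone names, address ranges, permitted services and observed flows are all constructed assumptions. It validates the policy for authoring mistakes, then checks a sample of observed flows (as a firewall or flow log would yield) against it, flagging anything the default-deny policy would not permit and, separately, anything that would bridge a fully segregated domain such as a wire-transfer system.

```python
"""Audit observed network flows against a zone-based network services
access policy.  Added example: zone names, address ranges, permitted
services and the sample flows below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Logical security domains and the address space assigned to each.
# Constructed sample addressing; "internet" is the catch-all zone.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "corporate": ipaddress.ip_network("10.2.0.0/16"),
    "wire_transfer": ipaddress.ip_network("10.9.0.0/24"),
}

# Domains requiring complete segregation: only intra-zone traffic is ever
# permitted, mirroring the booklet's wire-transfer example.
FULLY_ISOLATED = {"wire_transfer"}


@dataclass(frozen=True)
class Rule:
    """One permitted service: src zone -> dst zone on proto / dst port."""
    src: str
    dst: str
    proto: str
    port: int


# The network services access policy: minimum access requirements only;
# anything not listed is denied.  Hypothetical services.
POLICY = {
    Rule("internet", "dmz", "tcp", 443),        # public web front end
    Rule("dmz", "corporate", "tcp", 5432),      # DMZ app tier -> internal DB
    Rule("corporate", "internet", "tcp", 443),  # outbound HTTPS from staff
    Rule("corporate", "dmz", "tcp", 22),        # administration of DMZ hosts
}


def zone_of(ip: str) -> str:
    """Map an address to its zone by longest-prefix match.
    Addresses outside every zone (e.g. IPv6 here) come back as 'unknown'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "unknown"


def validate_policy() -> list[str]:
    """Catch policy-authoring errors before the policy is deployed: a rule
    naming an unknown zone, or one granting cross-zone access to a domain
    that must be completely segregated."""
    problems = []
    for r in POLICY:
        for z in (r.src, r.dst):
            if z not in ZONES:
                problems.append(f"unknown zone {z!r} in {r}")
        if r.src != r.dst and FULLY_ISOLATED & {r.src, r.dst}:
            problems.append(f"rule bridges an isolated domain: {r}")
    return problems


def evaluate(src: str, dst: str, proto: str, port: int) -> tuple[str, str]:
    """Decide one observed flow.  Returns (verdict, reason)."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return "deny", f"unmapped address ({sz} -> {dz})"
    if sz == dz:
        return "allow", f"intra-zone traffic within {sz}"
    # Segregation is checked before the policy so no rule can override it.
    if FULLY_ISOLATED & {sz, dz}:
        return "deny", f"segregation violation: {sz} -> {dz}"
    if Rule(sz, dz, proto.lower(), port) in POLICY:
        return "allow", f"permitted service {sz} -> {dz} {proto}/{port}"
    return "deny", f"no policy entry for {sz} -> {dz} {proto}/{port} (default deny)"


# Constructed sample of observed flows: (src, dst, proto, dst port).
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.1.0.10", "tcp", 443),   # Internet -> DMZ web: allowed
    ("203.0.113.7", "10.2.5.20", "tcp", 445),   # Internet -> corporate SMB: denied
    ("10.1.0.10", "10.2.0.50", "tcp", 5432),    # DMZ app -> internal DB: allowed
    ("10.1.0.10", "10.2.0.50", "tcp", 22),      # DMZ -> corporate SSH: denied
    ("10.2.3.4", "10.9.0.5", "tcp", 22),        # corporate -> wire transfer: segregation
    ("10.2.3.4", "10.2.3.9", "tcp", 445),       # corporate -> corporate: intra-zone
]


def audit(flows=SAMPLE_FLOWS) -> list[tuple]:
    """Return the flows the policy would deny, each with its reason."""
    findings = []
    for src, dst, proto, port in flows:
        verdict, reason = evaluate(src, dst, proto, port)
        if verdict == "deny":
            findings.append((src, dst, proto, port, reason))
    return findings


if __name__ == "__main__":
    for problem in validate_policy():
        print("POLICY ERROR:", problem)
    for finding in audit():
        print("DENY", *finding)
```

Run stand-alone, the script reports three denied flows from the sample: the Internet-to-corporate connection and the DMZ-to-corporate SSH connection fall to default deny, while the corporate-to-wire-transfer connection is reported as a segregation violation regardless of what the policy says. Keeping segregation as a separate, earlier check means a later edit to POLICY cannot quietly reopen a domain that the business process requires to be isolated.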
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
information except:
a. to the affiliates of the financial institution from which it
received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the same
disclosure restrictions as the recipient institution;
[§11(b)(1)(ii)] and
c. to any other person, if the disclosure would be lawful if made
directly to that person by the institution from which the recipient
institution received the information? [§11(b)(1)(iii)] |