Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Army Hospital Breach May Be Result of P2P Leak - Data loss at Walter Reed exposed personal information on 1,000 soldiers - Peer-to-peer (P2P) applications may have been the culprit in a security breach that has exposed the personal information of more than 1,000 patients at Walter Reed Hospital, according to early reports.
http://www.darkreading.com/document.asp?doc_id=155501

FYI - Security firm asks for help cracking ransomware key - New blackmailing Trojan encrypts files using high-grade 1024-bit RSA key - A security company asked for help cracking an encryption key central to an extortion scheme that demands money from users whose PCs have been infected by malware.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094818&source=rss_topic17

FYI - How to Sell Security - There are two basic ways to sell something. Either a product gives the buyer something he wants - as satisfaction, comfort or money - or it prevents the buyer from getting something he doesn't want: assault, fraud, burglaries or terrorist attacks.
http://www.cio.com/article/print/367913

FYI - Exploiting VoIP vulnerabilities to steal confidential data - Can you call someone using VoIP and steal their personal data without talking to them? Most people would have said "No" until they saw the Sipera VIPER Lab demonstration, which does exactly that.
http://www.scmagazineus.com/Exploiting-VoIP-vulnerabilities-to-steal-confidential-data/article/111091/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Latest 'lost' laptop holds treasure-trove of unencrypted AT&T payroll data - It's just another in a long line of stolen laptops ... unless you work in management at AT&T and you're worried about your social security number falling into the hands of identity thieves.
http://www.networkworld.com/community/node/28453

FYI - Stolen laptop contained 32,000 farmers' financial data - About 32,000 Canadian farmers are on the alert after learning a laptop containing their financial information has been stolen. The laptop was stolen when a programmer working for the Canadian Canola Growers Association took the machine off-site for routine maintenance. CCGA general manager Rick White described the theft as a classic "smash and grab."
http://www.cbc.ca/canada/manitoba/story/2008/06/05/canola-information.html

FYI - Hackers hijack hacking tools website - Crackers briefly hijacked hacking tools website Metasploit on Monday. Visitors to the site on Monday were redirected to a page announcing the site was "hacked by sunwear ! just for fun", as recorded by Sunbelt Software.
http://www.scmagazineus.com/Ethical-hacking-site-falls-victim-to-hackers/article/110965/?DCMP=EMC-SCUS_Newswire
http://blogs.zdnet.com/security/?p=1242&tag=nl.e550

FYI - Personal data of thousands compromised - Damac Properties has launched an investigation into how thousands of its customers' personal details ended up for sale on eBay for 750 pounds ($1,466), a senior company official told ArabianBusiness.com. Ten copies of a database with personal information on over 8,000 of the Dubai-based developer's customers were put on the website on May 28.
http://www.itp.net/news/521308-damac-clients-information-offered-on-ebay
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (10 of 12)

Test affected systems or procedures prior to implementation.

Testing is an important function in the incident response process. It helps ensure that reconfigured systems, updated procedures, or new technologies implemented in response to an incident are fully effective and performing as expected. Testing can also identify whether any adjustments are necessary prior to implementing the updated system, process, or procedure.

Follow-up

During the follow-up process, an institution has the opportunity to regroup after the incident and strengthen its control structure by learning from the incident. A number of institutions have included the following best practice in their IRPs.

Conduct a "lessons-learned" meeting.

Successful organizations can use the incident and build from the experience. Organizations can use a lessons-learned meeting to:
1) discuss whether affected controls or procedures need to be strengthened beyond what was implemented during the recovery phase;
2) discuss whether significant problems were encountered during the incident response process and how they can be addressed;
3) determine if updated written policies or procedures are needed for the customer information security risk assessment and information security program;
4) determine if updated training is necessary regarding any new procedures or updated policies that have been implemented; and
5) determine if the bank needs additional personnel or technical resources to be better prepared going forward.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 2 of 3)

The certificate authority (CA), which may be the financial institution or its service provider, plays a key role by attesting with a digital certificate that a particular public key and the corresponding private key belong to a specific user or system. It is important when issuing a digital certificate that the registration process for initially verifying the identity of users is adequately controlled. The CA attests to the individual user's identity by signing the digital certificate with its own private key, known as the root key. Each time the user establishes a communication link with the financial institution's systems, a digital signature is transmitted with a digital certificate. These electronic credentials enable the institution to determine that the digital certificate is valid, identify the individual as a user, and confirm that transactions entered into the institution's computer system were performed by that user.

The user's private key exists electronically and is susceptible to being copied over a network as easily as any other electronic file. If it is lost or compromised, the user can no longer be assured that messages will remain private or that fraudulent or erroneous transactions would not be performed. User AUPs and training should emphasize the importance of safeguarding a private key and promptly reporting its compromise.

PKI minimizes many of the vulnerabilities associated with passwords because it does not rely on shared secrets to authenticate customers, its electronic credentials are difficult to compromise, and user credentials cannot be stolen from a central server. The primary drawback of a PKI authentication system is that it is more complicated and costly to implement than user names and passwords. Whether the financial institution acts as its own CA or relies on a third party, the institution should ensure its certificate issuance and revocation policies and other controls discussed below are followed.
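The exchange the booklet describes, as an added example that is not part of the FFIEC text: a CA issues a certificate by signing a user's public key with its root key, the user signs a transaction with the private key and transmits the signature together with the certificate, and the institution checks the certificate against the trusted root, reads the user's identity from it, and verifies the transaction signature. It uses only Go's standard library (crypto/x509, crypto/ecdsa); the CA names, user name and transaction text are constructed for the example. It also shows the two failures a verifier must catch: a transaction altered after signing, and a certificate for the same user issued by a CA the institution does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate skeleton valid for 24 hours; CA templates get
// the CertSign usage, user templates the client-auth usage the verifier requires.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// newCA generates the CA's root key pair and a self-signed root certificate.
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(1, name, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueUserCert is the CA's attestation: after registration has verified the
// user's identity, the CA signs the user's public key into a certificate with its root key.
func issueUserCert(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, userPub *ecdsa.PublicKey, user string) ([]byte, error) {
	return x509.CreateCertificate(rand.Reader, template(2, user, false), caCert, userPub, caKey)
}

// signTransaction is the user's side; only the private key holder can produce the signature.
func signTransaction(userKey *ecdsa.PrivateKey, tx []byte) ([]byte, error) {
	digest := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, userKey, digest[:])
}

// verifyTransaction is the institution's side: check the certificate chains to the
// trusted root and is within its validity period, identify the user from its
// subject, and confirm the transaction was signed by the certified key.
func verifyTransaction(root *x509.Certificate, certDER, sig, tx []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(tx)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("transaction signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

// Demo runs the exchange end to end: the user identified for a genuine transaction,
// then the errors for a tampered transaction and for a certificate from an untrusted CA.
func Demo() (user string, tamperErr, untrustedErr, err error) {
	caKey, caCert, err := newCA("Example Bank Root CA") // constructed names throughout
	if err != nil {
		return
	}
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certDER, _ := issueUserCert(caKey, caCert, &userKey.PublicKey, "customer-0001")
	tx := []byte("transfer 100.00 from 1001 to 2002") // constructed sample transaction
	sig, _ := signTransaction(userKey, tx)
	user, err = verifyTransaction(caCert, certDER, sig, tx)
	_, tamperErr = verifyTransaction(caCert, certDER, sig, []byte("transfer 9000.00 from 1001 to 2002"))
	otherKey, otherCA, _ := newCA("Untrusted CA")
	otherDER, _ := issueUserCert(otherKey, otherCA, &userKey.PublicKey, "customer-0001")
	_, untrustedErr = verifyTransaction(caCert, otherDER, sig, tx)
	return
}

func main() { fmt.Println(Demo()) }
```

The untrusted-CA case is the one that matters for the booklet's point about controlling registration: the signature is mathematically valid for the user's key, yet the institution rejects it because the certificate was not signed by the root key it trusts. Revocation checking (a CRL or OCSP lookup between the chain check and the signature check) is the control the next part of the series discusses and is not shown here.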
INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

10. Determine if firewall and routing controls are in place and updated as needs warrant.
• Identify personnel responsible for defining and setting firewall rulesets and routing controls.
• Review procedures for updating and changing rulesets and routing controls.
• Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewall's capabilities for identifying and blocking traffic are effectively utilized.
• Confirm that network mapping through the firewall is disabled.
• Confirm that NAT and split DNS are used to hide internal names and addresses from external users. (Note: Split DNS is a method of segregating the internal DNS from the external DNS.)
• Confirm that malicious code is effectively filtered.
• Confirm that firewalls are backed up to external media, and not to servers on protected networks.
• Determine that firewalls and routers are subject to appropriate and functioning host controls.
• Determine that firewalls and routers are securely administered.
• Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk.
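One way to check the "all traffic not expressly allowed is denied" premise mechanically, as an added example rather than anything from the examination procedures: a small first-match ruleset model that evaluates a packet against the ruleset and audits the ruleset for two examiner-relevant defects, a missing explicit final deny-all rule (so unmatched traffic falls to whatever the firewall's implicit default happens to be) and rules fully shadowed by an earlier rule (which never take effect, so the ruleset does not do what its author believes). The rule format, the sample rulesets and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one entry in an ordered, first-match ruleset. Proto "any" and
// Port 0 are wildcards; Src and Dst are CIDR networks.
type Rule struct {
	Action string // "allow" or "deny"
	Proto  string // "tcp", "udp", "icmp" or "any"
	Src    *net.IPNet
	Dst    *net.IPNet
	Port   int // destination port, 0 = any
}

type Packet struct {
	Proto    string
	Src, Dst net.IP
	Port     int
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// netCovers reports whether network a contains all of network b.
func netCovers(a, b *net.IPNet) bool {
	ao, _ := a.Mask.Size()
	bo, _ := b.Mask.Size()
	return ao <= bo && a.Contains(b.IP)
}

// covers reports whether every packet matching b also matches a, so b can
// never be reached when a precedes it in the ruleset.
func covers(a, b Rule) bool {
	return (a.Proto == "any" || a.Proto == b.Proto) && (a.Port == 0 || a.Port == b.Port) &&
		netCovers(a.Src, b.Src) && netCovers(a.Dst, b.Dst)
}

func (r Rule) matches(p Packet) bool {
	return (r.Proto == "any" || r.Proto == p.Proto) && (r.Port == 0 || r.Port == p.Port) &&
		r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst)
}

// matchAll describes every packet; a final rule that covers it is an explicit catch-all.
var matchAll = Rule{Proto: "any", Src: mustCIDR("0.0.0.0/0"), Dst: mustCIDR("0.0.0.0/0")}

// Evaluate returns the action and index of the first matching rule, or ("", -1)
// when nothing matches and the outcome falls to the firewall's implicit default.
func Evaluate(rules []Rule, p Packet) (string, int) {
	for i, r := range rules {
		if r.matches(p) {
			return r.Action, i
		}
	}
	return "", -1
}

// Audit returns examiner-style findings: no explicit final deny-all rule, and shadowed rules.
func Audit(rules []Rule) []string {
	var findings []string
	if n := len(rules); n == 0 || rules[n-1].Action != "deny" || !covers(rules[n-1], matchAll) {
		findings = append(findings, "no explicit final deny-all rule; unmatched traffic relies on the implicit default")
	}
	for i, r := range rules {
		for j := 0; j < i; j++ {
			if covers(rules[j], r) {
				findings = append(findings, fmt.Sprintf("rule %d is shadowed by rule %d and never matches", i, j))
				break
			}
		}
	}
	return findings
}

// Constructed sample rulesets; public addresses are from the RFC 5737 documentation ranges.
var (
	webBanking = Rule{"allow", "tcp", mustCIDR("0.0.0.0/0"), mustCIDR("203.0.113.10/32"), 443}
	adminSSH   = Rule{"allow", "tcp", mustCIDR("10.0.0.0/8"), mustCIDR("10.0.5.0/24"), 22}
	hostSSH    = Rule{"allow", "tcp", mustCIDR("10.0.0.0/8"), mustCIDR("10.0.5.7/32"), 22} // covered by adminSSH
	denyAll    = Rule{"deny", "any", mustCIDR("0.0.0.0/0"), mustCIDR("0.0.0.0/0"), 0}
	WeakRules  = []Rule{webBanking, adminSSH, hostSSH} // relies on the implicit default
	GoodRules  = []Rule{webBanking, adminSSH, denyAll} // default deny made explicit
	// An inbound connection to a port the institution never exposed.
	UnexpectedInbound = Packet{"tcp", net.ParseIP("198.51.100.5"), net.ParseIP("203.0.113.10"), 3389}
)

func main() {
	fmt.Println("weak ruleset findings:", Audit(WeakRules))
	fmt.Println("good ruleset findings:", Audit(GoodRules))
	fmt.Println(Evaluate(WeakRules, UnexpectedInbound))
	fmt.Println(Evaluate(GoodRules, UnexpectedInbound))
}
```

Against the weak ruleset the unexpected inbound connection matches no rule at all, so whether it is blocked depends on the firewall product's implicit behaviour rather than on the institution's policy; the corrected ruleset denies it by an explicit, reviewable rule. The shadowing check is what a reviewer wants when procedures for "updating and changing rulesets" are only append-only: a rule added below a broader one silently does nothing.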
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

37. For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice such as:
a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or
b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]