Spending less than 5 minutes a week, along with a cup of coffee, you can
monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA,
NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
FYI
- FFIEC Releases Supplemental Guidance on Internet Banking
Authentication - The Federal Financial Institutions Examination
Council (FFIEC) today issued a supplement to the Authentication in
an Internet Banking Environment guidance, issued in October 2005.
Financial institutions will be expected to comply with the guidance
no later than January 1, 2012.
http://www.fdic.gov/news/news/press/2011/pr11111.html
www.ncua.gov/news/press_releases/2011/JR11-0628Auth-PR-FFIEC.pdf
FYI
- Inside the Anonymous Army of 'Hacktivist' Attackers - In this
sleepy Dutch town last December, police burst into the bedroom of
19-year-old Martijn Gonlag as he hurriedly pulled on jeans over his
boxer shorts. He was hauled away on suspicion of taking part in
cyber attacks by the online group calling itself Anonymous.
http://online.wsj.com/article/SB10001424052702304887904576399871831156018.html
FYI
- Prepare for tougher data breach rules - Shocked commissioner hopes
to improve consumer confidence online - European Commissioner
Viviane Reding has warned banks that they will be required to notify
customers about data security breaches.
http://www.theregister.co.uk/2011/06/21/viviane_reding_data_breaches_mandatory_notification/
FYI
- Australia toughens cybercrime laws - Conventional thinking -
Australian carriers and ISPs will be forced by police and other
authorities to retain customers' private data, such as email and text
messages, without a warrant, if it is required for investigations
into cybercrime.
http://www.theregister.co.uk/2011/06/23/australia_laws_fight_cybercrime/
FYI
- In search of a global network security standard - Earlier this
month on SCMagazineUS.com, Peter George, CEO of Fidelis Security
Systems, wrote an “Open letter to the network security industry,”
encouraging the industry to rally together.
http://www.scmagazineus.com/in-search-of-a-global-network-security-standard/article/206231/?DCMP=EMC-SCUS_Newswire
FYI
- Bug-Squashing Tools Offered to Improve Network Security - After a
spate of hacking attacks, the Department of Homeland Security is
promoting ways to make software more trustworthy: it has announced an
initiative to shore up security by squashing software bugs. This
follows a slew of high-profile attacks on government and corporate
computer systems that have led to sensitive information being stolen.
http://www.technologyreview.com/web/37901/?a=f
FYI
- LulzSec calls it quits after 50 days of 'mayhem' - The computer
hacking group LulzSec said Saturday it had ended its campaign of
cyberassaults on government and corporate websites and that it was
time for it to "sail into the distance."
http://www.computerworld.com/s/article/9217938/LulzSec_calls_it_quits_after_50_days_of_mayhem_?taxonomyId=203
FYI
- Drug Prescription Data Mining Cleared By Supreme Court - A Vermont
law that forbade using prescription information collected by
pharmacies for marketing purposes was declared unconstitutional on
First Amendment grounds.
http://www.informationweek.com/news/healthcare/security-privacy/231000397
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Former student pleads guilty to computer hacking at University of
Central Missouri - United States Attorney for the Western District
of Missouri announced that a former student of the University of
Central Missouri pleaded guilty today to his role in a computer
hacking conspiracy.
http://www.justice.gov/usao/mow/news2011/fowler.ple.html
FYI
- Sacked IT manager hacks, replaces CEO's presentation with ??? - A
former IT manager who hacked into the presentation of his former
company's CEO and replaced it with ??? has been sentenced to two
years in prison.
http://www.siliconrepublic.com/strategy/item/22350-sacked-it-manager-hacks/
FYI
- Another Certificate Authority Compromised: No Fake SSL
Certificates Issued - The fifth certificate authority to be hacked
this year, StartSSL has suspended issuing its free SSL certificates
indefinitely.
http://www.eweek.com/c/a/Security/Another-Certificate-Authority-Compromised-No-Fake-SSL-Certificates-Issued-107625/
FYI
- AT&T iPad Hacker Pleads Guilty - A 26-year-old man who last year
helped hackers steal personal information belonging to about 120,000
iPad users pleaded guilty to fraud and hacking charges in a New
Jersey court.
http://www.pcworld.com/article/230991/atandt_ipad_hacker_pleads_guilty.html
FYI
- Teenager charged over alleged website attacks - A 19-year-old
Essex man has been charged with five computer offences, including
attacking the Serious Organised Crime Agency's website.
http://www.bbc.co.uk/news/technology-13879678
FYI
- Feds crack multi-million scareware ring - Multinational gang face
20 years - The Department of Justice and the FBI have cracked an
international scareware ring believed to have scammed over $72m
(£45m).
http://www.theregister.co.uk/2011/06/23/fbi_scareware_arrests/
FYI
- FBI throws a scare into datacenter service providers - In a story
reported yesterday evening by the NY Times, the FBI decided to take
down activity from a suspicious IP address by seizing three
enclosures full of servers from a hosting facility in Reston, VA. The
enclosures were used by DigitalOne, a Switzerland-based hosting
company whose services were being used by the target of the FBI
investigation.
http://www.zdnet.com/blog/datacenter/fbi-throws-a-scare-into-datacenter-service-providers/884
FYI
- Feds claim victory over Coreflood botnet - FBI shuts down anti-botnet
project, says it reduced Coreflood by 95% - Federal authorities have
declared victory over the Coreflood botnet and shut down the
replacement server that the FBI used to issue commands to infected
PCs.
http://www.computerworld.com/s/article/9217883/Feds_claim_victory_over_Coreflood_botnet?taxonomyId=17
FYI
- Citigroup hackers made $2.7 million - Citigroup suffered about
$2.7 million in losses after hackers found a way to steal credit
card numbers from its website and post fraudulent charges.
http://www.computerworld.com/s/article/9217932/Citigroup_hackers_made_2.7_million?taxonomyId=17
FYI
- ChronoPay Co-Founder Arrested - Russian authorities on Thursday
arrested the co-founder of ChronoPay, the country’s largest
processor of online payments, for allegedly hiring a hacker to
attack his company’s rivals.
http://krebsonsecurity.com/2011/06/chronopay-co-founder-arrested/
FYI
- Travelodge warns of spam emails but downplays rumours of hacking
or customer data being sold - Travelodge UK has informed the
Information Commissioner's Office over a potential data compromise
after spam emails were sent from official accounts.
http://www.scmagazineuk.com/travelodge-warns-of-spam-emails-but-downplays-rumours-of-hacking-or-customer-data-being-sold/article/206022/
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Protocols and Ports (Part 2 of 3)
Other common protocols in a TCP/IP network include the following:
- Address resolution protocol (ARP) - Maps an IP address on the local
network segment to the hardware address of the device that holds it.
The hardware address is the Ethernet interface's address, technically
referred to as the "media access control" (MAC) address. Ethernet
delivers frames by MAC address, so a host or router that wants to
reach an IP address on a directly connected segment must first learn
the matching MAC address through ARP. Reverse ARP (RARP), which
resolves a MAC address to an IP address, also exists.
- Internet control message protocol (ICMP) - Carries messages about
network health between devices: it reports unreachable destinations,
supplies alternate routing information (redirects) if trouble is
detected, and helps to identify routing problems. The ping and
traceroute utilities are built on it.
- File transfer protocol (FTP) - Used to browse directories and
transfer files. Access can be authenticated or anonymous, but FTP
itself does not encrypt authentication: user names and passwords,
like the files, travel in cleartext. Conducting FTP within an
encrypted channel, such as a Virtual Private Network (VPN), secure
shell (SSH), or secure sockets layer (SSL) session, improves security.
- Trivial file transfer protocol (TFTP) - A simpler file transfer
protocol with no file-browsing ability and no support for
authentication at all.
- Simple mail transfer protocol (SMTP) - Commonly used in e-mail
systems to send mail.
- Post office protocol (POP) - Commonly used to receive e-mail. Like
FTP, it sends the user name and password in cleartext unless the
session is wrapped in SSL.
- Hypertext transfer protocol (HTTP) - Used for Web browsing.
- Secure shell (SSH) - Encrypts communication sessions; typically
used for remote administration of servers.
- Secure sockets layer (SSL) - Typically used to encrypt Web-browsing
sessions; sometimes used to secure e-mail transfers and FTP sessions.
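As an added example (not part of the FFIEC booklet or of this newsletter), the following Python script checks the cleartext-authentication risk the list above describes. It inspects the client-to-server bytes of a TCP flow to the well-known port of FTP, POP3, HTTP, or SMTP, pulls out any user name and password sent in the clear, and names the encrypted channel (SSH, SSL/TLS, or VPN) from the list as the replacement. The flows, IP addresses, and the user "jsmith" with password "Summer2011!" are constructed sample data; the port-to-protocol table and the function names are this example's own assumptions.

```python
import base64
import re

# Cleartext-authentication protocols from the booklet's list, keyed by the
# well-known TCP port each normally listens on, with the encrypted channel the
# booklet points to as a replacement. Port-to-protocol is an assumption of this
# example: services can run on any port, so in practice confirm by payload.
CLEARTEXT_AUTH_PORTS = {
    21: ("FTP", "SFTP (FTP over SSH), FTPS (FTP over SSL/TLS) or a VPN tunnel"),
    25: ("SMTP", "SMTP with STARTTLS or SMTPS (SMTP over SSL/TLS)"),
    80: ("HTTP", "HTTPS (HTTP over SSL/TLS)"),
    110: ("POP3", "POP3S (POP3 over SSL/TLS)"),
}


def _b64(token):
    """Decode a base64 token, returning None instead of raising on garbage."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def extract_credentials(dst_port, payload):
    """Return [(protocol, username, password_or_None), ...] found in the
    client-to-server bytes of one TCP flow.

    Only the cleartext protocols above are inspected. SSH and SSL/TLS flows are
    opaque on the wire and always yield an empty list, which is exactly why the
    booklet recommends moving these services into those channels.
    """
    if dst_port not in CLEARTEXT_AUTH_PORTS:
        return []
    proto, _ = CLEARTEXT_AUTH_PORTS[dst_port]
    text = payload.decode("latin-1")  # lossless 1:1 mapping of raw bytes
    found = []
    if proto in ("FTP", "POP3"):
        # Both use the same two-command login: USER <name> then PASS <secret>.
        user = re.search(r"^USER (\S+)", text, re.M)
        secret = re.search(r"^PASS (\S*)", text, re.M)
        if user:
            found.append((proto, user.group(1), secret.group(1) if secret else None))
    elif proto == "HTTP":
        # HTTP Basic is base64("user:password"): encoded, not encrypted.
        for m in re.finditer(r"^Authorization: Basic (\S+)", text, re.M | re.I):
            raw = _b64(m.group(1))
            if raw and b":" in raw:
                user, secret = raw.decode("latin-1").split(":", 1)
                found.append((proto, user, secret))
    elif proto == "SMTP":
        # SASL PLAIN is base64(authzid NUL user NUL password).
        for m in re.finditer(r"^AUTH PLAIN (\S+)", text, re.M | re.I):
            raw = _b64(m.group(1))
            if raw and raw.count(b"\x00") == 2:
                _authzid, user, secret = raw.split(b"\x00")
                found.append((proto, user.decode("latin-1"), secret.decode("latin-1")))
    return found


def audit_flows(flows):
    """Run the check over (src_ip, dst_port, payload) tuples and return one
    finding per credential. The secret itself is masked: the report should
    prove exposure and name the fix, not become a second copy of the password."""
    report = []
    for src, dport, payload in flows:
        for proto, user, secret in extract_credentials(dport, payload):
            report.append({
                "src": src,
                "port": dport,
                "protocol": proto,
                "user": user,
                "password_seen": secret is not None,
                "replace_with": CLEARTEXT_AUTH_PORTS[dport][1],
            })
    return report


# Constructed sample flows (not real captures): one client-to-server payload
# per flow, already reassembled. "jsmith" / "Summer2011!" are made-up values.
SAMPLE_FLOWS = [
    ("10.1.1.20", 21, b"USER jsmith\r\nPASS Summer2011!\r\nLIST\r\n"),
    ("10.1.1.21", 110, b"USER jsmith\r\nPASS Summer2011!\r\nSTAT\r\n"),
    ("10.1.1.22", 80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                      b"Authorization: Basic anNtaXRoOlN1bW1lcjIwMTEh\r\n\r\n"),
    ("10.1.1.23", 25, b"EHLO relay.example\r\nAUTH PLAIN AGpzbWl0aABTdW1tZXIyMDExIQ==\r\n"),
    ("10.1.1.24", 22, b"SSH-2.0-OpenSSH_5.8\r\n"),                 # SSH: nothing readable
    ("10.1.1.25", 443, bytes.fromhex("16030100") + b"\x00" * 40),  # TLS record: opaque
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print("{src} -> port {port} ({protocol}): user {user!r}, password on wire: "
              "{password_seen}; replace with {replace_with}".format(**f))
```

Matching on destination port is a heuristic, and the payloads here are already reassembled; on live traffic the same checks need TCP stream reassembly first, and SMTP AUTH LOGIN (credentials sent as two separate base64 lines) is not handled. The useful output is not the passwords but the list of hosts still authenticating over FTP, POP, HTTP, or SMTP, which is the list of services to move behind SSH, SSL/TLS, or a VPN.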
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for Service
Providers and Joint Marketing
47. If the institution discloses nonpublic personal information to
a nonaffiliated third party without permitting the consumer to opt
out, do the opt out requirements of §7 and §10, and the revised
notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial notice;
[§13(a)(1)(i)] and
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes?
[§13(a)(1)(ii)]