The brochure for the Information Security and
Risk Management Conference being held 28-30 September 2009 in
Las Vegas, Nevada came out this week. This is a great conference that I highly recommend.
For more information and to register, please go to
Pentagon signs off on Cyber Command - The U.S. Secretary of Defense
ordered the military to create a unified command to act as the
nation's central hub for cyber capabilities and commanded the
Pentagon to develop a policy framework for cyberspace operations.
UK cyber security strategy launched - The UK is to create a central
Office of Cyber Security (OCS) to deal with the rising level of
online attacks. The new office will run within the Cabinet Office,
and will liaise with industry as well as providing strategic
PCI Security Council seeks industry comments on current standards
Feedback will be considered for next version of PCI executive says -
The group that administers the Payment Card Industry Data Security
Standard (PCI DSS) wants feedback about how the current version of
the standard, released last October, is working.
TJX settles over breach with 41 states for $9.75 million - In a move
to close the door on the largest reported retail data breach in
history, TJX announced Tuesday that it has settled with 41 states
who were probing the discount merchant's data security practices.
GAO - Federal Information Security Issues.
ATM vendor gets security talk pulled from conferences - Last year it
was smartcards and this year it's ATMs. It's almost security
conference season in Las Vegas and with one month to go, a
presentation has been pulled from Black Hat and Defcon.
Final settlement reached in CVS HIPAA violation suit - CVS Caremark
must implement an information security program and obtain
assessments of its effectiveness every other year for 20 years to
settle federal charges that its employees threw out personal
information about patients into garbage bins.http://www.scmagazineus.com/Final-settlement-reached-in-CVS-HIPAA-violation-suit/article/139077/?DCMP=EMC-SCUS_Newswire
Titsup airport express lane biz may pawn flyer data - If the feds
Clear it - Defunct American airport security lane service Clear said
on Friday it may sell its sensitive customer data to a similar
provider if it's authorized to do so by the US government.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Defense-contract discs sold in African market for $40 - Northrop
Grumman and Pentagon data dumped - Dumped hard drives with US
defense data have turned up for open sale in a West African market.
A team of Canadian journalism students bought a hard drive
containing information on multi-million dollar contracts between
military contractor Northrop Grumman and the Pentagon for just $40
in a market near Accra, Ghana.
Abrupt closure of airport fast-lane program sparks concern over
customer data - Financial woes push Verified Identity Pass to cease
Clear program - A company that collected detailed personal
information including biometric data on 260,000 individuals as part
of a registered air traveler program it operated has abruptly gone
out of business, leaving many customers wondering about the safety
and privacy of their personal data.
Valuable computer swiped from Cornell - Machine has personal data of
45,000 people - Ithaca police are investigating the theft of a
Cornell University computer which the university said contained a
large amount of personal data - including files with names and
Social Security numbers of about 45,000 staff members, former staff
members, students and dependents.
FTP login credentials at major corporations breached - A trojan has
reportedly been uncovered that is harvesting FTP login data of major
corporations, including the Bank of America, BBC, Amazon, Cisco,
Monster.com, Symantec and McAfee.
Web Filtering Company Reports Cyber Attack To FBI - The U.S.-based
company that claims its programming code was unlawfully included in
China's Green Dam software reports being targeted by a cyber attack.
Solid Oak Software, the Santa Barbara, Calif.-based maker of Web
filtering software called CYBERsitter, on Friday contacted the FBI
to investigate a cyber attack on the company that appears to have
come from China.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for
outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems, databases
8. Data integrity of e-banking transactions, records, and
9. Establishment of clear audit trails for e-banking
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to ensure
availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be cover over the next few weeks,
as they relate to e-banking and the underlying risk management
principles that should be considered by banks to address these
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies, signature and heuristics. An IDS can target either
network traffic or a host. The signature-based methodology is
generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is that a
signature must exist for an alert to be generated. Attacks that
generate different signatures from what the institution includes in
its IDS will not be detected. This problem can be particularly acute
if the institution does not continually update its signatures to
reflect lessons learned from attacks on itself and others, as well
as developments in attack tool technologies. It can also pose
problems when the signatures only address known attacks, rather than
both known attacks and anomalous traffic. Another general weakness
is in the capacity of the IDS to read traffic. If the IDS falls
behind in reading network traffic, traffic may be allowed to bypass
the IDS. That traffic may contain attacks that would otherwise cause
the IDS to issue an alert.
Proper placement of network IDS is a strategic decision determined
by the information the institution is trying to obtain. Placement
outside the firewall will deliver IDS alarms related to all attacks,
even those that are blocked by the firewall. With this information,
an institution can develop a picture of potential adversaries and
their expertise based on the probes they issue against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
Return to the top of the
INTRUSION DETECTION AND RESPONSE
2. Determine if the IDSs identified as necessary in the risk
assessment process are properly installed and configured.
3. Determine whether an appropriate firewall ruleset and routing
controls are in place and updated as needs warrant.
! Identify personnel responsible for defining and setting
firewall rulesets and routing controls.
! Review procedures for updating and changing rulesets and
! Determine that appropriate filtering occurs for spoofed
addresses, both within the network and at external connections,
covering network entry and exit.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
14. Does the institution describe the following about its policies
and practices with respect to protecting the confidentiality and
security of nonpublic personal information:
a. who is authorized to have access to the information; and
b. whether security practices and policies are in place to ensure
the confidentiality of the information in accordance with the
institution's policy? [§6(c)(6)(ii)]
institution is not required to describe technical information about
the safeguards used in this respect.)