R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

July 17, 2011

CONTENTS: Internet Compliance | Information Systems Security | IT Security | Internet Privacy | Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Police raid Italian branch of Anonymous - Italian police have reported 15 suspected members of the Italian branch of the Anonymous hacker group to the judiciary for investigation on charges of illegally accessing IT systems, damaging IT systems and interrupting a public service, Italian media reported. http://www.computerworld.com/s/article/9218212/Police_raid_Italian_branch_of_Anonymous?taxonomyId=82

FYI - Feds cuff programmer in alleged trading-ware theft - Feds say the Chinese-born Chicago coder had a flight booked; the 49-year-old Chinese-born American has been charged with stealing proprietary software code. http://www.theregister.co.uk/2011/07/07/chinese_espionage_arrest/

FYI - ICO reports that private sector was responsible for a third of data breaches, yet most businesses refuse an audit - According to the Information Commissioner Christopher Graham, of the 603 data security breaches reported to the ICO in 2010/11, 186 occurred in the private sector, yet only 19 per cent of businesses contacted by the ICO accepted a free data protection audit. http://www.scmagazineuk.com/ico-reports-that-private-sector-was-responsible-for-a-third-of-data-breaches-yet-most-businesses-refuse-an-audit/article/207158/

FYI - We can force you to decrypt that laptop - The Colorado prosecution of a woman accused of a mortgage scam will test whether the government can punish you for refusing to disclose your encryption passphrase. http://news.cnet.com/8301-31921_3-20078312-281/doj-we-can-force-you-to-decrypt-that-laptop/

FYI - Tabloid phone hacking scandal spreads, former Cameron aide arrested - The News of the World phone hacking scandal has already destroyed the newspaper and could cost 200 jobs. Now, an ex-editor and senior aide to Prime Minister David Cameron is under arrest. http://www.csmonitor.com/World/Europe/2011/0708/Tabloid-phone-hacking-scandal-spreads-former-Cameron-aide-arrested

FYI - Contractors resist DoD's tougher info rules - The Pentagon is proposing to keep under wraps all unclassified information shared between contractors and the Defense Department except that which is expressly released to the public. http://www.federaltimes.com/article/20110710/ACQUISITION03/107100303/

FYI - Police officers and staff breach Data Protection Act - More than 900 UK police officers and staff were being subjected to internal disciplinary procedures for breaching the Data Protection Act (DPA) over a three year period. http://www.scmagazineuk.com/police-officers-and-staff-breach-data-protection-act/article/207002/

FYI - UCLA Medical Center agrees to settle HIPAA violation charges for $865K - Computerworld - After years of being accused of doing little to enforce Health Insurance Portability and Accountability Act's security and privacy rules, the U.S. Department of Health and Human Services appears to be finally getting serious about cracking down on offenders. http://www.computerworld.com/s/article/9218257/UCLA_Medical_Center_agrees_to_settle_HIPAA_violation_charges_for_865K?taxonomyId=203

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - 'Sophisticated' attack targets two Energy Dept. labs - The Web sites of the Energy Department's Pacific Northwest National Lab and Jefferson National Lab were down today in the aftermath of "sophisticated" attacks, a spokesman at one of the labs told CNET. http://news.cnet.com/8301-27080_3-20077268-245/sophisticated-attack-targets-two-energy-dept-labs/?tag=mncol;title

FYI - WellPoint Settles Over Data Breach - Indiana to Receive $100,000 for Restitution - Health insurer WellPoint Inc. has reached a settlement with the Indiana Attorney General's office over a delayed notification about a consumer data breach that affected the records of 32,051 people. http://www.govinfosecurity.com/articles.php?art_id=3824&search_keyword=wellpoint&search_method=exact

FYI - Washington Post reports data breach on job ads section - The Washington Post has alerted job seekers who use its employment pages of a data breach that compromised up to 1.27 million accounts. http://www.computerworld.com/s/article/9218230/Washington_Post_reports_data_breach_on_job_ads_section?taxonomyId=17

FYI - Morgan Stanley client data goes missing - The personal information of tens of thousands of Morgan Stanley Smith Barney investment clients has gone missing. http://www.scmagazineus.com/morgan-stanley-client-data-goes-missing/article/207035/?DCMP=EMC-SCUS_Newswire

FYI - Colorado agency loses medical aid applicants' data - A computer disk containing the personal information of thousands of medical aid applications has gone missing from the Colorado Department of Health Care Policy and Financing. http://www.scmagazineus.com/colorado-agency-loses-medical-aid-applicants-data/article/206945/?DCMP=EMC-SCUS_Newswire

FYI - Hackers steal 1.27M email addresses from Washington Post site - Hackers broke into The Washington Post's jobs website late last month and stole approximately 1.27 million user IDs and email addresses, the newspaper disclosed Thursday. http://www.scmagazineus.com/hackers-steal-127m-email-addresses-from-washington-post-site/article/207024/?DCMP=EMC-SCUS_Newswire

FYI - Hackers claim they exposed Booz Allen Hamilton data - Hackers flying the AntiSec banner claimed today that they compromised a server at consulting firm Booz Allen Hamilton and have released internal data, including about 90,000 military e-mail addresses. http://news.cnet.com/8301-27080_3-20078498-245/hackers-claim-they-exposed-booz-allen-hamilton-data/ 


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 7 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships


Agreements

If a financial institution receives compensation from a third party as the result of a weblink to the third party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:

1)  dissatisfied purchasers of third-party products or services;

2)  patent or trademark holders for infringement by the third party; and

3)  persons alleging the unauthorized release or compromise of their confidential information as a result of the third party's conduct.

The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.

In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.

Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations.  For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

TCP/IP Packets

TCP/IP is a packet-based communications system. A packet consists of a header and a data payload. The header is analogous to a mail envelope, carrying the information necessary for delivery and the return address; the data payload is the content of the envelope. The IP packet header contains the address of the sender (source address), the address of the intended recipient (destination address), and other information useful in handling the packet.

Under IP, addresses are unique numbers known as IP addresses, and each machine on an IP network is identified by one. Most IP addresses are publicly routable. Some ranges, however, are reserved for use in internal networks (the RFC 1918 private ranges): 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255. Because those internal addresses are not routable from outside the internal network, a gateway device translates between an external IP address and the internal address. The device that performs this translation is called a network address translation (NAT) device.

Other IP packet header fields include the protocol field, which identifies the protocol carried in the payload (e.g., 1 = ICMP, 6 = TCP, 17 = UDP), flags that indicate whether routers are allowed to fragment the packet, and other information.

If the IP header's protocol field indicates TCP, a TCP header immediately follows the IP header. The TCP header contains the source and destination ports, the sequence number, the acknowledgment number, and other information. The sequence number counts the bytes in the stream, so the receiver can put segments back in order and, together with the acknowledgment number, confirm that every segment in the transmission was received.

Information in headers can be spoofed, that is, deliberately constructed to contain misleading information. For instance, the source address can be set to an IP address other than the true source, and the protocol field can claim a protocol other than the one actually carried. In the former case the attacker hides the true attacking IP and can cause the financial institution to attribute the attack to a different IP and take action against that innocent address. Blocking decisions should therefore never rest on a source address alone, and the border router or firewall should drop packets arriving on the external interface that carry an internal (RFC 1918) or institution-owned source address, since such packets cannot legitimately originate outside (ingress filtering, RFC 2827 / BCP 38). In the latter case the attacker crafts the packet so that a filter which looks only at the protocol field passes traffic it would otherwise block; a stateful firewall that parses and validates the full header, rather than a simple packet filter, is the defense.
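As an added example, not code from the FFIEC booklet or this newsletter, the following Python decodes the IPv4 and TCP header fields described above from raw bytes, verifies the IPv4 header checksum, and applies the ingress-filtering check that defeats the source-address spoofing discussed in the preceding paragraph. The packets, the addresses, and the institution's public range (203.0.113.0/24) are constructed for illustration and are assumptions, not values from the page.

```python
"""Decode IPv4/TCP headers, verify the IPv4 checksum, and apply a BCP 38 style
ingress anti-spoofing check. Added example; all packets and addresses below are
constructed for illustration."""
import ipaddress
import struct

# RFC 1918 private ranges (the internal address blocks listed in the text)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed public range owned by the institution (RFC 5737 documentation prefix)
OWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# IANA protocol numbers carried in the IPv4 protocol field
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header (the 'envelope') and, when protocol == 6, the TCP header after it."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    hdr = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, "other"),
        "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),  # DF: routers may not fragment
        "more_fragments": bool(flags_frag & 0x2000),  # MF: more fragments follow
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "total_len": total_len,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }
    if proto == 6 and len(pkt) >= ihl + 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
        hdr["tcp"] = {
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "data_offset": (off_flags >> 12) * 4,
            "flags": {n: bool(off_flags & b) for n, b in
                      (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("ACK", 0x10))},
        }
    return hdr


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, seq: int, df: bool = True) -> bytes:
    """Construct a minimal IPv4 + TCP SYN (no payload) with a correct IPv4 header checksum."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the checksum field
    return ip + tcp


def ingress_verdict(hdr: dict, arrived_on_external: bool, own_nets=OWN_NETS) -> str:
    """Ingress (anti-spoofing) filter: a packet entering from the Internet must not claim
    a source address that belongs inside (RFC 1918 or the institution's own range)."""
    if not hdr["checksum_ok"]:
        return "drop: bad IPv4 header checksum"
    src = ipaddress.ip_address(hdr["src"])
    if arrived_on_external and any(src in n for n in PRIVATE_NETS + list(own_nets)):
        return "drop: spoofed internal/own source address on external interface"
    return "accept"


# Constructed samples: a SYN from a public address, and one claiming a 10/8 source.
LEGIT = build_ipv4_tcp("198.51.100.7", "203.0.113.10", 40000, 443, 12345)
SPOOFED = build_ipv4_tcp("10.1.2.3", "203.0.113.10", 40001, 443, 99999)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed", SPOOFED)):
        h = parse_ipv4(pkt)
        print(name, h["src"], "->", h["dst"], h["protocol_name"], h["tcp"]["dport"], ingress_verdict(h, True))
```

Run stand-alone, the script prints an accept verdict for the legitimate SYN and a drop for the packet claiming a 10.1.2.3 source on the external interface. In production this check belongs on the border router or firewall (for example as unicast reverse path forwarding), not in application code; the point of the example is to show which header fields the decision reads and why a decision based only on the source address is not evidence of where a packet came from.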

 


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

49.  If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:

a.  required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [14(b)(1)] or

b.  required, or is a usual, appropriate, or acceptable method to: [14(b)(2)]

  1.  carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [14(b)(2)(i)]
  2.  administer or service benefits or claims; [14(b)(2)(ii)]
  3.  confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [14(b)(2)(iii)]
  4.  accrue or recognize incentives or bonuses; [14(b)(2)(iv)]
  5.  underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [14(b)(2)(v)] or
  6.  in connection with:
      i.  the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [14(b)(2)(vi)(A)]
      ii.  the transfer of receivables, accounts or interests therein; [14(b)(2)(vi)(B)] or
      iii.  the audit of debit, credit, or other payment information? [14(b)(2)(vi)(C)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated