Yennik, Inc. has clients in 42 states that rely on our penetration
testing audits to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of FDIC, OCC, OTS,
FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act
501(b). The penetration audit and Internet security testing are an
affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit focuses on a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give R. Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
GAO - Agencies Continue to Report Progress, but Need to Mitigate
Persistent Weaknesses.
Release -
http://www.gao.gov/new.items/d09546.pdf
Highlights -
http://www.gao.gov/highlights/d09546high.pdf
FYI -
US websites buckle under sustained DDoS attacks - Websites belonging
to the federal government, regulatory agencies and private companies
have been struggling against sustained online attacks that began on
the Independence Day holiday, according to multiple published
reports.
http://www.theregister.co.uk/2009/07/08/federal_websites_ddosed/
http://gcn.com/Articles/2009/07/08/Cyberattacks-on-US-Korean-sites.aspx
FYI -
MasterCard halts remote POS security upgrades - Gartner says move
would slow migration to stronger encryption for payment systems - In
a purported second major security change in recent weeks, MasterCard
has decided to disallow merchants' use of remote key injection (RKI)
services to install new encryption keys on point-of-sale (POS)
systems, says a Gartner analyst.
http://www.computerworld.com/s/article/9135316/MasterCard_halts_remote_POS_security_upgrades?source=rss_security
FYI -
43pc of firms have no disaster recovery plans - Nearly half of
organisations in Ireland have no disaster recovery (DR) in place,
while a quarter store media in a location that is not fireproof, a
new study has revealed.
http://www.siliconrepublic.com/news/article/13397/cio/43pc-of-firms-have-no-disaster-recovery-plans
FYI -
GAO - Electronic Health Records: Program Office Improvements Needed
to Strengthen Management of VA and DOD Efforts to Achieve Full
Interoperability.
Release -
http://www.gao.gov/new.items/d09895t.pdf
Highlights -
http://www.gao.gov/highlights/d09895thigh.pdf
FYI -
France Creates New National IT Security Agency - The French Networks
and Information Security Agency (FNISA) will conduct a
round-the-clock watch on sensitive government networks in order to
detect and respond to cyberattacks.
http://www.pcworld.com/article/168135/france_creates_new_national_it_security_agency.html
FYI -
Congressman calls for 'cyber-reprisals' against North Korea - Modern
day General Ripper frets over phantom threat - A Republican
congressman has urged the US to unleash a retaliatory cyber-attack
against North Korea over DDoS attacks supposedly launched against US
and South Korean websites.
http://www.theregister.co.uk/2009/07/13/korean_ddos/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
LexisNexis warns of breach after alleged mafia bust - Information
broker LexisNexis has warned more than 13,000 consumers, saying that
a Florida man who is facing charges in an alleged mafia racketeering
conspiracy may have accessed some of the same sensitive consumer
databases that were once used to track terrorists.
http://www.computerworld.com/s/article/9135479/LexisNexis_warns_of_breach_after_alleged_mafia_bust?source=rss_security
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 1 of 2)
Vigilant management oversight is essential for the provision of
effective internal controls over e-banking activities. In addition
to the specific characteristics of the Internet distribution channel
discussed in the Introduction, the following aspects of e-banking
may pose a considerable challenge to traditional risk management
processes:
1) Major elements of the delivery channel (the Internet and related
technologies) are outside of the bank's direct control.
2) The Internet facilitates delivery of services across multiple
national jurisdictions, including those not currently served by the
institution through physical locations.
3) The complexity of issues that are associated with e-banking and
that involve highly technical language and concepts are in many
cases outside the traditional experience of the Board and senior
management.
In light of the unique characteristics of e-banking, new e-banking
projects that may have a significant impact on the bank's risk
profile and strategy should be reviewed by the Board of Directors
and senior management and undergo appropriate strategic and
cost/reward analysis. Without adequate up-front strategic review and
ongoing performance-to-plan assessments, banks are at risk of
underestimating the cost and/or overestimating the payback of their
e-banking initiatives.
In addition, the Board and senior management should ensure that the
bank does not enter into new e-banking businesses or adopt new
technologies unless it has the necessary expertise to provide
competent risk management oversight. Management and staff expertise
should be commensurate with the technical nature and complexity of
the bank's e-banking applications and underlying technologies.
Adequate expertise is essential regardless of whether the bank's
e-banking systems and services are managed in-house or outsourced to
third parties. Senior management oversight processes should operate
on a dynamic basis in order to effectively intervene and correct any
material e-banking systems problems or security breaches that may
occur. The increased reputational risk associated with e-banking
necessitates vigilant monitoring of systems operability and customer
satisfaction as well as appropriate incident reporting to the Board
and senior management.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 3 of 4)
Some network IDS units can automatically block the IP addresses
associated with certain signatures. Financial institutions that use
that capability run the risk of an attacker sending attack packets
whose source IP addresses are forged to appear to come from service
providers and others the institution needs to keep reachable, so that
the IDS itself creates a denial-of-service condition. To avoid this,
the institution may also maintain a list of IP addresses that the
IDS should never block.
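The following is an added illustration of that do-not-block list, not
code from the FFIEC booklet or from any IDS product. The address
ranges, signature names and alert records are constructed for the
example; a real deployment would load the protected ranges from the
institution's vendor and connectivity inventory.

```python
"""IDS auto-block decision with a do-not-block allowlist (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed: address ranges the institution must keep reachable
# (core processor, card network, upstream DNS resolver, and so on).
DO_NOT_BLOCK = [
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical service provider
    ipaddress.ip_network("203.0.113.10/32"),  # hypothetical upstream DNS
]

# Constructed signature names that are eligible for automatic blocking.
AUTO_BLOCK_SIGNATURES = {"SQLI-PROBE", "SCAN-SYN"}


@dataclass
class Alert:
    src_ip: str
    signature: str


def is_protected(ip: str) -> bool:
    """True if the address falls inside any do-not-block range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DO_NOT_BLOCK)


def decide(alert: Alert) -> Tuple[str, str]:
    """Return (action, reason); action is 'block' or 'alert-only'."""
    if alert.signature not in AUTO_BLOCK_SIGNATURES:
        return ("alert-only", "signature not eligible for auto-block")
    if is_protected(alert.src_ip):
        # A forged source inside a protected range must never be
        # blocked: doing so would cut the institution off from that
        # provider, which is exactly the denial of service the attacker
        # is after. Escalate for a human to check instead.
        return ("alert-only", "source in do-not-block list; possible spoof")
    return ("block", "auto-block signature from unprotected source")


def process(alerts: List[Alert]):
    """Apply decide() to an alert stream; return (blocked set, escalations)."""
    blocked: Set[str] = set()
    escalated = []
    for a in alerts:
        action, reason = decide(a)
        if action == "block":
            blocked.add(a.src_ip)
        else:
            escalated.append((a.src_ip, a.signature, reason))
    return blocked, escalated


# Constructed alert stream: one real attacker, two forged sources that
# impersonate protected infrastructure, one noisy but ineligible signature.
SAMPLE_ALERTS = [
    Alert("192.0.2.77", "SQLI-PROBE"),
    Alert("198.51.100.5", "SCAN-SYN"),
    Alert("203.0.113.10", "SQLI-PROBE"),
    Alert("192.0.2.78", "HTTP-404-BURST"),
]

if __name__ == "__main__":
    blocked, escalated = process(SAMPLE_ALERTS)
    print("blocked:", sorted(blocked))
    for src, sig, why in escalated:
        print(f"escalated {src} {sig}: {why}")
```

Only the unprotected attacker address is blocked; the two alerts whose
source sits in a protected range are escalated rather than acted on,
since the IDS cannot tell a spoofed packet from a real one by its
source address alone.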
Host-based IDS also use a signature-based method. One such method
creates a hash of key binaries and periodically compares a newly
generated hash against the original. Any mismatch signals a change to
the binary, a change that could be the result of an intrusion.
Successful operation of this method involves protecting the original
hashes from change or deletion, and protecting the host that performs
the comparison. If attackers can substitute a new hash for the
original, an attack may not be identified. Similarly, if an attacker
can alter the host performing the comparison so that it always reports
no change, an attack may not be identified.
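An added example of the hash-comparison method, written for this
newsletter and not taken from the FFIEC booklet or any integrity
checker. It addresses the first failure mode above by authenticating
the stored hash table with an HMAC: an attacker who edits a stored
hash to match a trojaned binary still trips the check. The "binaries"
are constructed files in a temporary directory and the key is a
constructed value.

```python
"""File-integrity baseline with an HMAC-protected hash table (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[Path], key: bytes) -> Dict:
    """Hash each file and authenticate the whole table with an HMAC so a
    change to any stored hash is detected along with changes to files."""
    entries = {str(p): file_digest(p) for p in sorted(paths)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(baseline: Dict, key: bytes) -> Dict:
    """Return {'baseline_ok': bool, 'changed': [...], 'missing': [...]}.
    If the baseline itself fails authentication nothing in it is trusted."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        return {"baseline_ok": False, "changed": [], "missing": []}
    changed, missing = [], []
    for name, digest in baseline["entries"].items():
        p = Path(name)
        if not p.exists():
            missing.append(name)
        elif not hmac.compare_digest(file_digest(p), digest):
            changed.append(name)
    return {"baseline_ok": True, "changed": changed, "missing": missing}


def demo():
    """Baseline two constructed 'binaries', then simulate (a) a modified
    binary and (b) an attacker rewriting the stored hash to hide it."""
    key = b"constructed-demo-key-store-off-host"
    with tempfile.TemporaryDirectory() as d:
        sshd = Path(d, "sshd")
        sshd.write_bytes(b"\x7fELF original sshd")
        ls = Path(d, "ls")
        ls.write_bytes(b"\x7fELF original ls")
        base = build_baseline([sshd, ls], key)
        clean = verify(base, key)

        sshd.write_bytes(b"\x7fELF trojaned sshd")   # (a) binary replaced
        after_change = verify(base, key)

        tampered = json.loads(json.dumps(base))       # (b) attacker edits table
        tampered["entries"][str(sshd)] = file_digest(sshd)
        after_tamper = verify(tampered, key)
        return clean, after_change, after_tamper


if __name__ == "__main__":
    for label, result in zip(("clean", "modified", "tampered"), demo()):
        print(label, result)
```

The HMAC key has to live wherever verify() runs, so this only helps if
that host is the protected comparison host the booklet describes (for
example a separate system that reads the monitored files over a
read-only channel), not the machine whose binaries are being checked.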
An additional host-based signature method monitors the application
program interfaces for unexpected or unwanted behavior, such as a
Web server calling a command line interface.
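As an added example of that behavioural check, not code from the
booklet: the observable used here is process-execution telemetry
(parent process and executed binary), which is how most host agents
expose the "web server spawned a shell" case in practice. The log
lines are constructed in a simple key=value form; a real feed would be
auditd, Sysmon or EDR events.

```python
"""Flag a web server process launching a command interpreter (added example)."""
import shlex
from os.path import basename
from typing import Dict, List

# Constructed parent names for common web servers and for interpreters a
# web server has no routine reason to start.
WEB_SERVERS = {"httpd", "apache2", "nginx", "w3wp.exe", "tomcat"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe",
                "perl", "python", "nc"}

# Constructed exec events: a normal CGI launch, a web shell dropping to sh,
# a legitimate cron-driven shell, and nginx starting perl from /tmp.
SAMPLE_LOG = """\
ts=2009-07-13T10:01:02Z type=exec ppid=1200 parent=httpd pid=1345 exe=/usr/bin/php argv='php-cgi index.php'
ts=2009-07-13T10:01:05Z type=exec ppid=1200 parent=httpd pid=1350 exe=/bin/sh argv='sh -c "id; cat /etc/passwd"'
ts=2009-07-13T10:02:00Z type=exec ppid=1 parent=cron pid=1400 exe=/bin/sh argv='sh /etc/cron.daily/logrotate'
ts=2009-07-13T10:03:10Z type=exec ppid=1201 parent=nginx pid=1422 exe=/usr/bin/perl argv='perl /tmp/.x.pl'
"""


def parse(line: str) -> Dict[str, str]:
    """Split a key=value line, honouring quoted values such as argv."""
    fields = {}
    for tok in shlex.split(line):
        k, _, v = tok.partition("=")
        fields[k] = v
    return fields


def detect(log_text: str) -> List[Dict]:
    """Return one finding per exec event where a web server parent
    started a command interpreter."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev.get("type") != "exec":
            continue
        if ev["parent"] in WEB_SERVERS and basename(ev["exe"]) in INTERPRETERS:
            findings.append({"ts": ev["ts"], "parent": ev["parent"],
                             "pid": int(ev["pid"]), "argv": ev["argv"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['parent']} (pid {f['pid']}) ran: {f['argv']}")
```

The cron-driven shell is not flagged because the rule keys on the
parent, not on the interpreter alone; the php-cgi launch is not
flagged because php is on neither list. Tune both sets to the
institution's own build, since a site that legitimately runs
server-side scripts through a shell will need an exception for that
specific argv.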
Attackers can defeat host-based IDS systems using loadable kernel
modules, or LKMs. An LKM is software that attaches itself to the
operating system kernel. From there, it can redirect and alter
communications and processing. With the proper LKM, an attacker can
force a comparison of hashes to always report a match and return
the same cryptographic fingerprint of a file even after the file
was altered. LKMs can also hide the use of the application
program interfaces. Detection of LKMs is extremely difficult and is
typically done through another LKM.
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
7. Determine if appropriate detection capabilities exist related to:
- System resource usage and anomalies,
- Active host and network intrusion detection systems,
- User related anomalies,
- Operating and tool configuration anomalies,
- File and data integrity problems, and
- Vulnerability testing.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice
according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available
upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the
notice? [§6(d)(2)(iii)]
(Note: the institution is not required to deliver the full
privacy notice with the short-form initial notice. [§6(d)(3)])