Spending less than 5 minutes a week, along with a cup of coffee,
you can monitor your IT security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Sony insurer says it's not liable for costs of data breach - Sues
game maker for saying otherwise - Sony has been sued by its
insurance company, which says the policy it issued doesn't cover a
series of high-profile security breaches that exposed personal
information associated with more than 100 million accounts.
http://www.theregister.co.uk/2011/07/22/sony_breach_insurance/
FYI
- Alleged Laval botnet creator arrested in Canada - The alleged author
of the Laval botnet has been arrested by police in Canada. It is
thought that the 24-year-old programmed the malware himself and then
infected servers in Canada, the US and beyond, creating a vast
network of zombie PCs.
http://www.infosecurity-magazine.com/view/19574/alleged-laval-botnet-creator-arrested-in-canada/
FYI
- Federal auditors scold IRS for slow notification of security
breaches - The Obama administration is compelling private businesses
to adopt new standards to protect themselves and the consumers they
serve from hackers and cybertheft. Now federal auditors are scolding
the government for not protecting consumers from itself.
http://www.washingtonpost.com/local/dc-politics/auditors-scold-irs-over-cybersecurity-issues/2011/07/19/gIQAWEOgOI_story.html
FYI
- GAO - Continued Attention Needed to Protect Our Nation's Critical
Infrastructure
Release -
http://www.gao.gov/products/GAO-11-865T
Highlights -
http://www.gao.gov/highlights/d11865thigh.pdf
FYI
- GAO - Data Center Consolidation: Agencies Need to Complete
Inventories and Plans to Achieve Expected Savings
Release -
http://www.gao.gov/products/GAO-11-565
Highlights -
http://www.gao.gov/highlights/d11565high.pdf
FYI
- Calif. Co. Sues Bank Over $465k eBanking Heist - A California real
estate escrow company that lost more than $465,000 in an online
banking heist last year is suing its former financial institution,
alleging that the bank was negligent and that it failed to live up
to the terms of its own online banking contract.
http://krebsonsecurity.com/2011/07/calif-co-sues-bank-over-465k-ebanking-heist/
FYI
- Maryland Governor Martin O'Malley Recognizes Winners of U.S. Cyber
Challenge National Cyber Foundations Competition - Top Winner
Receives General Dynamics Cyber Scholarship - Maryland Governor
Martin O'Malley and the U.S. Cyber Challenge announced today the
state's winners of the 2011 Spring Cyber Foundations National
Competition.
http://www.benzinga.com/pressreleases/11/07/p1803362/maryland-governor-martin-omalley-recognizes-winners-of-u-s-cyber-challe
FYI
- US-CERT Director Leaves Abruptly - The director of the agency that
protects the federal government from cyber attacks has resigned
abruptly in the wake of a spate of hacks against government
networks.
http://www.informationweek.com/news/government/leadership/231002548
FYI
- Florida reportedly sells drivers' info for $63M - The state made
$63 million in 2010 selling drivers' names, addresses, dates of
birth and what cars they own to employers, insurance companies and
similar personal data collectors.
http://www.cbsnews.com/stories/2011/07/21/national/main20081394.shtml
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Attack On Pacific Northwest National Lab Started At Public Web
Servers - Zero-day Flash payload infected visitors to lab's
public-facing Web servers - The cyberattack discovered at Pacific
Northwest National Laboratory (PNNL) during the Fourth of July
holiday weekend used a combination of a Web server vulnerability and
a payload that delivered a zero-day Adobe Flash attack, according to
officials at the Department of Energy-contracted facility.
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231002231/attack-on-pacific-northwest-national-lab-started-at-public-web-servers.htmldark
FYI
- Feds Charge Activist as Hacker for Downloading Millions of Academic
Articles - A well-known coder and activist was arrested Tuesday,
charged with violating federal hacking laws for downloading millions
of academic articles from a subscription database service that MIT
had given him access to via a guest account. If convicted, he faces
up to 35 years in prison and a $1 million fine.
http://www.wired.com/threatlevel/2011/07/swartz-arrest/
FYI
- Pfizer latest corporate victim in hacktivist attacks - The Facebook
page for Pfizer has returned online after it was compromised by
hackers who posted remarks disparaging the pharmaceutical giant.
http://www.scmagazineus.com/pfizer-latest-corporate-victim-in-hacktivist-attacks/article/208023/?DCMP=EMC-SCUS_Newswire
FYI
- China-Based Spies Said to Be Behind Hacking of IMF Computers -
Investigators probing the recent ransacking of International
Monetary Fund computers have concluded the attack was carried out by
cyber spies connected to China, according to two people close to the
investigation.
http://www.bloomberg.com/news/2011-07-21/spies-connected-to-china-said-to-have-carried-out-hacking-of-imf-computers.html
FYI
- Hacker Sentenced In Virginia to 10 Years In Prison For Stealing
675,000 Credit Card Numbers Leading To $36 Million In Losses - A
hacker was sentenced today to 120 months in prison by U.S. District
Judge Anthony J. Trenga in Alexandria, Va., for trafficking in
counterfeit credit cards and aggravated identity theft.
http://www.darkreading.com/security/client-security/231002456/hacker-sentenced-in-virginia-to-10-years-in-prison-for-stealing-675-000-credit-card-numbers-leading-to-36-million-in-losses.html
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website content is
dynamic, and third parties may change the presentation or content of
a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
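As an added illustration (not part of the FFIEC statement or this newsletter), the periodic link test described above can be automated: each approved third-party link is checked for reachability and its content compared against the hash recorded at the last review, so a broken link or a changed page is flagged for human follow-up. The URLs, baseline hashes and fetch results below are constructed so the check runs offline; a real run would swap in an HTTP client.

```python
import hashlib


def _h(text: str) -> str:
    """SHA-256 of page content, used as the 'last reviewed' fingerprint."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed baseline of approved links: URL -> content hash at last review.
BASELINE = {
    "https://partner.example/insurance": _h("<html>Approved insurance offer</html>"),
    "https://vendor.example/calculator": _h("<html>Mortgage calculator v2</html>"),
    "https://old.example/promo": _h("<html>Seasonal promo</html>"),
}

# Constructed fetch results standing in for a real HTTP client:
# URL -> (status code, body). The calculator page changed; the promo is gone.
FAKE_RESPONSES = {
    "https://partner.example/insurance": (200, "<html>Approved insurance offer</html>"),
    "https://vendor.example/calculator": (200, "<html>Mortgage calculator v3 + ads</html>"),
    "https://old.example/promo": (404, ""),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (0, ""))


def review_links(baseline, fetch):
    """Return {url: (state, detail)} with state in 'ok', 'broken', 'changed'.

    A changed hash is not itself a violation; it is the trigger for the
    content review the statement calls for. A broken link is an immediate
    customer-facing problem.
    """
    findings = {}
    for url, expected in baseline.items():
        status, body = fetch(url)
        if status != 200:
            findings[url] = ("broken", status)
        elif _h(body) != expected:
            findings[url] = ("changed", _h(body)[:12])
        else:
            findings[url] = ("ok", None)
    return findings


def needs_attention(findings):
    """URLs that require follow-up, sorted for a stable report."""
    return sorted(u for u, (state, _) in findings.items() if state != "ok")


if __name__ == "__main__":
    for url, (state, detail) in review_links(BASELINE, fake_fetch).items():
        print(f"{state:8} {url} {detail or ''}")
```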
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC card for the corporate
network or a subnet. Firewalls, proxy servers, and gateway servers
are typically dual-homed with two NIC cards that allow them to
communicate securely both internally and externally while limiting
access to the internal network.
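As an added example (not from the FFIEC booklet or this newsletter), the periodic network equipment audit described above can be expressed as a reconciliation of what was discovered on the network against the authorized inventory: devices not in the inventory, inventoried devices that were not seen, devices that moved, and devices running firmware below the maintained baseline. All MAC addresses, IPs and version strings are constructed, and the discovery list stands in for the output of an ARP or LLDP sweep.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    kind: str       # router / switch / dns / unknown
    firmware: str   # version string as reported by the device


# Constructed authorized inventory, keyed by MAC (hypothetical addresses).
AUTHORIZED = {
    "00:11:22:33:44:01": Device("00:11:22:33:44:01", "10.0.0.1", "router", "15.2"),
    "00:11:22:33:44:02": Device("00:11:22:33:44:02", "10.0.0.2", "switch", "15.2"),
    "00:11:22:33:44:03": Device("00:11:22:33:44:03", "10.0.0.53", "dns", "9.16"),
}

# Constructed discovery results (what an ARP/LLDP sweep actually found).
DISCOVERED = [
    Device("00:11:22:33:44:01", "10.0.0.1", "router", "15.2"),
    Device("00:11:22:33:44:02", "10.0.0.7", "switch", "15.0"),  # moved, old firmware
    Device("aa:bb:cc:dd:ee:ff", "10.0.0.99", "unknown", "?"),   # not in inventory
]

# Minimum maintained firmware per device class (constructed baseline).
MIN_FIRMWARE = {"router": "15.2", "switch": "15.2", "dns": "9.16"}


def _ver(v: str) -> tuple:
    """Dotted version string -> comparable tuple; unparseable -> empty tuple."""
    try:
        return tuple(int(p) for p in v.split("."))
    except ValueError:
        return ()


def audit(authorized, discovered, min_fw):
    """Return sorted (finding, mac, detail) tuples for the auditor's report."""
    seen = {d.mac: d for d in discovered}
    findings = []
    for mac, d in seen.items():
        ref = authorized.get(mac)
        if ref is None:
            findings.append(("unauthorized", mac, d.ip))
            continue
        if d.ip != ref.ip:
            findings.append(("moved", mac, f"{ref.ip}->{d.ip}"))
        if _ver(d.firmware) < _ver(min_fw.get(d.kind, "0")):
            findings.append(("outdated", mac, d.firmware))
    for mac in authorized.keys() - seen.keys():
        findings.append(("missing", mac, authorized[mac].ip))
    return sorted(findings)
```

Unauthorized and missing devices are the findings that matter most here; a "missing" router or switch may simply be powered off, but it may also have been replaced by something the institution does not control.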
INTERNET PRIVACY - With this
issue, we begin our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
agencies.
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act
governs the treatment of nonpublic personal information about
consumers by financial institutions. Section 502 of the Subtitle,
subject to certain exceptions, prohibits a financial institution
from disclosing nonpublic personal information about a consumer to
nonaffiliated third parties, unless the institution satisfies
various notice and opt-out requirements, and provided that the
consumer has not elected to opt out of the disclosure. Section 503
requires the institution to provide notice of its privacy policies
and practices to its customers. Section 504 authorizes the issuance
of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
summarized below.
1) A financial institution must provide a notice of its privacy
policies, and allow the consumer to opt out of the disclosure of the
consumer's nonpublic personal information, to a nonaffiliated third
party if the disclosure is outside of the exceptions in sections 13,
14 or 15 of the regulations.
2) Regardless of whether a financial institution shares nonpublic
personal information, the institution must provide notices of its
privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
purposes.
4) A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it receives from a
nonaffiliated financial institution.