Houston Computer Administrator Sentenced to Two Years in Prison for
Hacking Former Employer's Computer Network - The former director of
information technology for a non-profit organ and tissue donation
center was sentenced today to two years in prison for hacking into
her former employer's computer network.
High spam response powers junk mail economy - Lunkhead junk mail
buyers come clean - Almost a third of consumers admit responding to
messages that might be spam emails. Some acted out of curiosity or
by mistake but a puzzling 96 from a sample of 800 (12 per cent) said
they clicked because they interested in the product or service
advertised in junk mail messages.
Cops swoop on e-crime gangs after banks pool intelligence - Early
success for new task force - Two London-based cybercrime gangs have
been busted, following an agreement by banks and credit card
companies to share intelligence on network attacks and malware.
Companies offer to pay breach fines - Two credit-card payment
processors are offering to cover merchants' fines and penalties in
the event of a data breach.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Intellectual property belonging to Twitter exposed in hack - Twitter
on Thursday revealed that a hacker who figured out the personal
email password of a company employee was able to steal a number of
sensitive internal documents.
Irish ISP downed by DDoS - Eircom drop blamed on hack - Ireland's
largest internet service provider Eircom is blaming hackers for its
second bout of recent downtime.
Irish ISP Eircom hit by multiple attacks that restrict service for
users - The Irish ISP is experiencing an unprecedented volume of
traffic that officials believe is multiple DNS poisoning attacks.
Webcams, printers, gizmos - the untold net threats - Ghost in the
machine - Forget mis-configured Apache servers and
vulnerability-laden Adobe applications. The biggest security threats
to business and home networks may be the avalanche of webcams,
printers, and other devices that ship with embedded web interfaces
that can easily be turned against their masters.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 2 of 2)
Finally, the Board and senior management should ensure that
its risk management processes for its e-banking activities are
integrated into the bank's overall risk management approach. The
bank's existing risk management policies and processes should be
evaluated to ensure that they are robust enough to cover the new
risks posed by current or planned e-banking activities. Additional
risk management oversight steps that the Board and senior management
should consider taking include:
1) Clearly establishing the banking organization's risk appetite in
relation to e-banking.
2) Establishing key delegations and reporting mechanisms, including
the necessary escalation procedures for incidents that impact the
bank's safety, soundness or reputation (e.g. networks penetration,
employee security infractions and any serious misuse of computer
3) Addressing any unique risk factors associated with ensuring the
security, integrity and availability of e-banking products and
services, and requiring that third parties to whom the banks has
outsourced key systems or applications take similar measures.
4) Ensuring that appropriate due diligence and risk analysis are
performed before the bank conducts cross-border e-banking
The Internet greatly facilitates a bank's ability to distribute
products and services over virtually unlimited geographic territory,
including across national borders. Such cross-border e-banking
activity, particularly if conducted without any existing licensed
physical presence in the "host country," potentially
subjects banks to increased legal, regulatory and country risk due
to the substantial differences that may exist between jurisdictions
with respect to bank licensing, supervision and customer protection
requirements. Because of the need to avoid inadvertent
non-compliance with a foreign country's laws or regulations, as well
as to manage relevant country risk factors, banks contemplating
cross-border e-banking operations need to fully explore these risks
before undertaking such operations and effectively manage them.
Depending on the scope and complexity of e-banking activities, the
scope and structure of risk management programs will vary across
banking organizations. Resources required to oversee e-banking
services should be commensurate with the transactional functionality
and criticality of systems, the vulnerability of networks and the
sensitivity of information being transmitted.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. LKMs, however, can defeat these host-based IDS units.
Host-based intrusion detection systems are recommended by the NIST
for all mission-critical systems, even those that should not allow
The heuristic, or behavior, method creates a statistical profile of
normal activity on the host or network. Boundaries for activity are
established based on that profile. When current activity exceeds the
boundaries, an alert is generated. Weaknesses in this system involve
the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in false
positives (alerts where no attack exists), and false negatives (no
alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
the top of the newsletter
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
8. Determine whether an incident response team:
! Contains appropriate membership,
! Is available at all times,
! Has appropriate training to investigate and report findings,
! Has access to back-up data and systems, an inventory of all
approved hardware and software, and monitored access to systems (as
! Has appropriate authority and timely access to decision
makers for actions that require higher approvals.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the
short-form initial notice with a reasonable means of obtaining the
longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to
request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the
institution's office, having copies available to provide immediately
by hand-delivery? [§6(d)(4)(ii)]