The Information Security and Risk Management Conference
is being held September 28-30, 2009 in Las Vegas, Nevada. This
is a great conference that I highly recommend. For more
information and to register, please go to
HSBC firms fined over £3m for information security failings - The
Financial Services Authority (FSA) has fined three HSBC firms over
£3 million for not having adequate systems and controls in place to
protect their customers' confidential details from being lost or
stolen. These failings contributed to customer data being lost in
the post on two occasions.
Strained budgets cause severe security cutbacks - Due to strained
budgets, some IT departments are cutting funding for technologies
that could help mitigate threats they are most concerned about,
according to a survey from RSA Conference, released Wednesday.
GAO - Electronic Health Records - DOD and VA Efforts to Achieve Full
Interoperability Are Ongoing; Program Office Management Needs
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Network Solutions was PCI compliant before breach - Web hosting firm
Network Solutions on Friday announced that, despite its being PCI
compliant, a breach had compromised approximately 573,928
individuals' credit card information.
MOD Admits Losing An Entire Server - During 2008, the UK Ministry of
Defence admits it lost an entire server from a secure building - as
well as 1.7m individuals' personal data.
Clampi Trojan stealing online bank data from consumers and
businesses - Hundreds of thousands of Windows computers are believed
to be infected with a Trojan called "Clampi" that has been stealing
banking and other log-in credentials from compromised PCs since
2007, a security researcher said on the eve of the Black Hat
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle
2: The Board of Directors and senior management should review and
approve the key aspects of the bank's security control process.
The Board of Directors and senior management should oversee
the development and continued maintenance of a security control
infrastructure that properly safeguards e-banking systems and data
from both internal and external threats. This should include
establishing appropriate authorization privileges, logical and
physical access controls, and adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary duties
and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to prevent
unauthorized internal and external access to e-banking applications
4) Regular review and testing of security measures and
controls, including the continuous tracking of current industry
security developments and installation of appropriate software
upgrades, service packs and other required measures.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
A honeypot is a network device that the institution uses
to attract attackers to a harmless and monitored area of the
network. Honeypots have three key advantages over network
and host IDS systems. Since the honeypot's only function is
to be attacked, any network traffic to or from the honeypot
potentially signals an intrusion. Monitoring that traffic is
simpler than monitoring all traffic passing a network IDS.
Honeypots also collect very little data, and all of that
data is highly relevant. Network IDS systems gather vast
amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack.
Finally, unlike IDS, a honeypot does not pass packets
without inspection when under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective
unless they are attacked. Consequently, organizations that
use honeypots for detection usually make the honeypot look
attractive to an attacker. Attractiveness may be in the name
of the device, its apparent capabilities, or in its
connectivity. Since honeypots are ineffective unless they
are attacked, they are typically used to supplement other
intrusion detection capabilities.
Honeypots also introduce the risk of being compromised
without triggering an alarm, then becoming staging grounds
for attacks on other devices. The level of risk is dependent
on the degree of monitoring, capabilities of the honeypot,
and its connectivity. For instance, a honeypot that is not
rigorously monitored, that has excellent connectivity to the
rest of the institution's network, and that has varied and
easy - to - compromise services presents a high risk to the
confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a
honeypot that is rigorously monitored and whose sole
capability is to log connections and issue bogus responses
to the attacker, while signaling outside the system to the
administrator, demonstrates much lower risk.
the top of the newsletter
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
9. Evaluate the selection of systems to monitor and
objectives for monitoring.
10. Determine whether the data and data streams to monitor
are established and consistent with the risk assessment.
11. Determine whether users are appropriately notified
regarding security monitoring.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]