REMINDER -
The Information Security and Risk Management Conference
is being held September 28-30, 2009 in Las Vegas, Nevada. This
is a great conference that I highly recommend. For more
information and to register, please go to
http://www.isaca.org/isrmc.
FYI -
HSBC firms fined over £3m for information security failings - The
Financial Services Authority (FSA) has fined three HSBC firms over
£3 million for not having adequate systems and controls in place to
protect their customers' confidential details from being lost or
stolen. These failings contributed to customer data being lost in
the post on two occasions.
http://www.fsa.gov.uk/pages/Library/Communication/PR/2009/099.shtml
FYI -
Strained budgets cause severe security cutbacks - Due to strained
budgets, some IT departments are cutting funding for technologies
that could help mitigate threats they are most concerned about,
according to a survey from RSA Conference, released Wednesday.
http://www.scmagazineus.com/Strained-budgets-cause-severe-security-cutbacks/article/140654/?DCMP=EMC-SCUS_Newswire
FYI -
GAO - Electronic Health Records - DOD and VA Efforts to Achieve Full
Interoperability Are Ongoing; Program Office Management Needs
Improvement.
Release -
http://www.gao.gov/new.items/d09775.pdf
Highlights -
http://www.gao.gov/highlights/d09775high.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Network Solutions was PCI compliant before breach - Web hosting firm
Network Solutions on Friday announced that, despite its being PCI
compliant, a breach had compromised approximately 573,928
individuals' credit card information.
http://www.scmagazineus.com/Network-Solutions-was-PCI-compliant-before-breach/article/140642/?DCMP=EMC-SCUS_Newswire
http://news.cnet.com/8301-27080_3-10296817-245.html
FYI -
MOD Admits Losing An Entire Server - The UK Ministry of Defence has
admitted that during 2008 it lost an entire server from a secure
building, along with 1.7m individuals' personal data.
http://www.eweekeurope.co.uk/news/mod-admits-losing-an-entire-server-1432
FYI -
Clampi Trojan stealing online bank data from consumers and
businesses - Hundreds of thousands of Windows computers are believed
to be infected with a Trojan called "Clampi" that has been stealing
banking and other log-in credentials from compromised PCs since
2007, a security researcher said on the eve of the Black Hat
security conference.
http://news.cnet.com/8301-27080_3-10298233-245.html
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 2: The Board of Directors
and senior management should review and approve the key aspects of
the bank's security control process.
The Board of Directors and senior management should oversee
the development and continued maintenance of a security control
infrastructure that properly safeguards e-banking systems and data
from both internal and external threats. This should include
establishing appropriate authorization privileges, logical and
physical access controls, and adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary duties
and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
technology.
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
policies.
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to prevent
unauthorized internal and external access to e-banking applications
and databases.
4) Regular review and testing of security measures and
controls, including the continuous tracking of current industry
security developments and installation of appropriate software
upgrades, service packs and other required measures.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
Honeypots
A honeypot is a network device that the institution uses
to attract attackers to a harmless and monitored area of the
network. Honeypots have three key advantages over network
and host IDS systems. Since the honeypot's only function is
to be attacked, any network traffic to or from the honeypot
potentially signals an intrusion. Monitoring that traffic is
simpler than monitoring all traffic passing a network IDS.
Honeypots also collect very little data, and all of that
data is highly relevant. Network IDS systems gather vast
amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack.
Finally, unlike IDS, a honeypot does not pass packets
without inspection when under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective
unless they are attacked. Consequently, organizations that
use honeypots for detection usually make the honeypot look
attractive to an attacker. Attractiveness may be in the name
of the device, its apparent capabilities, or in its
connectivity. Since honeypots are ineffective unless they
are attacked, they are typically used to supplement other
intrusion detection capabilities.
Honeypots also introduce the risk of being compromised
without triggering an alarm, then becoming staging grounds
for attacks on other devices. The level of risk is dependent
on the degree of monitoring, capabilities of the honeypot,
and its connectivity. For instance, a honeypot that is not
rigorously monitored, that has excellent connectivity to the
rest of the institution's network, and that has varied and
easy-to-compromise services presents a high risk to the
confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a
honeypot that is rigorously monitored and whose sole
capability is to log connections and issue bogus responses
to the attacker, while signaling outside the system to the
administrator, presents much lower risk.
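The lower-risk design in the last sentence, as an added example that is not part of the FFIEC booklet or this newsletter: a minimal low-interaction honeypot in Python that only logs each connection, returns a constructed bogus banner, and hands the event to an out-of-band alert callback before anything is written locally. The class name, the `probe` self-test helper and the banner text are assumptions made for illustration.

```python
import socket
import threading
import time

class LowInteractionHoneypot:
    """Logs every connection, answers with a bogus banner, keeps the first bytes the peer sends, then closes; no real service sits behind the socket."""
    def __init__(self, banner, alert, host="127.0.0.1", port=0):
        self.banner, self.alert, self.events, self._running = banner, alert, [], True
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))          # port=0: the OS picks a free port
        self._srv.listen(5)
        self._srv.settimeout(0.5)             # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, peer = self._srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)     # bogus response; nothing is behind it
                    probe = conn.recv(256)        # record what the peer tried to do
                except OSError:
                    probe = b""
            event = {"time": time.time(), "src": "%s:%d" % peer,
                     "probe": probe.decode("latin-1")}
            self.alert(event)                 # signal the administrator out of band first
            self.events.append(event)         # any contact at all is suspicious

    def stop(self):
        self._running = False
        self._thread.join(timeout=3)
        self._srv.close()

def probe(hp, payload, timeout=3.0):
    """Client-side self-test (hypothetical helper): connect, read the banner, send a payload, wait until the contact is logged, return the banner."""
    seen = len(hp.events)
    with socket.create_connection(("127.0.0.1", hp.port), timeout=timeout) as c:
        banner = c.recv(256)
        c.sendall(payload)
    deadline = time.time() + timeout
    while len(hp.events) == seen and time.time() < deadline:
        time.sleep(0.01)
    return banner
```

Because the listener has no real service, the only thing an attacker can learn from it is the banner, and every event it records is worth reviewing.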
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
9. Evaluate the selection of systems to monitor and
objectives for monitoring.
10. Determine whether the data and data streams to monitor
are established and consistent with the risk assessment.
11. Determine whether users are appropriately notified
regarding security monitoring.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
applicable, the:
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]