Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit

REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
gathering information on Canadian citizens - Communications Security Establishment Canada, which intercepts foreign communications and also protects Canadian government computer systems, is using information about Canadians to help in the acquisition of foreign intelligence after recent changes in its policy.

Patco’s eBanking Fraud Case - A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.

Android Trojan records your calls - Criminals have increased the functionality of Android Trojans with a new strain that is capable of recording, and not just logging, conversations on compromised

drops website blocking - Plans to block websites that host copyright infringing material are to be dumped by the government.

details on mobile tracking by police - Affiliates of the American Civil Liberties Union (ACLU) in 31 states have filed 379 information requests, demanding that state and local law enforcement agencies tell how they use location information from mobile phones to track

GAO - State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain

hasn't "Anonymous" been caught? - We recently heard of crackdowns on the “hacktivist” group Anonymous, where a haul of hackers and their computers were swooped down upon and spirited away by the FBI. So how come we continue to see communications from the group?

cracks down on the Blackberry - The use of the humble Blackberry may be outlawed in India if Research in Motion fails to comply with the government’s strict security demands.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Governments, IOC and UN hit by massive cyber attack - IT security firm claims to have uncovered one of the largest ever series of

contractor loses hundreds of bank account details, leaving them at a pub. - Two companies have been found in breach of the Data Protection Act after tens of thousands of tenants’ details were left at a London pub, alongside 800 records with bank account details.

LulzSec Dump Data from 70 Sheriffs' Offices - Anonymous continued its attacks against law enforcement agencies to protest recent arrests of Anonymous members and Topiary by breaching a third-party marketing firm hosting 70 law enforcement Websites.

blames 'vindictive individual' for email database breach - Hacker or disaffected worker mystery remains - Travelodge UK has confirmed that a customer database security breach was behind the recent run of spam emails to its customers.
WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft. (Part 1 of 6)

Supervisory Policy on Identity Theft
Identity theft is fraud committed or attempted by using the
identifying information of another person without his or her
authority. Identifying information may include such things as a
Social Security number, account number, date of birth, driver's
license number, passport number, biometric data and other unique
electronic identification numbers or codes. As more financial
transactions are done electronically and remotely, and as more
sensitive information is stored in electronic form, the
opportunities for identity theft have increased significantly.
This policy statement describes the characteristics of identity
theft and emphasizes the FDIC's well-defined expectations that
institutions under its supervision detect, prevent and mitigate the
effects of identity theft in order to protect consumers and help
ensure safe and sound operations.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Packet Filter Firewalls
Basic packet filtering was described in the router section and does
not include stateful inspection. Packet filter firewalls evaluate
the headers of each incoming and outgoing packet to ensure it has a
valid internal address, originates from a permitted external
address, connects to an authorized protocol or service, and contains
valid basic header instructions. If the packet does not match the
pre-defined policy for allowed traffic, then the firewall drops the
packet. Packet filters generally do not analyze the packet contents
beyond the header information. Dynamic packet filtering incorporates
stateful inspection primarily for performance benefits. Before
re-examining every packet, the firewall checks each packet as it
arrives to determine whether it is part of an existing connection.
If it verifies that the packet belongs to an established connection,
then it forwards the packet without subjecting it to the firewall
Weaknesses associated with packet filtering firewalls include the following:
- The system is unable to prevent attacks that employ application-specific vulnerabilities and functions because the packet filter cannot examine packet contents.
- Logging functionality is limited to the same information used to make access control decisions.
- Most do not support advanced user authentication schemes.
- Firewalls are generally vulnerable to attacks and exploitation that take advantage of problems in the TCP/IP specification.
- The firewalls are easy to misconfigure, which allows traffic to pass that should be blocked.
Packet filtering offers less security, but faster performance, than application-level firewalls. The former are appropriate in high-speed environments where logging and user authentication with network resources are not important. Packet filter firewalls are also commonly used in small office/home office (SOHO) systems and default operating system firewalls.
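The header-only filtering, the dynamic (stateful) shortcut for established connections, and the weaknesses listed above, as an added Python model that is not part of the FFIEC booklet or this newsletter. The internal prefix, rules, addresses (RFC 5737 documentation ranges) and packets are constructed for illustration; the anti-spoofing header check, the flow table and the shadowed-rule check are my own simplifications of what such a firewall does, not any vendor's implementation.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Toy model of the packet filter the booklet describes. Every address, port and
# rule below is constructed for illustration, not taken from a real deployment.
INTERNAL_PREFIX = "10.0.0."   # assumed internal network, matched as a string prefix


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (arriving from the Internet) or "out" (leaving the network)
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # True for the first packet of a TCP connection
    payload: bytes = b""  # on the wire, but a packet filter never consults it


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    src_prefix: str = ""         # "" matches any address
    dst_prefix: str = ""
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (p.src.startswith(self.src_prefix) and p.dst.startswith(self.dst_prefix)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by this rule."""
        return (other.src_prefix.startswith(self.src_prefix)
                and other.dst_prefix.startswith(self.dst_prefix)
                and self.proto in (None, other.proto) and self.dport in (None, other.dport))


FlowKey = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)


class PacketFilter:
    def __init__(self, rules: List[Rule], stateful: bool = False):
        self.rules = list(rules)
        self.stateful = stateful
        self.flows: Set[FlowKey] = set()   # connections already admitted by policy
        self.log: List[str] = []

    def _header_checks(self, p: Packet) -> Optional[str]:
        # Header sanity: inbound packets must not claim an internal source (spoofing),
        # outbound packets must come from inside, and protocol/port must be valid.
        if p.direction == "in" and p.src.startswith(INTERNAL_PREFIX):
            return "drop"
        if p.direction == "out" and not p.src.startswith(INTERNAL_PREFIX):
            return "drop"
        if p.proto not in ("tcp", "udp") or not 0 < p.dport < 65536:
            return "drop"
        return None

    def _policy(self, p: Packet) -> str:
        for r in self.rules:          # first matching rule wins
            if r.matches(p):
                return r.action
        return "drop"                 # default deny

    def decide(self, p: Packet) -> str:
        verdict = self._header_checks(p)
        if verdict is None:
            fwd = (p.src, p.dst, p.proto, p.sport, p.dport)
            rev = (p.dst, p.src, p.proto, p.dport, p.sport)
            if self.stateful and (fwd in self.flows or rev in self.flows):
                verdict = "allow"     # known connection: forwarded without re-evaluating rules
            else:
                verdict = self._policy(p)
                if self.stateful and verdict == "allow" and p.syn:
                    self.flows.add(fwd)
        # The log can only hold what the decision was based on: header fields.
        self.log.append(f"{verdict} {p.direction} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
        return verdict


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them,
    e.g. a broad 'allow' placed above a specific 'drop' (a common misconfiguration)."""
    return [j for j, later in enumerate(rules) if any(e.covers(later) for e in rules[:j])]


# Constructed policy: a public HTTPS server at 10.0.0.5, plus outbound browsing on 443.
RULES = [
    Rule("allow", dst_prefix="10.0.0.5", proto="tcp", dport=443),
    Rule("allow", src_prefix=INTERNAL_PREFIX, proto="tcp", dport=443),
]

# Constructed traffic: a client connection, the server's reply, a spoofed packet,
# and a packet on an allowed port whose payload the filter cannot judge.
PACKETS = [
    ("client_syn", Packet("in", "198.51.100.7", "10.0.0.5", "tcp", 40000, 443, syn=True)),
    ("server_reply", Packet("out", "10.0.0.5", "198.51.100.7", "tcp", 443, 40000)),
    ("spoofed_internal_src", Packet("in", "10.0.0.9", "10.0.0.5", "tcp", 40000, 443, syn=True)),
    ("allowed_port_any_payload", Packet("in", "198.51.100.7", "10.0.0.5", "tcp", 40001, 443,
                                        syn=True, payload=b"application data the filter never reads")),
]


def demo() -> dict:
    """Map each packet name to its (stateless verdict, stateful verdict)."""
    stateless, stateful = PacketFilter(RULES), PacketFilter(RULES, stateful=True)
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in PACKETS}


if __name__ == "__main__":
    for name, (sl, sf) in demo().items():
        print(f"{name:26s} stateless={sl:5s} stateful={sf}")
    print("shadowed:", shadowed_rules([Rule("allow", proto="tcp"),
                                      Rule("drop", dst_prefix=INTERNAL_PREFIX, proto="tcp", dport=23)]))
```

Running it shows the points the booklet makes: the stateless filter drops the server's reply because no rule names the client's ephemeral port, while the stateful filter forwards it from its flow table without consulting the rules; the spoofed packet is dropped on header checks alone; and the packet carrying arbitrary application data on port 443 is allowed by both, because nothing below the header is examined. `shadowed_rules` is the kind of offline check a reviewer can run over a rule set to catch the misconfiguration in the last bullet before it reaches production.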
Institutions internally hosting Internet-accessible services should
consider implementing additional firewall components that include
INTERNET PRIVACY - We continue our
review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer
in connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.