Does Your Financial Institution need an
affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration
testing audits to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of the FDIC, OCC,
OTS, FRB, and NCUA, which provides compliance with the
Gramm-Leach-Bliley Act, Section 501(b).
The penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond simple port
scanning. The audit is conducted from a hacker's perspective, which
will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
For more
information and to subscribe visit
http://www.yennik.com/it-review/.
REMINDER - The ISACA Information Security and
Risk Management Conference is being held September 13-15, 2010
in Las Vegas, Nevada. This is a great conference that I highly
recommend. For more information and to register, please go to
http://www.isaca.org/isrmc.
I will be there and look forward to meeting you.
FYI -
Second Student Sues School District Over Webcam Spying - A webcam
scandal at a suburban Philadelphia school district expanded Tuesday
to include a second student alleging his school-issued laptop
secretly snapped images of him.
http://www.wired.com/threatlevel/2010/07/webcam-spy-scandal-broadens/
FYI -
Massive check-fraud botnet operation tied to Russia - Check fraud is
an old-fashioned kind of crime, but a criminal ring with ties to
Russia is using modern cybercrime techniques, including botnets,
online databases of financial information and check imaging
archives, to run a highly automated, multi-million-dollar
counterfeit-check operation.
http://www.computerworld.com/s/article/9179771/Massive_check_fraud_botnet_operation_tied_to_Russia?taxonomyId=17
FYI -
Black Hat 2010: Researcher Jack uses design, authentication flaws to
force ATMs to spit out cash - Making a dream come true for anyone
who ever has seen their chips evaporate at a Las Vegas casino, a
security researcher on Wednesday forced two ATMs to spit out bundles
of cash thanks to security weaknesses in the machines.
http://www.scmagazineus.com/black-hat-2010-researcher-jack-uses-design-authentication-flaws-to-force-atms-to-spit-out-cash/article/175803/?DCMP=EMC-SCUS_Newswire
FYI -
U.S. military launches review of IT security after Wikileaks breach
- Defense chief Gates said changes already underway in war zones,
where security is loosened to get data to soldiers more quickly -
Defense Secretary Robert Gates Thursday announced that U.S.
information security practices will be reviewed following the leak
of tens of thousands of classified war documents that were published
by WikiLeaks earlier this week.
http://www.computerworld.com/s/article/9179897/U.S._military_launches_review_of_IT_security_after_Wikileaks_breach?taxonomyId=17
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Data breaches blamed on organised crime - Hackers feast on financial
sector security mistakes - Cybercrooks continue to be a menace to
corporate security, with hackers and malware authors collectively
responsible for 85 per cent of all stolen data.
http://www.theregister.co.uk/2010/07/29/data_breaches_dissected/
FYI -
New Zealand pizza lovers suffer information theft - Breach reveals
personal information and topping preferences - Some 230,000 New
Zealanders have been told that their personally identifiable
information may have fallen into the hands of hackers who apparently
compromised the network of a locally famous food chain.
http://www.networkworld.com/community/blog/new-zealand-pizza-lovers-suffer-information-t?t51hb
FYI -
Sensitive thumb drive missing from New Jersey hospital - A thumb
drive containing the personal data of current and former graduate
medical education residents and fellows at Cooper University
Hospital in Camden, N.J. has gone missing.
http://www.scmagazineus.com/sensitive-thumb-drive-missing-from-new-jersey-hospital/article/176189/?DCMP=EMC-SCUS_Newswire
FYI -
Texas Firm Blames Bank for $50,000 Cyber Heist - A business
telephone equipment company in Texas is trying to force its bank to
settle a liability claim over an attack by organized cyber thieves
last year that cost the company $50,000.
http://krebsonsecurity.com/2010/08/texas-firm-blames-bank-for-50000-cyber-heist/
FYI -
Police bust e-crime gang for online bank thefts - UK and Irish
police have today swooped on an international e-crime gang accused
of attempting to steal money from up to 20,000 online bank accounts
and credit cards in the countries.
http://www.networkworld.com/news/2010/080410-police-bust-e-crime-gang-for.html
WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among the
most frequent targets of identity thieves since they store sensitive
information about their customers and hold customer funds in
accounts that can be accessed remotely and transferred
electronically.
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
record.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FDIC paper "Risk Assessment Tools and
Practices for Information System Security."
RISK ASSESSMENT/MANAGEMENT
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing process
of evaluating threats and vulnerabilities, and establishing an
appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the
potential to harm an institution, while vulnerabilities are
weaknesses that can be exploited.
The extent of the information security program should be
commensurate with the degree of risk associated with the
institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions
offering transactional Internet banking activities are exposed to
greater risks. Further, real-time funds transfers generally pose
greater risks than delayed or batch-processed transactions because
the items are processed immediately. The extent to which an
institution contracts with third-party vendors will also affect the
nature of the risk assessment program.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Reuse & Redisclosure of nonpublic
personal information received from a nonaffiliated financial
institution under Sections 14 and/or 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in step 2 below (§11(a)(1)(i) and
(ii)).
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).