The Information Security and Risk Management Conference
is being held September 28-30, 2009 in Las Vegas, Nevada. This
is a great conference that I highly recommend. For more
information and to register, please go to
Web users ignoring security certificate warnings - Digital
certificate warnings in Web browsers are not an effective security
measure, according to Carnegie Mellon researchers.
Cable fault cuts off West Africa - Large parts of West Africa are
struggling to get back online following damage to an undersea cable.
The fault has caused severe problems in Benin, Togo, Niger and
GAO - HUD Needs to Strengthen Its Capacity to Manage and Modernize
Release - http://www.gao.gov/new.items/d09675.pdf
Highlights - http://www.gao.gov/highlights/d09675high.pdf
Researchers simulate a botnet of 1 million zombies - Computer
scientists working for the U.S. Department of Energy announced this
week that they have been able to create a simulated botnet
consisting of more than one million machines.
Breaking SSL network transactions - By making a simple change, a
fake SSL certificate can be created and used to persuade users that
it is safe to enter their credit card information on a merchant
Clampi banking trojan spreading rapidly - Researchers have
identified a new and dangerous banking trojan that can utilize a
Windows tool to spread itself to all workstations across an
NIST releases 'historic' final version of Special Publication 800-53
- The agency also released a draft of specs for SCAP - The National
Institute of Standards and Technology has collaborated with the
military and intelligence communities to produce the first set of
security controls for all government information systems, including
national security systems.
Contractor returns money to Pentagon - Probe finds computer security
inadequate - BuzzApptis Inc., a military information technology
provider, repaid $1.3 million of a $5.4 million Pentagon contract
after investigators said the company provided inadequate computer
security and a subcontractor's system was hacked from an Internet
address in China.
Man is first to be charged with Web name theft - He allegedly stole
prime domain name, sold it to NBA player for over $100K - A northern
New Jersey man is charged with stealing a prime piece of Internet
real estate and reselling it to basketball player Mark Madsen in one
of the nation's first prosecutions of a suspected domain name thief.
U.S. Marines block social networking sites - The U.S. Marines issued
an "immediate ban" Monday on the use of social networking sites
across the military branch's networks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Personal Data Mishandled at Commerce Dept. - The names and Social
Security numbers of at least 27,000 Commerce Department employees
were exposed to a risk of identity theft following an inappropriate
transfer of the personal information in mid-July, according to a
letter sent to department employees last week.
Fake ATM scam rumbled by Defcon hackers - White hat hackers
attending the DefCon conference in Vegas last week uncovered the
presence of a fake ATM in the show's venue.
WEB SITE COMPLIANCE -
covering some of the issues discussed in the "Risk Management
Principles for Electronic Banking" published by the Basel Committee
on Bank Supervision.
Board and Management Oversight - Principle 3: The
Board of Directors and senior management should establish a
comprehensive and ongoing due diligence and oversight process for
managing the bank's outsourcing relationships and other third-party
dependencies supporting e-banking.
Increased reliance upon partners and third party service providers
to perform critical e-banking functions lessens bank management's
direct control. Accordingly, a comprehensive process for managing
the risks associated with outsourcing and other third-party
dependencies is necessary. This process should encompass the
third-party activities of partners and service providers, including
the sub-contracting of outsourced activities that may have a
material impact on the bank.
Historically, outsourcing was often limited to a single service
provider for a given functionality. However, in recent years, banks'
outsourcing relationships have increased in scale and complexity as
a direct result of advances in information technology and the
emergence of e-banking. Adding to the complexity is the fact that
outsourced e-banking services can be sub-contracted to additional
service providers and/or conducted in a foreign country. Further, as
e-banking applications and services have become more technologically
advanced and have grown in strategic importance, certain e-banking
functional areas are dependent upon a small number of specialized
third-party vendors and service providers. These developments may
lead to increased risk concentrations that warrant attention both
from an individual bank as well as a systemic industry standpoint.
Together, these factors underscore the need for a comprehensive and
ongoing evaluation of outsourcing relationships and other external
dependencies, including the associated implications for the bank's
risk profile and risk management oversight abilities. Board and
senior management oversight of outsourcing relationships and
third-party dependencies should specifically focus on ensuring that:
1) The bank fully understands the risks associated with entering
into an outsourcing or partnership arrangement for its e-banking
systems or applications.
2) An appropriate due diligence review of the competency and
financial viability of any third-party service provider or partner
is conducted prior to entering into any contract for e-banking
3) The contractual accountability of all parties to the outsourcing
or partnership relationship is clearly defined. For instance,
responsibilities for providing information to and receiving
information from the service provider should be clearly defined.
4) All outsourced e-banking systems and operations are subject to
risk management, security and privacy policies that meet the bank's
5) Periodic independent internal and/or external audits are
conducted of outsourced operations to at least the same scope
required if such operations were conducted in-house.
This is the last of three principles regarding Board and Management
Oversight. Next week we will begin the series on the
principles of security controls, which include Authentication,
and transaction integrity, Segregation of duties, Authorization
controls, Maintenance of audit trails, and Confidentiality of key
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
Operational anomalies may be evidence of a broad number of issues,
one of which is potential intrusion. Anomalies that act as
intrusion-warning indicators fall into two categories, those
apparent in system processing, and those apparent outside the
System processing anomalies are evident in system logs and system
behavior. Good identification involves pre-establishing which system
processing data streams will be monitored for anomalies, defining
which anomalies constitute an indicator of an intrusion, and the
frequency of the monitoring. For example, remote access logs can be
reviewed daily for access during unusual times. Other logs can be
reviewed on other regular cycles for other unusual behaviors. System
behavior covers a broad range of issues, from CPU utilization to
network traffic protocols, quantity and destinations. One example of
a processing anomaly is CPU utilization approaching 100% when the
scheduled jobs typically require much less. Anomalous behavior,
however, may not signal an intrusion.
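
An added example (not part of the original newsletter or the FFIEC text) of the daily remote access log review described above: the monitored stream, the anomaly definition and the review frequency are fixed in advance, then applied to one day's entries. The log format, account names, addresses and time windows are constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample: hypothetical "timestamp user source result" remote-access log.
SAMPLE_LOG = """\
2009-08-03T09:14:02 jsmith 203.0.113.10 ACCEPT
2009-08-03T13:40:55 mlee 198.51.100.7 ACCEPT
2009-08-04T02:47:31 jsmith 192.0.2.44 ACCEPT
2009-08-04T03:02:10 backup_svc 10.0.0.5 ACCEPT
2009-08-04T08:58:19 mlee 198.51.100.7 ACCEPT
2009-08-04T23:15:00 mlee 198.51.100.7 REJECT
not a log line
"""

# Assumed policy, defined before monitoring starts: the hours in which each
# account is expected to connect. Accounts not listed get DEFAULT_WINDOW.
WINDOWS = {"backup_svc": (time(2, 0), time(4, 0))}
DEFAULT_WINDOW = (time(7, 0), time(19, 0))

def in_window(t, window):
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window that wraps past midnight

def review(log_text, day):
    """Daily review of one day ("YYYY-MM-DD"): return (indicators, unparsed)."""
    indicators, unparsed = [], []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            user, source, result = parts[1:4]
        except (IndexError, ValueError):
            unparsed.append(line)  # surface bad lines instead of dropping them
            continue
        if ts.date().isoformat() != day:
            continue
        if not in_window(ts.time(), WINDOWS.get(user, DEFAULT_WINDOW)):
            indicators.append((ts, user, source, result))
    return indicators, unparsed

if __name__ == "__main__":
    hits, bad = review(SAMPLE_LOG, "2009-08-04")
    for ts, user, source, result in hits:
        print(f"REVIEW {ts} {user} from {source} ({result}) outside expected hours")
    print(f"{len(bad)} unparsable line(s) need manual inspection")
```

Each hit is an indicator queued for human review, not a confirmed intrusion; the service account with its own night-time window is not flagged.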
Outside the system, detection is typically based on system output,
such as unusual Automated Clearing House transactions or bill
payment transactions. Those unusual transactions may be flagged as a
part of ordinary transaction reviews, or customers and other system
users may report them. Customers and other users should be advised
as to where and how to report anomalies. The anomalous output,
however, may not signal an intrusion.
Central reporting and analysis of all IDS output, honeypot
monitoring, and anomalous system behavior assists in the intrusion
identification process. Any intrusion reporting should use
out-of-band communications mechanisms to protect the alert from
being intercepted or compromised by an intruder.
INTRUSION DETECTION AND RESPONSE
12. Determine whether:
- Responsibilities and authorities of security personnel and
system administrators for monitoring are established, and
- Tools used are reviewed and approved by appropriate
management with appropriate conditions for use.
13. Determine if the responsibility and authority of system
administrators is appropriate for handling notifications generated
by monitoring systems.
14. Determine if users are trained to report unexpected network
behavior that may indicate an intrusion, and that clear reporting
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information
about a consumer to a nonaffiliated third party, and the exceptions
under §§13-15 do not apply, does the institution provide the
consumer with a clear and conspicuous opt out notice that accurately
explains the right to opt out? [§7(a)(1)]