REMINDER - The Information Security and Risk Management Conference is being held September 28-30, 2009 in Las Vegas, Nevada.  This is a great conference that I highly recommend.  For more information and to register, please go to http://www.isaca.org/isrmc.

FYI - Marines: Facebook is not for the few good men - Security make the ban necessary, order states - Marine Corps officials have banned using social-networking Web sites on the service's networks due to the security risks associated with the Web 2.0 tools, according to an order published on the Marine Corps Web site . http://fcw.com/articles/2009/08/04/marines-ban-social-networking.aspx

FYI - Secure call centers: Backbone of the health care industry - Call centers play a critical role in ensuring the successful management of an organization's customer and product support. For the health care industry, the call center acts as conduit between the hospital, insurers, health care providers and patients. http://www.scmagazineus.com/Secure-call-centers-Backbone-of-the-health-care-industry/article/141249/?DCMP=EMC-SCUS_Newswire

FYI - IT admin charged in Xmas Eve rampage on charity - The former IT admin for a Florida-based charity stands accused of ransacking the organization's servers and phone systems last Christmas eve, more than a year after his employment there ended. http://www.theregister.co.uk/2009/08/07/it_admin_christmas_eve_rampage/

FYI - Mass. bank customers getting replacement cards - Bank of America and Citigroup account holders living in Massachusetts recently have received replacement credit and debit cards, according to a report Monday, but bank representatives do not believe a new data breach is to blame. http://www.scmagazineus.com/Report-Mass-bank-customers-getting-replacement-cards/article/141431/

FYI - Bank to offer check deposits via iPhone - The Internet has taken a lot of the paperwork out of banking, but there is no avoiding paper when someone gives you a check. Now one bank wants to let customers deposit checks immediately--through their phones.
http://news.cnet.com/Bank-to-offer-check-deposits-via-iPhone/2100-1039_3-6249960.html
http://www.computerworld.com/s/article/9136359/How_tech_is_changing_banks

FYI - Small businesses largely not PCI compliant - A recent survey has found that a significant portion of small businesses are not compliant with Payment Card Industry Data Security Standard (PCI DSS). It found that though 83 percent of small businesses are familiar with PCI DSS, only 62 percent are compliant. http://www.scmagazineus.com/Small-businesses-largely-not-PCI-compliant/article/141557/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers Target House.gov Sites - Hackers broke into more than a dozen Web sites for members of the U.S. House of Representatives in the past week, replacing portions of their home pages with digital graffiti, according House officials. http://voices.washingtonpost.com/securityfix/2009/08/hackers_target_housegov_sites.html

FYI - Mystery hackers knock-over micro-blogging service - Updated Twitter was knocked offline on Thursday after the site became the victim of a distributed denial of service attack.
http://www.theregister.co.uk/2009/08/06/twitter_outage/
http://www.scmagazineus.com/Cause-of-Twitter-DDoS-traced-to-Russia-Georgia-conflict/article/141353/?DCMP=EMC-SCUS_Newswire

FYI - Stolen laptop holds Army Guard members' data - 131,000 former, current members personal information could be at risk - The National Guard says about 131,000 former and current Army Guard members' personal data may be at risk because of the theft of a contractor's laptop. http://www.msnbc.msn.com/id/32304147/ns/technology_and_science-security/

FYI - Mozilla Store shuttered after vendor security breach - The Mozilla Foundation closed its online stores on Tuesday after a third-party company it uses to run one of the sites' back-end operations suffered a security breach. http://www.theregister.co.uk/2009/08/05/mozilla_stores_shuttered/

FYI - Cyber attackers empty business accounts in minutes - The criminals knew what they were doing when they hit the Western Beaver County School District. They waited until school administrators were away on holiday, and then during a four-day period between Dec. 29 and Jan. 2, siphoned $704,610.35 out of two of the school district's bank accounts. http://www.computerworld.com/s/article/9136334/Cyber_attackers_empty_business_accounts_in_minutes

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking.  Over the next number of weeks we will cover the principles of Security Controls.

Security Controls - Principle 1: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 1 of 2)

It is essential in banking to confirm that a particular communication, transaction, or access request is legitimate. Accordingly, banks should use reliable methods for verifying the identity and authorization of new customers as well as authenticating the identity and authorization of established customers seeking to initiate electronic transactions.

Customer verification during account origination is important in reducing the risk of identity theft, fraudulent account applications and money laundering. Failure on the part of the bank to adequately authenticate customers could result in unauthorized individuals gaining access to e-banking accounts and ultimately financial loss and reputational damage to the bank through fraud, disclosure of confidential information or inadvertent involvement in criminal activity.

Establishing and authenticating an individual's identity and authorization to access banking systems in a purely electronic open network environment can be a difficult task. Legitimate user authorization can be misrepresented through a variety of techniques generally known as "spoofing." Online hackers can also take over the session of a legitimate authorized individual through use of a "sniffer" and carry out activities of a mischievous or criminal nature. Authentication control processes can in addition be circumvented through the alteration of authentication databases.

Accordingly, it is critical that banks have formal policy and procedures identifying appropriate methodology(ies) to ensure that the bank properly authenticates the identity and authorization of an individual, agent or system by means that are unique and, as far as practical, exclude unauthorized individuals or systems. Banks can us a variety of methods to establish authentication, including PINs, passwords, smart cards, biometrics, and digital certificates. These methods can be either single factor or multi-factor (e.g. using both a password and biometric technology to authenticate). Multi-factor authentication generally provides stronger assurance.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

INTRUSION DETECTION AND RESPONSE

INTRUSION RESPONSE  (Part 1 of 2)

Intrusion detection by itself does not mitigate risks of an intrusion. Risk mitigation only occurs through an effective and timely response. The goal of the response is to minimize damage to the institution and its customers through containment of the intrusion, and restoration of systems.

The response primarily involves people rather then technologies. The quality of intrusion response is a function of the institution's culture, policies and procedures, and training.

Preparation determines the success of any intrusion response. Preparation involves defining the policies and procedures that guide the response, assigning responsibilities to individuals and providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution's policies and procedures include the following:

! How to balance concerns regarding availability, confidentiality, and integrity, for devices and data of different sensitivities. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. An institution may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left on line.
! When and under what circumstances to invoke the intrusion response activities, and how to ensure the proper personnel are available and notified.
! How to control the frequently powerful intrusion identification and response tools.
! When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both the containment and the restoration strategy.
! When and under what circumstances to involve regulators, customers, and law enforcement. This consideration drives certain monitoring decisions, decisions regarding evidence-gathering and preservation, and communications considerations.
! Which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisionswithin the organization.
! How and what to communicate outside the organization, whether to law enforcement, customers, service providers, potential victims, and others. This consideration drives the communication strategy, and is a key component in mitigating reputation risk.
! How to document and maintain the evidence, decisions, and actions taken.
! What criteria must be met before compromised services, equipment and software are returned to the network.
! How to learn from the intrusion and use those lessons to improve the institution's security.
! How and when to prepare and file a Suspicious Activities Report (SAR).

Return to the top of the newsletter

IT SECURITY QUESTION: 

INTRUSION DETECTION AND RESPONSE

15. Determine if the security policy specifies the actions to be taken following the discovery of an unexpected, unusual, or suspicious activity (potential intrusion), and that appropriate personnel are authorized to take those actions.

16. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider:

!  Documentation of the roles, responsibilities and authority of employees and contractors, and
!  Conditions for the examination and analysis of data, systems, and networks.

17. Determine if the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

20. Does the opt out notice state:

a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; [§7(a)(1)(i)]

b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and

c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]