The Information Security and Risk Management Conference
is being held September 28-30, 2009 in Las Vegas, Nevada. This
is a great conference that I highly recommend. For more
information and to register, please go to
Marines: Facebook is not for the few good men - Security make the
ban necessary, order states - Marine Corps officials have banned
using social-networking Web sites on the service's networks due to
the security risks associated with the Web 2.0 tools, according to
an order published on the Marine Corps Web site .
Secure call centers: Backbone of the health care industry - Call
centers play a critical role in ensuring the successful management
of an organization's customer and product support. For the health
care industry, the call center acts as conduit between the hospital,
insurers, health care providers and patients.
IT admin charged in Xmas Eve rampage on charity - The former IT
admin for a Florida-based charity stands accused of ransacking the
organization's servers and phone systems last Christmas eve, more
than a year after his employment there ended.
Mass. bank customers getting replacement cards - Bank of America and
Citigroup account holders living in Massachusetts recently have
received replacement credit and debit cards, according to a report
Monday, but bank representatives do not believe a new data breach is
Bank to offer check deposits via iPhone - The Internet has taken a
lot of the paperwork out of banking, but there is no avoiding paper
when someone gives you a check. Now one bank wants to let customers
deposit checks immediately--through their phones.
Small businesses largely not PCI compliant - A recent survey has
found that a significant portion of small businesses are not
compliant with Payment Card Industry Data Security Standard (PCI DSS).
It found that though 83 percent of small businesses are familiar
with PCI DSS, only 62 percent are compliant.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hackers Target House.gov Sites - Hackers broke into more than a
dozen Web sites for members of the U.S. House of Representatives in
the past week, replacing portions of their home pages with digital
graffiti, according House officials.
Mystery hackers knock-over micro-blogging service - Updated Twitter
was knocked offline on Thursday after the site became the victim of
a distributed denial of service attack.
Stolen laptop holds Army Guard members' data - 131,000 former,
current members personal information could be at risk - The National
Guard says about 131,000 former and current Army Guard members'
personal data may be at risk because of the theft of a contractor's
Mozilla Store shuttered after vendor security breach - The Mozilla
Foundation closed its online stores on Tuesday after a third-party
company it uses to run one of the sites' back-end operations
suffered a security breach.
Cyber attackers empty business accounts in minutes - The criminals
knew what they were doing when they hit the Western Beaver County
School District. They waited until school administrators were away
on holiday, and then during a four-day period between Dec. 29 and
Jan. 2, siphoned $704,610.35 out of two of the school district's
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
the Board of Directors has the responsibility for ensuring that
appropriate security control processes are in place for e-banking,
the substance of these processes needs special management attention
because of the enhanced security challenges posed by e-banking.
Over the next number of weeks we will cover the principles of
Security Controls -
1: Banks should take appropriate measures to authenticate the
identity and authorization of customers with whom it conducts
business over the Internet. (Part 1 of 2)
It is essential in banking to confirm that a particular
communication, transaction, or access request is legitimate.
Accordingly, banks should use reliable methods for verifying the
identity and authorization of new customers as well as
authenticating the identity and authorization of established
customers seeking to initiate electronic transactions.
Customer verification during account origination is important in
reducing the risk of identity theft, fraudulent account applications
and money laundering. Failure on the part of the bank to adequately
authenticate customers could result in unauthorized individuals
gaining access to e-banking accounts and ultimately financial loss
and reputational damage to the bank through fraud, disclosure of
confidential information or inadvertent involvement in criminal
Establishing and authenticating an individual's identity and
authorization to access banking systems in a purely electronic open
network environment can be a difficult task. Legitimate user
authorization can be misrepresented through a variety of techniques
generally known as "spoofing." Online hackers can also
take over the session of a legitimate authorized individual through
use of a "sniffer" and carry out activities of a
mischievous or criminal nature. Authentication control processes can
in addition be circumvented through the alteration of authentication
Accordingly, it is critical that banks have formal policy and
procedures identifying appropriate methodology(ies) to ensure that
the bank properly authenticates the identity and authorization of an
individual, agent or system by means that are unique and, as far as
practical, exclude unauthorized individuals or systems. Banks can us
a variety of methods to establish authentication, including PINs,
passwords, smart cards, biometrics, and digital certificates. These
methods can be either single factor or multi-factor (e.g. using both
a password and biometric technology to authenticate). Multi-factor
authentication generally provides stronger assurance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 1 of 2)
Intrusion detection by itself does not mitigate risks of an
intrusion. Risk mitigation only occurs through an effective and
timely response. The goal of the response is to minimize damage to
the institution and its customers through containment of the
intrusion, and restoration of systems.
The response primarily involves people rather then technologies. The
quality of intrusion response is a function of the institution's
culture, policies and procedures, and training.
Preparation determines the success of any intrusion response.
Preparation involves defining the policies and procedures that guide
the response, assigning responsibilities to individuals and
providing appropriate training, formalizing information flows, and
selecting, installing, and understanding the tools used in the
response effort. Key considerations that directly affect the
institution's policies and procedures include the following:
! How to balance concerns regarding availability, confidentiality,
and integrity, for devices and data of different sensitivities. This
consideration is a key driver for a containment strategy and may
involve legal and liability considerations. An institution may
decide that some systems must be disconnected or shut down at the
first sign of intrusion, while others must be left on line.
! When and under what circumstances to invoke the intrusion response
activities, and how to ensure the proper personnel are available and
! How to control the frequently powerful intrusion identification
and response tools.
! When to involve outside experts and how to ensure the proper
expertise will be available when needed. This consideration
addresses both the containment and the restoration strategy.
! When and under what circumstances to involve regulators,
customers, and law enforcement. This consideration drives certain
monitoring decisions, decisions regarding evidence-gathering and
preservation, and communications considerations.
! Which personnel have authority to perform what actions in
containment of the intrusion and restoration of the systems. This
consideration affects the internal communications strategy, the
commitment of personnel, and procedures that escalate involvement
and decisionswithin the organization.
! How and what to communicate outside the organization, whether to
law enforcement, customers, service providers, potential victims,
and others. This consideration drives the communication strategy,
and is a key component in mitigating reputation risk.
! How to document and maintain the evidence, decisions, and actions
! What criteria must be met before compromised services, equipment
and software are returned to the network.
! How to learn from the intrusion and use those lessons to improve
the institution's security.
! How and when to prepare and file a Suspicious Activities Report
Return to the top of the
INTRUSION DETECTION AND RESPONSE
15. Determine if the security policy specifies the actions to be
taken following the discovery of an unexpected, unusual, or
suspicious activity (potential intrusion), and that appropriate
personnel are authorized to take those actions.
16. Evaluate the appropriateness of the security policy in
addressing the review of compromised systems. Consider:
! Documentation of the roles, responsibilities and authority
of employees and contractors, and
! Conditions for the examination and analysis of data,
systems, and networks.
17. Determine if the information disclosure policy indicates what
information is shared with others, in what circumstances, and
identifies the individual(s) who have the authority to initiate
disclosure beyond the stated policy.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
20. Does the opt out notice
a. that the institution discloses or reserves the right to disclose
nonpublic personal information about the consumer to a nonaffiliated
third party; [§7(a)(1)(i)]
b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)]
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]