Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Recruiting and developing the 21st century cyber warrior - Last
month, U.S. Deputy Secretary of Defense William Lynn III announced
that the Department of Defense (DoD) was releasing a cybersecurity
strategy explicitly recognizing cyberspace as a new and official
- AES proved vulnerable by Microsoft researchers - Show that
algorithm underlying most all of today's online transactions can be
compromised - Researchers from Microsoft and Belgian Katholieke
Universiteit Leuven have discovered a way to break the widely used
Advanced Encryption Standard (AES), the encryption algorithm used to
secure most all online transactions and wireless communications.
- German state bans Facebook pages, 'Like' buttons - Facebook is in
trouble in Germany yet again after the data-protection authority in
Schleswig-Holstein ordered all institutions in the state to shut
down their Facebook fan pages and remove plug-ins such as the 'Like'
button from their websites.
- FTC fines firm $50,000 for collecting children's personal
information - The Federal Trade Commission (FTC) has fined W3
Innovations, a mobile applications developer, $50,000 for illegally
collecting and disclosing personal information on tens of thousands
of children under the age of 13 without their parents’ consent.
- AT&T sues two over scheme to steal customer data - AT&T has
accused two Utah men of carrying out a data mining scheme, using
automatic dialing programs to harvest information from its customer
database and costing the company more than $6.5 million.
- Met officers cleared over hacking misconduct claims - The former
Metropolitan Police commissioner has been cleared of misconduct in
his handling of the phone hacking inquiry by the police watchdog.
- GAO - Further Actions Needed to Re-examine Centralization Approach
and to Better Document Associated Costs
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Second BART Hack Exposes Police Personal Info - Hackers gained
access to the web site operated by The Bay Area Rapid Transit Police
Officers' Association, posting personal details of more than 100
officers. The officers' home and e-mail addresses were leaked along
with passwords. The hackers group Anonymous announced the most
recent breach, but has not yet claimed responsibility.
- Investigation reveals widespread insider hacking at immigration
agency- A yearlong probe into computer fraud at an immigration
application processing center uncovered multiple incidents of
internal hacking where staff accessed management-level emails and
other confidential files, according to Homeland Security Department
interviews, network analyses and internal emails obtained by Nextgov.
- IT admin cops to crippling ex-employer's network - A Georgia IT
administrator has pleaded guilty to crippling the computer system of
a Japanese pharmaceutical company's US subsidiary several months
after his employment there ended.
- eThieves Steal $217k from Arena Firm - Cyber thieves stole
$217,000 last month from the Metropolitan Entertainment & Convention
Authority (MECA), a nonprofit organization responsible for operating
the Qwest Center and other gathering places in Omaha, Nebraska.
- AntiSec hackers target another military contractor - A vigilante
hacker group has attacked Vanguard Defense Industries (VDI), a
contractor based in Conroe, Texas, that sells advanced weapons to
law enforcement, military and private corporations. Among its
products is the ShadowHawk, a robotic helicopter used for aerial
surveillance that can also be equipped with a grenade launcher.
- Hackers break into sensitive Purdue University server - A computer
server containing the personal information of thousands of former
Purdue University students was accessed by hackers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our
series on the FDIC's Supervisory Policy on Identity Theft.
3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Application - Level Firewalls
Application-level firewalls perform application-level screening,
typically including the filtering capabilities of packet filter
firewalls with additional validation of the packet content based on
the application. Application-level firewalls capture and compare
packets to state information in the connection tables. Unlike a
packet filter firewall, an application-level firewall continues to
examine each packet after the initial connection is established for
specific application or services such as telnet, FTP, HTTP, SMTP,
etc. The application-level firewall can provide additional screening
of the packet payload for commands, protocols, packet length,
authorization, content, or invalid headers. Application-level
firewalls provide the strongest level of security, but are slower
and require greater expertise to administer properly.
The primary disadvantages of application - level firewalls are:
! The time required to read and interpret each packet slows network
traffic. Traffic of certain types may have to be split off before
the application level firewall and passed through different access
! Any particular firewall may provide only limited support for new
network applications and protocols. They also simply may allow
traffic from those applications and protocols to go through the
Return to the top of
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Exceptions to the opt out right are detailed in sections 13, 14,
and 15 of the regulations. Financial institutions need not comply
with opt-out requirements if they limit disclosure of nonpublic
1) To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or those
offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by contract
prohibits the third party from disclosing or using the information
for other than the specified purposes. In a contract for a joint
marketing agreement, the contract must provide that the parties to
the agreement are jointly offering, sponsoring, or endorsing a
financial product or service. However, if the service or function is
covered by the exceptions in section 14 or 15 (discussed below), the
financial institution does not have to comply with the additional
disclosure and confidentiality requirements of section 13.
Disclosure under this exception could include the outsourcing of
marketing to an advertising company. (Section 13)
2) As necessary to effect, administer, or enforce a transaction
that a consumer requests or authorizes, or under certain other
circumstances relating to existing relationships with customers.
Disclosures under this exception could be in connection with the
audit of credit information, administration of a rewards program, or
to provide an account statement. (Section 14)
3) For specified other disclosures that a financial institution
normally makes, such as to protect against or prevent actual or
potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable legal
requirements, such as the disclosure of information to regulators.