REMINDER - The Information
Security and Risk Management Conference is being held September
28-30, 2009 in Las Vegas, Nevada. This is a great conference that I
highly recommend. For more information and to register, please go to
Two convicted for refusal to decrypt data - Up to five years in jail
after landmark prosecutions - Two people have been successfully
prosecuted for refusing to provide authorities with their encryption
keys, resulting in landmark convictions that may have carried jail
sentences of up to five years.
China will not enforce Green Dam filter plan - China said today that
it will not force PC makers to bundle an Internet filtering program
with computers sold in the country, backing down from a plan that
stirred global controversy.
Three men indicted in largest U.S. data breach - Two Russians and a
Florida man were charged on Monday with hacking into Heartland
Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket
chain, and stealing data related to more than 130 million credit and
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Security firms discover botnet on Twitter - .A Twitter account can
be used as the command center for harnessing a "botnet" of
virus-infected computers, security firms Arbor Networks and Symantec
reported. In a blog post Friday, Symantec analyst Peter Coogan wrote
that researchers found an account, @upd4t3, which was tweeting out
links to download a piece malware called Downloader.Sninfs.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Security Controls -
1: Banks should take appropriate measures to authenticate the
identity and authorization of customers with whom it conducts
business over the Internet. (Part 2 of 2)
The bank must determine which authentication methods to use based on
management's assessment of the risk posed by the e-banking system as
a whole or by the various sub-components. This risk analysis should
evaluate the transactional capabilities of the e-banking system
(e.g. funds transfer, bill payment, loan origination, account
aggregation etc.), the sensitivity and value of the stored e-banking
data, and the customer's ease of using the authentication method.
Robust customer identification and authentication processes are
particularly important in the cross-border e-banking context given
the additional difficulties that may arise from doing business
electronically with customers across national borders, including the
greater risk of identity impersonation and the greater difficulty in
conducting effective credit checks on potential customers.
As authentication methods continue to evolve, banks are encouraged
to monitor and adopt industry sound practice in this area such as
1) Authentication databases that provide access to e-banking
customer accounts or sensitive systems are protected from tampering
and corruption. Any such tampering should be detectable and audit
trails should be in place to document such attempts.
2) Any addition, deletion or change of an individual, agent or
system to an authentication database is duly authorized by an
3) Appropriate measures are in place to control the e-banking
system connection such that unknown third parties cannot displace
4) Authenticated e-banking sessions remain secure throughout
the full duration of the session or in the event of a security lapse
the session should require re-authentication.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 2 of 2)
Successful implementation of any response policy and
procedure requires the assignment of responsibilities and training.
Some organizations formalize the response organization with the
creation of a computer security incident response team (CSIRT). The
CSIRT is typically tasked with performing, coordinating, and
supporting responses to security incidents. Due to the wide range of
non-technical issues that are posed by an intrusion, typical CSIRT
membership includes individuals with a wide range of backgrounds and
expertise, from many different areas within the institution. Those
areas include management, legal, public relations, as well as
information technology. Other organizations may outsource some of
the CSIRT functions, such as forensic examinations. When CSIRT
functions are outsourced, institutions should ensure that their
institution's policies are followed by the service provider and
confidentiality of data and systems are maintained.
Institutions can assess best the adequacy of their preparations
While containment strategies between institutions can vary, they
typically contain the following broad elements:
! Isolation of compromised systems, or enhanced monitoring of
! Search for additional compromised systems;
! Collection and preservation of evidence; and
! Communication with effected parties, the primary regulator, and
Restoration strategies should address the following:
! Elimination of an intruder's means of access;
! Restoration of systems, programs and data to known good state;
! Filing of a Suspicious Activity Report (Guidelines for filing are
included in individual agency guidance); and
! Communication with effected parties.
Return to the top of the
INTRUSION DETECTION AND RESPONSE
18. Determine if the information disclosure policy addresses the
appropriate regulatory reporting requirements.
19. Determine if the security policy provides for a provable chain
of custody for the preservation of potential evidence through such
mechanisms as a detailed action and decision log indicating who made
20. Determine if the policy requires all compromised systems to be
restored before reactivation, through either rebuilding with
verified good media or verification of software cryptographic
21. Determine whether all participants in intrusion detection and
responses are trained adequately in the intrusion detection and
response policies, their roles, and the procedures they should take
to implement the policies.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
21. Does the institution provide the
consumer with the following information about the
right to opt out:
a. all the categories of nonpublic personal information that the
institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the
information is disclosed; [§7(a)(2)(i)(A)];
c. that the consumer has the right to opt out of the disclosure of
that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to
which the opt out direction would apply? [§7(a)(2)(i)(B)]