Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- DHS partners with Boys & Girls Clubs of America on cybersecurity -
The U.S. Department of Homeland Security will partner with over four
million members of Boys & Girls Clubs of America to heighten
cybersecurity, the DHS announced on Friday.
- Account takeover still common, but getting detected faster - Banks
are still getting hit hard by hackers who take over corporate
accounts, but financial institutions are doing a better job at
spotting the fraud before any money is drained out, according to a
- Lawsuit accuses comScore of extensive privacy violations - Online
tracking firm surreptitiously siphons personal data, changes
security settings on computers, suit alleges - A proposed
class-action lawsuit filed in federal court in Chicago on Tuesday
accuses online tracking and analytics firm comScore of
surreptitiously collecting Social Security numbers, credit card
numbers, passwords and other data from consumer systems.
- Social media talks about rioting 'constructive' - The government
and police have not sought any new powers to shut social networks,
the Home Office said after a meeting with industry representatives.
- Student hacker gets 30 days, $15,000 fine - A 21-year-old Tesoro
High School graduate who broke into his school repeatedly to change
grades and steal tests three years ago was sentenced Friday to 30
days in jail and ordered to pay nearly $15,000 in restitution under
a plea agreement. http://articles.ocregister.com/2011-08-26/news/29936687_1_plea-agreement-plea-deal-service-projects
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Maine admits to data breach of voter registration system - Maine’s
Central Voter Registration (CVS) has been breached, potentially
exposing personal information on close to one million registered
- Hacker Exposes US Government Staff Log-ins - A hacker has posted
the log-in details of 20,000 people, many of whom are US government
employees - A single hacker has successfully penetrated an events
management company and obtained sensitive information belonging to
20,000 individuals, many of whom were United States government
contractors or employees.
- Agency sends contractors' day rates to 800 RBS staff - People's
bank sacks inhouse, pays £2k/day to outhousers - Recruitment agency
Hays has committed a massive blunder at the Royal Bank of Scotland.
- U.S. battery firms reportedly targeted in online attack - The FBI
is investigating denial-of-service attacks targeting several U.S.
battery retail Web sites last year that were traced to computers at
Russian domains in what looks like a corporate-sabotage campaign,
according to documents published yesterday by The Smoking Gun.
- Coordinated ATM Heist Nets Thieves $13M - An international
cybercrime gang stole $13 million from a Florida-based financial
institution earlier this year, by executing a highly-coordinated
heist in which thieves used ATMs around the globe to cash out stolen
prepaid debit cards, KrebsOnSecurity has learned.
- Hackers penetrate website for Nokia developers - Named and shamed
by Homer Simpson - Nokia suffered an embarrassing security breach
over the weekend when hackers penetrated one of its community
websites and accessed names, email addresses, and other information
belonging to developers of smartphone apps.
- Detective suspended after thieves steal vital police data from his
home - A detective has been suspended after a memory stick
containing details of people who have tipped off police was stolen
in a burglary at his home.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our
series on the FDIC's Supervisory Policy on Identity Theft.
4 of 6)
As a result of guidelines issued by the FDIC, together with other
federal agencies, financial institutions are required to develop and
implement a written program to safeguard customer information,
including the proper disposal of consumer information (Security
Guidelines).5 The FDIC considers this programmatic requirement to be
one of the foundations of identity theft prevention. In guidance
that became effective on January 1, 2007, the federal banking
agencies made it clear that they expect institutions to use stronger
and more reliable methods to authenticate the identity of customers
using electronic banking systems. Moreover, the FDIC has also issued
guidance stating that financial institutions are expected to notify
customers of unauthorized access to sensitive customer information
under certain circumstances. The FDIC has issued a number of other
supervisory guidance documents articulating its position and
expectations concerning identity theft. Industry compliance with
these expectations will help to prevent and mitigate the effects of
Risk management examiners trained in information technology (IT) and
the requirements of the Bank Secrecy Act (BSA) evaluate a number of
aspects of a bank's operations that raise identity theft issues. IT
examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the Fair
Credit Reporting Act (FCRA), through the auspices of the Federal
Financial Institutions Examination Council's (FFIEC) Consumer
Compliance Task Force. These procedures are used during consumer
compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
The Fair and Accurate Credit Transactions Act directed the FDIC and
other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Services and Configuration
Firewalls may provide some additional services:
! Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
schemes of its trusted network from untrusted networks.
! Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
! Virtual Private Network (VPN) gateways - A VPN gateway provides an
encrypted tunnel between a remote external gateway and the internal
network. Placing VPN capability on the firewall and the remote
gateway protects information from disclosure between the gateways
but not from the gateway to the terminating machines. Placement on
the firewall, however, allows the firewall to inspect the traffic
and perform access control, logging, and malicious code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution's private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution's internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure
that an institution's computer systems are not directly accessible
to any on the Internet.
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a financial
institution's evaluation or brokerage of information that the
institution collects in connection with a request or an application
from a consumer for a financial product or service. For example, a
financial service includes a lender's evaluation of an application
for a consumer loan or for opening a deposit account even if the
application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer relationship" with a
financial institution. A "customer relationship" is a continuing
relationship between a consumer and a financial institution under
which the institution provides one or more financial products or
services to the consumer that are to be used primarily for personal,
family, or household purposes.