Spending less than 5 minutes a week, along with a cup of coffee,
you can monitor your IT security as required by the FDIC, OCC, FRB,
FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smart phones
and tablets. Go to the Market Store and search for yennik.
FYI
- DHS partners with Boys & Girls Clubs of America on cybersecurity -
The U.S. Department of Homeland Security will partner with over four
million members of Boys & Girls Clubs of America to heighten
cybersecurity, the DHS announced on Friday.
http://www.msnbc.msn.com/id/44289394/ns/us_news/t/dhs-partners-boys-girls-clubs-america-cybersecurity/
FYI
- Account takeover still common, but getting detected faster - Banks
are still getting hit hard by hackers who take over corporate
accounts, but financial institutions are doing a better job at
spotting the fraud before any money is drained out, according to a
new survey.
http://www.scmagazineus.com/account-takeover-still-common-but-getting-detected-faster/article/210535/?DCMP=EMC-SCUS_Newswire
FYI
- Lawsuit accuses comScore of extensive privacy violations - Online
tracking firm surreptitiously siphons personal data, changes
security settings on computers, suit alleges - A proposed
class-action lawsuit filed in federal court in Chicago on Tuesday
accuses online tracking and analytics firm comScore of
surreptitiously collecting Social Security numbers, credit card
numbers, passwords and other data from consumer systems.
http://www.computerworld.com/s/article/9219444/Lawsuit_accuses_comScore_of_extensive_privacy_violations
FYI
- Social media talks about rioting 'constructive' - The government
and police have not sought any new powers to shut social networks,
the Home Office said after a meeting with industry representatives.
http://www.bbc.co.uk/news/uk-14657456
FYI
- Student hacker gets 30 days, $15,000 fine - A 21-year-old Tesoro
High School graduate who broke into his school repeatedly to change
grades and steal tests three years ago was sentenced Friday to 30
days in jail and ordered to pay nearly $15,000 in restitution under
a plea agreement.
http://articles.ocregister.com/2011-08-26/news/29936687_1_plea-agreement-plea-deal-service-projects
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Maine admits to data breach of voter registration system - Maine’s
Central Voter Registration (CVS) has been breached, potentially
exposing personal information on close to one million registered
voters.
http://www.infosecurity-us.com/view/20335/
FYI
- Hacker Exposes US Government Staff Log-ins - A hacker has posted
the log-in details of 20,000 people, many of whom are US government
employees - A single hacker has successfully penetrated an events
management company and obtained sensitive information belonging to
20,000 individuals, many of whom were United States government
contractors or employees.
http://www.eweekeurope.co.uk/news/hacker-exposes-us-government-staff-log-ins-37838
FYI
- Agency sends contractors' day rates to 800 RBS staff - People's
bank sacks inhouse, pays £2k/day to outhousers - Recruitment agency
Hays has committed a massive blunder at the Royal Bank of Scotland.
http://www.theregister.co.uk/2011/08/24/hays_rbs_email_fail/
FYI
- U.S. battery firms reportedly targeted in online attack - The FBI
is investigating denial-of-service attacks targeting several U.S.
battery retail Web sites last year that were traced to computers at
Russian domains in what looks like a corporate-sabotage campaign,
according to documents published yesterday by The Smoking Gun.
http://news.cnet.com/8301-1009_3-20096068-83/u.s-battery-firms-reportedly-targeted-in-online-attack/
FYI
- Coordinated ATM Heist Nets Thieves $13M - An international
cybercrime gang stole $13 million from a Florida-based financial
institution earlier this year, by executing a highly-coordinated
heist in which thieves used ATMs around the globe to cash out stolen
prepaid debit cards, KrebsOnSecurity has learned.
http://krebsonsecurity.com/2011/08/coordinated-atm-heist-nets-thieves-13m/
FYI
- Hackers penetrate website for Nokia developers - Named and shamed
by Homer Simpson - Nokia suffered an embarrassing security breach
over the weekend when hackers penetrated one of its community
websites and accessed names, email addresses, and other information
belonging to developers of smartphone apps.
http://www.theregister.co.uk/2011/08/29/nokia_website_hacked/
FYI
- Detective suspended after thieves steal vital police data from his
home - A detective has been suspended after a memory stick
containing details of people who have tipped off police was stolen
in a burglary at his home.
http://www.dailymail.co.uk/news/article-2030949/Detective-suspended-thieves-steal-vital-police-data-home.html
WEB SITE COMPLIANCE - This week continues our series on the FDIC's
Supervisory Policy on Identity Theft. (Part 4 of 6)
Supervisory Action
As a result of guidelines issued by the FDIC, together with other
federal agencies, financial institutions are required to develop and
implement a written program to safeguard customer information,
including the proper disposal of consumer information (Security
Guidelines). The FDIC considers this programmatic requirement to be
one of the foundations of identity theft prevention. In guidance
that became effective on January 1, 2007, the federal banking
agencies made it clear that they expect institutions to use stronger
and more reliable methods to authenticate the identity of customers
using electronic banking systems. Moreover, the FDIC has also issued
guidance stating that financial institutions are expected to notify
customers of unauthorized access to sensitive customer information
under certain circumstances. The FDIC has issued a number of other
supervisory guidance documents articulating its position and
expectations concerning identity theft. Industry compliance with
these expectations will help to prevent and mitigate the effects of
identity theft.
Risk management examiners trained in information technology (IT) and
the requirements of the Bank Secrecy Act (BSA) evaluate a number of
aspects of a bank's operations that raise identity theft issues. IT
examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the Fair
Credit Reporting Act (FCRA), through the auspices of the Federal
Financial Institutions Examination Council's (FFIEC) Consumer
Compliance Task Force. These procedures are used during consumer
compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
BSA.
The Fair and Accurate Credit Transactions Act directed the FDIC and
other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Services and Configuration
Firewalls may provide some additional services:
- Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
schemes of its trusted network from untrusted networks.
- Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
- Virtual Private Network (VPN) gateways - A VPN gateway provides an
encrypted tunnel between a remote external gateway and the internal
network. Placing VPN capability on the firewall and the remote
gateway protects information from disclosure between the gateways
but not from the gateway to the terminating machines. Placement on
the firewall, however, allows the firewall to inspect the traffic
and perform access control, logging, and malicious code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution's private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution's internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure
that an institution's computer systems are not directly accessible
to anyone on the Internet.
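The two-firewall DMZ layout described above can be checked mechanically.
The following is an added example, not part of the FFIEC booklet or this
newsletter: it models each firewall as a default-deny allow list and
reports any port that both firewalls pass from the Internet straight to
the internal network. The zone names, ports and rule sets are constructed
for illustration.

```python
ANY = "any"  # wildcard for a zone or a port (assumed rule syntax)

def allowed_ports(rules, src, dst):
    """Ports an allow-list (default-deny) firewall passes from zone src to zone dst."""
    return {port for (rule_src, rule_dst, port) in rules
            if rule_src in (ANY, src) and rule_dst in (ANY, dst)}

def both_pass(a, b):
    """Ports present in both sets, treating ANY as 'every port'."""
    if ANY in a and ANY in b:
        return {ANY}
    if ANY in a:
        return set(b)
    if ANY in b:
        return set(a)
    return a & b

def audit(outer, inner):
    """Report what each security domain can reach through the two firewalls."""
    # A packet from the Internet to the internal network crosses both
    # firewalls, so it gets through only if each one has a matching rule.
    direct = both_pass(allowed_ports(outer, "internet", "internal"),
                       allowed_ports(inner, "internet", "internal"))
    return {
        "internet_to_dmz": sorted(allowed_ports(outer, "internet", "dmz"), key=str),
        "dmz_to_internal": sorted(allowed_ports(inner, "dmz", "internal"), key=str),
        # Must be empty: internal systems are not directly reachable.
        "internet_to_internal": sorted(direct, key=str),
    }

# Constructed rule sets: (source zone, destination zone, port).
# Weak: leftover wildcard rules on both firewalls line up on port 3389.
WEAK_OUTER = [("internet", "dmz", 443), (ANY, ANY, 3389)]
WEAK_INNER = [("dmz", "internal", 1433), (ANY, "internal", 3389)]
# Hardened: each firewall names only the adjacent domains it connects.
HARDENED_OUTER = [("internet", "dmz", 443)]
HARDENED_INNER = [("dmz", "internal", 1433)]

if __name__ == "__main__":
    for name, outer, inner in [("weak", WEAK_OUTER, WEAK_INNER),
                               ("hardened", HARDENED_OUTER, HARDENED_INNER)]:
        print(name, audit(outer, inner))
```

A non-empty "internet_to_internal" list means the DMZ is no longer acting as a separate security domain for those ports.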
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
customers.
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a financial
institution's evaluation or brokerage of information that the
institution collects in connection with a request or an application
from a consumer for a financial product or service. For example, a
financial service includes a lender's evaluation of an application
for a consumer loan or for opening a deposit account even if the
application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer relationship" with a
financial institution. A "customer relationship" is a continuing
relationship between a consumer and a financial institution under
which the institution provides one or more financial products or
services to the consumer that are to be used primarily for personal,
family, or household purposes.