Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
For more information and to subscribe visit http://www.yennik.com/it-review/.
FYI -
Government, industry fall short in sharing cyber threat data -
Auditors say expectations not being met when it comes to sharing
information about threats to U.S. critical infrastructure - The
government isn’t giving industry officials the timely and actionable
information on cyber threats that they expect, nor is industry
always meeting government expectations for sharing cyber threat
data, according to the Government Accountability Office.
http://fcw.com/articles/2010/08/17/web-cybersecurity-information-sharing.aspx?admgarea=TC_SECCYBERSEC
FYI -
Pentagon takes aim at China cyber threat - The U.S. for the first
time is publicly warning about the Chinese military's use of
civilian computer experts in clandestine cyber attacks aimed at
American companies and government agencies.
http://www.washingtonpost.com/wp-dyn/content/article/2010/08/19/AR2010081904629.html
FYI -
No charges in school laptop-spying case - Criminal intent by
Pennsylvania school district could not be proven, prosecutor says -
No criminal charges will be filed against a suburban
Philadelphia school district that secretly snapped tens of thousands
of webcam photographs and screen shots on laptops issued to
students.
http://www.msnbc.msn.com/id/38745166/ns/technology_and_science-security/
FYI -
Calif. breach notification bill going back to the governor - A
California proposed bill that would update the state's pioneering
data breach notification law is heading back to the governor's desk.
http://www.scmagazineus.com/calif-breach-notification-bill-going-back-to-the-governor/article/177253/?DCMP=EMC-SCUS_Newswire
FYI -
Blacklists, clustering and The Matrix - Following on from my
previous discussion of the limitations of blacklisting in dealing
with rapidly evolving threats and their symbiotic relationship with
clustering technologies, let's lift the shroud of the clustering
magic.
http://www.scmagazineus.com/part-two-blacklists-clustering-and-the-matrix/article/177195/?DCMP=EMC-SCUS_Newswire
FYI -
Trojan-ridden warning system implicated in Spanair crash - Malware
may have been a contributory cause of a fatal Spanair crash that
killed 154 people two years ago.
http://www.theregister.co.uk/2010/08/20/spanair_malware/
FYI -
Senators ask Marshals Service why it stores images of full-body
scans - Unhappy Senate lawmakers have asked the U.S. Marshals
Service, an arm of the Justice Department, to explain why it has
stored more than 35,000 whole body imaging scans taken at a federal
courthouse in Florida.
http://www.nextgov.com/nextgov/ng_20100820_1563.php?oref=topnews
FYI -
Police confiscate hardware from VPN provider - VPN provider Perfect
Privacy is reporting that, on Friday morning (August 20th) police
searched a house occupied by a Perfect Privacy network provider. The
search warrant was reportedly issued on suspicion that unknown
perpetrators may have routed potentially criminal communications via
the servers in the German city of Erfurt.
http://www.h-online.com/security/news/item/Police-confiscate-hardware-from-VPN-provider-1063742.html
FYI -
Visa Top 10 Best Practices for Payment Application - Recent payment
card data compromises have demonstrated the critical need for
payment application companies to maintain mature software processes
for their customers that go beyond Payment Application Data Security
Standard (PA-DSS) compliant software.
http://usa.visa.com/download/merchants/bulletin_payment_app_companies_best_practices.pdf
FYI -
Social engineering - No school like old school: Crushing your
pretext calling risks - Getting all the dirt on someone used to be
easy for any savvy investigator.
http://www.scmagazineus.com/social-engineering-part-1-no-school-like-old-school-crushing-your-pretext-calling-risks/article/174765/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Hackers steal customer data by accessing supermarket database -
Hackers stole customer data from eight online supermarkets in Japan,
including Uny Co. and Neo Beat Co, in July using a hacking technique
called SQL injection to access their databases, sources familiar
with the matter said.
http://www.japantoday.com/category/crime/view/hackers-steal-customer-data-by-accessing-supermarket-database
FYI -
Stolen UConn laptop contained applicants' personal information - A
laptop containing sensitive data from University of Connecticut
applications recently was stolen.
http://www.scmagazineus.com/stolen-uconn-laptop-contained-applicants-personal-information/article/177249/?DCMP=EMC-SCUS_Newswire
FYI -
Cybercriminals Bilked Calgary Company of $1.8 Million In Payment
Card Scam - Authorities investigating whether one of the suspects
arrested is infamous hacker 'The Analyzer' - The U.S. Secret Service
and Canadian authorities have busted a credit- and debit-card fraud
ring that stole nearly $2 million from a Calgary-based short-term
credit and financial services firm by falsifying the value of
prepaid debit cards offered by the company, according to reports.
http://darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226900085&subSection=Attacks/breaches
FYI -
Bad flash drive caused worst U.S. military breach - A malware-laden
flash drive inserted in a laptop at a U.S. military base in the
Middle East in 2008 led to the "most significant breach of" the
nation's military computers ever, according to a new magazine
article by a top defense official.
http://news.cnet.com/8301-27080_3-20014732-245.html
WEB SITE COMPLIANCE -
This week begins our series on the FDIC's Supervisory Policy on Identity Theft.
(Part 5 of 6)
Consumer Education
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
themselves.
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposium series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be
an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Potential Threats To Consider (Part 1 of 2)
Serious hackers, interested computer novices, dishonest vendors or
competitors, disgruntled current or former employees, organized
crime, or even agents of espionage pose a potential threat to an
institution's computer security. The Internet provides a wealth of
information to banks and hackers alike on known security flaws in
hardware and software. Using almost any search engine, average
Internet users can quickly find information describing how to break
into various systems by exploiting known security flaws and software
bugs. Hackers also may breach security by misusing vulnerability
assessment tools to probe network systems, then exploiting any
identified weaknesses to gain unauthorized access to a system.
Internal misuse of information systems remains an ever-present
security threat.
Many break-ins or insider misuses of information occur due to poor
security programs. Hackers often exploit well-known weaknesses and
security defects in operating systems that have not been
appropriately addressed by the institution. Inadequate maintenance
and improper system design may also allow hackers to exploit a
security system. New security risks arise from evolving attack
methods or newly detected holes and bugs in existing software and
hardware. Also, new risks may be introduced as systems are altered
or upgraded, or through the improper setup of available
security-related tools. An institution needs to stay abreast of new
security threats and vulnerabilities. It is equally important to
keep up to date on the latest security patches and version upgrades
that are available to fix security flaws and bugs. Information
security and relevant vendor Web sites contain much of this
information.
Systems can be vulnerable to a variety of threats, including the
misuse or theft of passwords. Hackers may use password cracking
programs to figure out poorly selected passwords. The passwords may
then be used to access other parts of the system. By monitoring
network traffic, unauthorized users can easily steal unencrypted
passwords. The theft of passwords is more difficult if they are
encrypted. Employees or hackers may also attempt to compromise
system administrator access (root access), tamper with critical
files, read confidential e-mail, or initiate unauthorized e-mails or
transactions.
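The paragraph above names two password weaknesses an institution can act on directly: poorly selected passwords that a cracking program guesses quickly, and password material that is stored or transmitted in the clear. The following Python is an added illustration, not code from the FDIC paper or this newsletter, and its wordlist and thresholds are constructed for the example: it screens a candidate password against a small list of common choices (including the "common word plus a digit" pattern) and stores only a salted, iterated PBKDF2 hash, so that a copied verifier file does not hand an attacker reusable passwords.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real audit would use a full cracking dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Constructed policy threshold for the example.
MIN_LENGTH = 12


def is_poorly_selected(password: str) -> bool:
    """Return True for passwords a cracking program would try first:
    too short, on the common-password list, or a common word with a
    trivial digit/punctuation suffix (e.g. "Welcome1!")."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return True
    if lowered in COMMON_PASSWORDS:
        return True
    # Strip the trailing digits and "!" that users commonly append to a dictionary word.
    if lowered.rstrip("0123456789!") in COMMON_PASSWORDS:
        return True
    return False


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> dict:
    """Produce a storable verifier: random per-user salt plus PBKDF2-HMAC-SHA256.
    The plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the verifier from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for candidate in ("password123", "Welcome1!", "correct horse battery staple"):
        print(f"{candidate!r}: poorly selected = {is_poorly_selected(candidate)}")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Correct horse battery staple", record))
```

The screening function is what an institution would run at password-change time; the hashing routine is the storage side. Neither addresses passwords captured on the wire, which the paper covers separately: that requires encrypting the session itself, and no storage scheme substitutes for it.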
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices to all
customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1)]
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])