Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
information and to subscribe visit
Government, industry fall short in sharing cyber threat data -
Auditors say expectations not being met when it comes to sharing
information about threats to U.S. critical infrastructure - The
government isn’t giving industry officials the timely and actionable
information on cyber threats that they expect, nor is industry
always meeting government expectations for sharing cyber threat
data, according to the Government Accountability Office.
Pentagon takes aim at China cyber threat - The U.S. for the first
time is publicly warning about the Chinese military's use of
civilian computer experts in clandestine cyber attacks aimed at
American companies and government agencies.
No charges in school laptop-spying case - Criminal intent by
Pennsylvania school district could not be proven, prosecutor says
Advertisement - No criminal charges will be filed against a suburban
Philadelphia school district that secretly snapped tens of thousands
of webcam photographs and screen shots on laptops issued to
Calif. breach notification bill going back to the governor - A
California proposed bill that would update the state's pioneering
data breach notification law is heading back to the governor's desk.
Blacklists, clustering and The Matrix - Following on from my
previous discussion of the limitations of blacklisting in dealing
with rapidly evolving threats and their symbiotic relationship with
clustering technologies, let's lift the shroud of the clustering
Trojan-ridden warning system implicated in Spanair crash - Malware
may have been a contributory cause of a fatal Spanair crash that
killed 154 people two years ago.
Senators ask Marshals Service why it stores images of full-body
scans - Unhappy Senate lawmakers have asked the U.S. Marshals
Service, an arm of the Justice Department, to explain why it has
stored more than 35,000 whole body imaging scans taken at a federal
courthouse in Florida.
Police confiscate hardware from VPN provider - VPN provider Perfect
Privacy is reporting that, on Friday morning (August 20th) police
searched a house occupied by a Perfect Privacy network provider. The
search warrant was reportedly issued on suspicion that unknown
perpetrators may have routed potentially criminal communications via
the servers in the German city of Erfurt.
Visa Top 10 Best Practices for Payment Application - Recent payment
card data compromises have demonstrated the critical need for
payment application companies to maintain mature software processes
for their customers that go beyond Payment Application Data Security
Standard (PA-DSS) compliant software.
Social engineering - No school like old school: Crushing your
pretext calling risks - Getting all the dirt on someone used to be
easy for any savvy investigator.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hackers steal customer data by accessing supermarket database -
Hackers stole customer data from eight online supermarkets in Japan,
including Uny Co. and Neo Beat Co, in July using a hacking technique
called SQL injection to access their databases, sources familiar
with the matter said.
Stolen UConn laptop contained applicants' personal information - A
laptop containing sensitive data from University of Connecticut
applications recently was stolen.
Cybercriminals Bilked Calgary Company of $1.8 Million In Payment
Card Scam - Authorities investigating whether one of the suspects
arrested is infamous hacker 'The Analyzer' - The U.S. Secret Service
and Canadian authorities have busted a credit- and debit-card fraud
ring that stole nearly $2 million from a Calgary-based short-term
credit and financial services firm by falsifying the value of
prepaid debit cards offered by the company, according to reports.
Bad flash drive caused worst U.S. military breach - A malware-laden
flash drive inserted in a laptop at a U.S. military base in the
Middle East in 2008 led to the "most significant breach of" the
nation's military computers ever, according to a new magazine
article by a top defense official.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week begins our series
on the FDIC's Supervisory Policy on Identity Theft.
5 of 6)
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposia series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be
an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices or Information System Security."
Potential Threats To Consider (Part 1 of 2)
Serious hackers, interested computer novices, dishonest vendors or
competitors, disgruntled current or former employees, organized
crime, or even agents of espionage pose a potential threat to an
institution's computer security. The Internet provides a wealth of
information to banks and hackers alike on known security flaws in
hardware and software. Using almost any search engine, average
Internet users can quickly find information describing how to break
into various systems by exploiting known security flaws and software
bugs. Hackers also may breach security by misusing vulnerability
assessment tools to probe network systems, then exploiting any
identified weaknesses to gain unauthorized access to a system.
Internal misuse of information systems remains an ever-present
Many break-ins or insider misuses of information occur due to poor
security programs. Hackers often exploit well-known weaknesses and
security defects in operating systems that have not been
appropriately addressed by the institution. Inadequate maintenance
and improper system design may also allow hackers to exploit a
security system. New security risks arise from evolving attack
methods or newly detected holes and bugs in existing software and
hardware. Also, new risks may be introduced as systems are altered
or upgraded, or through the improper setup of available
security-related tools. An institution needs to stay abreast of new
security threats and vulnerabilities. It is equally important to
keep up to date on the latest security patches and version upgrades
that are available to fix security flaws and bugs. Information
security and relevant vendor Web sites contain much of this
Systems can be vulnerable to a variety of threats, including the
misuse or theft of passwords. Hackers may use password cracking
programs to figure out poorly selected passwords. The passwords may
then be used to access other parts of the system. By monitoring
network traffic, unauthorized users can easily steal unencrypted
passwords. The theft of passwords is more difficult if they are
encrypted. Employees or hackers may also attempt to compromise
system administrator access (root access), tamper with critical
files, read confidential e-mail, or initiate unauthorized e-mails or
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices to all
customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1))]?
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])