REMINDER - The Information
Security and Risk Management Conference is being held September
28-30, 2009 in Las Vegas, Nevada. This is a great conference that I
highly recommend. For more information and to register, please go to
FTC Finalizes Rules On Health Care Breach Disclosure - Organizations
will be required to notify patients of breaches, even if they are
not bound by HIPAA - The Federal Trade Commission yesterday issued a
final rule that will require Web-based businesses to notify
consumers when the security of their electronic health information
has been breached.
USDA unit bans browsers other than Internet Explorer - An
Agriculture Department agency has begun enforcing a policy banning
the use of Web browsers other than Microsoft's Internet Explorer, to
the surprise of employees who rely on other browsers, such as
Mozilla's Firefox, to help in developing Web sites for public use.
Employers block more social networking sites - Employers are
gradually tightening the reins on which websites their staff can
view and are increasingly choosing to block access to popular social
Besieged by attacks, AT&T dumps celebrity hacker - The perils of
being Kevin Mitnick - Over the years, Kevin Mitnick has gotten used
to the attacks on his website and cell phone account that routinely
result from being a convicted hacker turned security expert. What he
finds much harder to stomach is the treatment he's getting from his
West Africa net service restored - The cause of the fault has not
been revealed - A cable fault that caused a major blackout of
internet services across West Africa has been repaired. The damage
was discovered 25km (15 miles) off the coast of Benin on a branch of
the SAT-3 cable, which connects Europe to South Africa.
"Dirtiest" websites host average 18,000 threats - The most dangerous
sites on the web are propagating an average of 18,000 different
pieces of malware, according to Symantec.
Do you know where your user IDs and passwords are? - Surprisingly, a
majority of enterprises still use IDs and passwords as their only
standard authentication criteria. This is true among many industries
and companies of all sizes. Unfortunately, there are many reasons
why this is no longer adequate in an enterprise environment.
ISP criticised for distributing the same password to all new users
with no firm instruction to change it - A European ISP has admitted
that all new subscribers are given the same password. The Dutch
branch of Tele2 claimed that when a new subscriber signs up, they
can choose a login or are assigned one and they are then sent a
letter by Tele2 with their login name, password and the date their
new DSL connection will be activated.
Hackers rest over summer, pounce during Christmas - The summer
season could end up with fewer cyberattacks because companies are
less likely to be targeted now than other vacation periods, a new
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Data breach affected 'limited' number of sites, guests - Radisson
Hotels revealed that a "limited" number of guests may have had their
credit or debit card data stolen, due to a breach of the computer
systems at some of the chain's hotels.
Identity fraud ring busted in New York - Members of an alleged fraud
ring have been arraigned in New York, charged with stealing
identities and obtaining $22 million of wireless phone equipment and
London hospital recovers from Conficker outbreak - An east London
hospital has confirmed its computer systems were infected by the
Conficker worm earlier this month. Whipps Cross University Hospital
NHS Trust stressed that the outbreak affected only administrative
systems, causing minor inconvenience, and did not affect patient
care. Systems have since been restored to normal.
Hacker pleads guilty in massive bank fraud case - Hacker Ehud
Tenenbaum has pleaded guilty in connection to charges of fraud that
netted millions of dollars from banks in Indiana, Florida, Texas and
California, according to the U.S. Attorney's office in New York.
Bernanke Victimized by Identity Fraud Ring - According to court
documents, the Fed chairman and his wife were swindled in 2008 by a
skilled team of crooks.
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Principle 2: Banks should use transaction authentication methods
that promote non-repudiation and establish accountability for
creating proof of the origin or delivery of electronic information
to protect the sender against false denial by the recipient that the
data has been received, or to protect the recipient against false
denial by the sender that the data has been sent. Risk of
transaction repudiation is already an issue with conventional
transactions such as credit cards or securities transactions.
However, e-banking heightens this risk because of the difficulties
of positively authenticating the identities and authority of parties
initiating transactions, the potential for altering or hijacking
electronic transactions, and the potential for e-banking users to
claim that transactions were fraudulently altered.
To address these
heightened concerns, banks need to make reasonable efforts,
commensurate with the materiality and type of the e-banking
transaction, to ensure that:
1) E-banking systems are designed to reduce the likelihood that
authorized users will initiate unintended transactions and that
customers fully understand the risks associated with any
transactions they initiate.
2) All parties to the transaction are positively authenticated
and control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration
and any alteration is detectable.
Banking organizations have begun to employ various techniques that
help establish non-repudiation and ensure confidentiality and
integrity of e-banking transactions, such as digital certificates
using public key infrastructure (PKI).
A bank may issue a digital certificate to a customer or
counterparty to allow for their unique identification/authentication
and reduce the risk of transaction repudiation. Although in some
countries customers' rights to disclaim transactions are provided
in specific legal provisions, legislation has been passed in certain
national jurisdictions making digital signatures legally
enforceable. Wider global legal acceptance of such techniques is
likely as technology continues to evolve.
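As an added illustration of the non-repudiation and alteration-detection controls described above (example code written for this page, not part of the Basel Committee document or any bank's system; the Transaction record, its field names and the sample values are constructed), the customer signs a digest of the transaction with an ECDSA private key and the bank verifies it with the public key from the customer's certificate, so a record altered after signing fails the check:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed e-banking transfer record, not a real bank format.
// Nonce is unique per transaction so a signed record cannot be replayed later.
type Transaction struct {
	ID, From, To, Nonce string
	Amount              int64 // in cents
}

// digest serialises the record in a fixed field order and hashes it, so the
// signature binds every field. Marshal cannot fail for this plain struct.
func digest(tx Transaction) []byte {
	b, _ := json.Marshal(tx)
	h := sha256.Sum256(b)
	return h[:]
}

// Sign is the customer's side: an ECDSA signature made with the private key
// that only the customer holds, which is what makes later denial of origin hard.
func Sign(priv *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(tx))
}

// Verify is the bank's side: check with the public key from the customer's
// certificate; any altered field changes the digest and the check fails.
func Verify(pub *ecdsa.PublicKey, tx Transaction, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(tx), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tx := Transaction{ID: "tx-1001", From: "acct-A", To: "acct-B", Amount: 25000, Nonce: "n-7f3a"}
	sig, _ := Sign(priv, tx)
	tampered := tx
	tampered.Amount = 2500000 // amount altered after signing
	fmt.Println("original:", Verify(&priv.PublicKey, tx, sig))       // true
	fmt.Println("tampered:", Verify(&priv.PublicKey, tampered, sig)) // false
}
```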
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
BUSINESS CONTINUITY CONSIDERATIONS
Events that trigger the implementation of a business continuity plan
may have significant security considerations. Depending on the
event, some or all of the elements of the security environment may
change. Different people may be involved in operations, at a
different physical location, using similar but different machines
and software which may communicate over different communications
lines. Depending on the event, different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a
different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part of
the security process. Risk assessments should consider the changing
risks that appear in business continuity scenarios and the different
security posture that may be established. Strategies should consider
the different risk environment and the degree of risk mitigation
necessary to protect the institution in the event the continuity
plans must be implemented. The implementation should consider the
training of appropriate personnel in their security roles, and the
implementation and updating of technologies and plans for back-up
sites and communications networks. Testing these security
considerations should be integrated with the testing of business
continuity plan implementations.
SERVICE PROVIDER OVERSIGHT-SECURITY
1. Determine if contracts contain security requirements that at
least meet the objectives of the Section 501(b) GLBA security
guidelines and contain nondisclosure language regarding specific
2. Determine whether the institution has assessed the service
provider's ability to meet contractual security requirements.
3. Determine whether appropriate controls exist over the
substitution of personnel on the institution's projects and
4. Determine whether appropriate security testing is required and
performed on any code, system, or service delivered under the
5. Determine whether appropriate reporting of security incidents is
required under the contract.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
22. Does the institution provide the consumer with at least one of
the following reasonable means of opting out, or with another
a. check-off boxes prominently displayed on the relevant forms with
the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent
via electronic mail or a process at the institution's web site, if
the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)]
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
institution may require the consumer to use one specific means, as
long as that means is reasonable for that consumer. [§7(a)(iv)])