Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
information and to subscribe visit
REMINDER - This week September 13, 2010, I am
attending the ISACA
Information Security and Risk Management Conference in Las
Vegas, Nevada. I look forward to seeing you there.
A quarter of worms designed to spread via USB - A quarter of new
worms this year specifically have been designed to spread through
USB storage devices, researchers said.
RIM gets 60 days reprieve; India evaluates its BlackBerry proposals
- Proposals from Research In Motion (RIM) for lawful access of its
networks by law enforcement agencies in India are being put into
operation immediately, the government said.
Virginia's IT outage continues, 3 agencies still affected - A memory
card within a SAN caused the outage - Several Virginia state
agencies continue to experience problems with data access due to an
outage related to problems in a storage-area network (SAN) that
began last week in a data center run by outsourcer Northrop Grumman.
DARPA seeks assistance with insider threats - The Defense Advanced
Research Projects Agency (DARPA) announced a new program that is
looking for fresh approaches toward insider threat detection on
government and military networks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bad flash drive caused worst U.S. military breach - A malware-laden
flash drive inserted in a laptop at a U.S. military base in the
Middle East in 2008 led to the "most significant breach of" the
nation's military computers ever, according to a new magazine
article by a top defense official.
Zurich Insurance fined £2.3m over customers' data loss - The UK
operation of Zurich Insurance has been fined £2.27m by the Financial
Services Authority (FSA) for losing personal details of 46,000
CAO website targeted for second time - THE CENTRAL Applications
Office (CAO) was forced to shut down its website yesterday after an
early-morning cyber attack resulted in new passwords being issued to
22,000 third-level applicants.
Alleged ring leader extradited in $9.4m RBS WorldPay heist - Like
taking candy from a baby - Federal prosecutors say they have
extradited one of the leaders of an international crime ring accused
of hacking into bank card processor RBS WorldPay and stealing more
than $9.4m in a 12-hour period.
Major retail chain and building society found to be in breach of the
Data Protection Act - Yorkshire Building Society has been found to
be in breach of the Data Protection Act by the Information
Commissioner's Office (ICO).
WEB SITE COMPLIANCE -
This week begins our series
on the FDIC's Supervisory Policy on Identity Theft.
(Part 6 of 6)
President's Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Financial institutions have an affirmative and continuing obligation
to protect the privacy of customers' nonpublic personal information.
Despite generally strong controls and practices by financial
institutions, methods for stealing personal data and committing
fraud with that data are continuously evolving. The FDIC treats the
theft of personal financial information as a significant risk area
due to its potential to impact the safety and soundness of an
institution, harm consumers, and undermine confidence in the banking
system and economy. The FDIC believes that its collaborative efforts
with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Potential Threats To Consider (Part 2 of 2)
Hackers may use "social engineering," a scheme that uses social
techniques to obtain the technical information required to access a
system. A hacker may claim to be someone authorized to access the
system, such as an employee or a certain vendor or contractor. The
hacker may then attempt to get a real employee to reveal user names
or passwords, or even to set up new computer accounts. Another threat
involves the practice of "war-dialing," in which hackers use a
program that automatically dials telephone numbers and searches for
modem lines that bypass network firewalls and other security
measures. A few other common forms of system attack include:
Denial of service (system failure), which is any action preventing a
system from operating as intended. It may be the unauthorized
destruction, modification, or delay of service. For example, in a "SYN
Flood" attack, a system can be flooded with requests to establish a
connection, leaving the system with more open connections than it
can support. Then, legitimate users of the system being attacked are
not allowed to connect until the open connections are closed or can
Internet Protocol (IP) spoofing, which allows an intruder via the
Internet to effectively impersonate a local system's IP address in
an attempt to gain access to that system. If other local systems
perform session authentication based on a connection's IP address,
those systems may misinterpret incoming connections from the
intruder as originating from a local trusted host and not require a
Trojan horses, which are programs that contain additional (hidden)
functions that usually allow malicious or unintended activities. A
Trojan horse program generally performs unintended functions that
may include replacing programs, or collecting, falsifying, or
destroying data. Trojan horses can be attached to e-mails and may
create a "back door" that allows unrestricted access to a system.
The programs may automatically exclude logging and other information
that would allow the intruder to be traced.
Viruses, which are computer programs that may be embedded in other
code and can self-replicate. Once active, they may take unwanted and
unexpected actions that can result in either nondestructive or
destructive outcomes in the host computer programs. The virus
program may also move into multiple platforms, data files, or
devices on a system and spread through multiple systems in a
network. Virus programs may be contained in an e-mail attachment and
become active when the attachment is opened.
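The SYN Flood described above shows up on the target as a pile of half-open connections. As an added example (not from the FDIC paper or this newsletter), the following script summarizes a netstat-style socket listing per local port and flags ports whose half-open count reaches a threshold; the listing, the threshold of 5, and the function names are constructed for illustration, and a high count spread over many distinct peers is the pattern you would expect when the source addresses are spoofed.

```python
"""Flag a SYN-flood pattern in a netstat-style TCP socket listing (added example)."""
from collections import Counter, defaultdict

# Constructed sample in the layout of `netstat -tan` output; NOT a real capture.
# Columns: proto recv-q send-q local-address remote-address state
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:443 203.0.113.10:51512 ESTABLISHED
tcp 0 0 10.0.0.5:443 198.51.100.1:40001 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.2:40002 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.3:40003 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.4:40004 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.5:40005 SYN_RECV
tcp 0 0 10.0.0.5:22 203.0.113.20:52000 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.21:52001 SYN_RECV
"""

def parse_sockets(listing):
    """Yield (local_port, remote_ip, state) for each IPv4 TCP socket line."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue  # skip headers, UDP rows and blank lines
        local, remote, state = fields[3], fields[4], fields[5]
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        yield local_port, remote_ip, state

def half_open_summary(listing):
    """Per local port: (number of SYN_RECV sockets, number of distinct peers)."""
    counts = Counter()
    peers = defaultdict(set)
    for port, remote_ip, state in parse_sockets(listing):
        if state == "SYN_RECV":  # handshake never completed: a half-open connection
            counts[port] += 1
            peers[port].add(remote_ip)
    return {port: (counts[port], len(peers[port])) for port in counts}

def flag_syn_flood(listing, threshold=5):
    """Return local ports whose half-open count reaches the (constructed) threshold."""
    summary = half_open_summary(listing)
    return sorted(port for port, (half_open, _) in summary.items()
                  if half_open >= threshold)

if __name__ == "__main__":
    for port, (half_open, distinct) in half_open_summary(SAMPLE_NETSTAT).items():
        print(f"port {port}: {half_open} half-open from {distinct} peers")
    print("flagged ports:", flag_syn_flood(SAMPLE_NETSTAT))
```

On a real host the threshold would be set relative to the listen backlog of the service, and the listing would come from the live socket table rather than a constant.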
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
2) Does the institution provide a clear and conspicuous notice that
accurately reflects its privacy policies and practices to all
consumers, who are not customers, before any nonpublic
personal information about the consumer is disclosed to a
nonaffiliated third party, other than under an exception in §§14 or