REMINDER - The Information
Security and Risk Management Conference is being held September
28-30, 2009 in Las Vegas, Nevada. This is a great conference that I
highly recommend. For more information and to register, please go to
Incompetence a bigger IT security threat than malign insiders -
Accidental security incidents involving workers happen more
frequently and have the greater potential for negative impact than
malicious insider attacks, according to new research from RSA.
FBI investigating mystery laptops sent to governors - There may be a
new type of Trojan Horse attack to worry about - The U.S. Federal
Bureau of Investigation is trying to figure out who sent five
Hewlett-Packard laptop computers to West Virginia Governor Joe
Mahchin a few weeks ago, with state officials worried that they may
contain malicious software.
Twitter fails to fix massive cross-site scripting bug, researcher
says - Hackers can hijack accounts more easily by getting people to
view a tweet, he says - A vulnerability in Twitter Inc.'s popular
microblogging service remains unfixed and can be used by criminals
to hijack accounts or redirect users to malicious Web sites, a
Phishing Attacks on the Wane - Phishing attacks have fallen out of
favor among cyber crooks who make a living stealing personal and
financial information, according to a report released this week by
IBM. Instead, attackers increasingly are using malicious Web links
and password-stealing Trojan horse programs to filch information
from victims, the company found.
DHS Clarifies Laptop Border Searches - The new rules leave open the
possibility that travelers may face penalties for refusing to
provide passwords or encryption keys. The Department of Homeland
Security on Thursday released new directives covering border
searches of electronic devices and media, but the government's rules
leave open the question of whether individuals can be compelled to
provide passwords and encryption keys.
Security test prompts federal fraud alert - A sanctioned security
test of a bank's computer systems had some unexpected consequences
this week, leading the federal agency that oversees U.S. credit
unions to issue a fraud alert.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Home Office data loss included drug records - The Home Office has
confirmed that the volume of data on a lost memory stick was much
larger than originally reported.
Top hacker arrested - A top hacker has been arrested for
manipulating 100,000 computers. Chinese news service Xinhua is
reporting the tale of the super hacker who formed a 'corpse network'
of some 100,000 computers, and used them to do his foul bidding.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Principle 3: Banks should ensure that appropriate measures
are in place to promote adequate segregation of duties within
e-banking systems, databases and applications.
Segregation of duties is
a basic internal control measure designed to reduce the risk of
fraud in operational processes and systems and ensure that
transactions and company assets are properly authorized, recorded
and safeguarded. Segregation of duties is critical to ensuring the
accuracy and integrity of data and is used to prevent the
perpetration of fraud by an individual. If duties are adequately
separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties are established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to
ensure that no single employee/outsourced service provider could
enter, authorize and complete a transaction.
2) Segregation should be maintained between those initiating
static data (including web page content) and those responsible for
verifying its integrity.
3) E-banking systems should be tested to ensure that
segregation of duties cannot be bypassed.
4) Segregation should be maintained between those developing
and those administrating e-banking systems.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
INSURANCE (Part 1 of 2)
Financial institutions have used insurance coverage as an effective
method to transfer risks from themselves to insurance carriers.
Insurance coverage is increasingly available to cover risks from
security breaches or denial of service attacks. For example, several
insurance companies offer e - commerce insurance packages that can
reimburse financial institutions for losses from fraud, privacy
breaches, system downtime, or incident response. When evaluating the
need for insurance to cover information security threats, financial
institutions should understand the following points:
! Insurance is not a substitute for an effective security program.
! Traditional fidelity bond coverage may not protect from losses
related to security intrusions.
! Availability, cost, and covered risks vary by insurance company.
! Availability of new insurance products creates a more dynamic
environment for these factors.
! Insurance cannot adequately cover the reputation and compliance
risk related to customer relationships and privacy.
! Insurance companies typically require companies to certify that
certain security practices are in place.
the top of the newsletter
IT SECURITY QUESTION:
SERVICE PROVIDER OVERSIGHT-SECURITY
6. Determine if institution oversight of third party provider
security controls is adequate.
7. Determine if any third party provider access to the institution's
system is controlled according to "Authentication and Access
Controls" and "Network Security" procedures.
8. Determine if the contract requires secure remote communications,
9. Determine if the institution appropriately assessed the third
party provider's procedures for hiring and monitoring personnel who
have access to the institution's systems and data.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
23. If the institution delivers the opt out notice after the initial
notice, does the institution provide the initial notice once again
with the opt out notice? [§7(c)]
24. Does the institution provide an opt out notice, explaining how
the institution will treat opt out directions by the joint
consumers, to at least one party in a joint consumer relationship?