Spending less than 5 minutes a week along with a cup of coffee, you can
monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA,
NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
REMINDER - This week, September 19, 2011, I am
attending the ISACA
Information Security and Risk Management Conference in Las
Vegas, Nevada. I look forward to seeing you there.
FYI
- Justice Dept. loses round in warrantless phone tracking - The
American Civil Liberties Union is touting its victory in a case
against the Department of Justice over alleged mobile phone
tracking.
http://news.cnet.com/8301-1009_3-20102518-83/justice-dept-loses-round-in-warrantless-phone-tracking/?tag=mncol;title
FYI
- Court Approves Lawsuit Against Toyota Over Cyberstalking Ad Stunt
- A woman who was targeted by Toyota in a creepy, stalker-themed
online advertising stunt will be allowed to sue the company, despite
the carmaker’s argument that she unknowingly agreed to the whole
thing.
http://www.wired.com/threatlevel/2011/09/toyota-punkd/
FYI
- Online ID thief sentenced to 14 years - A man who pleaded guilty
on April 4 to one count of wire fraud and one count of aggravated
identity theft was sentenced last week in U.S. District Court in
Alexandria, Va. to 14 years in prison.
http://www.scmagazineus.com/online-id-thief-sentenced-to-14-years/article/211853/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Patient data posted online in major breach of privacy - Medical
records for 20,000 emergency room patients were on website for a
year - A medical privacy breach at Stanford University’s hospital in
Palo Alto, Calif., led to the public posting of medical records for
20,000 emergency room patients, including names and diagnosis codes,
on a commercial website for nearly a year, the hospital has
confirmed.
http://www.msnbc.msn.com/id/44443413/ns/technology_and_science-the_new_york_times/#.TmlDP-zQp8E
FYI
- GlobalSign stops secure certificates after hack - Belgian security
firm GlobalSign has temporarily stopped issuing authentication
certificates for secure websites.
http://www.bbc.co.uk/news/technology-14819257
FYI
- Linux Foundation Confirms Malware Attack - Foundation advises users
to change passwords following exploit of kernel.org, used to
distribute the Linux kernel. The Linux Foundation last week emailed
all of its users, warning them that an attacker had compromised
LinuxFoundation.org and Linux.com, as well as their subdomains. The
attacker may also have stolen usernames, email addresses, and
passwords.
http://www.informationweek.com/news/security/attacks/231601225
FYI
- Vending machine company announces major data breach - Up to 40,000
reportedly affected by breach of Vacationland Vendors machines
at waterparks in Wisconsin, Tennessee - Vacationland Vendors, a
company that supplies vending machines and games to entertainment
venues, has disclosed a data breach affecting about 40,000 people
who visited waterpark resorts in Wisconsin and Tennessee between
December 2008 and May 2011.
http://www.computerworld.com/s/article/9219945/Vending_machine_company_announces_major_data_breach?taxonomyId=17
FYI
- NBC Twitter hack attributed to 'Christmas tree' trojan - A group of
hacktivists was able to compromise the NBC News Twitter account on
Friday by tricking the network's social media head into clicking on
a malicious attachment.
http://www.scmagazineus.com/nbc-twitter-hack-attributed-to-christmas-tree-trojan/article/211981/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
This week concludes our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 6 of 6)
President’s Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Conclusion
Financial institutions have an affirmative and continuing obligation
to protect the privacy of customers' nonpublic personal information.
Despite generally strong controls and practices by financial
institutions, methods for stealing personal data and committing
fraud with that data are continuously evolving. The FDIC treats the
theft of personal financial information as a significant risk area
due to its potential to impact the safety and soundness of an
institution, harm consumers, and undermine confidence in the banking
system and economy. The FDIC believes that its collaborative efforts
with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Firewall Policy (Part 2 of 3)
Firewalls are an essential control for a financial institution with
an Internet connection and provide a means of protection against a
variety of attacks. Firewalls should not be relied upon, however, to
provide full protection from attacks. Institutions should complement
firewalls with strong security policies and a range of other
controls. In fact, firewalls themselves are potentially vulnerable to
attacks including:
- Spoofing trusted IP addresses;
- Denial of service by overloading the firewall with excessive
requests or malformed packets;
- Sniffing of data that is being transmitted outside the network;
- Hostile code embedded in legitimate HTTP, SMTP, or other traffic
that meets all firewall rules;
- Attacks on unpatched vulnerabilities in the firewall hardware or
software;
- Attacks through flaws in the firewall design providing relatively
easy access to data or services residing on firewall or proxy
servers; and
- Attacks against machines and communications used for remote
administration.
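The first item in that list, spoofing of trusted IP addresses, is worth seeing concretely. What follows is an added example written for this page, not code from the FFIEC booklet or from the newsletter: a small simulated packet filter in Python. The naive evaluation trusts any packet whose source address falls in the internal range, so an attacker on the Internet can forge an internal source and match the allow rule; the hardened version adds an ingress anti-spoofing check in the style of RFC 2827 (a packet arriving on the external interface can never legitimately carry an internal or non-routable source) before the allow rules are consulted. The interface names, address ranges, port number and sample packets are all assumptions constructed for the illustration.

```python
"""Simulated packet filter: why a trusted-source rule alone is spoofable.

Constructed example (not from the FFIEC booklet or the newsletter). The
addresses, interface names and packets are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

# Assumed topology: 10.0.0.0/8 is the institution's internal space;
# 192.0.2.0/24 (an RFC 5737 documentation range) stands in for the Internet.
INTERNAL_NETS: List[IPv4Network] = [ip_network("10.0.0.0/8")]
NEVER_FROM_OUTSIDE: List[IPv4Network] = INTERNAL_NETS + [
    ip_network("127.0.0.0/8"),     # loopback must never arrive on the wire
    ip_network("169.254.0.0/16"),  # link-local
]
EXTERNAL_IFACE = "eth0"  # assumed name of the Internet-facing interface
INTERNAL_IFACE = "eth1"  # assumed name of the inside interface


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_net: IPv4Network
    dst_net: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src_net
                and ip_address(p.dst) in self.dst_net
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# A typical "trust the inside" ruleset: internal hosts may reach the
# management port of the proxy at 10.0.0.5; everything else is denied.
RULES = [
    Rule("allow", ip_network("10.0.0.0/8"), ip_network("10.0.0.5/32"), "tcp", 8443),
    Rule("deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "any", None),
]


def naive_filter(p: Packet) -> str:
    """First-match evaluation that looks only at the packet header fields.
    It never asks which interface the packet came in on."""
    for r in RULES:
        if r.matches(p):
            return r.action
    return "deny"


def is_spoofed(p: Packet) -> bool:
    """Ingress anti-spoofing check: an internal or non-routable source
    address arriving on the external interface cannot be genuine."""
    src = ip_address(p.src)
    return p.iface == EXTERNAL_IFACE and any(src in n for n in NEVER_FROM_OUTSIDE)


def hardened_filter(p: Packet) -> str:
    """Same ruleset, but the spoof check runs before any allow rule."""
    if is_spoofed(p):
        return "deny"
    return naive_filter(p)


# Constructed traffic sample: a genuine internal request, an attacker's
# packet from the Internet with a forged internal source, and an honest
# external packet that should be denied either way.
SAMPLE = [
    Packet(INTERNAL_IFACE, "10.0.1.20", "10.0.0.5", "tcp", 8443),
    Packet(EXTERNAL_IFACE, "10.0.1.20", "10.0.0.5", "tcp", 8443),  # spoofed
    Packet(EXTERNAL_IFACE, "192.0.2.77", "10.0.0.5", "tcp", 8443),
]


def evaluate(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Return (naive verdict, hardened verdict) for each packet."""
    return [(naive_filter(p), hardened_filter(p)) for p in packets]


if __name__ == "__main__":
    for p, (n, h) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{p.iface} {p.src} -> {p.dst}:{p.dport}  naive={n}  hardened={h}")
```

The second sample packet is the point: the naive filter allows it because its forged source sits inside 10.0.0.0/8, while the hardened filter drops it because no packet with an internal source can legitimately arrive on eth0. On a real firewall the equivalent is a rule on the external interface that discards anything with an internal or non-routable source address, placed ahead of every rule that allows traffic by source.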
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
regulations.
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
consumer:
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a reasonable
means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
out.
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions.