Court allows suit against bank for lax security - Citizens Financial
Bank should have offered strong authentication, plaintiffs claim - A
couple whose bank account was breached can sue their bank for its
alleged failure to implement the latest security measures designed
to prevent such compromises.
Five men named in racket that netted $4m in stolen card data -
Prosecutors in Manhattan have named five additional men from Eastern
Europe in an alleged scheme that pilfered $4m using more than 95,000
stolen credit cards.
TJX agrees to settle another breach lawsuit for $525,000 -
Two-and-a-half years later, the retailer is still handling fallout
from data compromise - TJX Companies Inc. has agreed to pay $525,000
to settle a lawsuit brought by several banks in connection with the
massive data breach disclosed by the retailer in January 2007.
GAO - DOD Needs to Strengthen Management of Its Statutorily Mandated
Software and System Process Improvement Efforts.
Breaching Fort Apache.org - What went wrong? - Open-sourcers put
locks on keys - Administrators at the Apache Software Foundation
have pledged to restrict the use of Secure Shell keys for accessing
servers over their network following a security breach on Monday
that briefly forced the closure the popular open-source website.
H1N1 Pandemic Preparedness Papers from SANS Technology Institute
degree Candidates. If you are trying to decide how prepared you and
your IT systems are for an H1N1 pandemic, you'll want to read the
mini-thesis submitted by Jim Beechey and Rob VandenBrink as part of
their candidacy for Master of Science in Security Engineering at the
SANS Technology Institute. It's has an associated PowerPoint
presentation you will find useful for educating others.
Conficker borks London council - Dirty USB shuts systems for days -
An Ealing council employee infected the UK local authority's IT
systems with the Conficker-D worm after he plugged an infected USB
into a work computer, causing tens of thousands of pounds in damages
in the process.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Navy laptop with personal info missing - Naval Hospital Pensacola
will be notifying thousands of beneficiaries who use its pharmacy
services, following the disappearance of a laptop computer August 18
which contains personally identifiable information.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Principle 4: Banks should ensure that proper authorization
controls and access privileges are in place for e-banking systems,
databases and applications.
In order to maintain segregation of duties, banks need to strictly
control authorization and access privileges. Failure to provide
adequate authorization control could allow individuals to alter
their authority, circumvent segregation and gain access to e-banking
systems, databases or applications to which they are not privileged.
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number of
security-related threats. Coverage varies by insurance company, but
currently available insurance products may include coverage for the
! Vandalism of financial institution Web sites,
! Denial - of - service attacks,
! Loss of income,
! Computer extortion associated with threats of attack or disclosure
! Theft of confidential information,
! Privacy violations,
! Litigation (breach of contract),
! Destruction or manipulation of data (including viruses),
! Fraudulent electronic signatures on loan agreements,
! Fraudulent instructions through e - mail,
! Third - party risk from companies responsible for security of
financial institution systems or information,
! Insiders who exceed system authorization, and
! Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third - party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
Return to the top of the
1. Review the information security risk
assessment and identify those items and areas classified as
2. Evaluate the appropriateness of the criteria used to select the
type of encryption/cryptographic algorithms.
! Consider if cryptographic algorithms are both publicly known
and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish,
etc.) or banking industry standard algorithms.
! Note the basis for choosing key sizes (e.g., 40-bit,
128-bit) and key space.
! Identify management's understanding of cryptography and
expectations of how it will be used to protect data.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
25. Does the institution permit
each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as
applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]