Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
For more
information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
Court allows warrantless cell location tracking - The FBI and other
police agencies don't need a search warrant to track the locations
of Americans' cell phones, a federal appeals court ruled on Tuesday
in a precedent-setting decision.
http://news.cnet.com/8301-31921_3-20015743-281.html
FYI -
ACLU Sues Over Laptop Border Searches - Obama administration policy
allowing U.S. border officials to seize and search laptops,
smartphones and other electronic devices for any reason was
challenged as unconstitutional in federal court Tuesday.
http://www.wired.com/threatlevel/2010/09/laptop-border-searches/
FYI -
Fed's cybersecurity watchdog found to have security issues - The
very systems the Homeland Security Department uses to monitor
cybersecurity across the federal government were plagued by their
own vulnerabilities, which placed the cybersecurity data they
maintain at risk, according to an inspector general report.
http://www.nextgov.com/nextgov/ng_20100909_5549.php?oref=topnews
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Hotel operator warns of data breach - HEI Hospitality, owner and
operator of upscale hotels operating under the Marriott, Sheraton,
Westin and other monikers, has sent letters informing some 3,400
customers that their credit card data may have been compromised.
http://www.computerworld.com/s/article/9184398/Hotel_operator_warns_of_data_breach?taxonomyId=17
FYI -
RBS WorldPay hacker gets four years' probation - The mastermind
behind one of the biggest hacking paydays in history has been
sentenced to four years' probation and an US$8.9 million fine,
according to published reports.
http://www.computerworld.com/s/article/9184179/Report_RBS_WorldPay_hacker_gets_four_years_probation?taxonomyId=17
FYI -
Chase's online banking service is down; ATMs fine - Chase's online
banking service is down because of a technical problem and the bank
says it's working to resolve it.
http://www.msnbc.msn.com/id/39174466/ns/technology_and_science-tech_and_gadgets/
FYI -
Hospital appeals $250,000 fine for late breach disclosure - The
Lucile Packard Children's Hospital at Stanford University is
appealing a whopping $250,000 fine imposed by California Department
of Public Health (CDPH) for its alleged delay in reporting a data
breach that exposed confidential patient data.
http://www.computerworld.com/s/article/9184679/Hospital_appeals_250_000_fine_for_late_breach_disclosure?taxonomyId=17
FYI -
South Shore Hospital completes probe into data loss - South Shore
Hospital said there is “little to no risk” that information from
computer files that went missing earlier this year has been used or
abused.
http://bostonherald.com/business/healthcare/view.bg?articleid=1280045&position=1
FYI -
Mayo Clinic worker fired for snooping on patient records - The
employee worked in the Mayo financial business unit in Arizona and
once worked in Rochester.
http://www.postbulletin.com/newsmanager/templates/localnews_story.asp?z=2&a=469014
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary (OSC) also clarifies
that terminal receipts are unnecessary for transfers initiated
on-line. Specifically, the OSC provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
facsimile machine.
Additionally, the regulations clarify that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization via a home
banking system. To satisfy the regulatory requirements, the
institution must have some means to identify the consumer (such as a
security code) and make a paper copy of the authorization available
(automatically or upon request). The text of the electronic
authorization must be displayed on a computer screen or other visual
display that enables the consumer to read the communication from the
institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INFORMATION TECHNOLOGY SECURITY - We continue our review of the FDIC paper
"Risk Assessment Tools and Practices for Information System Security."
Host- Versus Network-Based Vulnerability Assessment Tools
As in intrusion detection systems, which are discussed later in this
appendix, there are generally two types of vulnerability assessment
tools: host-based and network-based. Another category is sometimes
used for products that assess vulnerabilities of specific
applications (application-based) on a host. A host is generally a
single computer or workstation that can be connected to a computer
network. Host-based tools assess the vulnerabilities of specific
hosts. They usually reside on servers, but can be placed on
specific desktop computers, routers, or even firewalls.
Network-based vulnerability assessment tools generally reside on the
network, specifically analyzing the network to determine if it is
vulnerable to known attacks. Both host- and network-based products
offer valuable features, and the risk assessment process should help
an institution determine which is best for its needs. Information
systems personnel should understand the types of tools available,
how they operate, where they are located, and the output generated
from the tools.
Host-based vulnerability assessment tools are effective at
identifying security risks that result from internal misuse or
hackers using a compromised system. They can detect holes that
would allow access to a system such as unauthorized modems, easily
guessed passwords, and unchanged vendor default passwords. The
tools can detect system vulnerabilities such as poor virus
protection capabilities; identify hosts that are configured
improperly; and provide basic information such as user log-on hours,
password/account expiration settings, and users with dial-in
access. The tools may also provide a periodic check to confirm that
various security policies are being followed. For instance, they
can check user permissions to access files and directories, and
identify files and directories without ownership.
Network-based vulnerability assessment tools are more effective than
host-based at detecting network attacks such as denial of service
and Internet Protocol (IP) spoofing. Network tools can detect
unauthorized systems on a network or insecure connections to
business partners. Running a host-based scan does not consume
network overhead, but can consume processing time and available
storage on the host. Conversely, frequently running a network-based
scan as part of daily operations increases network traffic during
the scan. This may cause inadvertent network problems such as
router crashes.
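As an added illustration of the host-based checks the paragraph above lists (unchanged or empty passwords, password/account expiration settings, files and directories without ownership), here is a small policy checker run over constructed passwd, shadow and file-listing records. This is example code written for this newsletter issue, not a tool from the FDIC paper; the 90-day password-age limit and the sample accounts and paths are assumptions.

```python
# Constructed sample input in /etc/passwd and /etc/shadow format.
PASSWD = """root:x:0:0:root:/root:/bin/bash
svc:x:1001:1001:service:/var/svc:/bin/sh
alice:x:1002:1002::/home/alice:/bin/bash
"""
SHADOW = """root:$6$salt$hash:18000:0:90:7:::
svc::18000:0:99999:7:::
alice:$6$salt$hash:18000:0:99999:7:::
"""
# Constructed directory listing: (path, uid, gid) as stat() would report.
FILES = [("/var/svc", 1001, 1001), ("/data/old", 4242, 4242),
         ("/home/alice", 1002, 1002)]

MAX_PASSWORD_AGE = 90  # assumed policy: passwords must expire within 90 days

def known_ids(passwd_text):
    """Return the uids and primary gids passwd defines (simplification:
    supplementary groups from /etc/group are not consulted)."""
    uids, gids = set(), set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            uids.add(int(fields[2]))
            gids.add(int(fields[3]))
    return uids, gids

def audit_accounts(shadow_text):
    """Flag empty passwords and passwords that outlive the age policy."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        name, hashed, max_days = fields[0], fields[1], fields[4]
        if hashed.startswith(("!", "*")):
            continue  # locked account: no password login possible
        if hashed == "":
            findings.append((name, "empty password"))
        if max_days == "" or int(max_days) > MAX_PASSWORD_AGE:
            findings.append((name, "password expiry exceeds policy"))
    return findings

def audit_ownership(files, passwd_text):
    """Flag files whose owning uid or gid has no passwd entry."""
    uids, gids = known_ids(passwd_text)
    return [(path, "no valid owner") for path, uid, gid in files
            if uid not in uids or gid not in gids]

def run_audit():
    return audit_accounts(SHADOW) + audit_ownership(FILES, PASSWD)
```

On a live host the same functions would be fed the contents of /etc/passwd and /etc/shadow and an os.walk() listing; the output is the kind of periodic policy-compliance report the paragraph describes.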
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail {custom4} a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy
examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
4) Does the institution provide initial notice after establishing a
customer relationship only if:
a. the customer relationship is not established at the customer's
election; [§4(e)(1)(i)] or
b. to do otherwise would substantially delay the customer's
transaction (e.g. in the case of a telephone application), and the
customer agrees to the subsequent delivery? [§4(e)(1)(ii)]