REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- DDoS attacks on major US banks are no Stuxnet - here's why - The
attacks that recently disrupted website operations at Bank of
America and at least five other major US banks used compromised Web
servers to flood their targets with above-average amounts of
Internet traffic, according to five experts from leading firms that
worked to mitigate the attacks.
- U.S. banks could be bracing for wave of account takeovers -
Security researchers at RSA warned Thursday that a sophisticated
plan is being hatched online to raid the bank accounts of customers
at some 30 banks in the United States.
- Feds charge 11 over $50m secret tech exports to Russia - An
unsealed federal indictment suggests $50m worth of microprocessors
and other high-tech kit were illegally shipped to Russia, with
possible uses including missile guidance systems and detonation
- The challenges of securing enterprises in a BYOD world - The
consumerization of information technology is having a profound
impact on organizations, and many are concerned about the risk that
consumer IT poses to the confidentiality, integrity and availability
of enterprise resources.
- SC Congress NY: To cut BYOD security costs, get specific - A
secure approach to bring-your-own-device (BYOD) in the workplace
starts with defining user guidelines, which ultimately determine the
bottom line for companies: what technology should be implemented and
how much it will cost.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Middle East cyberattacks on Google users increasing - The New York
Times reports that tens of thousands of Gmail accounts have been
targeted by state-sponsored attacks. Three months after it first
began warning users of state-sponsored cyber attacks, Google is
saying that the assault has only intensified.
- NASA, Pentagon hacker TinKode gets two-year suspended sentence -
Romanian court orders him to pay over $120,000 to Oracle, NASA and
the U.S. Department of Defense - A Romanian national received a
two-year suspended prison sentence for hacking into computer systems
owned by Oracle, NASA, the U.S. Army and the U.S. Department of
Defense and was ordered to pay damages totalling more than $120,000.
- Chamber backs hotel chain in motion to toss FTC case - The law
firm of the U.S. Chamber of Commerce has filed an amicus brief in
Arizona, asking a U.S. District Court to accept a motion filed by
Wyndham Hotels and Resorts that would dismiss a complaint launched
by the Federal Trade Commission (FTC) over the hotel chain's
repeated security breaches.
WEB SITE COMPLIANCE -
We continue the series
on FDIC Supervisory Insights regarding Incident Response
Programs. (2 of 12)
Importance of an Incident Response Program
A bank's ability to respond to security incidents in a planned and
coordinated fashion is important to the success of its information
security program. While IRPs are important for many reasons, three
are highlighted in this article.
First, though incident prevention is important, focusing solely on
prevention may not be enough to insulate a bank from the effects of
a security breach. Despite the industry's efforts at identifying and
correcting security vulnerabilities, every bank is susceptible to
weaknesses such as improperly configured systems, software
vulnerabilities, and zero-day exploits. Compounding the problem is
the difficulty an organization experiences in sustaining a "fully
secured" posture. Over the long term, a large amount of resources
(time, money, personnel, and expertise) is needed to maintain
security commensurate with all potential vulnerabilities.
Inevitably, an organization faces a point of diminishing returns
whereby the extra resources applied to incident prevention bring a
lesser amount of security value. Even the best information security
program may not identify every vulnerability and prevent every
incident, so banks are best served by incorporating formal incident
response planning to complement strong prevention measures. In the
event management's efforts do not prevent all security incidents
(for whatever reason), IRPs are necessary to reduce the sustained
damage to the bank.
Second, regulatory agencies have recognized the value of IRPs and
have mandated that certain incident response requirements be
included in a bank's information security program. In March 2001,
the FDIC, the Office of the Comptroller of the Currency (OCC), the
Office of Thrift Supervision (OTS), and the Board of Governors of
the Federal Reserve System (FRB) (collectively, the Federal bank
regulatory agencies) jointly issued guidelines establishing
standards for safeguarding customer information, as required by the
Gramm-Leach-Bliley Act of 1999. These standards require banks to
adopt response programs as a security measure. In April 2005, the
Federal bank regulatory agencies issued interpretive guidance
regarding response programs. This additional guidance describes
IRPs and prescribes standard procedures that should be included in
IRPs. In addition to Federal regulation in this area, at least 32
states have passed laws requiring that individuals be notified of a
breach in the security of computerized personal information.
Therefore, the increased regulatory attention devoted to incident
response has made the development of IRPs a legal necessity.
Finally, IRPs are in the best interests of the bank. A
well-developed IRP that is integrated into an overall information
security program strengthens the institution in a variety of ways.
Perhaps most important, IRPs help the bank contain the damage
resulting from a security breach and lessen its downstream effect.
Timely and decisive action can also limit the harm to the bank's
reputation, reduce negative publicity, and help the bank identify
and remedy the underlying causes of the security incident so that
mistakes are not destined to be repeated.
INFORMATION TECHNOLOGY SECURITY -
We continue our coverage of
the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable-to-the-desktop network. When
this guidance was written, wireless networks could provide speeds of
up to 11 Mbps between the workstation and the wireless access device
without the need for cabling individual workstations. Wireless
networks also offer added mobility, allowing users to move through
the facility without losing their network connection. Wireless
networks are also being used to provide connectivity between
geographically close locations as an alternative to installing
dedicated
Wireless differs from traditional hard-wired networking in that it
provides connectivity to the network by broadcasting radio signals
over the air. Wireless networks operate in frequency bands that the
FCC designates for unlicensed use (the 2.4 GHz band for 802.11b) to
communicate between workstations and wireless access points. Because
no license is required, anyone with a compatible radio can transmit
and receive in those bands. By installing wireless access points, an
institution can expand its network to include workstations within
broadcast range of the network access point.
The most prevalent class of wireless networks currently available is
based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is
intended to provide confidentiality and integrity of data and a
degree of access control over the network. By design, WEP encrypts
traffic between an access point and the client. However, this
encryption method has fundamental weaknesses that make it
vulnerable: it keys RC4 with a 24-bit per-packet IV prepended to
the shared key, so keystreams repeat, and it protects integrity with
a linear CRC-32 checksum rather than a keyed MAC. WEP is vulnerable
to the following types of decryption attacks:
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations based on
known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a day's
worth of traffic, allow real-time automated decryption of all
traffic (a dictionary-building attack creates a translation table
that can be used to convert encrypted information into plain text
without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4 encryption
algorithm that allow an attacker to rapidly determine the encryption
key used to encrypt the user's session.
These weaknesses have since led the IEEE to deprecate WEP; it should
not be relied on for confidentiality or access control, and WPA2 or
WPA3 should be used in its place.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
40. Does the institution provide at least one initial, annual, and
revised notice, as applicable, to joint consumers? [§9(g)]