Corporate bank accounts targeted in online fraud - Criminals have
tried to steal an estimated $100 million from corporate bank
accounts using targeted malware and money mules, the FBI said.
Judge says TD Ameritrade's proposed security fixes aren't enough -
Court rejects company's proposed class-action settlement for 2007
data breach - A federal judge's rejection of a proposed settlement
by TD Ameritrade Inc. in a data breach lawsuit marks the second time
in recent months that a court has weighed in on what it considers to
be basic security standards for protecting data.
Small, medium firms cut security budgets - Small and medium
businesses have, for the most part, frozen spending on security,
despite an increase in perceived threats, according to a survey
released this week.
CalOptima recovers discs with personal data on 68,000 members -
Discs appear untouched, breach notifications won't go out, spokesman
says - Several missing CDs containing unencrypted personal data on
68,000 members of the CalOptima managed care plan have been traced
to a secure postal facility in Atlanta. The discs went missing two
Spoofed FDIC bank fail e-mail - Spam e-mails mimicking the Federal
Deposit Insurance Corp. and warning of additional bank failures are
instead the latest bid by cyber crooks to empty your bank account,
security experts warn.
US-CERT warns about free BlackBerry spyware app - The U.S. Computer
Emergency Readiness Team warned BlackBerry users on Tuesday about a
new program called PhoneSnoop that allows someone to remotely
eavesdrop on phone conversations.
Data breach alerts linked to increased risk of ID theft - Consumers
who have received a data breach notification letter are four times
more likely than others to be the victim of identity theft,
according to a survey.
Brussels criticises UK on privacy - The UK government has been
accused of failing to protect citizens' privacy by the European
Commission. It said the government should have done more to
guarantee online privacy when trials of a controversial ad-serving
system were carried out in 2006.
Federal CIO Kundra Plans Cybersecurity Dashboard - The White House
will introduce new tools and metrics for measuring and managing the
federal government's cybersecurity efforts, federal CIO Vivek Kundra
said in testimony to Congress.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Massive bot attack spoofs Facebook password messages - 'Bredolab'
Trojan rides fake reset messages, reaches at least 735,000 users - A
massive bot-based attack has been hitting Facebook users, with
nearly three-quarters of a million users receiving fake password
reset messages, according to security researchers.
N.Y. bank computer technician charged with ID theft - A New York
computer technician has been charged with stealing the identities of
more than 150 Bank of New York Mellon employees and using them to
orchestrate a scheme that netted him more than $1.1 million,
Leaked House Ethics document spreads on the Net via P2P - Document
lists dozens of lawmakers under scrutiny for conduct violations - A
document containing the names of more than two dozen members of the
U.S. House of Representatives who are being scrutinized for conduct
violations is starting to get widely distributed over the Internet
after being leaked on a peer-to-peer network earlier this week.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and specific
authorization privileges assigned to all users of e-banking systems
and applications, including all customers, internal bank users and
outsourced service providers. Logical access controls should also be
designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization's
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g.
remote access servers, e-mail proxy servers) and on each desktop
b) Intrusion detection software and other security assessment tools
to periodically probe networks, servers and firewalls for weaknesses
and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING
Effective monitoring of threats includes both non - technical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
! Senior management support for strong security policy awareness and
compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
! Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
! Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration management process that
monitors for vulnerabilities in hardware and software and
establishes a process to install and test security patches,
- Maintaining up - to - date anti - virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and vendors
to identify and react to new security issues.
! Senior management should require periodic security self-assessments
and audits to provide an ongoing assessment of policy compliance and
ensure prompt corrective action of significant deficiencies.
! Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
the top of the newsletter
IT SECURITY QUESTION:
Determine whether individual and group access to data is based on
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
36. Does the institution use a reasonable means for delivering
the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer;
c. for the consumer who conducts transactions electronically,
clearly and conspicuously posting the notice on the institution's
electronic site and requiring the consumer to acknowledge receipt as
a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)]
d. for isolated transactions, such as ATM transactions, posting the
notice on the screen and requiring the consumer to acknowledge
receipt as a necessary step to obtaining the financial product or
(Note: insufficient or unreasonable means of delivery include:
exclusively oral notice, in person or by telephone; branch or office
signs or generally published advertisements; and electronic mail to
a customer who does not obtain products or services electronically.
[§9 (b)(2)(i) and (ii), and (d)])