FYI - Navy tightens grip on BlackBerrys - Print this
Email this Purchase a Reprint Link to this page The Navy has
implemented tougher security settings for BlackBerry devices used by
naval personnel. Administrators for the Navy-Marine Corps Intranet
activated the new settings Oct. 17 for the Navy and Oct. 23 for the
FYI - Vic police breached
database - Victorian police officers committed at least 26 breaches
of the force's confidential database in the last financial year,
with 15 more under investigation, a report shows.
FYI - Whistle-blower e-mail
addresses exposed in Judiciary Committee snafu - The House Judiciary
Committee yesterday apologized to would-be whistle-blowers for
accidentally exposing their e-mail addresses to other individuals
who, like them, had used a committee Web site to secretly submit
tips about alleged abuses at the Department of Justice.
FYI - Online Privacy Policies
Don't Do Their Job, Critics Say - Privacy notices online need to be
simpler and more easy to find, some privacy advocates say. Grant
Gross, IDG News Service - Online privacy policies need to be easier
to understand and more conspicuous because few people now actually
read them, said panelists at a U.S. Federal Trade Commission
workshop on targeted online advertising.
FYI - GAO: Infrastructure plans
lack cybersecurity strategy - With 85 percent of the country's
critical infrastructure in private hands, the federal government
must make sure that the 17 infrastructure sectors include
cybersecurity in their plans to protect themselves against
cyberattacks and disaster, an official of the Government
Accountability Office has told two House panels. However, none of
the sectors included in their sector plans all 30 cybersecurity
criteria, such as key vulnerabilities and measures to reduce them,
the official also testified.
FYI - Public Safety data not
secure, audit finds - Minnesota's chief law enforcement agency
failed to adequately safeguard non-public information in its
computers and did not keep an accurate inventory of some of its most
critical property, such as its laptops and cell phones, an audit
FYI - Lost CD may put pension
holders in peril - Thousands of customers of UK insurer Standard
Life have been left at risk of fraud after their personal details
were lost by HM Revenue & Customs (HMRC).
FYI - Masked thieves storm into
Chicago colocation (again!) - The recent armed robbery of a
Chicago-based co-location facility has customers hopping mad after
learning it was at least the fourth forced intrusion in two years.
They want to know how C I Host, an operator that vaunts the security
of its data centers, could allow the same one to be penetrated so
FYI - Dutch gov spies on Dutch
newspapers (not true) - The Dutch Ministry of Social Affairs and
Employment denies spying on the Dutch news agency GPD (Geassocieerde
Pers Diensten), a joint news service run by 17 regional newspapers.
The ministry has had access to a database with unpublished articles
and a agenda with scheduled activities since July last year.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week begins our series on the FDIC's Supervisory Policy on
(Part 5 of 6)
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposia series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be
an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the Internet."
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between
two networks which all traffic, regardless of the direction, must
pass through. When employed properly, it is a primary security
measure in governing access control and protecting the internal
system from compromise.
The key to a firewall's ability to protect the network is its
configuration and its location within the system. Firewall products
do not afford adequate security protection as purchased. They must
be set up, or configured, to permit or deny the appropriate traffic.
To provide the most security, the underlying rule should be to deny
all traffic unless expressly permitted. This requires system
administrators to review and evaluate the need for all permitted
activities, as well as who may need to use them. For example, to
protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal
computer should be denied access. Alternatively, systems could be
denied access based on their IP address, regardless of the
origination point. Such requests could then be evaluated based on
what information was requested and where in the internal system it
was requested from. For instance, incoming FTP requests may be
permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to
perform business operations and the need for security. Due to the
intricate details of firewall programming, the configuration should
be reassessed after every system change or software update. Even if
the system or application base does not change, the threats to the
system do. Evolving risks and threats should be routinely monitored
and considered to ensure the firewall remains an adequate security
measure. If the firewall system should ever fail, the default should
deny all access rather than permit the information flow to continue.
Ideally, firewalls should be installed at any point where a computer
system comes into contact with another network. The firewall system
should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition,
detection mechanisms and procedures should include the generation
and routine review of security logs.
the top of the newsletter
IT SECURITY QUESTION:
Workstations: (Part 1 of 2)
a. Are the workstations personal computers, and are the personal
computers connected to the network?
b. What is the workstation operating system(s)?
c. Is access to workstations restricted?
d. Will workstation access allow network viewing to other
workstations and servers?
e. Do any workstations have modems?
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who
obtain a new financial product or service, an initial privacy notice
that covers the customer's new financial product or service, if the
most recent notice provided to the customer was not accurate with
respect to the new financial product or service? [§4(d)(1)]