FYI - This week I am attending Tech Mecca convention
being held at the Red Rock Casino
in Las Vegas, Nevada.
Tech Mecca is sponsored by the Independent Bankers Association of
I look forward to meeting any of you that will also be in
FYI - AT&T Launches
Mobile Banking - Preloaded and downloadable bank access apps are
offered nationwide through Wachovia and SunTrust. AT&T Inc.
fulfilled its promise of nationwide mobile banking, rolling out a
service for customers of two banks that uses an application residing
on the user's handset.
FYI - Cisco survey:
Spyware, bots top security issues for government IT professionals -
Day-to-day worries about spyware and bots are the No. 1 security
concern of IT professionals working for the agencies of the federal
government, according to a study released by Cisco Systems.
FYI - PCI council to
take over secure application standard - The body charged with
managing and promoting the Payment Card Industry Data Security
Standard (PCI DSS) announced today it will soon administer another
set of merchant guidelines involving secure payment systems.
FYI - ODNI changes FISMA
focus - Intell agency takes the lead in making reporting secondary
to monitoring - Critics often fault agencies' implementation of the
Federal Information Security Management Act for focusing too much on
writing reports and not enough on security monitoring. However, that
criticism is heard less often as agencies take advantage of ways to
automate their FISMA reporting requirements and focus instead on
real-time security monitoring.
FYI - Problem-Driver DB
Ticketed for Security Flaws - The U.S. Department of Transportation
isn't adequately protecting personal information stored in a
database that state motor vehicle departments use to identify
problem drivers, according to a report issued by the DOT's inspector
FYI - Hushmail open to
Feds with court orders - US federal law enforcement agencies have
obtained access to clear text copies of encrypted emails sent
through Hushmail as part a of recent drug trafficking investigation.
FYI - DoubleClick Serves
Up Vast Malware Blitz - The third-party ad network says it now has
monitoring capabilities in place to catch the problem malware. Rogue
anti-spyware software that pushes fraudulent PC scans has found its
way onto DoubleClick and legitimate sites, including CNN, The
Economist, The Huffington Post and the official site of the
FYI - Visa Gave TJX a
Pass on PCI in 2005 - Retailer got some slack on security compliance
- and got hacked in the interim - The comedy of errors that led to
TJX Companies' loss of an estimated 94.7 million credit card records
isn't very funny. But as the puzzle pieces come together, it is
amazing to see how many things went wrong.
FYI - Half Million
Database Servers Lack Firewall Security - Think your database server
is safe? You may want to double-check. According to security
researcher David Litchfield, there are nearly half a million
database servers exposed on the Internet, without firewall
FYI - Veterans can sue
over security breach from stolen laptop - A federal judge says
veterans can sue the Department of Veterans Affairs in a case that
stems from the theft of a worker's laptop computer last year.
FYI - Salesforce
tight-lipped after phishing attack - Salesforce.com is refusing to
reveal details of a security breach caused when one of its employees
surrendered their password in a phishing attack against the company.
Details of Salesforce.com's customers were stolen as a result of the
password being surrended, the CRM services company admitted to
FYI - Attackers Snatch
Member Data from 92 Nonprofits - Attackers have stolen passwords and
accounts from 92 nonprofits by infiltrating systems at Convio, the
leading online marketing company for nonprofits.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
week begins our series on the FDIC's Supervisory Policy on Identity
(Part 6 of 6)
President's Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Financial institutions have an affirmative and continuing obligation
to protect the privacy of customers' nonpublic personal information.
Despite generally strong controls and practices by financial
institutions, methods for stealing personal data and committing
fraud with that data are continuously evolving. The FDIC treats the
theft of personal financial information as a significant risk area
due to its potential to impact the safety and soundness of an
institution, harm consumers, and undermine confidence in the banking
system and economy. The FDIC believes that its collaborative efforts
with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Data Transmission and Types
Data traverses the Internet in units referred to as packets. Each
packet has headers which contain information for delivery, such as
where the packet is from, where it is going, and what application it
contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
There are different types of firewalls that provide various levels
of security. For instance, packet filters, sometimes implemented as
screening routers, permit or deny access based solely on the stated
source and/or destination IP address and the application (e.g.,
FTP). However, addresses and applications can be easily falsified,
allowing attackers to enter systems. Other types of firewalls, such
as circuit-level gateways and application gateways, actually have
separate interfaces with the internal and external (Internet)
networks, meaning no direct connection is established between the
two networks. A relay program copies all data from one interface to
another, in each direction. An even stronger firewall, a stateful
inspection gateway, not only examines data packets for IP addresses,
applications, and specific commands, but also provides security
logging and alarm capabilities, in addition to historical
comparisons with previous transmissions for deviations from normal
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All
information into and out of the institution should pass through the
firewall. The firewall should also be able to change IP addresses to
the firewall IP address, so no inside addresses are passed to the
outside. The possibility always exists that security might be
circumvented, so there must be procedures in place to detect attacks
or system intrusions. Careful consideration should also be given to
any data that is stored or placed on the server, especially
sensitive or critically important data.
CLIENTS - The complete text of
the FDIC's paper "Security Risks Associated with the Internet"
dated December 18, 1997, can be found at http://www.fdic.gov/news/news/financial/1997/fil97131.html
the top of the newsletter
IT SECURITY QUESTION:
Workstations: (Part 2 of 2)
f. Are modems used for Internet connection?
g. Will workstation timeout with no activity?
h. Are screen savers used?
i. Are screen savers password protected?
j. Is a current copy of an anti-virus program installed on the
k. Are workstations turned off after business hours?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
4) Does the institution provide initial notice after
establishing a customer relationship only if:
a. the customer relationship is not established at the
customer's election; [§4(e)(1)(i)] or
b. to do otherwise would substantially delay the customer's
transaction (e.g. in the case of a telephone application), and the
customer agrees to the subsequent delivery? [§4 (e)(1)(ii)]