Many More Government Records Compromised in 2009 than Year Ago,
Report Claims - If you're bummed about the data in your department
that just got breached, you have some cold comfort. Although the
combined number of reported data breaches in the government and the
military has dropped in 2009 compared to last year, many more
records were compromised in those breaches, according to recent
figures compiled by a California nonprofit.
DHS completes draft of plan on how to respond to a national
cyberattack - The Homeland Security Department, working with other
federal agencies, has completed a draft of how governments and
businesses should respond to a widespread cyberattack, establishing
their roles and responsibilities.
Man loses fight against firm that suffered data breach - Harm? What
harm? A Missouri man has lost his legal battle against an online
prescription processor that suffered a security breach that exposed
highly sensitive subscriber information.
Microsoft To Kill Windows XP SP2 Support - Software maker eyes
cutoff date for support for XP, as well as for Windows 2000.
Microsoft is reminding customers that the end date for support for
Windows XP Service Pack 2, as well as some other versions of the
Windows operating system, is already on the horizon.
GIAC Certifications in High Demand - Incident Handler Credential is
Top-Rated Among Employers - When Foote Partners, the Florida-based
management consultancy, released its 2009 IT Skills Trends Report
Update, three of the top 10 certifications were Global Information
Assurance Certification (GIAC) offerings by the SANS Institute,
specializing in computer security training and professional
certification through GIAC.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
TSA, HSBC in secret doc redaction oopsie - Your uh, data is showing
- The Transport Security Administration (TSA) and the US arm of bank
HSBC have both failed to properly redact documents they published
La. firm sues Capital One after losing thousands in online bank
fraud - An electronics testing firm in Louisiana is suing its bank,
Capital One, alleging that the financial institution was negligent
when it failed to stop hackers from transferring nearly $100,000 out
of its account earlier this year.
NASA sites hacked via SQL injection - Two NASA sites recently were
hacked by an individual wanting to demonstrate that the sites are
susceptible to SQL injection.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Audit Trail Practices for E-Banking Systems
1. Sufficient logs should be maintained for all e-banking
transactions to help establish a clear audit trail and assist in
2. E-banking systems should be designed and installed to capture and
maintain forensic evidence in a manner that maintains control over
the evidence, and prevents tampering and the collection of false
3. In instances where processing systems and related audit trails
are the responsibility of a third-party service provider:
a) The bank should ensure that it has access to relevant audit
trails maintained by the service provider.
b) Audit trails maintained by the service provider meet the bank's
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Using "Wired Equivalent Privacy" (WEP) by itself to
provide wireless network security may lead a financial institution
to a false sense of security. Information traveling over the network
appears secure because it is encrypted. This appearance of security,
however, can be defeated in a relatively short time.
Through these types of attacks, unauthorized personnel could gain
access to the financial institution's data and systems. For example,
an attacker with a laptop computer and a wireless network card could
eavesdrop on the bank's network, obtain private customer
information, obtain access to bank systems and initiate unauthorized
transactions against customer accounts.
Another risk in implementing wireless networks is the potential
disruption of wireless service caused by radio transmissions of
other devices. For example, the frequency range used for 802.11b
equipment is also shared by microwave ovens, cordless phones and
other radio-wave-emitting equipment that can potentially interfere
with transmissions and lower network performance. Also, as wireless
workstations are added within a relatively small area, they will
begin to compete with each other for wireless bandwidth, decreasing
the overall performance of the wireless network.
Risk Mitigation Components -- Wireless Internal Networks
A key step in mitigating security risks related to the use of
wireless technologies is to create policies, standards and
procedures that establish minimum levels of security. Financial
institutions should adopt standards that require end-to-end
encryption for wireless communications based on proven encryption
methods. Also, as wireless technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless network devices.
For wireless internal networks, financial institutions should adopt
standards that require strong encryption of the data stream through
technologies such as the IP Security Protocol (IPSEC). These methods
effectively establish a virtual private network between the wireless
workstation and other components of the network. Even though the
underlying WEP encryption may be broken, an attacker would be faced
with having to defeat an industry-proven security standard.
Financial institutions should also consider the proximity of their
wireless networks to publicly available places. A wireless network
that does not extend beyond the confines of the financial
institution's office space carries with it far less risk than one
that extends into neighboring buildings. Before bringing a wireless
network online, the financial institution should perform a limited
pilot to test the effective range of the wireless network and
consider positioning devices in places where they will not broadcast
beyond the office space. The institution should also be mindful that
each workstation with a wireless card is a transmitter. Confidential
customer information may be obtained by listening in on the
workstation side of the conversation, even though the listener may
be out of range of the access device.
The financial institution should consider having regular independent
security testing performed on its wireless network environment.
Specific testing goals would include the verification of appropriate
security settings, the effectiveness of the wireless security
implementation and the identification of rogue wireless devices that
do not conform to the institution's stated standards. The security
testing should be performed by an organization that is technically
qualified to perform wireless testing and demonstrates appropriate
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt
out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])