Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Plans to migrate LAPD to Google's cloud apps dropped - Service is
incompatible with FBI's security requirements, city says - After
more than two years of trying, the City of Los Angeles has abandoned
plans to migrate its police department to Google's hosted email and
office application platform saying the service cannot meet certain
FBI security requirements.
http://www.computerworld.com/s/article/9222932/Plans_to_migrate_LAPD_to_Google_s_cloud_apps_dropped?taxonomyId=17
FYI
- DARPA to start checking your email for threats - Troops’ emails
will be under surveillance as part of a new Defense Department
project to help detect potential “insider threats,” or potential
traitors or terrorists inside the military.
http://www.navytimes.com/news/2011/12/military-darpa-email-surveillance-122111w/
FYI
- Carrier IQ analysis finds no evidence of 'keylogger' - A Linux
kernel hacker who completed an in-depth analysis of Carrier IQ's
controversial software has determined that it's incapable of
recording keystrokes or perusing SMS messages and e-mail
correspondence.
http://news.cnet.com/8301-31921_3-57336801-281/carrier-iq-analysis-finds-no-evidence-of-keylogger/
FYI
- DHS program to monitor social media users draws lawsuit - Privacy
advocates are suing the Homeland Security Department to obtain
information on a program that monitors the social media interactions
of citizens following a federal vendor's private sector plans to
sabotage certain groups' online activities with similar technology.
http://www.nextgov.com/nextgov/ng_20111221_9225.php?oref=topnews
FYI
- Lax security exposes voice mail to hacking, study says -
Thirty-one mobile carriers 'proven' to be open to surveillance and
customer ID theft. It may be tempting to view the illegal
interception of telephone voice mail, a practice that has caused
anger in Britain after a scandal involving the media empire of
Rupert Murdoch, as an arcane tool of scofflaw journalists with
friends in Scotland Yard.
http://www.smh.com.au/it-pro/security-it/lax-security-exposes-voice-mail-to-hacking-study-says-20111227-1pavx.html
FYI
- Indian court orders 22 websites to remove offensive content - The
Indian government had recently complained about objectionable
content on the Web - A court in Delhi on Saturday ordered 22
Internet companies, including Google and Facebook, to remove certain
"anti-religious" and "anti-social" content, the Press Trust of India
news agency reported.
http://www.computerworld.com/s/article/9223017/Report_Indian_court_orders_22_websites_to_remove_offensive_content?taxonomyId=17
FYI
- Email from The New York Times meant for 300, sent to 8M - An email
asking people to reconsider their cancellation of home delivery from
The New York Times accidentally was sent to some eight million
people on Wednesday, but was intended to reach only a few hundred.
http://www.scmagazine.com/email-from-the-new-york-times-meant-for-300-sent-to-8m/article/221021/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Chinese hackers breached U.S. Chamber of Commerce - Attackers may
have accessed data undetected for a year, says Wall Street Journal -
Chinese hackers once broke into computers at the U.S. Chamber of
Commerce and had access to everything on the organization's systems,
including information on about 3 million of its members.
http://www.computerworld.com/s/article/9222924/Update_Chinese_hackers_breached_U.S._Chamber_of_Commerce?taxonomyId=17
FYI
- Iran spy drone GPS hijack boasts: Rubbish, say experts - Cockup
far more likely than conspiracy, as usual - Doubts that Iran managed
to bring down an advanced US drone over the country last month using
an advanced GPS spoofing attack have been raised by experts, who say
that attacks of this type would be extremely tough to pull off.
http://www.theregister.co.uk/2011/12/21/spy_drone_hijack_gps_spoofing_implausible/
FYI
- Web security questioned after data leak - The personal information
of more than 6 million Internet users on CSDN, or China Software
Developer Network, the country's largest programmers' website, was
leaked by hackers, raising concerns about web security and
triggering widespread panic.
http://www.chinadaily.com.cn/china/2011-12/24/content_14320027.htm
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement. Conversely, subsidiary web pages
that relate to loans do not require the official advertising
statement.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
EXAMPLES OF ENCRYPTION USES
Asymmetric encryption is the basis of PKI, or public key
infrastructure. In theory, PKI allows two parties who do not know
each other to authenticate each other and maintain the
confidentiality, integrity, and accountability for their messages.
PKI rests on both communicating parties having a public and a
private key, and keeping their public keys registered with a third
party they both trust, called the certificate authority, or CA. The
use of and trust in the third party is a key element in the
authentication that takes place. For example, assume individual A
wants to communicate with individual B. A first hashes the message,
and encrypts the hash with A's private key. Then A obtains B's
public key from the CA, and encrypts the message and the hash with
B's public key. Obtaining B's public key from the trusted CA
provides A assurance that the public key really belongs to B and not
someone else. Using B's public key ensures that the message will
only be able to be read by B. When B receives the message, the
process is reversed. B decrypts the message and hash with B's
private key, obtains A's public key from the trusted CA, and
decrypts the hash again using A's public key. At that point, B has
the plain text of the message and the hash performed by A. To
determine whether the message was changed in transit, B must
re-perform the hashing of the message and compare the newly computed
hash to the one sent by A. If the new hash is the same as the one
sent by A, B knows that the message was not changed since the
original hash was created (integrity). Since B obtained A's public
key from the trusted CA and that key produced a matching hash, B is
assured that the message came from A and not someone else
(authentication).
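The sign-then-encrypt exchange described above, as an added example in Go using only the standard library (not code from the FFIEC booklet or this newsletter): A signs the SHA-256 hash of the message with RSA-PSS and encrypts message and signature for B with RSA-OAEP; B reverses the steps and rejects anything that fails the signature check. It assumes each party already holds the other's public key from the trusted CA (certificate checking is outside the block) and that B's key is 3072-bit so that a 2048-bit signature fits in one OAEP block; the names seal, unseal and Envelope are mine.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what A sends to B: the message and A's signature over its
// SHA-256 hash, each encrypted under B's public key with RSA-OAEP.
// (Hypothetical type, named for this example.)
type Envelope struct{ EncMsg, EncSig []byte }

// seal is A's side: hash the message, sign the hash with A's private key,
// then encrypt message and signature with B's public key.
func seal(a *rsa.PrivateKey, bPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, a, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	encMsg, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, msg, nil)
	if err != nil {
		return nil, err
	}
	encSig, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, sig, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{encMsg, encSig}, nil
}

// unseal is B's side: decrypt both parts with B's private key, re-hash the
// recovered message and verify the signature with A's public key (assumed
// to have come from the trusted CA). A modified message, a modified
// signature or a signature from some other key all fail here.
func unseal(b *rsa.PrivateKey, aPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b, env.EncMsg, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b, env.EncSig, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(aPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("integrity/authentication check failed: %w", err)
	}
	return msg, nil
}
```

Generate A's 2048-bit and B's 3072-bit keys with rsa.GenerateKey, then call seal on A's side and unseal on B's. In practice the message and signature are protected with a symmetric key that RSA wraps, which is the mixed symmetric/asymmetric approach the next paragraph describes.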
Various communication protocols use both symmetric and asymmetric
encryption. Transport layer security (TLS, the successor to SSL)
uses asymmetric encryption for authentication, and symmetric
encryption to protect the remainder of the communications session.
TLS can be used to secure electronic banking and other transmissions
between the institution and the customer. TLS may also be used to
secure e-mail, telnet, and FTP sessions. A wireless version of TLS
is called WTLS, for wireless transport layer security.
Virtual Private Networks (VPNs) are used to provide employees,
contractors, and customers remote access over the Internet to
institution systems. VPN security is provided by authentication and
authorization for the connection and the user, as well as encryption
of the traffic between the institution and the user. While VPNs can
exist between client systems, and between servers, the typical
installation terminates the VPN connection at the institution
firewall. VPNs can use many different protocols for their
communications. Among the popular protocols are PPTP (point-to-point
tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use
different authentication methods, and different components on the
host systems. Implementations between vendors, and between products,
may differ. Currently, the problems with VPN implementations
generally involve interfacing a VPN with different aspects of the
host systems, and reliance on passwords for authentication.
IPSec is a complex aggregation of protocols that together provide
authentication and confidentiality services to individual IP
packets. It can be used to create a VPN over the Internet or other
untrusted network, or between any two computers on a trusted
network. Since IPSec has many configuration options, and can provide
authentication and encryption using different protocols,
implementations between vendors and products may differ. Secure
Shell is frequently used for remote server administration. SSH
establishes an encrypted tunnel between an SSH client and a server,
and also provides authentication services.
Disk encryption is typically used to protect data in storage.
INTERNET PRIVACY - Sharing
nonpublic personal information with nonaffiliated third parties
under Sections 13, and 14 and/or 15 but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual privacy
notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
consumer records where available, determine if the institution has
adequate procedures in place to provide notices to consumers, as
appropriate. Assess the following:
a. Timeliness of delivery (§4(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).