FYI -
More than 150 banks affected by Heartland data breach thus far -
List compiled by BankInfoSecurity.com includes banks in 40 states,
Canada, Bermuda and Guam - The number of financial institutions that
have said they were affected by the data breach disclosed last month
by Heartland Payment Systems Inc. is growing longer by the day and
now includes banks in 40 states as well as Canada, Bermuda and Guam,
according to the BankInfoSecurity.com news portal.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127822&source=rss_topic17
http://www.theregister.co.uk/2009/02/12/heartland_data_breach_latest/
FYI -
Officials look to contain FAA information security breach - FAA is
working to stem concerns regarding the agency's disclosure on Monday
that a hacker was able to access Social Security numbers and other
personal information of 45,000 agency employees and retirees, a
senior agency official told lawmakers.
http://www.nextgov.com/nextgov/ng_20090212_2113.php
FYI -
Medical data leakage rampant on P2P networks - The risk of patient
information disclosures on peer-to-peer (P2P) networks is much
higher than if a health care worker loses a laptop or removable
storage device, according to new Dartmouth College research.
http://www.scmagazineus.com/Medical-data-leakage-rampant-on-P2P-networks/article/127216/
FYI -
Florida Arrests 3 in Heartland Breach - The first arrests in
connection with the recently disclosed breach at Heartland Payment
Systems have been made.
http://www.pcworld.com/article/159573/article.html?tk=nl_dnxnws
http://www.bankinfosecurity.com/articles.php?art_id=1210
FYI -
Government computers under attack - Records show that cyberattacks on
federal computer networks increased 40 percent last year, and that
figure is likely low as it reflects only the reported attacks.
http://www.scmagazineus.com/Government-computers-under-attack/article/127464/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Los Alamos computers go missing - Sixty-nine computers are missing
or were stolen from the Los Alamos National Laboratory, a national
security research institution in New Mexico, according to an
internal memo released by a government watchdog.
http://www.scmagazineus.com/Los-Alamos-computers-go-missing/article/127281/?DCMP=EMC-SCUS_Newswire
FYI -
UA says probe continues of '08 hacking - Someone illegally gained
access to 17 computer servers at the University of Alabama in
November 2008, a UA official said.
http://www.tuscaloosanews.com/article/20090214/NEWS/902130209/1007?Title=UA_says_probe_continues_of__08_hacking
WEB SITE COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures
via electronic means has raised many issues with respect to the
format of the disclosures, the manner of delivery, and the ability
to ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should
review the web site to determine whether the disclosures have been
designed to meet this standard. Institutions may find that the
format(s) previously used for providing paper disclosures may need
to be redesigned for an electronic medium. Institutions may find it
helpful to use "pointers" and "hotlinks" that
will automatically present the disclosures to customers when
selected. A financial institution's use solely of asterisks or
other symbols as pointers or hotlinks would not be as clear as
descriptive references that specifically indicate the content of the
linked material.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
EXAMPLES OF ENCRYPTION USES
Asymmetric encryption is the basis of PKI, or public key
infrastructure. In theory, PKI allows two parties who do not know
each other to authenticate each other and maintain the
confidentiality, integrity, and accountability for their messages.
PKI rests on both communicating parties having a public and a
private key, and keeping their public keys registered with a third
party they both trust, called the certificate authority, or CA. The
use of and trust in the third party is a key element in the
authentication that takes place. For example, assume individual A
wants to communicate with individual B. A first hashes the message,
and encrypts the hash with A's private key. Then A obtains B's
public key from the CA, and encrypts the message and the hash with
B's public key. Obtaining B's public key from the trusted CA
provides A assurance that the public key really belongs to B and not
someone else. Using B's public key ensures that the message will
only be able to be read by B. When B receives the message, the
process is reversed. B decrypts the message and hash with B's
private key, obtains A's public key from the trusted CA, and
decrypts the hash again using A's public key. At that point, B has
the plain text of the message and the hash performed by A. To
determine whether the message was changed in transit, B must
re-perform the hashing of the message and compare the newly
computed hash to the one sent by A. If the new hash is the same as
the one sent by A, B knows that the message was not changed since
the original hash was created (integrity). Since B obtained A's
public key from the trusted CA and that key produced a matching
hash, B is assured that the message came from A and not someone else
(authentication).
Various communication protocols use both symmetric and asymmetric
encryption. Transport Layer Security (TLS, the successor to SSL)
uses asymmetric encryption for authentication, and symmetric
encryption to protect the remainder of the communications session.
TLS can be used to secure electronic banking and other transmissions
between the institution and the customer. TLS may also be used to
secure e-mail, telnet, and FTP sessions. A wireless version of TLS
is called WTLS, for Wireless Transport Layer Security.
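The A-to-B exchange in the PKI paragraph above (hash, sign the hash with A's private key, encrypt for B, then B decrypts, re-hashes and verifies against A's CA-registered key), and the asymmetric-for-authentication / symmetric-for-the-payload split the TLS paragraph describes, are shown below as one added example. It is not code from the FFIEC booklet or this newsletter. Its assumptions: the CA is modelled as a simple name-to-public-key registry rather than an issuer of X.509 certificates; because RSA cannot encrypt a message plus a 256-byte signature directly, the message and signature are sealed with a one-time AES-GCM key and only that key is encrypted with B's public key, which is how real message-protection systems apply the booklet's description; the party names A and B and the sample message are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// CA stands in for the booklet's trusted certificate authority as a registry of
// which public key belongs to which party (hypothetical simplification).
type CA map[string]*rsa.PublicKey

// Envelope is what A sends to B.
type Envelope struct {
	WrappedKey []byte // one-time AES key encrypted with B's public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce
	Sealed     []byte // AES-GCM ciphertext of message || signature
	SigLen     int    // byte length of the signature that trails the message
}

// newGCM builds the symmetric cipher that protects the bulk of the data.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send is A's side: hash, sign the hash with A's private key, seal for B.
func Send(ca CA, aPriv *rsa.PrivateKey, recipient string, msg []byte) (*Envelope, error) {
	bPub, ok := ca[recipient]
	if !ok {
		return nil, fmt.Errorf("CA has no public key registered for %q", recipient)
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	// RSA encrypts only a few hundred bytes, so message+signature is protected
	// with a one-time AES-256 key and B's public key protects that key.
	buf := make([]byte, 32+12) // AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, msg...), sig...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce,
		Sealed: gcm.Seal(nil, nonce, payload, nil), SigLen: len(sig)}, nil
}

// Receive is B's side: unwrap the key with B's private key, decrypt, fetch A's
// public key from the CA, re-hash the message and compare with the signed hash.
func Receive(ca CA, bPriv *rsa.PrivateKey, sender string, env *Envelope) ([]byte, error) {
	aPub, ok := ca[sender]
	if !ok {
		return nil, fmt.Errorf("CA has no public key registered for %q", sender)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping content key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypting payload: %w", err)
	}
	if env.SigLen <= 0 || env.SigLen > len(plain) {
		return nil, fmt.Errorf("malformed envelope")
	}
	msg, sig := plain[:len(plain)-env.SigLen], plain[len(plain)-env.SigLen:]
	digest := sha256.Sum256(msg) // B re-performs the hash...
	if err := rsa.VerifyPKCS1v15(aPub, crypto.SHA256, digest[:], sig); err != nil {
		// ...and a mismatch means the message was altered or did not come from A.
		return nil, fmt.Errorf("message altered in transit or not from %s", sender)
	}
	return msg, nil // integrity and authentication both established
}

func main() {
	aKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := CA{"A": &aKey.PublicKey, "B": &bKey.PublicKey}
	env, _ := Send(ca, aKey, "B", []byte("constructed sample: transfer request #1"))
	msg, err := Receive(ca, bKey, "A", env)
	fmt.Printf("B read %q, err=%v\n", msg, err)
}
```

Two failure modes the booklet's prose implies are worth exercising: if B looks up the wrong sender at the CA (or the message did not come from A), the signature check fails, and if a single ciphertext byte is altered in transit, the authenticated cipher rejects it before the signature is even examined.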
Virtual Private Networks (VPNs) are used to provide employees,
contractors, and customers remote access over the Internet to
institution systems. VPN security is provided by authentication and
authorization for the connection and the user, as well as encryption
of the traffic between the institution and the user. While VPNs can
exist between client systems, and between servers, the typical
installation terminates the VPN connection at the institution
firewall. VPNs can use many different protocols for their
communications. Among the popular protocols are PPTP (point-to-point
tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use
different authentication methods, and different components on the
host systems. Implementations between vendors, and between products,
may differ. Currently, the problems with VPN implementations
generally involve interfacing a VPN with different aspects of the
host systems, and reliance on passwords for authentication.
IPSec is a complex aggregation of protocols that together provide
authentication and confidentiality services to individual IP
packets. It can be used to create a VPN over the Internet or other
untrusted network, or between any two computers on a trusted
network. Since IPSec has many configuration options, and can provide
authentication and encryption using different protocols,
implementations between vendors and products may differ. Secure
Shell is frequently used for remote server administration. SSH
establishes an encrypted tunnel between an SSH client and a server,
as well as authentication services.
Disk encryption is typically used to protect data in storage.
IT SECURITY
QUESTION:
F. PERSONNEL SECURITY
2. Determine if the institution includes in its terms and
conditions of employment the employee's responsibilities for
information security.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14 and/or 15, but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual
privacy notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9); and
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).