What if you could continuously review your IT operations throughout
the year as recommended by regulators and IT auditors for less than
10 dollars a week? You can - by relying on The Weekly IT Security
Review by Yennik, Inc.
Readers have been asking us for a method that would allow them to
continuously review their IT operations throughout the year.
We have responded by using our expertise to develop The Weekly IT
Security Review. Designed especially for IT
professionals, this new offering from Yennik, Inc. provides a weekly
review of information systems security issues. For more
information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
The Federal Financial Institutions Examination Council today
issued updated guidance for examiners, financial institutions, and
technology service providers on the risks associated with retail
payment systems.
Press Release:
www.ffiec.gov/press/pr022510.htm
Press Release:
www.occ.treas.gov/ftp/bulletin/2010-9.html
FYI -
Simulation shows government lacks policies needed to respond to
cyberattack - A simulation of a widespread cyberattack against the
nation's critical infrastructure on Tuesday demonstrated the
cascading effects an attack can have on networks and the difficulty
the government would have in quickly responding, including dealing
with civil liberties and how to work with corporations.
http://www.nextgov.com/nextgov/ng_20100216_5378.php?oref=topnews
FYI -
Hold vendors liable for buggy software, group says - SANS Institute,
Mitre also release 2010 list of Top 25 - A loose consortium of
security experts from more than 30 organizations today called on
enterprises to exert more pressure on their software vendors to
ensure that they use secure code development practices.
http://www.computerworld.com/s/article/9157218/Hold_vendors_liable_for_buggy_software_group_says
http://www.sans.org/top25-programming-errors/
FYI -
Zeus Trojan found on 74,000 PCs in global botnet - More than 74,000
PCs at nearly 2,500 organizations around the globe were compromised
over the past year and a half in a botnet infestation designed to
steal login credentials to bank sites, social networks, and e-mail
systems, a security firm said.
http://news.cnet.com/8301-27080_3-10455525-245.html?tag=mncol;title
FYI -
Military ban against USB drives partially lifted - After a more than
yearlong ban, USB drives and other removable media devices may now
be used on military networks under "very specific circumstances and
guidelines," according to the U.S. Strategic Command.
http://www.scmagazineus.com/military-ban-against-usb-drives-partially-lifted/article/164156/?DCMP=EMC-SCUS_Newswire
FYI -
Deposit money by taking a photo - In the near future, you might not
even have to visit a bank or an ATM to deposit a check. You'll
simply snap a couple of photos of it with your cell phone.
http://www.technologyreview.com/printer_friendly_article.aspx?id=24648&channel=communications&section
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Massive security breach suspected at Latvian tax office - The State
Revenue Service (VID) in Latvia admitted Monday that its electronic
security systems may have been breached and that millions of
confidential documents could have been hacked.
http://www.monstersandcritics.com/news/europe/news/article_1533738.php/Massive-security-breach-suspected-at-Latvian-tax-office
FYI -
Irate parents in Pa. say schools use 'Peeping Tom technology' - FBI
investigates, federal prosecutors subpoena documents in MacBook
spying case, say reports - The parents of a Pennsylvania high school
student have asked a federal judge to bar school district personnel
from switching on cameras in school-issued MacBook laptops, calling
the security feature "Peeping Tom technology."
http://www.computerworld.com/s/article/9159778/Irate_parents_in_Pa._say_schools_use_Peeping_Tom_technology_?taxonomyId=17
FYI -
Hackers Get Data on 10s of Thousands of Payment Cards - Helsinki
police are investigating a computer system intrusion that gave
hackers access to information on tens of thousands of different
types of credit and bank cards. So far, the information for only a
few cards has been exploited by the criminals.
http://www.yle.fi/uutiset/news/2010/02/hackers_get_data_on_10s_of_thousands_of_payment_cards_1464115.html
WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory
Insights regarding Incident Response Programs. (9 of 12)
Organize a public relations program.
Whether a bank is a local, national, or global firm,
negative publicity about a security compromise is a distinct
possibility. To address potential reputation risks associated with a
given incident, some banks have organized public relations programs
and designated specific points of contact to oversee the program. A
well-defined public relations program can provide a specific avenue
for open communications with both the media and the institution's
customers.
Recovery
Recovering from an incident essentially involves restoring systems
to a known good state or returning processes and procedures to a
functional state. Some banks have incorporated the following best
practices related to the recovery process in their IRPs.
Determine whether configurations or processes should be changed.
If an institution is the subject of a security compromise,
the goals in the recovery process are to eliminate the cause of the
incident and ensure that the possibility of a repeat event is
minimized. A key component of this process is determining whether
system configurations or other processes should be changed. In the
case of technical compromises, such as a successful network
intrusion, the IRP can prompt management to update or modify system
configurations to help prevent further incidents. Part of this
process may include implementing an effective, ongoing patch
management program, which can reduce exposure to identified
technical vulnerabilities. In terms of non-technical compromises,
the IRP can direct management to review operational procedures or
processes and implement changes designed to prevent a repeat
incident.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the
FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and
asymmetric. With a symmetric key system (also known as secret key
or private key systems), all parties have the same key. The keys
can be used to encrypt and decrypt messages, and must be kept secret
or the security is compromised. For the parties to get the same
key, there has to be a way to securely distribute the key to each
party. While this can be done, the security controls necessary make
this system impractical for widespread and commercial use on an open
network like the Internet. Asymmetric key systems can solve this
problem.
In an asymmetric key system (also known as a public key system), two
keys are used. One key is kept secret, and therefore is referred to
as the "private key." The other key is made widely available to
anyone who wants it, and is referred to as the "public key." The
private and public keys are mathematically related so that
information encrypted with the private key can only be decrypted by
the corresponding public key. Similarly, information encrypted with
the public key can only be decrypted by the corresponding private
key. The private key, regardless of the key system utilized, is
typically specific to a party or computer system. Therefore, the
sender of a message can be authenticated as the private key holder
by anyone decrypting the message with a public key. Importantly, it
is mathematically impossible for the holder of any public key to use
it to figure out what the private key is. The keys can be stored
either on a computer or on a physically separate medium such as a
smart card.
Regardless of the key system utilized, physical controls must exist
to protect the confidentiality and access to the key(s). In
addition, the key itself must be strong enough for the intended
application. The appropriate encryption key may vary depending on
how sensitive the transmitted or stored data is, with stronger keys
utilized for highly confidential or sensitive data. Stronger
encryption may also be necessary to protect data that is in an open
environment, such as on a Web server, for long time periods.
Because the strength of the key is determined by its length, the
longer the key, the harder it is for high-speed computers to break
the code.
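As an added illustration of the private/public key relationship described above (not code from the FDIC text or from Yennik), the following textbook RSA in Python shows one key undoing the other for both encryption and sender authentication; the primes P and Q are constructed sample values and the scheme is unpadded, so it demonstrates the mechanics only, not a deployable implementation.

```python
import math

# Constructed key material: two Mersenne primes, 2**31-1 and 2**61-1, giving
# a 92-bit modulus (far too small for real use, but enough to demonstrate).
P, Q = 2**31 - 1, 2**61 - 1


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) keys, each as an (n, exponent) tuple."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael lambda(n)
    if math.gcd(e, lam) != 1:
        raise ValueError("public exponent must be coprime to lambda(n)")
    d = pow(e, -1, lam)  # private exponent: e*d == 1 (mod lambda(n)); Python 3.8+
    return (n, e), (n, d)


def apply_key(key, value: int) -> int:
    """Raise value to the key's exponent mod n.  The same operation serves
    encryption/decryption and signing/verification; only the key differs."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def key_bits(key) -> int:
    """Key strength, as the text notes, is tied to the modulus length."""
    return key[0].bit_length()


def demo():
    public, private = make_keypair(P, Q)
    message = int.from_bytes(b"Approved", "big")  # constructed sample message
    # Confidentiality: anyone may encrypt with the public key, but only the
    # private-key holder can recover the message.
    ciphertext = apply_key(public, message)
    recovered = apply_key(private, ciphertext)
    # Authentication: only the private-key holder can produce this value,
    # and anyone holding the public key can check it came from that holder.
    signature = apply_key(private, message)
    verified = apply_key(public, signature) == message
    return {"bits": key_bits(public), "roundtrip": recovered == message,
            "verified": verified, "ciphertext_differs": ciphertext != message}


if __name__ == "__main__":
    print(demo())
```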
INTERNET PRIVACY - We continue our review of the issues in the
"Privacy of Consumer Financial Information" published by the
financial regulatory agencies.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal information";
"nonaffiliated third party"; the "opt out" right and the exceptions
to that right; and "consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
Financial Institution:
A "financial institution" is any institution the business of
which is engaging in activities that are financial in nature or
incidental to such financial activities, as determined by section
4(k) of the Bank Holding Company Act of 1956. Financial institutions
can include banks, securities brokers and dealers, insurance
underwriters and agents, finance companies, mortgage bankers, and
travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except a
financial institution's affiliate or a person employed jointly by a
financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is any company
that controls, is controlled by, or is under common control with the
financial institution.