What if you could manage your IT operations throughout the year as recommended by regulators and IT auditors for less than 10 dollars a week? You can - by relying on The Weekly IT Security Review.  Designed especially for management, the Review provides a weekly analysis of IT security issues.  For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI - Registrar 'incredibly' changed our e-mail for hacker - A hacker who took down top Chinese search engine Baidu.com last month broke into its account with a U.S. domain name registrar by pretending to be from Baidu in an online chat with the registrar's tech help, according to a lawsuit filed by Baidu. http://www.computerworld.com/s/article/9162118/Baidu_Registrar_incredibly_changed_our_e_mail_for_hacker?taxonomyId=17

FYI - Threee Bulgarians charged in 44-day ATM hacking spree - Three Bulgarian men were charged Wednesday with defrauding banks of more than $137,000 in a scheme that attached electronic skimming devices to numerous automatic teller machines in Massachusetts. http://www.theregister.co.uk/2010/02/24/atm_skimming_charges/

FYI - Vulnerabilities fell in '09, attacks rose - The 2009 cybersecurity landscape had its peaks and its valleys - the number of new and unpatched vulnerabilities decreased compared to 2008, but attack volume grew substantially, according to a research report from IBM ISS. http://www.scmagazineus.com/ibm-report-vulnerabilities-fell-in-09-attacks-rose/article/164547/?DCMP=EMC-SCUS_Newswire

FYI - Deposit money by taking a photo - In the near future, you might not even have to visit a bank or an ATM to deposit a check. You'll simply snap a couple of photos of it with your cell phone. http://www.technologyreview.com/printer_friendly_article.aspx?id=24648&channel=communications&section

FYI - DoD Loosens Social Media Restrictions - Soldiers and Defense Department employees will now be able to access Facebook, Twitter, YouTube, and other social media sites on the military's unclassified network, according to new policy issued this week. http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=223100879&cid=RSSfeed_IWK_News

FYI - Medical identity theft is costly for victims - When your wallet is lost or stolen, the first thing you probably do is call your credit card companies. You should also notify your medical insurance provider judging from the conclusions of a report to be released on Wednesday that finds that medical identity fraud can be very costly. http://news.cnet.com/8301-27080_3-10460902-245.html?tag=mncol;title

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Intel hit by 'sophisticated' hack last month - Intel says it was hit by a "sophisticated incident" in January in which hackers attempted to breach its digital defenses, making it the latest US company to admit it is being targeted by online miscreants. http://www.theregister.co.uk/2010/02/23/intel_hacking_incident/

FYI - HHS Posts Data Breach Notifications - The Office for Civil Rights in the Department of Health and Human Services has launched a Web page listing covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals.
http://www.healthdatamanagement.com/news/breach_notification_security_hitech-39814-1.html
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

FYI - Wyndham hotels hacked again - Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data. The break-in occurred between late October 2009 and January 2010, when it was finally discovered. It affected an undisclosed number of company franchisees and hotel properties that Wyndham manages. http://www.computerworld.com/s/article/9163041/Wyndham_hotels_hacked_again

FYI - Four charged with hacking ticket vendors - In what may prove to be a big win for concert-goers, four men were indicted and charged with using fraud, deceit and computer hacking to get first dibs on tickets to major sporting events, theater productions and concerts, and then reselling them to ticket brokers. http://www.scmagazineus.com/four-charged-with-hacking-ticket-vendors/article/164777/?DCMP=EMC-SCUS_Newswire

FYI - PlainsCapital didn't halt cyber-robbery - A Plano business that lost nearly $230,000 through an alleged cyber-robbery last year says in court documents PlainsCapital Bank had plenty of chances to head off the heist as it started. http://www.lubbockonline.com/stories/022610/bus_567867261.shtml

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (10 of 12)

Test affected systems or procedures prior to implementation.

Testing is an important function in the incident response process. It helps ensure that reconfigured systems, updated procedures, or new technologies implemented in response to an incident are fully effective and performing as expected. Testing can also identify whether any adjustments are necessary prior to implementing the updated system, process, or procedure.

Follow-up

During the follow-up process, an institution has the opportunity to regroup after the incident and strengthen its control structure by learning from the incident. A number of institutions have included the following best practice in their IRPs.

Conduct a "lessons-learned" meeting.

1) Successful organizations can use the incident and build from the experience. Organizations can use a lessons-learned meeting to
2) discuss whether affected controls or procedures need to be strengthened beyond what was implemented during the recovery phase;
3) discuss whether significant problems were encountered during the incident response process and how they can be addressed;
4) determine if updated written policies or procedures are needed for the customer information security risk assessment and information security program;
5) determine if updated training is necessary regarding any new procedures or updated policies that have been implemented; and
6) determine if the bank needs additional personnel or technical resources to be better prepared going forward.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 

SECURITY MEASURES

Digital Signatures 

Digital signatures authenticate the identity of a sender, through the private, cryptographic key.  In addition, every digital signature is different because it is derived from the content of the message itself. T he combination of identity authentication and singularly unique signatures results in a transmission that cannot be repudiated. 

Digital signatures can be applied to any data transmission, including e-mail.  To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a unique, character representation of the data).  This process is known as the "hash."  The message digest is then encrypted with a private key, and sent along with the message.  The recipient receives both the message and the encrypted message digest.  The recipient decrypts the message digest, and then runs the message through the hash function again.  If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified.  Because the message digest was encrypted with a private key, the sender can be identified and bound to the specific message.  The digital signature cannot be reused, because it is unique to the message.  In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself. The strength and security of a digital signature system is determined by its implementation, and the management of the cryptographic keys.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Nonpublic Personal Information:

"Nonpublic personal information" generally is any information that is not publicly available and that:

1)  a consumer provides to a financial institution to obtain a financial product or service from the institution;

2)  results from a transaction between the consumer and the institution involving a financial product or service; or

3)  a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or securities filing.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution's depositors would be nonpublic personal information even though the names and addresses might be published in local telephone directories because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers where the mortgages are recorded in public records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about the customers on that list without having to provide notice or opt out.