Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - System failure is seen as a greater concern than negligence, as cost of average data breach to organisations reaches £1.9 million - System failure has overtaken the insider as the most common threat in terms of data loss. According to a study by Symantec and the Ponemon Institute, 37 per cent of all data loss cases involved a system failure, up seven per cent on 2009.
http://www.scmagazineuk.com/system-failure-is-seen-as-a-greater-concern-than-negligence-as-cost-of-average-data-breach-to-organisations-reaches-19-million/article/198789/
FYI - Hacker vs. Hacker - The hacking and public humiliation of cyber-security firm HBGary isn't just entertaining geek theater. It's a cautionary tale for businesses everywhere.
http://www.businessweek.com/magazine/content/11_12/b4220066790741.htm
FYI - Cyberattack could put customers at risk - Information about RSA's SecurID authentication tokens used by millions of people, including government and bank employees, was stolen during an "extremely sophisticated cyberattack," putting customers relying on them to secure their networks at risk, the company said today.
http://news.cnet.com/8301-27080_3-20044455-245.html
FYI - ICO says 40% of wireless home internet users have no knowledge of WiFi security - Research just published by the Information Commissioner's Office (ICO) claims to show that 40% of people who have WiFi at home do not understand how to change the security settings on their networks.
http://www.infosecurity-magazine.com/view/16701/ico-says-40-of-wireless-home-internet-users-have-no-knowledge-of-wifi-security/
FYI - GAO Says IRS Data Security Problems Persist - The General Accountability Office reported that the Internal Revenue Service is still exposing taxpayer and financial information to insider-threat risks, despite making some access-control improvements.
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229301206
FYI - Goldman Sachs programmer sentenced for code theft - A software programmer charged with copying secret financial trading code from Goldman Sachs computers was sentenced Friday to eight years in prison.
http://www.scmagazineus.com/goldman-sachs-programmer-sentenced-for-code-theft/article/198826/?DCMP=EMC-SCUS_Newswire
FYI - Microsoft launches new PC tool for small businesses - Microsoft wants to convince small and midsize businesses that they need the same sort of PC-management tools that large corporations use.
http://news.cnet.com/8301-10805_3-20046080-75.html
FYI - Banking via mobile device jumps 54 percent - The number of people accessing their bank or brokerage accounts through mobile devices surged 54 percent in the fourth quarter last year compared with the same period in 2009.
http://news.cnet.com/8301-1023_3-20046807-93.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Medical ID theft on the rise, says new study - Even though nearly 1.5 million Americans were victims of medical identity theft last year, many are doing little to protect their health records, according to a second annual study released Tuesday.
http://www.scmagazineus.com/medical-id-theft-on-the-rise-says-new-study/article/198370/?DCMP=EMC-SCUS_Newswire
FYI - US-Cert warns of phishing attacks that bypass filters - The US Computer Emergency Response Team (US-Cert) is warning users and administrators following the discovery of a potent new phishing operation. The scam is targeting a number of institutions, including Bank of America, Lloyds, PayPal and TSB.
http://www.v3.co.uk/v3-uk/news/2035559/-cert-warns-phishing-attacks
FYI - Leader of Hacker Gang Sentenced to 9 Years For Hospital Malware - The former leader of an anarchistic hacking group called the Electronik Tribulation Army was sentenced Thursday to 9 years and 2 months in prison for installing malware on computers at a Texas hospital.
http://www.wired.com/threatlevel/2011/03/ghostexodus-2/
FYI - Texas ringleader of pump-and-dump scam arrested - Federal agents have arrested the alleged ringleader of an international securities fraud gang that used hackers, botnet operators and email spam to artificially drive up the value of stocks, the Department of Justice (DoJ) said Thursday.
http://www.scmagazineus.com/texas-ringleader-of-pump-and-dump-scam-arrested/article/198904/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Some considerations for contracting with service providers are discussed below. This listing is not all-inclusive and the institution may need to evaluate other considerations based on its unique circumstances. The level of detail and relative importance of contract provisions varies with the scope and risks of the services outsourced.
Scope of Service
The contract should clearly describe the rights and responsibilities of parties to the contract. Considerations include:
• Timeframes and activities for implementation and assignment of responsibility. Implementation provisions should take into consideration other existing systems or interrelated systems to be developed by different service providers (e.g., an Internet banking system being integrated with existing core applications or systems customization).
• Services to be performed by the service provider, including duties such as software support and maintenance, training of employees or customer service.
• Obligations of the financial institution.
• The contracting parties' rights in modifying existing services performed under the contract.
• Guidelines for adding new or different services and for contract re-negotiation.
Performance Standards
Institutions should generally include performance standards defining
minimum service level requirements and remedies for failure to meet
standards in the contract. For example, common service level metrics
include percent system uptime, deadlines for completing batch
processing, or number of processing errors. Industry standards for
service levels may provide a reference point. The institution should
periodically review overall performance standards to ensure
consistency with its goals and objectives.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Shared Secret Systems (Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the ease with which an attacker can discover the secret. Attack methods vary.
• A dictionary attack is one common and successful way to discover passwords. In a dictionary attack, the attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords.
Controls against dictionary attacks include securing the password file from compromise, detection mechanisms to identify a compromise, heuristic intrusion detection to detect differences in user behavior, and rapid reissuance of passwords should the password file ever be compromised. While extensive character sets and storing passwords as one-way hashes can slow down a dictionary attack, those defensive mechanisms primarily buy the financial institution time to identify and react to password file compromises.
• An additional attack method targets a specific account and submits passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms, which commonly lock out access to the account after a risk-based number of failed login attempts.
• A variation of the previous attack uses a popular password and tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of possible passwords to usernames, randomly generated passwords, and scanning the IP addresses of authentication requests and client cookies for submission patterns.
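To make the two server-side controls above concrete, here is an added Python example (not from the booklet or this newsletter) that runs both checks over a few constructed authentication log lines: a per-account sliding window that locks the account once a threshold of failures is reached within the window, and a per-source check that flags an address whose failures span many distinct usernames in a short period, which is the submission pattern the single-password-many-usernames attack leaves behind. The log format, field names, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<iso timestamp> OK|FAIL user=<name> src=<ip>").
# 203.0.113.7 hammers one account; 198.51.100.9 tries one guess each against
# nine different accounts; mlee simply mistypes once and then succeeds.
SAMPLE_LOG = """\
2011-03-20T09:00:01 FAIL user=jsmith src=203.0.113.7
2011-03-20T09:00:04 FAIL user=jsmith src=203.0.113.7
2011-03-20T09:00:09 FAIL user=jsmith src=203.0.113.7
2011-03-20T09:00:15 FAIL user=jsmith src=203.0.113.7
2011-03-20T09:00:22 FAIL user=jsmith src=203.0.113.7
2011-03-20T09:01:00 FAIL user=mlee src=192.0.2.44
2011-03-20T09:01:07 OK user=mlee src=192.0.2.44
2011-03-20T09:05:00 FAIL user=alpha src=198.51.100.9
2011-03-20T09:05:01 FAIL user=bravo src=198.51.100.9
2011-03-20T09:05:02 FAIL user=charlie src=198.51.100.9
2011-03-20T09:05:03 FAIL user=delta src=198.51.100.9
2011-03-20T09:05:04 FAIL user=echo src=198.51.100.9
2011-03-20T09:05:05 FAIL user=foxtrot src=198.51.100.9
2011-03-20T09:05:06 FAIL user=golf src=198.51.100.9
2011-03-20T09:05:07 FAIL user=hotel src=198.51.100.9
2011-03-20T09:05:08 FAIL user=india src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_auth_log(text: str) -> list:
    """Turn log lines into event dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def accounts_to_lock(events: list, max_failures: int = 5,
                     window: timedelta = timedelta(minutes=15)) -> set:
    """Per-account lockout: lock when max_failures failures fall inside the window.

    A successful login clears the account's recent failures; once locked, later
    events for that account are ignored (an unlock is an administrative action).
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if user in locked:
            continue
        q = recent[user]
        if ev["result"] == "OK":
            q.clear()
            continue
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked.add(user)
    return locked


def spraying_sources(events: list, min_distinct_users: int = 8,
                     window: timedelta = timedelta(minutes=10)) -> set:
    """Per-source pattern check: flag an address whose failures within the window
    cover at least min_distinct_users different usernames."""
    failures = defaultdict(list)  # src -> [(ts, user)] failed attempts, in time order
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        lst = failures[ev["src"]]
        lst.append((ev["ts"], ev["user"]))
        users_in_window = {u for t, u in lst if ev["ts"] - t <= window}
        if len(users_in_window) >= min_distinct_users:
            flagged.add(ev["src"])
    return flagged


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("accounts to lock:", accounts_to_lock(evs))       # {'jsmith'}
    print("spraying sources:", spraying_sources(evs))       # {'198.51.100.9'}
```

Note that the per-account lockout never fires for the second source, because no single account sees more than one failure; only the per-source view catches it. That is why the booklet lists both controls rather than one.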
• Password guessing attacks also exist. These attacks generally consist of an attacker gaining knowledge about the account holder and password policies and using that knowledge to guess the password.
Controls include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed. Users with greater authorization or privileges, such as root users or administrators, should have longer, more complex passwords than other users.
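The policy elements listed above (length, character set, no well-known identifiers, maximum age, and stricter rules for privileged users) can be enforced at password-change time. The following is an added Python example, not the booklet's or the newsletter's own code; the thresholds, the identifier list and the short common-password denylist are assumptions an institution would replace with its own values.

```python
from datetime import date

# Assumed policy values for this example; an institution sets its own.
WELL_KNOWN_IDENTIFIERS = {"root", "admin", "administrator", "guest", "password"}
# Constructed, deliberately short denylist of commonly used passwords.
COMMON_PASSWORDS = {"password1", "welcome1", "letmein", "qwerty123", "spring2011"}
POLICY = {
    "user":       {"min_length": 8,  "min_classes": 3, "max_age_days": 90},
    "privileged": {"min_length": 14, "min_classes": 4, "max_age_days": 60},
}


def character_classes(password: str) -> int:
    """Count the character classes present: lower, upper, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password: str, username: str, privileged: bool = False) -> list:
    """Return the list of policy violations (empty list means the password is acceptable).

    Privileged accounts get the longer minimum length and more character classes
    the booklet asks for.
    """
    rules = POLICY["privileged" if privileged else "user"]
    lowered = password.lower()
    violations = []
    if len(password) < rules["min_length"]:
        violations.append("too_short")
    if character_classes(password) < rules["min_classes"]:
        violations.append("too_few_character_classes")
    if len(username) >= 3 and username.lower() in lowered:
        violations.append("contains_username")
    if any(ident in lowered for ident in WELL_KNOWN_IDENTIFIERS):
        violations.append("well_known_identifier")
    if lowered in COMMON_PASSWORDS:
        violations.append("common_password")
    return violations


def password_expired(last_changed: date, today: date, privileged: bool = False) -> bool:
    """True once the password is older than the maximum age for the account class."""
    rules = POLICY["privileged" if privileged else "user"]
    return (today - last_changed).days > rules["max_age_days"]


if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3xyz", "jsmith"))            # []
    print(check_password("Administrator1!", "jsmith"))           # ['well_known_identifier']
    print(check_password("Tr0ub4dor&3", "root", privileged=True))  # ['too_short']
    print(password_expired(date(2011, 1, 1), date(2011, 4, 2)))  # True
```

Returning the full list of violations rather than stopping at the first lets the change form tell the user everything that is wrong at once, which is part of the "training in" half of the control.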
• Some attacks depend on patience, waiting until the logged-in workstation is unattended.
Controls include automatically logging the workstation out after a period of inactivity (existing industry practice is no more than 20-30 minutes) and heuristic intrusion detection.
• Attacks can take advantage of automatic login features, allowing the attacker to assume an authorized user's identity merely by using a workstation.
Controls include prohibiting and disabling automatic login features, and heuristic intrusion detection.
• Users' inadvertent or unthinking actions can compromise passwords. For instance, when a password is too complex to readily memorize, the user could write the password down but not secure the paper. Frequently, written-down passwords are readily accessible to an attacker under mouse pads or in other places close to the user's machine. Additionally, attackers frequently are successful in obtaining passwords by using social engineering and tricking the user into giving up their password.
Controls include user training, heuristic intrusion detection, and simpler passwords combined with another authentication mechanism.
• Attacks can also become much more effective or damaging if different network devices share the same or a similar password.
Controls include a policy that forbids the same or similar password on particular network devices.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
33. Except as permitted by §§13-15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:
a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution's privacy policies and practices; [§8(a)(1)]
b. the institution has provided the consumer with a new opt out notice; [§8(a)(2)]
c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§8(a)(3)] and
d. the consumer has not opted out? [§8(a)(4)]