Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Fake SSL Certificate Incident Highlights Flaws in DNS - Security industry professionals should be focusing on the vulnerabilities inherent in the DNS infrastructure and not that Comodo Security incorrectly issued certificates.
http://www.eweek.com/c/a/Security/Fake-SSL-Certificate-Incident-Highlights-Flaws-in-DNS-Comodo-CEO-440985/
http://www.scmagazineus.com/experts-weigh-in-on-comodo-ssl-certificate-fraud/article/199109/?DCMP=EMC-SCUS_Newswire

FYI - Rise in federal cyberattacks partly due to better monitoring - The number of cyber incidents affecting U.S. federal agencies shot up 39 percent in 2010, according to a new report from the Office of Management and Budget (OMB), but experts said the increase is partly a reflection of improved discovery capabilities within government. http://www.scmagazineus.com/rise-in-federal-cyberattacks-partly-due-to-better-monitoring/article/199387/?DCMP=EMC-SCUS_Newswire

FYI - PM's dept vows to block Hotmail, Gmail - The department which houses Prime Minister Julia Gillard and the Cabinet yesterday signalled it would bow to a request from the Federal Auditor-General and block access to public email services such as Hotmail and Gmail from 1 July, with the auditor seeing the platforms as an inherent security risk. http://www.zdnet.com.au/pm-s-dept-vows-to-block-hotmail-gmail-339311898.htm?omnRef=NULL

FYI - Survey shows we're too lazy about mobile phone security - A new survey shows U.S. consumers are shockingly lax about basic security on their mobile phones. http://www.cnn.com/2011/TECH/mobile/03/28/survey.security.mashable/index.html

FYI - Corporate data is new target of cybercrime - Cybercrime Intellectual Property Internal Threats Hackers Hacking CompanyMcAfeeCybercriminals have shifted their efforts from targeting individuals' personal information to the intellectual capital of global corporations, according to a report released Monday by McAfee and defense contractor Science Applications International Corp. (SAIC). http://www.scmagazineus.com/corporate-data-is-new-target-of-cybercrime/article/199420/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - BP "leaks" data of 13,000 Gulf oil spill victims - A BP employee lost a laptop containing the personal information of thousands of Louisiana residents who filed compensation claims after last year's devastating oil spill in the Gulf of Mexico. http://www.scmagazineus.com/bp-leaks-data-of-13000-gulf-oil-spill-victims/article/199554/?DCMP=EMC-SCUS_Newswire

FYI - EU admits deep impact cyberattack in run-up to key summit - Internal docs suggest longer-term problem - The EU has admitted to having been hit by a deep, penetrating cyber-attack. http://www.theregister.co.uk/2011/03/24/eu_cyber_attack/

FYI - Student used spyware to steal passwords, change grades is expected to be sentenced to a month in prison for altering his school record - A former high school senior from Orange County, California, has pleaded guilty to charges that he installed spyware on school computers in order to boost his grades. http://www.networkworld.com/news/2011/032211-student-used-spyware-to-steal.html?source=nww_rss

FYI - TripAdvisor users may receive more spam due to breach - Travel website TripAdvisor on Thursday warned users to expect more spam after hackers stole a portion of its 20 million member database. http://www.scmagazineus.com/tripadvisor-users-may-receive-more-spam-due-to-breach/article/199221/?DCMP=EMC-SCUS_Newswire

FYI - MySQL Web site falls victim to SQL injection attack - Oracle's MySQL.com customer Web site was compromised over the weekend by a pair of hackers who publicly posted usernames, and in some cases passwords, of the site's users. http://www.computerworld.com/s/article/9215249/MySQL_Web_site_falls_victim_to_SQL_injection_attack?taxonomyId=17

FYI - Hackers target business secrets - Intellectual property and business secrets are fast becoming a target for cyber thieves, a study suggests. http://www.bbc.co.uk/news/technology-12864666

FYI - Restaurant group settles privacy case for $110,000 - The Briar Group LLC, which runs Ned Devine's, the Green Briar, The Lenox, and other popular restaurants, has agreed to pay $110,000 to resolve allegations that the Boston chain failed to take reasonable steps to protect diners' personal information and put at risk the information on tens of thousands of credit and debit cards. http://www.boston.com/business/ticker/2011/03/restaurant_grou.html

FYI - Second-hand phones often contain personal data - Second-hand mobile phones often contain personal data, despite the attempts of owners to wipe devices before selling them on, according to data protection company CPP. Just over half of second-hand mobiles and SIM cards sold online - some 54 percent - contained sensitive personal data, a study commissioned by CPP found. http://www.zdnet.co.uk/news/security-management/2011/03/23/study-second-hand-phones-often-contain-personal-data-40092236/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Security and Confidentiality

The contract should address the service provider’s responsibility for security and confidentiality of the institution’s resources (e.g., information, hardware). The agreement should prohibit the service provider and its agents from using or disclosing the institution’s information, except as necessary to or consistent with providing the contracted services, to protect against unauthorized use (e.g., disclosure of information to institution competitors). If the service provider receives
nonpublic personal information regarding the institution’s customers, the institution should notify the service provider to assess the applicability of the privacy regulations. Institutions should require the service provider to fully disclose breaches in security resulting in unauthorized intrusions into the service provider that may materially affect the institution or its customers. The service provider should report to the institution when material intrusions occur, the effect on the institution, and corrective action to respond to the intrusion.

Controls

Consideration should be given to contract provisions addressing control over operations such as:

• Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and the institution’s approval rights
regarding material changes to services, systems, controls, key project personnel allocated to
the institution, and new service locations.
• Setting and monitoring of parameters relating to any financial functions, such as payments
processing and any extensions of credit on behalf of the institution.
• Insurance coverage to be maintained by the service provider.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Token Systems (1 of 2)

Token systems typically authenticate the token and assume that the user who was issued the token is the one requesting access. One example is a token that generates dynamic passwords every X seconds. When prompted for a password, the user enters the password generated by the token. The token's password - generating system is identical and synchronized to that in the system, allowing the system to recognize the password as valid. The strength of this system of authentication rests in the frequent changing of the password and the inability of an attacker to guess the seed and password at any point in time.

Another example of a token system uses a challenge/response mechanism. In this case, the user identifies him/herself to the system, and the system returns a code to enter into the password - generating token. The token and the system use identical logic and initial starting points to separately calculate a new password. The user enters that password into the system. If the system's calculated password matches that entered by the user, the user is authenticated. The strengths of this system are the frequency of password change and the difficulty in guessing the challenge, seed, and password.

Other token methods involve multi - factor authentication, or the use of more than one authentication method. For instance, an ATM card is a token. The magnetic strip on the back of the card contains a code that is recognized in the authentication process. However, the user is not authenticated until he or she also provides a PIN, or shared secret. This method is two - factor, using both something the user has and something the user knows. Two - factor authentication is generally stronger than single - factor authentication. This method can allow the institution to authenticate the user as well as the token.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it: 

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])