R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 25, 2010

CONTENT
*  Internet Compliance
*  Information Systems Security
*  IT Security Question
*  Internet Privacy
*  Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Are you ready for your IT examination?
 
The Weekly IT Security Review provides a checklist of the IT security issues covered in the FFIEC IT Examination Handbook, which will prepare you for the IT examination.   For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI -
Shocking data breaches are rife in Irish public sector - Data Protection Commissioner Billy Hawkes has hit out at the reluctance of Irish public-sector bodies to deal with data protection issues. More than 900 breaches in the private and public sector were investigated and breaches were up 50pc year-on-year. http://www.siliconrepublic.com/news/article/15794/cio/shocking-data-breaches-are-rife-in-irish-public-sector

FYI -
BofA insider to plead guilty to hacking ATMs - A Bank of America computer specialist is set to plead guilty to charges that he hacked the bank's automated tellers to dispense cash without recording the activity. http://www.computerworld.com/s/article/9174991/BofA_insider_to_plead_guilty_to_hacking_ATMs?source=rss_news

FYI -
Romania Swoops In on 70 Cybertheft Suspects - Romanian police arrested 70 suspects Tuesday who they claim were involved in eBay scams and other cybercrimes since 2006. http://www.wired.com/threatlevel/2010/04/romania-cyber-thieves

FYI -
GAO - Agencies Need to Implement Federal Desktop Core Configuration Requirements.
Release - http://www.gao.gov/new.items/d10202.pdf
Highlights - http://www.gao.gov/highlights/d10202high.pdf

FYI -
Securing personal-liable mobile devices on the corporate network - Consumers are dizzy from the influx of smartphones in the marketplace. Each device brings its own unique set of bells and whistles and consequently, challenges for the IT enterprise as consumers look to use their personal devices at work. http://www.scmagazineus.com/securing-personal-liable-mobile-devices-on-the-corporate-network/article/167689/?DCMP=EMC-SCUS_Newswire

FYI -
Agencies struggle with securing computers, GAO reports - Senators are taking action to get agencies on track with securing their computer systems from cyber attacks - Despite the frequency in cyberattacks against government networks, no major agency has fully secured its computers to the specifications in two major White House protection initiatives, a pair of new reports said. http://fcw.com/articles/2010/04/12/web-gao-fdcc-tic.aspx

FYI -
Spam a Judge, Go to Jail? - A litigant in a civil lawsuit asked an appeals court Wednesday to overturn his 30-day contempt sentence for urging people to send e-mail to a federal judge. http://www.wired.com/threatlevel/2010/04/virtualpresence/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Identity theft and tax fraud ring busted - Federal authorities have uncovered a sophisticated tax fraud scheme carried out by a group of computer savvy criminals who used stolen identities to obtain income tax returns totaling $4 million, according to a 74-count federal indictment unsealed in Arizona. http://www.scmagazineus.com/identity-theft-and-tax-fraud-ring-busted/article/167698/?DCMP=EMC-SCUS_Newswire

FYI -
Brokerage fined $375,000 in data-breach case; alleged hackers arrested and extradited from Eastern Europe - If you've got a brokerage account with D.A. Davidson, then it's likely that you've already heard about the breach in security and what the company has done to secure a remedy. http://blog.thenewstribune.com/business/2010/04/12/brokerage-fined-375000-in-data-breach-case-alleged-hackers-arrested-and-extradited-from-eastern-europe/


WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 4 of 5)

PROCEDURES TO ADDRESS SPOOFING - Spoofing Incident Response

To respond to spoofing incidents effectively, bank management should establish structured and consistent procedures.  These procedures should be designed to close fraudulent Web sites, obtain identifying information from the spoofed Web site to protect customers, and preserve evidence that may be helpful in connection with any subsequent law enforcement investigations.

Banks can take the following steps to disable a spoofed Web site and recover customer information.  Some of these steps will require the assistance of legal counsel.

*  Communicate promptly, including through written communications, with the Internet service provider (ISP) responsible for hosting the fraudulent Web site and demand that the suspect Web site be shut down;
*  Contact the domain name registrars promptly, for any domain name involved in the scheme, and demand the disablement of the domain names;
*  Obtain a subpoena from the clerk of a U.S. District Court directing the ISP to identify the owners of the spoofed Web site and to recover customer information in accordance with the Digital Millennium Copyright Act;
*  Work with law enforcement; and
*  Use other existing mechanisms to report suspected spoofing activity.

The following are other actions and types of legal documents that banks can use to respond to a spoofing incident:

*  Banks can write letters to domain name registrars demanding that the incorrect use of their names or trademarks cease immediately;
*  If these demand letters are not effective, companies with registered Internet names can use the Uniform Domain Name Dispute Resolution Process (UDRP) to resolve disputes in which they suspect that their names or trademarks have been illegally infringed upon.  This process allows banks to take action against domain name registrars to stop a spoofing incident.  However, banks must bear in mind that the UDRP can be relatively time-consuming.  For more details on this process see http://www.icann.org/udrp/udrp-policy-24oct99.htm; and
*  Additional remedies may be available under the federal Anti-Cybersquatting Consumer Protection Act (ACCPA), allowing the bank to initiate immediate action in federal district court under section 43(d) of the Lanham Act, 15 USC 1125(d).  Specifically, the ACCPA can provide for rapid injunctive relief without the need to demonstrate a similarity or likelihood of confusion between the goods or services of the parties.


 
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls (Part 1 of 2)

If passwords are used for access control or authentication measures, users should be properly educated in password selection. Strong passwords consist of at least six to eight alphanumeric characters, with no resemblance to any personal data. PINs should also be unique, with no resemblance to personal data. Neither passwords nor PINs should ever be reduced to writing or shared with others.

Other security measures should include the adoption of one-time passwords, or password aging measures that require periodic changes. Encryption technology can also be employed in the entry and transmission of passwords, PINs, user IDs, etc. Any password directories or databases should be properly protected, as well. 

Password guessing programs can be run against a system. Some can run through tens of thousands of password variations based on personal information, such as a user's name or address. It is preferable to test for such vulnerabilities by running this type of program as a preventive measure, before an unauthorized party has the opportunity to do so. Incorporating a brief delay requirement after each incorrect login attempt can be very effective against these types of programs. In cases where a potential attacker is monitoring a network to collect passwords, a system utilizing one-time passwords would render any data collected useless. 
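As an added illustration of the two controls described above (this is example code, not part of the FDIC text): a small Python login guard that enforces the password-selection rule (length, letters and digits, no fragment of personal data) and imposes a delay that doubles after each incorrect attempt, which is what blunts a password-guessing program. The class, function names and the 1-second base delay are my own choices; the clock is injectable so the behaviour can be checked without sleeping.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 8      # upper end of the guidance's "six to eight" characters
BASE_DELAY = 1.0    # seconds imposed after the first consecutive failure (assumed value)

def password_meets_policy(password: str, personal_data: list[str]) -> bool:
    # Minimum length, and both letters and digits present.
    classes_ok = any(c.isalpha() for c in password) and any(c.isdigit() for c in password)
    if len(password) < MIN_LENGTH or not classes_ok:
        return False
    # No name, date or address token of 3+ characters may appear inside the password.
    lowered = password.lower()
    tokens = (tok for item in personal_data for tok in item.lower().split())
    return not any(len(tok) >= 3 and tok in lowered for tok in tokens)
def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    # Salted password store whose required delay doubles after each consecutive failure.
    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so tests do not have to sleep
        self._users = {}         # user -> (salt, hash)
        self._failures = {}      # user -> (consecutive failures, time of last one)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, pbkdf2(password, salt))

    def required_delay(self, user: str) -> float:
        # Seconds still to wait before another attempt for this user is considered.
        failures, last = self._failures.get(user, (0, 0.0))
        if failures == 0:
            return 0.0
        wait = min(BASE_DELAY * 2 ** (failures - 1), 60.0)   # 1, 2, 4, ... capped at 60 s
        return max(0.0, wait - (self._clock() - last))

    def login(self, user: str, password: str) -> bool:
        if self.required_delay(user) > 0:
            return False         # inside the delay window: rejected without checking
        # Unknown users get a throwaway salt so the hashing cost (timing) is identical.
        salt, stored = self._users.get(user, (os.urandom(16), b""))
        ok = hmac.compare_digest(pbkdf2(password, salt), stored)
        if ok:
            self._failures.pop(user, None)      # success resets the counter
        else:
            self._failures[user] = (self._failures.get(user, (0, 0.0))[0] + 1, self._clock())
        return ok
```

A correct password entered inside the delay window is still refused, so a guessing program gains nothing by interleaving candidates quickly; the per-user counter is a simplification, and a production system would also rate-limit by source address.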

When additional measures are necessary to confirm that passwords or PINs are entered by the user, technologies such as tokens, smart cards, and biometrics can be useful. Utilizing these technologies adds another dimension to the security structure by requiring the user to possess something physical.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 2 of 6)

Notice Duties to Customers:

In addition to the duties described above, there are several duties unique to customers. In particular, regardless of whether the institution discloses or intends to disclose nonpublic personal information, a financial institution must provide notice to its customers of its privacy policies and practices at various times.

1)  A financial institution must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. Section 4(e) of the regulations describes the exceptional cases in which delivery of the notice is allowed subsequent to the establishment of the customer relationship.

2)  A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship.

3)  Generally, new privacy notices are not required for each new product or service. However, a financial institution must provide a new notice to an existing customer when the customer obtains a new financial product or service from the institution, if the initial or annual notice most recently provided to the customer was not accurate with respect to the new financial product or service.

4)  When a financial institution does not disclose nonpublic personal information (other than as permitted under section 14 and section 15 exceptions) and does not reserve the right to do so, the institution has the option of providing a simplified notice.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

IT Security Checklist
A weekly email that provides an effective
method to prepare for your IT examination.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated