R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 26, 2009

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy; Website for Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI -
In 2008 U.S. government computers were infected 5,499 times with malware - According to the Department of Homeland Security, there were 5,499 known breaches of U.S. government computers with malicious software last year, compared to 3,928 in 2007 and 2,172 in 2006. http://www.ecommerce-journal.com/news/14587_in_2008_u_s_government_computers_were_infected_5_499_times_with_malware

FYI -
FERC needs to step up oversight of grid security, experts say - Responding to a report that the nation's electric grid has been hacked by foreign spies, experts recommended today that federal agencies show greater initiative and seek legislative action to strengthen their cybersecurity authority and controls over the grid.
http://fcw.com/Articles/2009/04/08/FERC-needs-to-step-up-oversight-to-safeguard-grid.aspx
http://www.scmagazineus.com/Report-US-power-grid-hit-by-hackers/article/130373/?DCMP=EMC-SCUS_Newswire

FYI -
Cyberattack repairs cost Pentagon $100 million in six months - The Pentagon has spent more than $100 million in the past six months repairing damage to its networks caused by cyberattacks, according to military officials. http://www.scmagazineus.com/Cyberattack-repairs-cost-Pentagon-100-million-in-six-months/article/130376/

FYI -
Conficker botnet stirs to distribute update payload - It's alive! - The Conficker superworm is stirring, with the spread of a new variant that spreads across P2P and drops a payload. It is thought to update machines infected by earlier strains of the worm.
http://www.theregister.co.uk/2009/04/09/conficker_botnet_update/
http://www.scmagazineus.com/Conficker-worm-updated-to-send-spam-hawk-fake-AV/article/130455/?DCMP=EMC-SCUS_Newswire

FYI -
FBI Defends Disruptive Raids on Texas Data Centers - The FBI on Tuesday defended its raids on at least two data centers in Texas, in which agents carted out equipment and disrupted service to hundreds of businesses. http://blog.wired.com/27bstroke6/2009/04/data-centers-ra.html

FYI -
Privacy laws: Leading the charge - With the nation's strictest data security law set to take effect Jan. 1 in Massachusetts, mobile phone merchant Dennis Kelly plans to parlay the regulations into a competitive advantage. http://www.scmagazineus.com/Privacy-laws-Leading-the-charge/article/130488/?DCMP=EMC-SCUS_Newswire

FYI -
Job vetting practices may breach Privacy Act - The Privacy Commissioner warns that employers and vetting agencies may be breaching the Privacy Act with some practices of collecting and storing information about job applicants. http://www.odt.co.nz/news/national/51227/job-vetting-practices-may-breach-privacy-act

FYI -
Conficker worm hits University of Utah - Virus infiltrated computers at hospitals, medical school and some colleges - University of Utah officials say a computer virus has infected more than 700 campus computers, including those at the school's three hospitals.
http://www.msnbc.msn.com/id/30179873/
http://www.sltrib.com/news/ci_12118088

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
State warns 1,900 license holders of security breach - Nearly 1,900 holders of Hawai'i commercial driver's licenses are being warned to take measures to prevent identity theft after a state computer containing personal information was stolen three weeks ago. http://www.honoluluadvertiser.com/article/20090407/BREAKING01/90407109/-1

FYI -
Stolen laptop has information on 14,000 Moses Cone patients - Personal information from more than 14,000 Moses Cone Health System patients might have been compromised after a laptop computer was stolen. The computer contained information about cardiology and orthopedic patients treated at Moses Cone Memorial Hospital or Wesley Long Community Hospital from February 2004 to February 2009.
http://www.news-record.com/content/2009/04/13/article/laptop_stolen_contains_information_from_14000_moses_cone_patients
http://www.mosescone.com/body.cfm?xyzpdqabc=0&id=11&action=detail&ref=3840

FYI -
Bank warns customers after theft - The theft of seven laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of its customers saying their personal financial information may be in the hands of criminals. http://www3.signonsandiego.com/stories/2009/apr/10/1b10data191738-bank-warns-customers-after-theft/

FYI -
Gexa Energy data system hacked last spring - Company officials say there is no evidence any of the personal data was used by hacker - Former and current customers of Gexa Energy may have had their personal information compromised last year.
http://www.caller.com/news/2009/apr/10/gexa_energy_lost_info/
http://abclocal.go.com/ktrk/story?section=news/consumer&id=6740632

FYI -
Hackers prey on Ford Motor Co. searches to boost rankings - Attackers are using the Ford Motor Co. name to poison search engine results with some 1.2 million malicious links that lead to rogue security software. http://www.scmagazineus.com/Hackers-prey-on-Ford-Motor-Co-searches-to-boost-rankings/article/130635/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.

 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.


SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE

Hardening Systems

Many financial institutions use commercial off-the-shelf (COTS) software for operating systems and applications. COTS systems generally provide more functions than are required for the specific purposes for which they are employed. For example, a default installation of a server operating system may install mail, Web, and file-sharing services on a system whose sole function is a DNS server. Unnecessary software and services represent a potential security weakness: their presence increases the number of discovered and undiscovered vulnerabilities present in the system, and system administrators may not patch or monitor unused software and services to the same degree as operational software and services. Protection against those risks begins when the systems are constructed and software is installed, through a process referred to as hardening a system.

When deploying off-the-shelf software, management should harden the resulting system. Hardening includes the following actions:

- Determining the purpose of the system and minimum software and hardware requirements;
- Documenting the minimum hardware, software and services to be included on the system;
- Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure;
- Installing necessary patches;
- Installing the most secure and up-to-date versions of applications;
- Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user;
- Configuring security settings as appropriate, enabling allowed activity, and disallowing other activity;
- Enabling logging;
- Creating cryptographic hashes of key files;
- Archiving the configuration and checksums in secure storage prior to system deployment;
- Testing the system to ensure a secure configuration;
- Using secure replication procedures for additional, identically configured systems, making configuration changes on a case-by-case basis;
- Changing all default passwords; and
- Testing the resulting systems.

After deployment, the COTS systems may need updating with current security patches. Additionally, the systems should be periodically audited to ensure that the software present on the systems is authorized and properly configured.
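The booklet's steps "creating cryptographic hashes of key files", "archiving the configuration and checksums in secure storage", and the later periodic audit can be carried out with a simple file-integrity baseline. The following is an added example, not code from the FFIEC booklet or from Yennik; it builds a SHA-256 manifest of a directory, archives it as JSON, and reports files added, removed or modified since deployment. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_baseline(baseline, dest):
    """Archive the manifest as JSON; the authoritative copy belongs on secure, offline storage."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(src):
    return json.loads(Path(src).read_text())

def audit(baseline, root):
    """Compare the live system against the archived baseline (the periodic audit step)."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),     # software/files not authorized at deployment
        "removed": sorted(set(baseline) - set(current)),   # key files that have gone missing
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: a toy 'etc' tree is baselined, then drifts after deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        manifest = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), manifest)
        # Simulated drift: a hardened setting is weakened and an unapproved file appears.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "extra-tool.sh").write_text("#!/bin/sh\n")
        return audit(load_baseline(manifest), root)
```

Calling `demo()` returns the drift report; in practice the baseline would be built on the hardened image before deployment and the audit run on a schedule against the live host.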



IT SECURITY QUESTION:

G. APPLICATION SECURITY

4. Determine whether access to sensitive information and processes requires appropriate authentication and verification of authorized use before access is granted.


INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

4) Does the institution provide initial notice after establishing a customer relationship only if:

a. the customer relationship is not established at the customer's election; [§4(e)(1)(i)] or

b. to do otherwise would substantially delay the customer's transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§4(e)(1)(ii)]

 

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated