Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Security education: We're doing it wrong - Have you ever had one of those moments where you read something that makes you smack yourself in the forehead because it points out how you've been looking sideways at a thing for all these years? http://www.scmagazineus.com/security-education-were-doing-it-wrong/article/201123/?DCMP=EMC-SCUS_Newswire

FYI - Google Shows Data Center Security Following Facebook Open Compute - Google provides a sneak peek at its Moncks Corner, S.C., data center's security practices, showing both the physical and virtual security measures used to protect user data. http://www.eweek.com/c/a/Security/Google-Shows-Data-Center-Security-Following-Facebook-Open-Compute-850172/

FYI - iPhone Software Tracks Location Of Users - Apple's iOS 4 operating system collects information about where iPhone users travel, two programmers revealed at the Where 2.0 conference. http://www.informationweek.com/news/security/privacy/229401960

FYI - Feds to Supreme Court: Allow Warrantless GPS Monitoring - The Obama administration is urging the Supreme Court to allow the government, without a court warrant, to affix GPS devices on suspects’ vehicles to track their every move. http://www.wired.com/threatlevel/2011/04/scotus-gps-monitoring/

FYI - Seattle Police Say 'wardrivers' Are Hitting Small Businesses - Seattle police are investigating a group of criminals who they say have been cruising around town in a black Mercedes stealing credit card data by tapping into wireless networks belonging to area businesses. http://www.pcworld.com/businesscenter/article/226086/seattle_police_say_wardrivers_are_hitting_small_businesses.html 

FYI - Schmidt says cyber progress being made quietly behind the scenes - Howard Schmidt isn't interested in measuring the progress the Obama administration is making in securing federal computer systems by the number of policies or initiatives it announces. http://www.federalnewsradio.com/index.php?nid=35&sid=2355677

FYI - Covert hard drive fragmentation embeds a spy's secrets - GOOD news for spies. There is now a way to hide data on a hard drive without using encryption. Instead of using a cipher to scramble text, the method involves manipulating the location of data fragments. http://www.newscientist.com/article/mg21028095.200-covert-hard-drive-fragmentation-embeds-a-spys-secrets.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - US Man Pleads Guilty to $36.6 Million Worth of ID Theft - A Georgia man connected to US$36.6 million in credit card fraud pleaded guilty Thursday to trafficking in counterfeit credit cards and aggravated identity theft, the U.S. Department of Justice said. http://www.pcworld.com/businesscenter/article/225898/us_man_pleads_guilty_to_366_million_worth_of_id_theft.html

FYI - Texas fires two tech chiefs over breach - Data of 3.2M people was inadvertently posted on a publicly accessible Web site - The Texas State Comptroller's office has fired its heads of information security and of innovation and technology following an inadvertent data leak that exposed Social Security numbers and other personal information on over 3.2 million people in the state. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach?taxonomyId=17

FYI - Engineer who sued Cisco arrested for hacking it - Collusion between Cisco and prosecutors alleged - A former Cisco engineer was arrested for allegedly hacking into the company's network 18 months after he waged a civil lawsuit accusing Cisco of monopolizing the business of servicing and maintaining its networking gear, according to a report citing a Canadian arrest warrant issue in the case. http://www.theregister.co.uk/2011/04/20/cisco_engineer_hacking_arrest/

FYI - More breaches but less data lost. Huh?! - Verizon's Data Breach Investigations Report for last year is a bit of a head scratcher. It shows that while the number of data breaches from cyber attacks rose, the amount of compromised records lost has fallen. http://news.cnet.com/8301-27080_3-20055116-245.html?tag=mncol;title

FYI - Hacker pleads after busted with 675K stolen cards - A Georgia man has pleaded guilty to fraud and identity theft after authorities found him in possession of more than 675,000 credit card numbers, some of which he obtained by hacking into business networks. http://www.scmagazineus.com/hacker-pleads-after-busted-with-675k-stolen-cards/article/201187/?DCMP=EMC-SCUS_Newswire

FYI - Oak Ridge still without Internet access due to malware attack - Technicians trying to identify and clean up the infection - Internet access to the Energy Department’s Oak Ridge National Laboratory remains shut down for a second week as technicians work to identity, isolate and clean up malicious code delivered to the lab’s network through a successful spear phishing attack. http://gcn.com/articles/2011/04/25/oak-ridge-internet-access-still-down.aspx?admgarea=TC_SECCYBERSSEC

FYI - PlayStation outage caused by hacking attack - Sony has confirmed that a hacking attack was to blame for its PlayStation Network being taken offline. http://www.bbc.co.uk/news/technology-13169518

FYI - Hackers breach security vendor's defences - Ashampoo informs 14 million customers. German software developer Ashampoo has informed its 14 million customers that hackers gained access to its customer database in an embarrassing security breach. http://www.itnews.com.au/News/255273,hackers-breach-security-vendors-defences.aspx

FYI - FBI warns of millions lost in fraudulent transfers to China - The FBI is asking U.S. banks to be on the lookout for large wire transfers being sent to accounts registered to companies located in Chinese port cities near the Russian border. http://www.scmagazineus.com/fbi-warns-of-millions-lost-in-fraudulent-transfers-to-china/article/201573/?DCMP=EMC-SCUS_Newswire

FYI - PlayStation Network hacked, data on millions at risk - Sony may have sustained the largest cyber intrusion since the Heartland Payment Systems breach, disclosing Tuesday that its PlayStation Network (PSN) was hacked to steal sensitive information belonging to users. http://www.scmagazineus.com/playstation-network-hacked-data-on-millions-at-risk/article/201540/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Dispute Resolution

The institution should consider including in the contract a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as provide for continuation of services during the dispute resolution period.

Indemnification

Indemnification provisions generally require the financial institution to hold the service provider harmless from liability for the negligence of the institution, and vice versa. These provisions should be reviewed to reduce the likelihood of potential situations in which the institution may be liable for claims arising as a result of the negligence of the service provider.

Limitation of Liability

Some service provider standard contracts may contain clauses limiting the amount of liability that can be incurred by the service provider. If the institution is considering such a contract, consideration should be given to whether the damage limitation bears an adequate relationship to the amount of loss the financial institution might reasonably experience as a result of the service provider’s failure to perform its obligations.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Public Key Infrastructure (Part 3 of 3)

When utilizing PKI policies and controls, financial institutions need to consider the following:

! Defining within the certificate issuance policy the methods of initial verification that are appropriate for different types of certificate applicants and the controls for issuing digital certificates and key pairs;

! Selecting an appropriate certificate validity period to minimize transactional and reputation risk exposure - expiration provides an opportunity to evaluate the continuing adequacy of key lengths and encryption algorithms, which can be changed as needed before issuing a new certificate;

! Ensuring that the digital certificate is valid by such means as checking a certificate revocation list before accepting transactions accompanied by a certificate;

! Defining the circumstances for authorizing a certificate's revocation, such as the compromise of a user's private key or the closure of user accounts;

! Updating the database of revoked certificates frequently, ideally in real - time mode;

! Employing stringent measures to protect the root key including limited physical access to CA facilities, tamper - resistant security modules, dual control over private keys and the process of signing certificates, as well as the storage of original and back - up keys on computers that do not connect with outside networks;

! Requiring regular independent audits to ensure controls are in place, public and private key lengths remain appropriate, cryptographic modules conform to industry standards, and procedures are followed to safeguard the CA system;

! Recording in a secure audit log all significant events performed by the CA system, including the use of the root key, where each entry is time/date stamped and signed;

! Regularly reviewing exception reports and system activity by the CA's employees to detect malfunctions and unauthorized activities; and

! Ensuring the institution's certificates and authentication systems comply with widely accepted PKI standards to retain the flexibility to participate in ventures that require the acceptance of the financial institution's certificates by other CAs.

The encryption components of PKI are addressed more fully under "Encryption."

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]