R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

May 2, 2010

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Are you ready for your IT examination?
 
The Weekly IT Security Review provides a checklist of the IT security issues covered in the FFIEC IT Examination Handbook, which will prepare you for the IT examination.  For more information and to subscribe, visit http://www.yennik.com/it-review/.

FYI -
Security Incidents Rise In Industrial Control Systems - Even with minimal Internet access, malware and breaches are increasingly occurring in utility, process control systems - While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years. http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=224400280&pgno=1

FYI -
Bank Worker Pleads Guilty to Hacking 100 ATMs - A Bank of America worker pleaded guilty Tuesday to installing malware on more than 100 ATMs, and stealing $304,000 over a seven-month period. http://www.wired.com/threatlevel/2010/04/malware-targeted-100-atms

FYI -
Changing Passwords Isn't Worth the Effort - Nobody will argue that "123456" is a good choice for a password. But is forcing the user to change it worth the effort? http://www.pcmag.com/article2/0,2817,2362692,00.asp

FYI -
TJX hacker sentenced to five years, fined - The sixth and final U.S. person charged two years ago with breaking into the computer networks at discount retail parent TJX was sentenced Thursday. http://www.scmagazineus.com/tjx-hacker-sentenced-to-five-years-fined/article/168153/?DCMP=EMC-SCUS_Newswire

FYI -
Pa. school district snapped 'thousands' of student images, claims lawyer - District staffers called the photos taken by laptop software a 'little soap opera' - The suburban Philadelphia school district accused of spying on students using school-issued laptops snapped thousands of images of teenagers in their homes, including shots of a boy asleep in his bed, documents filed in a lawsuit claimed. http://www.computerworld.com/s/article/9175739/Pa._school_district_snapped_thousands_of_student_images_claims_lawyer?taxonomyId=17

FYI -
NSA Official Faces Prison for Leaking to Newspaper - A former senior National Security Agency official was slammed with a 10-count indictment Thursday after allegedly leaking top secret information to a reporter at a national newspaper. http://www.wired.com/threatlevel/2010/04/nsa-executive-charged

FYI -
Trial of Palin hacker gets underway - A 22-year-old former University of Tennessee-Knoxville student, accused of breaking into the Yahoo! email account of Sarah Palin as she campaigned for vice president in 2008, goes before a judge in Tennessee. http://www.scmagazineus.com/trial-of-palin-hacker-gets-underway/article/168443/?DCMP=EMC-SCUS_Newswire

FYI -
Certegy to pay $975K, undergo annual security audit - Certegy Check Services has settled with the Florida attorney general's office over a 2007 data breach that resulted in the theft of nearly six million personal records. http://www.scmagazineus.com/certegy-to-pay-975k-undergo-annual-security-audit/article/168335/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Apache project server hacked, passwords compromised - Hackers broke into a server used by the Apache Software Foundation to keep track of software bugs. http://www.computerworld.com/s/article/9175459/Apache_project_server_hacked_passwords_compromised?taxonomyId=82

FYI -
Network Solutions customers hit by mass hack attack - Second mystery outbreak in a week - Network Solutions' security team is battling a mysterious attack that has silently infected a "huge" number of the websites it hosts with malicious code.
http://www.theregister.co.uk/2010/04/19/network_solutions_mass_hack/
http://krebsonsecurity.com/2010/04/network-solutions-again-under-siege/

FYI -
Nine year-old blamed for US school system hack - Youngster uses teacher's login to redraw Blackboard - Police hunting a hacker who had attacked a US school's systems found themselves cornering a "very intelligent" 9 year old instead, it has emerged. http://www.theregister.co.uk/2010/04/19/9yr_old_school_hacker/

FYI -
Health information contained on physician's stolen laptop - A laptop containing the demographic and health information of thousands of patients was stolen from a physician affiliated with the Massachusetts Eye and Ear Infirmary. http://www.scmagazineus.com/health-information-contained-on-physicians-stolen-laptop/article/168404/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5)
Next week we will begin our series on the Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes.

PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities

If a bank is the target of a spoofing incident, it should promptly notify its OCC supervisory office and report the incident to the FBI and appropriate state and local law enforcement authorities.  Banks can also file complaints with the Internet Fraud Complaint Center (see http://www.ic3.gov), a partnership of the FBI and the National White Collar Crime Center.

In order for law enforcement authorities to respond effectively to spoofing attacks, they must be provided with information necessary to identify and shut down the fraudulent Web site and to investigate and apprehend the persons responsible for the attack.  The data discussed under the "Information Gathering" section should meet this need.

In addition to reporting to the bank's supervisory office and law enforcement authorities, there are other less formal mechanisms that a bank can use to report these incidents and help combat fraudulent activities.  For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/), which is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing.  Members of Digital Phishnet include ISPs, online auction services, financial institutions, and financial service providers.  The members work closely with the FBI, Secret Service, U.S. Postal Inspection Service, Federal Trade Commission (FTC), and several electronic crimes task forces around the country to assist in identifying persons involved in phishing-type crimes.

Finally, banks can forward suspicious e-mails to the FTC at spam@uce.gov.  For more information on how the FTC can assist in combating phishing and spoofing, see http://www.consumer.gov/idtheft.

 
INFORMATION TECHNOLOGY SECURITY
- We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls (Part 2 of 2)

Tokens

Token technology relies on a separate physical device, retained by an individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software on the host computer, for example by an internal clock or by an identical time-based mathematical algorithm running on both the token and the host. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token. Because each code is derived from the shared clock, the host must tolerate small clock drift between token and host while still rejecting any code it has already accepted.

Smart Cards

Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, operating system, and both read-only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. Because the chip can perform cryptographic operations itself, a private key stored on the card need never leave it. A smart card reader is required for their use.

Biometrics

Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly and offers an alternative means to authenticate a user.



INTERNET PRIVACY
- We continue our series listing the privacy regulation examination questions.  Answering the question each week will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 3 of 6)

Requirements for Notices

Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulations do not prescribe specific methods for making a notice clear and conspicuous, but do provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution's privacy practices.

Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand-deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer's last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution's web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice (as well as the annual notice and any revised notice) so that a customer may be able to retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution's web site, the institution may provide the current version of its privacy notice on its web site.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

IT Security Checklist - A weekly email that provides an effective method to prepare for your IT examination.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated