Are you ready for your IT examination? The Weekly IT Security Review
provides a checklist of the IT security issues covered in the FFIEC IT
Examination Handbook, which will prepare you for the IT examination.
For more information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
ATM hacking spree foiled by tip from ex-con - A North Carolina man's
scheme to steal as much as $350,000 during an automatic teller
machine hacking spree was thwarted by an ex-convict, who turned the
man in to authorities, federal prosecutors allege.
http://www.theregister.co.uk/2010/05/04/atm_hacking_spree_foiled/
FYI -
Web cam report blasts Lower Merion school district - Inconsistent
policies. Shoddy record-keeping. Misstep after misstep.
"Overzealous" use of technology "without any apparent regard for
privacy considerations."
Article -
http://www.philly.com/inquirer/education/20100504_Web_cam_report_blasts_Lower_Merion_school_district.html?viewAll=y
Investigation Report -
http://www.lmsd.org/documents/news/100503_ballard_spahr_report.pdf
FYI -
Mandatory data breach notification on the horizon, says ICO - The
Information Commissioner's Office (ICO) plans to use its new powers
to enforce data protection in the UK, says the deputy information
commissioner.
http://www.computerweekly.com/Articles/2010/04/27/241061/Mandatory-data-breach-notification-on-the-horizon-says.htm
FYI -
Outsourced managed security: What should you outsource? Should we be
surprised that roughly one in five managed security service programs
fail?
http://www.scmagazineus.com/outsourced-managed-security-what-should-you-outsource/article/169593/?DCMP=EMC-SCUS_Newswire
FYI -
Wash. Supreme Court rules Internet filters OK - Case sparked by 2006
lawsuit filed by the American Civil Liberties Union - Public
libraries' use of Internet filters to block content does not run
afoul of the state constitution, the Washington state Supreme Court ruled.
http://www.msnbc.msn.com/id/37001589/ns/us_news/
FYI -
The impact of virtualization on network security - Affordable
network storage has driven server virtualization adoption over the
past few years, and most organizations today have a virtual machine
(VM) somewhere in their environment.
http://www.scmagazineus.com/avenging-host-the-impact-of-virtualization-on-network-security/article/169844/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Mass Injection Attack Hits WordPress Blogs across Multiple Hosters -
The malicious code hides from Google's crawler - Hundreds of
WordPress blogs hosted on shared servers were compromised over the
weekend and had malicious code injected into their pages. A detailed
analysis of the affected sites uncovered instructions to hide the
attack from Google's web crawler.
http://news.softpedia.com/news/Mass-Injection-Attack-Hits-WordPress-Blogs-Across-Multiple-Hosters-141694.shtml
FYI -
Court gives preliminary OK to $4M consumer settlement in Heartland
case - Payment processor agrees to reimburse consumers for costs
associated with 2009 breach - A federal court in Texas has given
preliminary approval to a $4 million settlement of a consumer
class-action lawsuit against Heartland Payment Systems Inc. over the
massive data breach the payment processor disclosed in January 2009.
http://www.computerworld.com/s/article/9176431/Court_gives_preliminary_OK_to_4M_consumer_settlement_in_Heartland_case?taxonomyId=84
FYI -
Privacy watchdog looks into NHS data breach - The loss of a data
stick containing information on psychiatric patients in Scotland is
to be investigated by UK privacy watchdog the Information
Commissioner's Office.
http://www.zdnet.co.uk/news/security-threats/2010/05/06/privacy-watchdog-looks-into-nhs-data-breach-40088863/
FYI -
Widespread attacks continue against WordPress sites - Intruders in
recent weeks have hacked a large number of websites created through
the WordPress blogging platform to spread malware, with another
major campaign launched, security researchers said.
http://www.scmagazineus.com/widespread-attacks-continue-against-wordpress-sites/article/169956/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Guidance on Safeguarding
Customers Against E-Mail and Internet-Related Fraudulent Schemes
(Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes. Enhancements may include:
- Incorporating notification procedures to alert customers of known
e-mail and Internet-related fraudulent schemes and to caution them
against responding;
- Establishing a process to notify Internet service providers,
domain name-issuing companies, and law enforcement to shut down
fraudulent Web sites and other Internet resources that may be used
to facilitate phishing or other e-mail and Internet-related
fraudulent schemes;
- Increasing suspicious activity monitoring and employing
additional identity verification controls;
- Offering customers assistance when fraud is detected in
connection with customer accounts;
- Notifying the proper authorities when e-mail and Internet-related
fraudulent schemes are detected, including promptly notifying their
FDIC Regional Office and the appropriate law enforcement agencies;
and
- Filing a Suspicious Activity Report when incidents of e-mail and
Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should be
considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
- Improving authentication methods and procedures to protect
against the risk of user ID and password theft from customers
through e-mail and other frauds;
- Reviewing and, if necessary, enhancing practices for protecting
confidential customer data;
- Maintaining current Web site certificates and describing how
customers can authenticate the financial institution's Web pages by
checking the properties on a secure Web page;
- Monitoring accounts individually or in aggregate for unusual
account activity such as address or phone number changes, a large or
high volume of transfers, and unusual customer service requests;
- Monitoring for fraudulent Web sites using variations of the
financial institution's name;
- Establishing a toll-free number for customers to verify requests
for confidential information or to report suspicious e-mail
messages; and
- Training customer service staff to refer customer concerns
regarding suspicious e-mail request activity to security staff.
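The account-monitoring control above (contact-detail changes, large or high-volume transfers) can be expressed as a simple rule over account event records. The following is an added example, not part of the guidance or any institution's system; the account IDs, amounts, time window and dollar thresholds are constructed and would be tuned to the institution's own risk profile.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events (hypothetical accounts, times and amounts).
EVENTS = [
    {"acct": "A100", "ts": "2010-05-03T09:12:00", "type": "address_change"},
    {"acct": "A100", "ts": "2010-05-03T10:40:00", "type": "transfer", "amount": 4800.0},
    {"acct": "A100", "ts": "2010-05-03T11:05:00", "type": "transfer", "amount": 4900.0},
    {"acct": "A100", "ts": "2010-05-04T08:30:00", "type": "transfer", "amount": 4700.0},
    {"acct": "B200", "ts": "2010-05-03T14:00:00", "type": "transfer", "amount": 120.0},
    {"acct": "B200", "ts": "2010-05-05T16:20:00", "type": "phone_change"},
    {"acct": "C300", "ts": "2010-05-02T12:00:00", "type": "transfer", "amount": 25000.0},
]

CONTACT_CHANGES = {"address_change", "phone_change"}


def flag_unusual_activity(events, window_days=7, max_transfers=2,
                          total_threshold=10000.0, single_threshold=20000.0):
    """Return {account: [reasons]} for accounts matching the patterns the
    guidance names: an address/phone change followed by a high volume of
    transfers, or a large individual transfer. Thresholds are assumed values."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["acct"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        transfers = [e for e in evs if e["type"] == "transfer"]
        # Rule 1: a single transfer at or above the institution's large-value limit.
        if any(t["amount"] >= single_threshold for t in transfers):
            reasons.append("large single transfer")
        # Rule 2: many transfers, or a large aggregate, within the window after a
        # contact-detail change (a common precursor to account takeover).
        for chg in (e for e in evs if e["type"] in CONTACT_CHANGES):
            end = chg["ts"] + timedelta(days=window_days)
            after = [t for t in transfers if chg["ts"] <= t["ts"] <= end]
            total = sum(t["amount"] for t in after)
            if len(after) > max_transfers or total >= total_threshold:
                reasons.append(f"{chg['type']} followed by {len(after)} transfers "
                               f"totaling {total:.2f}")
                break
        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    for acct, reasons in flag_unusual_activity(EVENTS).items():
        print(acct, "->", "; ".join(reasons))
```

Flagged accounts would feed the institution's suspicious-activity review rather than trigger automatic action, since legitimate customers also move house and then transfer funds.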
Conclusion
E-mail and Internet-related fraudulent schemes present a
substantial risk to financial institutions and their customers.
Financial institutions should consider developing programs to
educate customers about e-mail and Internet-related fraudulent
schemes and how to avoid them, consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes, and implement appropriate information security controls to
help mitigate the risks associated with e-mail and Internet-related
fraudulent schemes.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
security strategies and plans.
Senior management and the board of directors are responsible for
overseeing the development and implementation of their bank's
security strategy and plan. Key elements to be included in those
strategies and plans are an intrusion risk assessment plan, risk
mitigation controls, intrusion response policies and procedures, and
testing processes. These elements are needed for both internal and
outsourced operations.
The first step in managing the risks of intrusions is to assess the
effects that intrusions could have on the institution. Effects may
include direct dollar loss, damaged reputation, improper disclosure,
lawsuits, or regulatory sanctions. In assessing the risks,
management should gather information from multiple sources,
including (1) the value and sensitivity of the data and processes to
be protected, (2) current and planned protection strategies, (3)
potential threats, and (4) the vulnerabilities present in the
network environment. Once information is collected, management
should identify threats and the likelihood of those threats
materializing, rank critical information assets and operations, and
estimate potential damage.
The analysis should be used to develop an intrusion protection
strategy and risk management plan. The intrusion protection strategy
and risk management plan should be consistent with the bank's
information security objectives. It also should balance the cost of
implementing adequate security controls with the bank's risk
tolerance and profile. The plan should be implemented within a
reasonable time. Management should document this information, its
analysis of the information, and decisions in forming the protection
strategy and risk management plan. By documenting this information,
management can better control the assessment process and facilitate
future risk assessments.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 6 of 6)
Redisclosure and Reuse Limitations on Nonpublic Personal
Information Received:
If a financial institution receives nonpublic personal
information from a nonaffiliated financial institution, its
disclosure and use of the information is limited.
A) For nonpublic personal information received under a section 14
or 15 exception, the financial institution is limited to:
1) Disclosing the information to the affiliates of the
financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may,
in turn, disclose and use the information only to the extent that
the financial institution can do so; and
3) Disclosing and using the information pursuant to a section
14 or 15 exception (for example, an institution receiving
information for account processing could disclose the information to
its auditors).
B) For nonpublic personal information received other than under a
section 14 or 15 exception, the recipient's use of the information
is unlimited, but its disclosure of the information is limited to:
1) Disclosing the information to the affiliates of the
financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may,
in turn disclose the information only to the extent that the
financial institution can do so; and
3) Disclosing the information to any other person, if the
disclosure would be lawful if made directly to that person by the
financial institution from which it received the information. For
example, an institution that received a customer list from another
financial institution could disclose the list (1) in accordance with
the privacy policy of the financial institution that provided the
list, (2) subject to any opt out election or revocation by the
consumers on the list, and (3) in accordance with appropriate
exceptions under sections 14 and 15.