FYI -
Consultant Uses Social Skills to Trick Corporate Security - A
security consultant managed to talk his way into a FTSE listed
financial services firm and access company data in a social
engineering exercise.
http://www.cio.com/article/492456/Consultant_Uses_Social_Skills_to_Trick_Corporate_Security
FYI -
Audit finds 700 high-risk vulnerabilities in air traffic systems -
Flaws could make air traffic control susceptible to cyberattacks,
DOT report says - A government audit has found more than 760
high-risk vulnerabilities in Web applications used to support Air
Traffic Control (ATC) operations around the country.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132663&source=rss_null17
FYI -
Data-sniffing attack costs Heartland $12.6m - Credit card processor
promises end-to-end encryption - Electronic payments processor
Heartland Payment Systems said Thursday it has allocated $12.6m to
cover a security breach that exposed sensitive card holder data
crossing its network.
http://www.theregister.co.uk/2009/05/07/heartland_breach_costs/
FYI -
Nearly half of IT security budgets deemed insufficient - It's no
news that the current economic situation has put a strain on
companies' finances, but a recent survey aimed to quantify the toll
the recession has taken on IT budgets.
http://www.scmagazineus.com/Nearly-half-of-IT-security-budgets-deemed-insufficient/article/136727/?DCMP=EMC-SCUS_Newswire
FYI -
ATMs on Staten Island rigged for identity theft; bandits steal $500G
- A band of brazen thieves ripped off hundreds of New Yorkers by
rigging ATMs to steal account and password information from bank
customers.
http://www.nydailynews.com/news/ny_crime/2009/05/11/2009-05-11_automated_theft_bandits_steal_500g_by_rigging_atms_with_pinreading_gizmos.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Web site offline as police, FBI investigate $10M extortion bid -
Virginia health agency says all of its files have been backed up and
secured - A week after a hacker claimed to have broken into a
patient database and encrypted millions of prescription records at a
Virginia health agency, its Web site remains offline except for a
static Web page offering contact information.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132678
FYI -
UC Berkeley computers hacked, 160,000 at risk - Hackers broke into
the University of California at Berkeley's health services center
computer and potentially stole the personal information of more than
160,000 students, alumni, and others, the university announced.
http://news.cnet.com/8301-1009_3-10236793-83.html?tag=mncol;title
FYI -
U.S. missile defense information found in disk bought on eBay - A
hard disk containing the launch procedures for a U.S. military
missile defense system was recently bought on eBay. The purchase was
made as part of an ongoing study into discarded hard disks.
http://www.scmagazineus.com/US-missile-defense-information-found-in-disk-bought-on-eBay/article/136403/?DCMP=EMC-SCUS_Newswire
FYI -
Mass. police snooped on celebrities' records - Massachusetts law
enforcement personnel tapped into the state criminal records
database and inappropriately viewed the personal records of
celebrities on dozens of occasions, according to a state audit
released.
http://www.scmagazineus.com/Mass-police-snooped-on-celebrities-records/article/136288/?DCMP=EMC-SCUS_Newswire
FYI -
ATMs on Staten Island rigged for identity theft; bandits steal $500G
- One suspected member of the Staten Island ATM-rigging crew is
caught on videotape. A band of brazen thieves ripped off hundreds of
New Yorkers by rigging ATMs to steal account and password
information from bank customers.
http://www.nydailynews.com/news/ny_crime/2009/05/11/2009-05-11_automated_theft_bandits_steal_500g_by_rigging_atms_with_pinreading_gizmos.html
FYI -
US Uni campus hack provokes security alert - Crash team on standby
after medical centre hack - The personal info of more than 160,000
current and former students and staff at the University of
California, Berkeley has potentially been exposed after hackers
broke into campus health service computers.
http://www.theregister.co.uk/2009/05/11/calif_uni_hack_alert/
FYI -
Johns Hopkins tells patients: Employee stole data for fraud -
Baltimore's Johns Hopkins Hospital is warning more than 10,000
patients about a data theft after linking a woman working in the
hospital's patient registration area to fraud.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132860
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight
Because the Board of Directors and senior management are responsible
for developing the institution's business strategy and
establishing an effective management oversight over risks, they are
expected to take an explicit, informed and documented strategic
decision as to whether and how the bank is to provide e-banking
services. The initial decision should include the specific
accountabilities, policies and controls to address risks, including
those arising in a cross-border context. Effective management
oversight is expected to encompass the review and approval of the
key aspects of the bank's security control process, such as the
development and maintenance of a security control infrastructure
that properly safeguards e-banking systems and data from both
internal and external threats. It also should include a
comprehensive process for managing risks associated with increased
complexity of and increasing reliance on outsourcing relationships
and third-party dependencies to perform critical e-banking
functions.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
Sensitive information is frequently contained on media such as paper
documents, output reports, back-up tapes, disks, cassettes, optical
storage, test data, and system documentation. Protection of that
data requires protection of the media. The theft, destruction, or
other loss of the media could result in the
exposure of corporate secrets, breaches in customer confidentiality,
alteration of data, and the disruption of business activities. The
policies and procedures necessary to protect media may need revision
as new data storage technologies are contemplated for use and new
methods of attack are developed. The sensitivity of the data (as
reflected in the data classification) dictates the extent of
procedures and controls required. Many institutions find it easier
to store and dispose of all media consistently without having to
segregate out the most sensitive information. This approach also can
help reduce the likelihood that someone could infer sensitive
information by aggregating a large amount of less sensitive
information. Management must address three components to secure
media properly: handling and storage, disposal, and transit.
HANDLING AND STORAGE
IT management should ensure secure storage of media from
unauthorized access. Controls could include physical and
environmental controls including fire and flood protection, limited
access (e.g., physical locks, keypad, passwords, biometrics),
labeling, and logged access. Management should establish access
controls to limit access to media, while ensuring all employees have
authorization to access the minimum level of data required to
perform their responsibilities. More sensitive media like system
documentation, application source code, and production transaction
data should have more extensive controls to guard against alteration
(e.g., integrity checkers, cryptographic hashes). Furthermore,
policies should minimize the distribution of sensitive media,
including the printouts of sensitive information. Periodically, the
security staff, audit staff, and data owners should review
authorization levels and distribution lists to ensure they remain
appropriate and current.
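The paragraph above names integrity checkers and cryptographic hashes as the control for detecting alteration of sensitive media such as source code, system documentation and production data. The script below is an added example, not part of the FFIEC booklet or this newsletter: it records a baseline manifest of SHA-256 hashes for every file under a directory and later re-hashes the directory to report altered, missing and unexpected files. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Hash-manifest integrity checker for a store of sensitive media.

Added example, not from the FFIEC Information Security Booklet or the
newsletter. The file names and contents in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so large backup files fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file, streamed from disk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, baseline: dict) -> dict:
    """Compare the current contents of root against a stored baseline manifest."""
    current = build_manifest(root)
    return {
        "altered": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a store, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "ledger.py").write_text("def post(entry): ...\n")
        (root / "runbook.txt").write_text("restore procedure v1\n")
        (root / "tx_export.csv").write_text("id,amount\n1,100.00\n")

        # The manifest is what you would store separately from the media.
        manifest_json = json.dumps(build_manifest(root), indent=2)

        # Simulate unauthorised changes to the media store.
        (root / "src" / "ledger.py").write_text("def post(entry): pass  # altered\n")
        (root / "runbook.txt").unlink()
        (root / "notes.tmp").write_text("stray file\n")

        return verify_manifest(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline manifest only detects alteration if it is held somewhere the people who can write to the media store cannot also rewrite it; keeping it on separate, access-controlled storage (or signing it) is what turns a list of hashes into an integrity control, and the periodic review the booklet calls for is the point at which verify_manifest is run and its findings reconciled against authorised change records.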
IT SECURITY QUESTION:
SOFTWARE DEVELOPMENT AND ACQUISITION
3. Determine if the group or individual establishing security
requirements has appropriate credentials, background, and/or
training.
4. Evaluate whether the software incorporates appropriate security
controls, audit trails, and activity logs and that appropriate and
timely audit trail and log reviews and alerts can take place.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 1 of 2)
a) the categories of nonpublic personal information that the
institution collects; [§6(a)(1)]
b) the categories of nonpublic personal information that the
institution discloses; [§6(a)(2)]
c) the categories of affiliates and nonaffiliated third
parties to whom the institution discloses nonpublic personal
information, other than parties to whom information is disclosed
under an exception in §14 or §15; [§6(a)(3)]
d) the categories of nonpublic personal information disclosed
about former customers, and the categories of affiliates and
nonaffiliated third parties to whom the institution discloses that
information, other than those parties to whom the institution
discloses information under an exception in §14 or §15; [§6(a)(4)]