Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - This is our ninth anniversary publishing the newsletters. We want to thank all our subscribers for reading our newsletters. We enjoy bringing them to you. If you have any suggestions to improve the newsletters, please email R. Kinney Williams at examiner@yennik.com.
FYI - Information Security: Application Security - This bulletin reminds national banks and their technology service providers that application security is an important component of their information security program.
www.occ.treas.gov/ftp/bulletin/2008-16.html
FYI - Brute-force SSH Attacks on the Rise - There has been a significant amount of brute-force scanning reported by some of our readers and on other mailing lists, and there does appear to be a bit of a spike reflected in the port 22/tcp sources in the past week in the DShield data.
http://isc.sans.org/diary.html?storyid=4408
FYI - Comcast Restricted Bandwidth To BitTorrent Users 24/7, Study Charges - Casting doubt on previous assertions from cable giant Comcast about its traffic management policies, the Max Planck Institute today released a study showing that the U.S. company has engaged in routine blocking or throttling of BitTorrent files at all hours of the day -- not just in periods of "peak congestion" as the company has claimed.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207800375
FYI - Federal agencies' FISMA grade up slightly - Federal agencies continued to show slight improvement in 2007 in their ability to protect sensitive data, scoring a "C," up from a "C-minus" in 2006, according to the annual Federal Information Security Management Act (FISMA) report card released Tuesday.
http://www.scmagazineus.com/Federal-agencies-FISMA-grade-up-slightly/article/110375/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - One million euro stolen in bank card fraud - Around one million euro has been stolen from 300 bank accounts in one of the largest incidents of bank card fraud ever in Ireland.
http://www.independent.ie/breaking-news/national-news/1-million-euro-stolen-in-bank-card-fraud-1379228.html
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights on Incident Response Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program is to define what constitutes an incident. This step is important as it sharpens the organization's focus and delineates the types of events that would trigger the use of the IRP. Moreover, identifying potential security incidents can also make the possible threats seem more tangible, and thus better enable organizations to design specific incident-handling procedures for each identified threat.
Detection
The ability to detect that an incident is occurring or has occurred is an important component of the incident response process. This is considerably more important with respect to technical threats, since these can be more difficult to identify without the proper technical solutions in place. If an institution is not positioned to quickly identify incidents, the overall effectiveness of the IRP may be affected. Following are two detection-related best practices included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such as an intrusion detection system or a firewall, to assist in the identification of unauthorized system access. Activity reports from these and other technical solutions (such as network and application security reports) serve as inputs for the monitoring process and for the IRP in general. Identifying potential indicators of unauthorized system access within these activity or security reports can assist in the detection process.
Involve legal counsel.
Because many states have enacted laws governing notification requirements for customer information security compromises, institutions have found it prudent to involve the institution's legal counsel when a compromise of customer information has been detected. Legal guidance may also be warranted in properly documenting and handling the incident.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (1 of 2)
Token systems typically authenticate the token and assume that the user who was issued the token is the one requesting access. One example is a token that generates dynamic passwords every X seconds. When prompted for a password, the user enters the password generated by the token. The token's password-generating system is identical and synchronized to that in the system, allowing the system to recognize the password as valid. The strength of this system of authentication rests in the frequent changing of the password and the inability of an attacker to guess the seed and password at any point in time.
Another example of a token system uses a challenge/response mechanism. In this case, the user identifies him/herself to the system, and the system returns a code to enter into the password-generating token. The token and the system use identical logic and initial starting points to separately calculate a new password. The user enters that password into the system. If the system's calculated password matches that entered by the user, the user is authenticated. The strengths of this system are the frequency of password change and the difficulty in guessing the challenge, seed, and password.
Other token methods involve multi-factor authentication, or the use of more than one authentication method. For instance, an ATM card is a token. The magnetic strip on the back of the card contains a code that is recognized in the authentication process. However, the user is not authenticated until he or she also provides a PIN, or shared secret. This method is two-factor, using both something the user has and something the user knows. Two-factor authentication is generally stronger than single-factor authentication. This method can allow the institution to authenticate the user as well as the token.
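The two token schemes above, as an added illustration that is not part of the FFIEC booklet or this newsletter: the token and the system share a seed and run identical logic, fed either by a synchronized clock (time-based dynamic passwords) or by a server-issued challenge (challenge/response). The seed, user name, 60-second step, one-step drift window and the HMAC-SHA1 derivation are all constructed assumptions for the example, not specifics of any real product.

```python
import hmac
import hashlib
import secrets
import struct

def dynamic_password(seed: bytes, counter: int, digits: int = 6) -> str:
    """Derive a short one-time password from the shared seed and a counter
    (a time step or a challenge). Assumed scheme: HMAC-SHA1 with HOTP-style
    dynamic truncation, chosen here only to make the shared logic concrete."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class Token:
    """The device in the user's hand: it holds the seed and the same logic as the system."""
    def __init__(self, seed: bytes, step: int = 60):
        self.seed, self.step = seed, step
    def time_password(self, now: int) -> str:
        return dynamic_password(self.seed, now // self.step)   # synchronized by the clock
    def respond(self, challenge: int) -> str:
        return dynamic_password(self.seed, challenge)          # synchronized by the challenge

class AuthServer:
    """The system side: one seed per user, a small clock-drift window, a replay guard
    for time-based passwords, and one outstanding challenge per user."""
    def __init__(self, step: int = 60, drift_steps: int = 1):
        self.step, self.drift_steps = step, drift_steps
        self.seeds, self.last_step, self.pending = {}, {}, {}
    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed
    def verify_time_password(self, user: str, password: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // self.step
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_step.get(user, -1):
                continue                       # a step already accepted cannot be replayed
            if hmac.compare_digest(dynamic_password(seed, step), password):
                self.last_step[user] = step
                return True
        return False
    def issue_challenge(self, user: str) -> int:
        self.pending[user] = secrets.randbits(32)   # unpredictable, single-use challenge
        return self.pending[user]
    def verify_response(self, user: str, response: str) -> bool:
        seed, challenge = self.seeds.get(user), self.pending.pop(user, None)
        if seed is None or challenge is None:
            return False                       # no enrolment or no outstanding challenge
        return hmac.compare_digest(dynamic_password(seed, challenge), response)
```

The replay guard and the single-use challenge are what make "frequent changing of the password" count: a password captured in transit is worthless once its step or challenge has been consumed.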
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment. Access should only be provided where specific authorization occurs.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
34. Does the institution deliver a revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]
(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])