Are you ready for your IT examination?
The Weekly IT Security Review provides a checklist of the IT security
issues covered in the FFIEC IT Examination Handbook, which will prepare
you for the IT examination.
For more information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
German Wi-Fi networks liable for 3rd party piracy - Leave connection
open, risk fine - German surfers risk fines of €100 if their open
Wi-Fi connection gets used to download copyright-infringing
material.
http://www.theregister.co.uk/2010/05/13/open_wifi_fines_germany/
FYI -
Senate confirms Alexander as chief of U.S. Cyber Command - The U.S.
Senate has approved Lt. Gen. Keith Alexander, director of the
National Security Agency, to also head the military's recently
created U.S. Cyber Command.
http://www.computerworld.com/s/article/9176573/Update_Senate_confirms_Alexander_as_chief_of_U.S._Cyber_Command?taxonomyId=82
FYI -
Thieves Flood Victim's Phone With Calls to Loot Bank Accounts - Thieves
have rolled out a new weapon in their arsenal of tactics: telephony
denial-of-service attacks that flood a victim's phone with
diversionary calls while the thieves drain the victim's account of
money.
http://www.wired.com/threatlevel/2010/05/telephony-dos/
FYI -
PCI Council releases new PIN security standard - The group
responsible for managing payment security rules has released version
3.0 of the PIN Transaction Security (PTS) standard. The new version
replaces the PIN Entry Device (PED) standard in an effort to
streamline point-of-sale security guidelines to also cover
unattended payment terminals, such as fuel dispensers, and hardware
security modules, which are nonuser facing devices used in PIN
translations.
http://www.scmagazineus.com/pci-council-releases-new-pin-security-standard/article/170122/?DCMP=EMC-SCUS_Newswire
FYI -
Gov't agencies use unsafe methods to transfer files - Employees at
many U.S. government agencies are using unsecure methods, including
personal e-mail accounts, to transfer large files, often in
violation of agency policy, according to a survey.
http://www.computerworld.com/s/article/9176889/Survey_Gov_t_agencies_use_unsafe_methods_to_transfer_files?taxonomyId=17
FYI -
Security guard pleads guilty to hacking his employer - A former
security guard has pleaded guilty to charges that he broke into his
employer's computers while working the night shift at a Dallas
hospital.
http://www.computerworld.com/s/article/9176811/Security_guard_pleads_guilty_to_hacking_his_employer?taxonomyId=17
FYI -
GAO - Veterans Affairs Needs to Resolve Long-Standing Weaknesses.
Release -
http://www.gao.gov/new.items/d10727t.pdf
Highlights -
http://www.gao.gov/highlights/d10727thigh.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Stolen Laptop Exposes Personal Data on 207,000 Army Reservists - A
laptop stolen from a government contractor last month contained
names, addresses and Social Security numbers of more than 207,000
U.S. Army reservists.
http://krebsonsecurity.com/2010/05/stolen-laptop-exposes-personal-data-on-207000-army-reservists/
FYI -
Laptop theft puts thousands of N.M. Medicaid users at risk - An
unencrypted laptop containing the personal information of thousands
of New Mexico citizens enrolled in the state's Medicaid Salud plan
was stolen in late March.
http://www.scmagazineus.com/laptop-theft-puts-thousands-of-nm-medicaid-users-at-risk/article/170118/?DCMP=EMC-SCUS_Newswire
FYI -
Students, Parents Allowed to View Webcam Scandal Photos - Suburban
Philadelphia parents and their high school-age children soon will
learn the extent of a potentially criminal webcam scandal.
http://www.wired.com/threatlevel/2010/05/webcamscandal-parents/
FYI -
Latvia's 'Robin Hood' hacker unmasked as AI researcher - Nabbed
after baring fat-cat salaries - Latvian police have identified a
computer science researcher as the folk hero who hacked government
systems to expose the fat salaries received by state officials
despite a draconian austerity drive in effect.
http://www.theregister.co.uk/2010/05/14/latvian_hacker_whistleblower/
FYI -
Ukrainian arrested in India on TJX data-theft charges - A Ukrainian
national has been arrested in India in connection with the most
notorious hacking incident in U.S. history.
http://www.computerworld.com/s/article/9176779/Ukrainian_arrested_in_India_on_TJX_data_theft_charges?taxonomyId=82
FYI -
Man charged with attacking O'Reilly, Coulter websites - A former
college student has been charged with using the school's computer
network to control a botnet and launch distributed denial-of-service
(DDoS) attacks against conservative websites belonging to Bill
O'Reilly, Ann Coulter and Rudy Giuliani.
http://www.scmagazineus.com/man-charged-with-attacking-oreilly-coulter-websites/article/170524/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We begin this week reviewing
the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 1 of 10)
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial
institution or the linked third party is offering products and
services;
- customer dissatisfaction with the quality of products or services
obtained from a third party; and
- customer confusion as to whether certain regulatory protections
apply to third-party products or services.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we start a
three part review of controls to prevent and detect intrusions.
Management should determine the controls necessary to deter, detect,
and respond to intrusions, consistent with the best practices of
information system operators. Controls may include the following:
1) Authentication. Authentication provides identification by means
of some previously agreed upon method, such as passwords and
biometrics (a method of identifying a person by analyzing a unique
physical attribute). The means and strength of authentication should
be commensurate with the risk. For instance, passwords should be of
an appropriate length, character set, and lifespan for the systems
being protected. (The lifespan of a password is the length of time
the password allows access to the system. Generally speaking, shorter
lifespans reduce the risk of password compromises.) Employees should
be trained to recognize and respond to fraudulent attempts to
compromise the integrity of security systems. This may include
"social engineering," whereby intruders pose as authorized users to
gain access to bank systems or customer records.
2) Install and Update Systems. When a bank acquires and installs new
or upgraded systems or equipment, it should review security
parameters and settings to ensure that these are consistent with the
intrusion risk assessment plan. For example, the bank should review
user passwords and authorization levels for maintaining "separation
of duties" and "need to know" policies. Once installed, security
flaws in software and hardware should be identified and remediated
through updates or "patches." Continuous monitoring and updating is
essential to protect the bank from vulnerabilities. Information
related to vulnerabilities and patches is typically available from
the vendor, security-related web sites, and the bi-weekly National
Infrastructure Protection Center's CyberNotes.
3) Software Integrity. Copies of software and integrity checkers (an
integrity checker uses logical analysis to identify whether a file
has been changed) are used to identify unauthorized changes to
software. Banks should ensure the security of the integrity
checklist and the checking software. Where sufficient risk exists,
the checklist and software should be stored away from the network,
in a location where access is limited. Banks should also protect
against viruses and other malicious software by using automated
virus scanning software and frequently updating the signature file
(the signature file contains the information necessary to identify
each virus) to enable identification of new viruses.
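A minimal baseline-and-compare integrity checker of the kind the bulletin describes, written here as an added example (it is not code from the OCC bulletin or from any particular product). It records a SHA-256 digest for every file under a tree, seals that checklist with an HMAC so alteration of the stored checklist itself is detectable (the bulletin's point about protecting the checklist), and reports modified, missing and added files; the key and the sample file tree in `demo()` are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:                       # stream: large binaries stay out of memory
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_checklist(root: Path) -> dict:
    # relative path -> digest for every regular file under root
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal_checklist(checklist: dict, key: bytes) -> bytes:
    # HMAC over the serialised checklist: altering the stored list is detectable
    body = json.dumps(checklist, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"checklist": body, "hmac": tag}).encode()

def open_checklist(sealed: bytes, key: bytes) -> dict:
    doc = json.loads(sealed)
    tag = hmac.new(key, doc["checklist"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, doc["hmac"]):   # constant-time comparison
        raise ValueError("checklist HMAC mismatch: stored checklist was altered")
    return json.loads(doc["checklist"])

def compare(root: Path, checklist: dict) -> dict:
    # digests that changed, baseline files now gone, and files not in the baseline
    now = build_checklist(root)
    return {"modified": sorted(k for k in checklist if k in now and now[k] != checklist[k]),
            "missing": sorted(k for k in checklist if k not in now),
            "added": sorted(k for k in now if k not in checklist)}

def demo() -> dict:
    # constructed sample tree: baseline it, tamper with it, re-check
    key = b"constructed-demo-key"  # placeholder; a real key is kept off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "app")
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "server").write_bytes(b"binary v1")
        (root / "config.ini").write_text("debug=off\n")
        sealed = seal_checklist(build_checklist(root), key)  # would be stored off-network
        (root / "bin" / "server").write_bytes(b"binary v1, altered")  # modified
        (root / "config.ini").unlink()                                 # missing
        (root / "bin" / "helper").write_bytes(b"unexpected file")      # added
        return compare(root, open_checklist(sealed, key))
```

In practice the sealed checklist and the key are written to removable or write-protected storage with restricted access, and the compare step runs from that trusted copy rather than from the monitored host.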
INTERNET PRIVACY - We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
Other Matters
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
State Law
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
data security.
Next week we will start covering the examination objectives.