R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 26, 2011

CONTENT
- Internet Compliance
- Information Systems Security (IT Security)
- Internet Privacy
- Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Security concerns of computer automation and control: Where to start? - In today's industrial networks, supervisory control and data acquisition (SCADA) and distributed control systems (DCS) control many government infrastructures, which in turn impact many lives. http://www.scmagazineus.com/security-concerns-of-computer-automation-and-control-where-to-start/article/205702/?DCMP=EMC-SCUS_Newswire

FYI - Con artists pose as security companies in growing scam - Scareware has taken on a human face. Criminals posing as computer security engineers are having success in calling victims at home and stealing their money, according to a survey. http://www.scmagazineus.com/con-artists-pose-as-security-companies-in-growing-scam/article/205561/?DCMP=EMC-SCUS_Newswire

FYI - Met arrest alleged Lulz hacker - Essex boy picked up - The Met's e-Crime unit has arrested a 19-year-old alleged hacker in Essex on suspicion of involvement with network attacks and denial of service attacks. http://www.theregister.co.uk/2011/06/21/alleged_hacker_held/

FYI - Chinese Weapon Systems Vulnerable To SCADA Hack - Hackers could potentially gain control of Chinese weapon systems, US Homeland Security has warned. http://www.eweekeurope.co.uk/news/chinese-weapon-systems-vulnerable-to-scada-hack-32020

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Comerica Bank ordered to pay after customer hacked - A Michigan court has ruled that Comerica Bank is liable for a US$560,000 cyberheist, saying the bank should have done a better job to spot millions of dollars in fraudulent transactions after one of the bank's customers was tricked in a phishing attack two years ago. http://www.computerworld.com/s/article/9217662/Comerica_Bank_ordered_to_pay_after_customer_hacked?taxonomyId=17

FYI - Citi Credit Card Hack Bigger Than Originally Disclosed - Citigroup has been forced to reveal that a recent hack of its network exposed the financial data of more than 360,000 customers, a much higher number than the bank originally disclosed. http://www.wired.com/threatlevel/2011/06/citibank-hacked/

FYI - ADP Statement on Security Breach Investigation - Automatic Data Processing, Inc., today announced that it is investigating and taking measures to address the impact of a system intrusion that occurred with one client at Workscape, a recently acquired benefits administration provider. The intrusion, which occurred on a non-payroll legacy platform that is no longer sold by ADP's benefits administration business, was detected by the ADP security team during routine system monitoring. http://www.prnewswire.com/news-releases/adp-statement-on-security-breach-investigation-123933834.html

FYI - LulzSec Claims Credit For CIA Site Takedown - The hacking group said it rendered the CIA's public website inaccessible and launched phone DDoS attacks on FBI's Detroit office and other groups suggested by followers. The hacking group LulzSec, aka the Lulz Boat, on Wednesday claimed to have rendered the CIA's public website inaccessible. http://www.informationweek.com/news/security/cybercrime/230800019

FYI - NHS laptop loss could put millions of records at risk - A laptop containing unnamed patient information has gone missing from a subsidiary of the NHS North Central London health authority, putting the privacy of patients at risk. http://www.zdnet.co.uk/news/security-management/2011/06/15/nhs-laptop-loss-could-put-millions-of-records-at-risk-40093112/?tag=mncol;txt

FYI - Hacker Gets 2 Yrs. for Stealing $275K from MN Co. - Hacker was sentenced to two years in prison for hacking in to the computer networks of a subsidiary of Digital River and transferring about $275,000 to his bank account. http://tcbmag.blogs.com/daily_developments/2011/06/hacker-gets-2-yrs-for-stealing-275k-from-mn-co-.html

FYI - Bitcoin market flash-crash and database leak from Mt.Gox - It’s been a rough weekend for Bitcoin. First, new Bitcoin malware hit the Web last Friday which attempts to steal a Bitcoin user’s wallet and email it to an email address. http://www.zdnet.com/blog/security/bitcoin-market-flash-crash-and-database-leak-from-mtgox/8811


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 4 of 10)

A. RISK DISCUSSION

Reputation Risk

Trade Names

If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.

Website Appearance

The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value.

Compliance Risk

The compliance risk to an institution linking to a third-party's website depends on several factors. These factors include the nature of the products and services provided on the third-party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).

The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have less secure encryption policies, or less stringent policies regarding the use and security of their customer's information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third-party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 1 of 3)

Network communications rely on software protocols to ensure the proper flow of information. A protocol is a set of rules that allows communication between two points in a telecommunications connection. Different types of networks use different protocols. The Internet and most intranets and extranets, however, are based on the TCP/IP layered model of protocols. That model has four layers, and different protocols within each layer. The layers, from bottom to top, are the network access layer, the Internet layer, the host-to-host layer, and the application layer. Vulnerabilities and corresponding attack strategies exist at each layer. This becomes an important consideration in evaluating the necessary controls. Hardware and software can use the protocols to restrict network access. Likewise, attackers can use weaknesses in the protocols to attack networks.

The primary TCP/IP protocols are the Internet protocol (IP) and the transmission control protocol (TCP). IP is used to route messages between devices on a network, and operates at the Internet layer. TCP operates at the host-to-host layer, and provides a connection-oriented, full-duplex, virtual circuit between hosts. Different protocols support different services for the network. The different services often introduce additional vulnerabilities. For example, a third protocol, the user datagram protocol (UDP), is also used at the host-to-host layer. Unlike TCP, UDP is not connection-oriented, which makes it faster and a better protocol for supporting broadcast and streaming services. Since UDP is not connection-oriented, however, firewalls often do not effectively filter it. To provide additional safeguards, it is often blocked entirely from inbound traffic, or additional controls are added to verify and authenticate inbound UDP packets as coming from a trusted host.
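The paragraph above notes that UDP carries no handshake, so a firewall cannot tell an expected reply from an unsolicited inbound datagram by inspecting the packet alone, and that institutions respond by blocking inbound UDP outright or admitting it only from trusted hosts. The following is an added illustration of the second approach, written for this newsletter and not taken from the FFIEC booklet: a small model of how a stateful filter handles UDP by remembering outbound flows for a limited time and accepting inbound datagrams only when they answer a tracked flow or come from an explicitly trusted host. Every address, port and timestamp is a constructed sample value, and the class and function names are the example's own.

```python
"""Added example: stateful UDP filtering with a trusted-host exception.

UDP has no SYN/ACK exchange, so a filter that sees only one datagram cannot
know whether it is a reply. The usual defence is to record each outbound
UDP flow (local ip/port, remote ip/port) with a timestamp and to accept an
inbound datagram only if it matches a flow seen within a short timeout, or
if its source is on an explicit trusted-host list. Everything else is dropped.
All hosts, ports and times below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the protected network, "in" = arriving
    ts: float       # seconds, monotonic within the sample


class UdpFilter:
    """Decides ACCEPT/DROP for UDP datagrams using a flow table and a trust list."""

    def __init__(self, trusted_hosts, timeout=30.0):
        self.trusted = set(trusted_hosts)   # hosts allowed to initiate inbound UDP
        self.timeout = timeout              # seconds a flow stays valid without traffic
        # key: (local_ip, local_port, remote_ip, remote_port) -> last time seen
        self.flows = {}

    def _expire(self, now):
        """Forget flows idle longer than the timeout, like a conntrack table would."""
        stale = [k for k, last in self.flows.items() if now - last > self.timeout]
        for k in stale:
            del self.flows[k]

    def decide(self, d: Datagram):
        """Return (verdict, reason) for one datagram and update flow state."""
        self._expire(d.ts)
        if d.direction == "out":
            # Outbound traffic opens (or refreshes) a flow so the reply can return.
            self.flows[(d.src_ip, d.src_port, d.dst_ip, d.dst_port)] = d.ts
            return "ACCEPT", "outbound; flow recorded"
        # Inbound: the reply direction swaps the tuple.
        key = (d.dst_ip, d.dst_port, d.src_ip, d.src_port)
        if key in self.flows:
            self.flows[key] = d.ts
            return "ACCEPT", "matches tracked outbound flow"
        if d.src_ip in self.trusted:
            return "ACCEPT", "source is a trusted host"
        return "DROP", "unsolicited inbound UDP"


def run_sample():
    """Feed a constructed sequence of datagrams through the filter."""
    f = UdpFilter(trusted_hosts={"203.0.113.10"}, timeout=30.0)
    sample = [
        # internal host queries an external DNS resolver
        Datagram("10.0.0.5", 40000, "192.0.2.53", 53, "out", 0.0),
        # the resolver's reply arrives promptly and matches the flow
        Datagram("192.0.2.53", 53, "10.0.0.5", 40000, "in", 0.1),
        # an unrelated host probes the same local port: no flow, not trusted
        Datagram("198.51.100.7", 4444, "10.0.0.5", 40000, "in", 1.0),
        # a trusted NTP server initiates inbound traffic
        Datagram("203.0.113.10", 123, "10.0.0.5", 123, "in", 5.0),
        # a late "reply" after the flow has idled past the timeout
        Datagram("192.0.2.53", 53, "10.0.0.5", 40000, "in", 40.0),
    ]
    return [f.decide(d) for d in sample]


if __name__ == "__main__":
    for verdict, reason in run_sample():
        print(f"{verdict:6} {reason}")
```

The fifth datagram is the instructive case: it is byte-for-byte what a legitimate reply would look like, yet it is dropped because the flow it claims to answer has expired. Real firewalls that track UDP this way use exactly that idle timeout to bound the window in which a spoofed "reply" could be accepted, which is why the text's alternative of blocking inbound UDP entirely, or requiring a trusted source, is the stricter and more common choice on an institution's perimeter.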


INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

46. Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:

a.  to the institution's agents or service providers solely to market the institution's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; [§12(b)(1)] or

b.  to a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? [§12(b)(2)]

(Note: an "account number or similar form of access number or access code" does not include numbers in encrypted form, so long as the institution does not provide the recipient with a means of decryption. [§12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. [§12(c)(2)])

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated