FYI -
Gangs infect 10,000 websites to steal users' bank details - Hackers
have launched an assault on websites in Italy and around the world
dubbed the Italian Job in a move seen by internet security experts
as the next step in the escalating problem of cyber crime.
http://technology.guardian.co.uk/news/story/0,,2106982,00.html?gusrc=rss&feed=12
FYI - Pentagon reports
cyber attack - The Defense Department took as many as 1,500
computers off line because of a cyber attack, Pentagon officials
said.
http://www.azstarnet.com/allheadlines/188634
FYI -
GAO - Health Information Technology: Efforts Continue but
Comprehensive Privacy Approach Needed for National Strategy.
Article -
http://www.gao.gov/cgi-bin/getrpt?GAO-07-988T
Highlights -
http://www.gao.gov/highlights/d07988thigh.pdf
FYI -
ChoicePoint Details Data Breach Lessons - Few companies know as well
as ChoicePoint the consequences of failing to secure the personal
information of consumers. The organization's CIO explained how it
recovered and offered lessons other enterprises that handle
sensitive data can learn from ChoicePoint at the IDC IT Forum & Expo
in Boston.
http://www.pcworld.com/article/id,132795-c,cybercrime/article.html
FYI -
Federal info security isn't just about FISMA compliance, auditor
says - Most agencies still have security gaps, according to Gregory
Wilshusen - Despite some progress in recent years, most federal
agencies still have significant gaps in their information security
controls, according to Gregory Wilshusen, director of information
security issues at the Government Accountability Office (GAO).
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9024658
FYI -
PayPal offers a key to secure transactions - Online payment service
PayPal, a subsidiary of eBay, rolled out on Friday a second factor
for authenticating users online -- a key fob that generates a
pseudo-random security code every 30 seconds.
http://www.securityfocus.com/brief/528
FYI -
IT Managers Say Risk Of Data Loss Is Bad And Getting Worse - Nearly
half of IT and compliance professionals say their companies aren't
doing enough to cut data loss, and many also say it's only going to
get worse.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199905013
FYI -
Data breaches seen to threaten IT job security - A majority of IT
professionals believe they will lose their jobs if their
organization suffers a security breach. Most IT professionals feel
their jobs would be on the line in the event of a security breach
and at the same time feel ill-equipped to prevent such corporate or
personal data loss, according to a survey released this week.
http://www.networkworld.com/news/2007/050207-data-breach-job-security.html
MISSING COMPUTERS/DATA
FYI -
10,000 documents leaked / Data from police officer's PC uploaded
onto Internet via Winny - About 10,000 documents and images have
been accidentally uploaded onto the Internet from the private
computer of a senior policeman, including investigators' records and
personal information of people subject to investigation, the
Metropolitan Police Department said.
http://www.yomiuri.co.jp/dy/national/20070614TDY01004.htm
FYI -
State hires computer security expert - The state has hired a
computer security expert who specializes in civil and criminal cases
to determine the likelihood of someone getting access to the data on
a stolen backup storage device, Gov. Ted Strickland said.
http://www.ohio.com/mld/beaconjournal/news/state/17383005.htm
http://zanesvilletimesrecorder.com/apps/pbcs.dll/article?AID=/20070616/UPDATES01/70616002/1002/NEWS01
FYI -
Flash drive containing students' SSNs stolen from GVSU - A flash
drive containing some confidential information was stolen from Lake
Huron Hall on Grand Valley State University's Allendale Campus on
May 24.
http://www.woodtv.com/Global/story.asp?S=6643715&nav=0Rce
http://www.mlive.com/news/grpress/index.ssf?/base/news-36/118173691983190.xml&coll=6
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 3 of
5)
PROCEDURES TO ADDRESS SPOOFING - Information Gathering
After a bank has determined that it is the target of a spoofing
incident, it should collect available information about the attack
to enable an appropriate response. The information that is
collected will help the bank identify and shut down the fraudulent
Web site, determine whether customer information has been obtained,
and assist law enforcement authorities with any investigation.
Below is a list of useful information that a bank can collect. In
some cases, banks will require the assistance of information
technology specialists or their service providers to obtain this
information.
* The means by which the bank became aware that it was the target
of a spoofing incident (e.g., report received through Website, fax,
telephone, etc.);
* Copies of any e-mails or documentation regarding other forms of
communication (e.g., telephone calls, faxes, etc.) that were used to
direct customers to the spoofed Web sites;
* Internet Protocol (IP) addresses for the spoofed Web sites along
with identification of the companies associated with the IP
addresses;
* Web-site addresses (universal resource locator) and the
registration of the associated domain names for the spoofed site;
and
* The geographic locations of the IP address (city, state, and
country).
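The lure e-mails and spoofed-site addresses in the list above are the first things an incident file needs, and sorting the legitimate links from the spoofed ones is the step that decides which hosts get the IP, registration and location lookups. The following Python is an added example, not part of the OCC guidance: it assumes a constructed bank domain (examplebank.com), a constructed lure message, and a crude two-label stand-in for a public-suffix lookup; it triages each URL in the lure, including the user@host trick where the brand appears before an '@' and the real host follows it.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed assumptions for this example: the bank's registrable domain and brand string.
LEGITIMATE_DOMAINS = {"examplebank.com"}
BRAND = "examplebank"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed lure e-mail, the kind of copy the guidance says to preserve.
SAMPLE_LURE = """Dear customer, your ExampleBank account has been locked.
Verify now at http://examplebank.com.secure-login.example/verify or
http://examplebank.com@198.51.100.7/login. Real site: https://www.examplebank.com/."""

def registrable_domain(host):
    """Last two labels of the host; a rough stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_host(host):
    """'legitimate', 'ip_literal', 'lookalike' (brand inside a foreign name) or 'unrelated'."""
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        return "ip_literal"
    except ValueError:
        pass
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    return "lookalike" if BRAND in host.replace("-", "") else "unrelated"

def triage_lure(message):
    """Pull every URL out of a lure and record the facts the incident file needs."""
    entries = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:)")  # sentence punctuation glued to the URL is not part of it
        parsed = urlparse(url)
        host = parsed.hostname or ""
        entries.append({
            "url": url,
            "host": host,
            "registrable_domain": registrable_domain(host),
            "verdict": classify_host(host),
            "userinfo": parsed.username,  # brand before '@' while the real host follows it
        })
    return entries

def hosts_to_investigate(entries):
    """Hosts whose IP, hosting company, registration and location still need looking up."""
    return sorted({e["host"] for e in entries if e["verdict"] != "legitimate"})
```

The hosts returned by `hosts_to_investigate` are the ones to pass to DNS, WHOIS and geolocation lookups (not performed here, so the example runs offline) to complete the remaining items in the list.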
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
MONITORING AND UPDATING - MONITORING
Effective monitoring of threats includes both non-technical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
! Senior management support for strong security policy awareness and
compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
! Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
levels.
! Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration management process that
monitors for vulnerabilities in hardware and software and
establishes a process to install and test security patches,
- Maintaining up-to-date anti-virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and vendors
to identify and react to new security issues.
! Senior management should require periodic security self-assessments
and audits to provide an ongoing assessment of policy compliance and
ensure prompt corrective action of significant deficiencies.
! Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
security personnel.
IT SECURITY QUESTION: DATA SECURITY
3. Determine whether individual and group access to data is based on
business needs.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
the transaction.
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web
site.