R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 24, 2011

Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Cyber Camp Develops Tomorrow's IT Security Pros - Players at the 2011 U.S. Cyber Challenge Summer Camp at Cal Poly Pomona entered a free-range network that tested their cyber security knowledge. http://www.govtech.com/security/Cyber-Camp-Develops-Tomorrows-IT-Security-Pros.html

FYI - Report says firms must rethink patching strategy - With two billion users now accessing the internet, even a small success rate of attacks on endpoints translates to huge numbers of compromised systems. http://www.scmagazineus.com/report-says-firms-must-rethink-patching-strategy/article/207478/?DCMP=EMC-SCUS_Newswire

FYI - Feds Defend Internet Domain Seizure in Piracy Crackdown - Federal prosecutors are asking a judge not to return the domain names of one of Spain’s most popular websites, seized as part of a major U.S. crackdown on internet piracy. http://www.wired.com/threatlevel/2011/07/domain-seizures-defended/

FYI - Wi-Fi–Hacking Neighbor From Hell Sentenced to 18 Years - A Minnesota hacker prosecutors described as a “depraved criminal” was handed an 18-year prison term Tuesday for unleashing a vendetta of cyberterror that turned his neighbors’ lives into a living nightmare. http://www.wired.com/threatlevel/2011/07/hacking-neighbor-from-hell/

FYI - US, Romanian authorities target Internet fraud scheme - Romanian law enforcement officials on Thursday executed 117 searches targeting more than 100 people in an ongoing effort with the U.S. Department of Justice to break up a large Internet auction fraud scheme, the DOJ said. http://www.computerworld.com/s/article/9218444/US_Romanian_authorities_target_Internet_fraud_scheme?taxonomyId=17

FYI - GAO - USDA Systems Modernization: Management and Oversight Improvements Are Needed. 
Release - http://www.gao.gov/products/GAO-11-586

FYI - Researcher finds serious vulnerability in Skype - A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone's account, according to details posted online. http://www.computerworld.com/s/article/9218440/Update_Researcher_finds_serious_vulnerability_in_Skype?taxonomyId=17

FYI - GAO - Complex Financial Institutions and International Coordination Pose Challenges. 
Release - http://www.gao.gov/products/GAO-11-707
Highlights - http://www.gao.gov/highlights/d11707high.pdf

FYI - FBI charges Anonymous members with PayPal DDoS - The FBI on Wednesday charged 14 people, mostly twenty-somethings, for their alleged involvement in an Anonymous-inspired attack on the PayPal website in December. http://www.scmagazineus.com/fbi-charges-anonymous-members-with-paypal-ddos/article/207879/?DCMP=EMC-SCUS_Newswire

FYI - Reddit co-founder charged with intrusion, data theft - The co-founder of social news website Reddit was indicted Tuesday in Boston on charges of breaking into the Massachusetts Institute of Technology (MIT) network and stealing more than four million documents from JSTOR, an archive of scientific and academic journals. http://www.scmagazineus.com/reddit-co-founder-charged-with-intrusion-data-theft/article/207842/?DCMP=EMC-SCUS_Newswire

FYI - Lessons of the Sony PlayStation hack - If we haven't yet been taught to protect our data, certainly the past six months should have changed that. http://www.scmagazineus.com/lessons-of-the-sony-playstation-hack/article/207788/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Pentagon Admits Major Data Breach as It Unveils Defensive Cyber-Strategy - A foreign government was behind a March cyber-attack against military computers that led to 24,000 files being stolen from a defense contractor, the Department of Defense said. The intruders were after files related to missile tracking systems, unmanned aerial vehicles and the Joint Strike Fighter. http://www.eweek.com/c/a/Security/Pentagon-Admits-Major-Data-Breach-as-It-Unveils-Defensive-CyberStrategy-869009/

FYI - Hack of Energy’s Pacific Northwest lab exploited zero-day vulnerability - The cyberattack that took the Energy Department’s Pacific Northwest National Laboratory offline on July 1 exploited a zero-day vulnerability to infect the systems with an Advanced Persistent Threat. http://gcn.com/articles/2011/07/12/energy-lab-attack-zero-day-exploit.aspx

FYI - Sega forums still closed a month after mystery hack - Digital pillage leaves lasting damage - Sega's forum remains offline almost a month after its forums and other sites were hit by hacktivists. http://www.theregister.co.uk/2011/07/14/sega_forum_still_suspending/

FYI - Hackers were in German police computers for months - German police took months to notice that computer hackers had infiltrated federal police and customs service computers, media reports said Sunday, citing unnamed cyber security officials. http://www.monstersandcritics.com/news/europe/news/article_1651622.php/Officials-hackers-were-in-German-police-computers-for-months

FYI - Tosh admits customer accounts pillaged - Toshiba says that unidentified hackers have stolen customer records belonging to 7,500 of its customers. http://www.theregister.co.uk/2011/07/18/tosh_customer_hack/

FYI - Hacked SBS links to risky content - The website of the Special Broadcasting Service (SBS) has been victim of a hacking attack over the weekend, with users visiting the site exposed to malware. http://www.zdnet.com.au/hacked-sbs-links-to-risky-content-339318734.htm

FYI - Energy lab back online after cyberattack - Almost two weeks after a cyberattack forced the Energy Department’s Pacific Northwest National Laboratory in Richland, Wash., to go offline, the lab has restored Internet access and most public websites. http://fcw.com/articles/2011/07/15/pnnl-back-online-after-hack.aspx

FYI - Computer theft impacts 400K S. Carolina patients - In one of the largest health care data breaches this year, a computer containing hundreds of thousands of patient records was stolen from South Carolina's Spartanburg Regional Healthcare System. http://www.scmagazineus.com/computer-theft-impacts-400k-s-carolina-patients/article/207820/?DCMP=EMC-SCUS_Newswire

FYI - Lady Gaga website hacked to expose users' data - The personal information belonging to thousands of Lady Gaga fans was stolen after hackers breached the singer's U.K. website. http://www.scmagazineus.com/lady-gaga-website-hacked-to-expose-users-data/article/207774/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 8 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.

Disclaimers and Disclosures

Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy policies do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.

In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.

A "pop-up" is a screen generated by mobile code, for example Java or ActiveX, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile code.

In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer.
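The speedbump described above is simplest to build as a server-side page that only knows a fixed table of approved third-party links; the code below is an added example, not part of the FFIEC statement, and the partner URLs, the bank name "AnyBank" and the disclosure wording are constructed for illustration. Because the notice is rendered by the institution's own web server, no mobile code runs in the browser, and because only exact matches against the approved table are served, the interstitial cannot be used to forward a customer to an arbitrary site.

```python
"""Server-side "speedbump" interstitial (added example, constructed data)."""
from html import escape
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed table of approved weblinks: canonical URL -> partner name.
APPROVED_LINKS: Dict[str, str] = {
    "https://insurance.example.net/quote": "Example Insurance Co.",
    "https://cards.example.org/apply": "Example Card Services",
}

# Disclosure text modelled on the elements the statement recommends.
DISCLOSURE = (
    "You are leaving the website of AnyBank. AnyBank does not provide, and is "
    "not responsible for, the products, services, or overall content of the "
    "site you are about to visit. AnyBank's privacy policy does not apply "
    "there; please review the privacy disclosures on that site."
)


def normalize(url: str) -> str:
    """Lower-case scheme and host so table lookups are not case-sensitive."""
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(),
                          netloc=parts.netloc.lower()).geturl()


def speedbump(target: str) -> Tuple[int, str]:
    """Return (HTTP status, HTML body) for a requested outbound link.

    Anything not in the approved table (unknown hosts, extra query strings,
    non-http schemes) is refused rather than forwarded.
    """
    key = normalize(target)
    partner = APPROVED_LINKS.get(key)
    if partner is None:
        return 404, "<p>Unknown link.</p>"
    body = (
        "<div style='font-size:1.25em;border:3px solid #c00;padding:1em'>"
        f"<p><strong>{escape(DISCLOSURE)}</strong></p>"
        f"<p>Destination: {escape(partner)} ({escape(key)})</p>"
        f"<p><a href='{escape(key, quote=True)}'>Continue</a> | "
        "<a href='/'>Return to AnyBank</a></p></div>"
    )
    return 200, body


if __name__ == "__main__":
    for url in ("https://insurance.example.net/quote", "https://evil.example.com/"):
        status, html = speedbump(url)
        print(status, html[:60])
```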


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Routing (Part 1 of 2)

Packets are moved through networks using routers, switches, and hubs. The unique IP address is commonly used in routing. Since users typically use text names instead of IP addresses for their addressing, the user's software must obtain the numeric IP address before sending the message. The IP addresses are obtained from the Domain Naming System (DNS), a distributed database of text names (e.g., anybank.com) and their associated IP addresses. For example, financial institution customers might enter the URL of the Web site in their Web browser. The user's browser queries the domain name server for the IP associated with anybank.com. Once the IP is obtained, the message is sent. Although the example depicts an external address, DNS can also function on internal addresses.

A router directs where data packets will go based on a table that links the destination IP address with the IP address of the next machine that should receive the packet. Packets are forwarded from router to router in that manner until they arrive at their destination.  Since the router reads the packet header and uses a table for routing, logic can be included that provides an initial means of access control by filtering the IP address and port information contained in the message header. Simply put, the router can refuse to forward, or forward to a quarantine or other restricted area, any packets that contain IP addresses or ports that the institution deems undesirable. Security policies should define the filtering required by the router, including the type of access permitted between sensitive source and destination IP addresses. Network administrators implement these policies by configuring an access configuration table, which creates a filtering router or a basic firewall.
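The access configuration table the paragraph describes can be modelled as an ordered rule list evaluated first-match-wins with an implicit deny at the end. The block below is an added example, not from the FFIEC booklet; the networks, the DNS and web server addresses, the "known-bad" range and the sample packet headers are constructed, and the "quarantine" action stands in for forwarding to a restricted area.

```python
"""Filtering-router access table (added example, constructed addresses)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# (action, source network, destination network, protocol, destination port)
# "any" matches every protocol or port; 0.0.0.0/0 matches every address.
Rule = Tuple[str, str, str, str, object]

ACCESS_TABLE: List[Rule] = [
    ("quarantine", "198.51.100.0/24", "0.0.0.0/0", "any", "any"),  # known-bad range
    ("permit", "10.1.0.0/16", "10.1.5.53/32", "udp", 53),           # internal DNS
    ("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),           # public HTTPS
    ("deny", "0.0.0.0/0", "10.1.0.0/16", "any", "any"),             # no inbound to LAN
]


def filter_packet(header: Dict[str, object], table: List[Rule] = ACCESS_TABLE) -> str:
    """Return 'permit', 'deny' or 'quarantine' for one packet header.

    The header carries only the fields the router reads: src, dst, proto, dport.
    Rules are tried in order; the first one whose every field matches decides.
    """
    src = ip_address(str(header["src"]))
    dst = ip_address(str(header["dst"]))
    for action, src_net, dst_net, proto, port in table:
        if src not in ip_network(src_net) or dst not in ip_network(dst_net):
            continue
        if proto != "any" and proto != header["proto"]:
            continue
        if port != "any" and port != header.get("dport"):
            continue
        return action
    return "deny"  # implicit deny: nothing in the table matched


# Constructed sample packet headers.
SAMPLE: List[Dict[str, object]] = [
    {"src": "10.1.7.20", "dst": "10.1.5.53", "proto": "udp", "dport": 53},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    {"src": "203.0.113.9", "dst": "10.1.7.20", "proto": "tcp", "dport": 22},
    {"src": "198.51.100.77", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
]


def classify_all(packets: List[Dict[str, object]] = SAMPLE) -> List[str]:
    """Apply the table to every sample packet and return the verdicts."""
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify_all()):
        print(f"{verdict:10s} {pkt}")
```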

A switch directs the path a message will take within the network. Switching works faster than IP routing because the switch only looks at the network address for each message and directs the message to the appropriate computer. Unlike routers, switches do not support packet filtering. Switches, however, are designed to send messages only to the device for which they were intended. The security benefits from that design can be defeated and traffic through a switch can be sniffed.


INTERNET PRIVACY - This concludes our series listing the regulatory-privacy examination questions.  Next week, we will begin our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Other Exceptions to Notice and Opt Out Requirements

50.  If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketers in §13, not apply because the institution makes the disclosure:

a.  with the consent or at the direction of the consumer; [§15(a)(1)]
b.
1.  to protect the confidentiality or security of records; [§15(a)(2)(i)]
2.  to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]
3.  for required institutional risk control or for resolving consumer disputes or inquiries; [§15(a)(2)(iii)]
4.  to persons holding a legal or beneficial interest relating to the consumer; [§15(a)(2)(iv)] or
5.  to persons acting in a fiduciary or representative capacity on behalf of the consumer; [§15(a)(2)(v)]
c.  to insurance rate advisory organizations, guaranty funds or agencies, agencies rating the institution, persons assessing compliance, and the institution's attorneys, accountants, and auditors; [§15(a)(3)]
d.  in compliance with the Right to Financial Privacy Act, or to law enforcement agencies; [§15(a)(4)]
e.  to a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]
f.  in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; [§15(a)(6)]
g.  to comply with Federal, state, or local laws, rules, or legal requirements; [§15(a)(7)(i)]
h.  to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; [§15(a)(7)(ii)] or
i.  to respond to judicial process or government regulatory authorities having jurisdiction over the institution for examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]

(Note: the regulation gives the following as an example of the exception described in section a of this question: "A consumer may specifically consent to [an institution's] disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to [the institution] for a mortgage so that the insurance company can offer homeowner's insurance to the consumer.")

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated