R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 7, 2011

Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - GAO - Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures - http://www.gao.gov/products/GAO-11-687R

FYI - MU hosts cyber security camp to train future defenders of cyberspace - Three winners walked away from the United States Cyber Challenge Regional Cyber Security Boot Camp at MU with $1,000 scholarships. http://www.columbiamissourian.com/stories/2011/07/30/cyber-security-camp-gives-lessons-future-midwest-students/

FYI - GAO - Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate
Release - http://www.gao.gov/products/GAO-11-605
Highlights - http://www.gao.gov/highlights/d11605high.pdf

FYI - GAO - DHS Needs to Improve Its Independent Acquisition Reviews
Release - http://www.gao.gov/products/GAO-11-581
Highlights - http://www.gao.gov/highlights/d11581high.pdf

FYI - ALDI sells hard drives with malware inside - The Australian Computer Emergency Response Team (AusCERT) released an alert yesterday on the Federal Government's Stay Smart Online alert service, alleging that the Fission External 4-in-1 Hard Drive, DVD, USB and Card Reader product offered by ALDI contains the components of the "Conficker" worm. http://www.zdnet.com.au/aldi-sells-hard-drives-with-malware-inside-339319481.htm

FYI - 'War texting' hacks car systems and possibly much more - Software that allows drivers to remotely unlock and start automobiles using cell phones is vulnerable to hacks that allow attackers to do the same thing, sometimes from thousands of miles away, it was widely reported. http://www.theregister.co.uk/2011/07/27/war_texting_hack/

FYI - SecurID breach cost RSA $66m - The security breach that targeted sensitive data relating to RSA's SecurID two-factor authentication product has cost parent company EMC $66m in the second quarter, The Washington Post has reported. http://www.theregister.co.uk/2011/07/27/rsa_security_breach/

FYI - In ‘Anonymous’ Raids, Feds Work From List of Top 1,000 Protesters - It turns out there’s a method behind the FBI’s raids of suspected Anonymous members around the country. The bureau is working from a list, provided by PayPal, of the 1,000 internet IP addresses responsible for the most protest traffic during Anonymous’ DDoS attacks against PayPal last December. http://www.wired.com/threatlevel/2011/07/op_payback/

FYI - Criminals abusing Amazon cloud to spread SpyEye - Criminals for the past several weeks have been exploiting Amazon's Simple Storage Service (S3) cloud offering to spread SpyEye malware, according to researchers at anti-virus firm Kaspersky Lab. http://www.scmagazineus.com/criminals-abusing-amazon-cloud-to-spread-spyeye/article/208689/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - British phone hacking inquiry opens - A British judge has formally opened an inquiry into the phone-hacking scandal that has rocked the country, saying the first public hearings will be in September and will focus on media ethics. http://www.abc.net.au/news/2011-07-29/british-phone-hacking-inquiry-opens/2815008?section=world

FYI - 35m Cyworld, Nate users’ information hacked - SK Communications Co. said on Thursday that personal information of its 35 million online users has been hacked, marking South Korea’s worst online security breach and sparking fears that the leak could lead to massive online and voice scams in coming weeks. http://www.koreaherald.com/national/Detail.jsp?newsMLId=20110728000881

FYI - Seattle hospital data exposed online - Swedish Medical Center, the largest nonprofit health care provider in the greater Seattle area, is alerting current and former employees that their personal information was inadvertently accessible online for several weeks. http://www.scmagazineus.com/seattle-hospital-data-exposed-online/article/208680/?DCMP=EMC-SCUS_Newswire

FYI - Hackers strike government cybersecurity contractor - Hackers flying the AntiSec banner today released what they said was 400 megabytes of internal data from a government cybersecurity contractor, ManTech, as part of their campaign to embarrass the FBI every Friday, as well as target other government agencies and their partners. http://news.cnet.com/8301-27080_3-20085723-245/hackers-strike-government-cybersecurity-contractor/


WEB SITE COMPLIANCE - We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 10 of 10)

B. RISK MANAGEMENT TECHNIQUES

Managing Service Providers

Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.

When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.

Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Firewalls

A firewall is a collection of components (computers, routers, and software) that mediate access between different security domains. All traffic between the security domains must pass through the firewall, regardless of the direction of the flow. Since the firewall serves as a choke point for traffic between security domains, it is ideally situated to inspect and block traffic and to coordinate activities with network IDS systems.

Financial institutions have four primary firewall types from which to choose: packet filtering, stateful inspection, proxy servers, and application-level firewalls. Any product may have characteristics of one or more firewall types. The selection of firewall type depends on many characteristics of the security zone, such as the amount of traffic, the sensitivity of the systems and data, and the applications involved.  Over the next few weeks we will discuss the different types of firewalls.
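To make the difference between the first two firewall types concrete, here is an added example (not part of the FFIEC booklet or of this newsletter) that models a stateless packet filter and a stateful inspection firewall in Python and runs the same constructed traffic through both. The rule set, the class names, and the IP addresses (10.0.0.0/8 for the internal zone, 203.0.113.0/24 and 198.51.100.0/24 documentation ranges for the Internet side) are all assumptions made for illustration; the model ignores TCP flags and connection teardown, which real products track.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A constructed TCP packet header as the firewall would see it."""
    direction: str   # "out" = internal zone -> Internet, "in" = Internet -> internal zone
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# ---- Packet-filtering firewall (stateless) ----
# Each rule is (direction, src_port, dst_port, action); None is a wildcard.
# Rules are checked top to bottom and the first match decides.
STATELESS_RULES = [
    ("out", None, 443, "allow"),   # internal hosts may open HTTPS sessions
    ("in", 443, None, "allow"),    # replies arrive from port 443, so admit them blindly
    ("in", None, None, "deny"),    # everything else from the Internet is dropped
    ("out", None, None, "deny"),
]


def stateless_decide(pkt, rules=STATELESS_RULES):
    """Decide on one packet from its header fields alone; no memory of earlier packets."""
    for direction, src_port, dst_port, action in rules:
        if pkt.direction != direction:
            continue
        if src_port is not None and pkt.src_port != src_port:
            continue
        if dst_port is not None and pkt.dst_port != dst_port:
            continue
        return action
    return "deny"   # default deny when no rule matched


# ---- Stateful inspection firewall ----
class StatefulFirewall:
    """Remembers connections opened from the internal zone and admits only their replies."""

    def __init__(self, allowed_outbound_ports=(443,)):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        # Tracked connections as (internal_ip, internal_port, remote_ip, remote_port).
        self.connections = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port in self.allowed_outbound_ports:
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "allow"
            return "deny"
        # Inbound: allowed only if it is the reverse of a tracked outbound connection.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.connections else "deny"


def compare_firewalls():
    """Run constructed sample traffic through both firewalls and return the verdicts."""
    fw = StatefulFirewall()
    traffic = {
        # An internal workstation opens an HTTPS session to a web server.
        "outbound_https": Packet("out", "10.0.0.5", 51000, "203.0.113.10", 443),
        # The web server's reply to that session.
        "reply_to_session": Packet("in", "203.0.113.10", 443, "10.0.0.5", 51000),
        # An unsolicited inbound packet that merely uses 443 as its source port.
        "unsolicited_from_443": Packet("in", "198.51.100.7", 443, "10.0.0.9", 3389),
    }
    verdicts = {}
    for name, pkt in traffic.items():
        verdicts[name] = {"stateless": stateless_decide(pkt), "stateful": fw.decide(pkt)}
    return verdicts


if __name__ == "__main__":
    for name, v in compare_firewalls().items():
        print(f"{name:22s} stateless={v['stateless']:5s} stateful={v['stateful']}")
```

The third packet is the point of the exercise: the stateless filter has to admit any inbound packet with source port 443 so that legitimate replies get through, whereas the stateful firewall consults its connection table and drops it because no internal host opened that session. This is why the booklet treats stateful inspection as a distinct, stronger type than plain packet filtering.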

 

INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Definitions and Key Concepts

In discussing the duties and limitations imposed by the regulations, a number of key concepts are used. These concepts include "financial institution"; "nonpublic personal information"; "nonaffiliated third party"; the "opt out" right and the exceptions to that right; and "consumer" and "customer." Each concept is briefly discussed below. A more complete explanation of each appears in the regulations.

Financial Institution:

A "financial institution" is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.

Nonaffiliated Third Party:

A "nonaffiliated third party" is any person except a financial institution's affiliate or a person employed jointly by a financial institution and a company that is not the institution's affiliate. An "affiliate" of a financial institution is any company that controls, is controlled by, or is under common control with the financial institution.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated