Spending less than 5 minutes a week, along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI
- Recruiting and developing the 21st century cyber warrior - Last
month, U.S. Deputy Secretary of Defense William Lynn III announced
that the Department of Defense (DoD) was releasing a cybersecurity
strategy explicitly recognizing cyberspace as a new and official
warfare domain.
http://www.scmagazineus.com/recruiting-and-developing-the-21st-century-cyber-warrior/article/210230/?DCMP=EMC-SCUS_Newswire
FYI
- AES proved vulnerable by Microsoft researchers - Shows that the
algorithm underlying almost all of today's online transactions can be
compromised - Researchers from Microsoft and the Belgian Katholieke
Universiteit Leuven have discovered a way to break the widely used
Advanced Encryption Standard (AES), the encryption algorithm used to
secure almost all online transactions and wireless communications.
http://www.computerworld.com/s/article/9219297/AES_proved_vulnerable_by_Microsoft_researchers
FYI
- German state bans Facebook pages, 'Like' buttons - Facebook is in
trouble in Germany yet again after the data-protection authority in
Schleswig-Holstein ordered all institutions in the state to shut
down their Facebook fan pages and remove plug-ins such as the 'Like'
button from their websites.
http://www.zdnet.co.uk/news/compliance/2011/08/22/german-state-bans-facebook-pages-like-buttons-40093735/
FYI
- FTC fines firm $50,000 for collecting children's personal
information - The Federal Trade Commission (FTC) has fined W3
Innovations, a mobile applications developer, $50,000 for illegally
collecting and disclosing personal information on tens of thousands
of children under the age of 13 without their parents’ consent.
http://www.infosecurity-us.com/view/20194/ftc-fines-firm-50000-for-collecting-childrens-personal-information/
FYI
- AT&T sues two over scheme to steal customer data - AT&T has
accused two Utah men of carrying out a data mining scheme, using
automatic dialing programs to harvest information from its customer
database and costing the company more than $6.5 million.
http://www.scmagazineus.com/att-sues-two-over-scheme-to-steal-customer-data/article/209763/
FYI
- Met officers cleared over hacking misconduct claims - The former
Metropolitan Police commissioner has been cleared of misconduct in
his handling of the phone hacking inquiry by the police watchdog.
http://www.bbc.co.uk/news/uk-14559802
FYI
- GAO - Further Actions Needed to Re-examine Centralization Approach
and to Better Document Associated Costs
Release - http://www.gao.gov/products/GAO-11-769
Highlights - http://www.gao.gov/highlights/d11769high.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Second BART Hack Exposes Police Personal Info - Hackers gained
access to the web site operated by The Bay Area Rapid Transit Police
Officers' Association, posting personal details of more than 100
officers. The officers' home and e-mail addresses were leaked along
with passwords. The hackers group Anonymous announced the most
recent breach, but has not yet claimed responsibility.
http://www.sci-tech-today.com/news/Second-BART-Cyberattack-Carried-Out/story.xhtml?story_id=10200CGUJFPI
FYI
- Investigation reveals widespread insider hacking at immigration
agency - A yearlong probe into computer fraud at an immigration
application processing center uncovered multiple incidents of
internal hacking where staff accessed management-level emails and
other confidential files, according to Homeland Security Department
interviews, network analyses and internal emails obtained by Nextgov.
http://www.nextgov.com/nextgov/ng_20110818_1087.php?oref=topstory
FYI
- IT admin cops to crippling ex-employer's network - A Georgia IT
administrator has pleaded guilty to crippling the computer system of
a Japanese pharmaceutical company's US subsidiary several months
after his employment there ended.
http://www.theregister.co.uk/2011/08/17/it_admin_revenge/
FYI
- eThieves Steal $217k from Arena Firm - Cyber thieves stole
$217,000 last month from the Metropolitan Entertainment & Convention
Authority (MECA), a nonprofit organization responsible for operating
the Qwest Center and other gathering places in Omaha, Nebraska.
http://krebsonsecurity.com/2011/08/ethieves-steal-217k-from-arena-firm/
FYI
- AntiSec hackers target another military contractor - A vigilante
hacker group has attacked Vanguard Defense Industries (VDI), a
contractor based in Conroe, Texas, that sells advanced weapons to
law enforcement, military and private corporations. Among its
products is the ShadowHawk, a robotic helicopter used for aerial
surveillance that can also be equipped with a grenade launcher.
http://www.scmagazineus.com/antisec-hackers-target-another-military-contractor/article/209962/?DCMP=EMC-SCUS_Newswire
FYI
- Hackers break into sensitive Purdue University server - A computer
server containing the personal information of thousands of former
Purdue University students was accessed by hackers.
http://www.scmagazineus.com/hackers-break-into-sensitive-purdue-university-server/article/209955/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft. (Part 3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Application-Level Firewalls
Application-level firewalls perform application-level screening,
typically including the filtering capabilities of packet filter
firewalls with additional validation of the packet content based on
the application. Application-level firewalls capture and compare
packets to state information in the connection tables. Unlike a
packet filter firewall, an application-level firewall continues to
examine each packet after the initial connection is established for
specific application or services such as telnet, FTP, HTTP, SMTP,
etc. The application-level firewall can provide additional screening
of the packet payload for commands, protocols, packet length,
authorization, content, or invalid headers. Application-level
firewalls provide the strongest level of security, but are slower
and require greater expertise to administer properly.
The primary disadvantages of application-level firewalls are:
- The time required to read and interpret each packet slows network
traffic. Traffic of certain types may have to be split off before
the application-level firewall and passed through different access
controls.
- Any particular firewall may provide only limited support for new
network applications and protocols, or it may simply allow traffic
from those applications and protocols to pass through the firewall
without application-level screening.
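To make the two layers of screening described above concrete, here is an added example (not from the FFIEC booklet or any firewall product): a toy application-level screen for the FTP control channel. Every packet is first checked against a connection table, as a packet filter would do; once the connection is established, each packet's payload is still examined for an allowed command, a length limit, and a valid line format. The packets, the 512-byte limit, and the command allowlist are assumptions chosen for the illustration.

```python
# Toy application-level firewall screen for FTP control traffic (port 21).
# Constructed example; not production code. Packets and limits are made up.
from dataclasses import dataclass

MAX_CMD_LEN = 512   # assumed control-line limit for this toy screen
ALLOWED_CMDS = {"USER", "PASS", "PWD", "CWD", "LIST", "RETR", "QUIT", "TYPE", "PASV"}


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port (21 = FTP control)
    flags: str      # TCP flags as letters, e.g. "S", "A", "PA", "FA"
    payload: bytes  # application data carried by the segment


# Connection table: (src, dst, dport) -> state. A packet filter stops here;
# the application-level screen keeps going for established connections.
connection_table = {}


def screen(pkt: Packet) -> tuple:
    """Return (allowed, reason) for one packet on the FTP control channel."""
    key = (pkt.src, pkt.dst, pkt.dport)
    if "S" in pkt.flags and "A" not in pkt.flags:      # new connection (SYN)
        connection_table[key] = "SYN_SEEN"
        return True, "new connection recorded"
    state = connection_table.get(key)
    if state is None:                                   # no state: drop, as a stateful filter would
        return False, "no connection state for this packet"
    if "F" in pkt.flags or "R" in pkt.flags:            # teardown: forget the connection
        connection_table.pop(key, None)
        return True, "connection closed"
    connection_table[key] = "ESTABLISHED"
    if not pkt.payload:
        return True, "ack without payload"
    # Application-level checks, applied to every packet after setup.
    if len(pkt.payload) > MAX_CMD_LEN:
        return False, "command line too long"
    if not pkt.payload.endswith(b"\r\n"):
        return False, "invalid header: line not CRLF terminated"
    try:
        line = pkt.payload[:-2].decode("ascii")
    except UnicodeDecodeError:
        return False, "invalid content: non-ASCII bytes on control channel"
    if any(ord(c) < 0x20 for c in line):
        return False, "invalid content: control characters in command line"
    verb = line.split(" ", 1)[0].upper()
    if verb not in ALLOWED_CMDS:
        return False, f"command {verb!r} not permitted"
    return True, f"command {verb} permitted"
```

The same skeleton applies to other protocols the text names (telnet, HTTP, SMTP); only the payload checks change, which is also where the added processing cost the text mentions comes from.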
INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.
The Exceptions
Exceptions to the opt out right are detailed in sections 13, 14,
and 15 of the regulations. Financial institutions need not comply
with opt-out requirements if they limit disclosure of nonpublic
personal information:
1) To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or those
offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by contract
prohibits the third party from disclosing or using the information
for other than the specified purposes. In a contract for a joint
marketing agreement, the contract must provide that the parties to
the agreement are jointly offering, sponsoring, or endorsing a
financial product or service. However, if the service or function is
covered by the exceptions in section 14 or 15 (discussed below), the
financial institution does not have to comply with the additional
disclosure and confidentiality requirements of section 13.
Disclosure under this exception could include the outsourcing of
marketing to an advertising company. (Section 13)
2) As necessary to effect, administer, or enforce a transaction
that a consumer requests or authorizes, or under certain other
circumstances relating to existing relationships with customers.
Disclosures under this exception could be in connection with the
audit of credit information, administration of a rewards program, or
to provide an account statement. (Section 14)
3) For specified other disclosures that a financial institution
normally makes, such as to protect against or prevent actual or
potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable legal
requirements, such as the disclosure of information to regulators.
(Section 15)