R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 11, 2011

CONTENT
Internet Compliance
Information Systems Security
IT Security
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - U.S. Sources Exposed as Unredacted State Department Cables Are Unleashed Online - An encrypted WikiLeaks file containing 251,000 unredacted U.S. State Department cables is now widely available online, along with the passphrase to open it. The release of the documents in raw form, including the names of U.S. informants around the globe, has raised concerns that dozens of people could now be in danger. http://www.wired.com/threatlevel/2011/09/wikileaks-unredacted-cables/

FYI - Google Certificate Hackers May Have Stolen 200 Others - Hackers who obtained a fraudulent digital certificate for Google may have actually obtained more than 200 digital certificates for other top internet entities such as Mozilla, Yahoo and even the privacy and anonymizing service Tor. http://www.wired.com/threatlevel/2011/08/diginotar-breach/

FYI - Laptop Tracking Software Faces New Privacy Heat - Judge rules couple can sue maker of Lojack For Laptops software for intercepting and sharing couple's communications with police. How far can someone go when tracking stolen technology goods? http://www.informationweek.com/news/security/privacy/231600626

FYI - No pointing fingers: Defense in the cloud is everyone's responsibility - Over the last two decades, the now-famous 1993 New Yorker cartoon showing two canines in front of a PC with one saying to the other, “On the internet, nobody knows you are a dog” has become a staple of presentations on internet identity and privacy. http://www.scmagazineus.com/no-pointing-fingers-defense-in-the-cloud-is-everyones-responsibility/article/211074/?DCMP=EMC-SCUS_Newswire

FYI - Dutch CA banished for life from Chrome, Firefox - Game over for DigiNotar and its PKIoverheid fiefdom - The network breach in July that forged a near-perfect replica of a Google.com credential minted more than 200 other SSL certificates for more than 20 different domains, a top manager for Mozilla's Firefox browser said. http://www.theregister.co.uk/2011/09/03/diginotar_game_over/

FYI - Plods to get dot-uk takedown powers - without court order - Why? 'Cos we're the bleedin' law, you slaag - Police in the UK could get new powers to suspend internet domain names without a court order if they're being used for illegal activity, under rules proposed to .uk registry manager Nominet. http://www.theregister.co.uk/2011/09/02/cops_to_get_dot_uk_takedown_powers/

FYI - Pakistan May Have to Abandon Cryptography Ban - As other countries have discovered, businesses need encrypted communications. This week, a Pakistani Internet service provider (ISP) leaked a government regulatory memo requiring all ISPs to block encrypted communications sent over virtual private networks (VPNs). http://www.technologyreview.com/communications/38497/?p1=A3&a=f

FYI - Alleged 'Anonymous 14' plead innocent to PayPal DDoS - Fourteen individuals believed to be part of the hacktivist group Anonymous pleaded innocent on Thursday in federal court in San Jose, Calif to charges of participating in an attack against PayPal. http://www.scmagazineus.com/alleged-anonymous-14-plead-innocent-to-paypal-ddos/article/211199/?DCMP=EMC-SCUS_Newswire 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - California blazes trail again with enhanced breach alert law - After being vetoed twice by the prior administration, a bill that updates California's pioneering data breach notification law was signed into law Wednesday by Gov. Jerry Brown. http://www.scmagazineus.com/california-blazes-trail-again-with-enhanced-breach-alert-law/article/211005/

FYI - Kernel.org Linux repository rooted in hack attack - Multiple servers used to maintain and distribute the Linux operating system were infected with malware that gained root access, modified system software, and logged passwords and transactions of the people who used them, the official Linux Kernel Organization has confirmed. http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/

FYI - More insiders snooping into health records, says survey - Breaches into protected health information (PHI) are on the rise, and staffers are responsible for more than a third of the intrusions, a new survey has found. http://www.scmagazineus.com/more-insiders-snooping-into-health-records-says-survey/article/210927/?DCMP=EMC-SCUS_Newswire

FYI - Turkish net hijack hits big name websites - Visitors to the websites of Vodafone, the Daily Telegraph, UPS and four others were re-directed to a site set up by Turkish hackers on Sunday night. The diversion was the result of the group's attack on computers that hold web address information. http://www.bbc.co.uk/news/technology-14786524

FYI - Ex-employee hacks US military contractor's computer systems - After being terminated from his job, he logged into McLane Advanced Technologies and wiped customer data - At the Bar and Grill in Austin, Texas, you can get burgers and beer served to you by a waitress. And if you're a recently fired IT worker, you can also log on using their WiFi, break into a US military contractor's computer systems and wipe out payroll files. http://news.techworld.com/security/3301315/ex-employee-hacks-us-military-contractors-computer-systems/

FYI - Anonymous targets Texas police chiefs site - In the face of new arrests and the arraignments of 14 Anonymous members accused of launching attacks last year against PayPal, the hacktivist group continues to expose security weaknesses and embarrassing documents. In its latest digital heist, Anonymous on Thursday leaked 3 GB of data from TexasPoliceChiefs.org. http://www.scmagazineus.com/anonymous-targets-texas-police-chiefs-site/article/211203/?DCMP=EMC-SCUS_Newswire 

Return to the top of the newsletter

WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 5 of 6)

Consumer Education

The FDIC believes that consumers have an important role to play in protecting themselves from identity theft. As identity thieves become more sophisticated, consumers can benefit from accurate, up-to-date information designed to educate them concerning steps they should take to reduce their vulnerability to this type of fraud. The financial services industry, the FDIC and other federal regulators have made significant efforts to raise consumers' awareness of this type of fraud and what they can do to protect themselves.

In 2005, the FDIC sponsored four identity theft symposia entitled Fighting Back Against Phishing and Account-Hijacking. At each symposium (held in Washington, D.C., Atlanta, Los Angeles and Chicago), panels of experts from government, the banking industry, consumer organizations and law enforcement discussed efforts to combat phishing and account hijacking, and to educate consumers on avoiding scams that can lead to account hijacking and other forms of identity theft. In 2006, the FDIC sponsored a symposium series entitled Building Confidence in an E-Commerce World. Sessions were held in San Francisco, Phoenix and Miami. Further consumer education efforts are planned for 2007.

In 2006, the FDIC released a multi-media educational tool, Don't Be an On-line Victim, to help online banking customers avoid common scams. It discusses how consumers can secure their computer, how they can protect themselves from electronic scams that can lead to identity theft, and what they can do if they become the victim of identity theft. The tool is being distributed through the FDIC's web site and via CD-ROM. Many financial institutions also now display anti-fraud tips for consumers in a prominent place on their public web site and send customers informational brochures discussing ways to avoid identity theft along with their account statements. Financial institutions are also redistributing excellent educational materials from the Federal Trade Commission, the federal government's lead agency for combating identity theft.


Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Firewall Policy (Part 1 of 3)

A firewall policy states management's expectations for how the firewall should function and is a component of the overall security policy. It should establish rules for traffic coming into and going out of the security domain and how the firewall will be managed and updated. Therefore, it is a type of security policy for the firewall, and forms the basis for the firewall rules. The firewall selection and the firewall policy should stem from the ongoing security risk assessment process. Accordingly, management needs to update the firewall policy as the institution's security needs and the risks change. At a minimum, the policy should address:

! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the firewall's effectiveness, and
! Contingency planning.

Financial institutions should also appropriately train and manage their staffs to ensure the firewall policy is implemented properly. Alternatively, institutions can outsource the firewall management, while ensuring that the outsourcer complies with the institution's specific firewall policy.
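The two policy items that most often fail in practice are "permissible traffic" (the premise that anything not expressly allowed is denied) and "regular auditing of a firewall's configuration". Below is an added example, not part of the FFIEC booklet or of this newsletter, of how an auditor can check both against a saved ruleset. It parses an iptables-save style dump and flags any built-in chain whose default policy is ACCEPT, or that carries an ACCEPT rule with no source, destination, protocol, port, interface or connection-state constraint. The ruleset, addresses and chain contents are constructed for illustration; the parsing is limited to the common filter-table syntax shown and is not a complete iptables grammar.

```python
"""Audit an iptables-save style ruleset against the default-deny premise.

Added example: checks the FFIEC policy items 'permissible traffic' and
'regular auditing of a firewall's configuration'.  Hypothetical ruleset.
"""
import re
from dataclasses import dataclass, field

# Constructed sample dump (not a real institution's ruleset).  INPUT is
# default-ACCEPT and also carries a catch-all accept; FORWARD and OUTPUT
# are default-DROP with only expressly permitted traffic.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -s 203.0.113.0/24 -j ACCEPT
-A INPUT -j ACCEPT
-A OUTPUT -p udp --dport 53 -d 198.51.100.53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|REJECT) ")
RULE_RE = re.compile(r"^-A (\S+) (.*)-j (\S+)\s*$")
# Match options that actually narrow what a rule accepts.  An ACCEPT rule
# with none of these is a catch-all and defeats default deny.
CONSTRAINING_OPTS = ("-s ", "-d ", "-p ", "--dport", "--sport",
                     "-i ", "-o ", "--ctstate")


@dataclass
class ChainAudit:
    chain: str
    default_policy: str
    broad_accepts: list = field(default_factory=list)


def audit_ruleset(text):
    """Return {chain_name: ChainAudit} for chains that declare a policy."""
    audits = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            audits[m.group(1)] = ChainAudit(m.group(1), m.group(2))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # table header, COMMIT, or syntax this audit ignores
        chain, matches, target = m.groups()
        if target == "ACCEPT" and chain in audits:
            if not any(opt in matches for opt in CONSTRAINING_OPTS):
                audits[chain].broad_accepts.append(line)
    return audits


def findings(text):
    """One finding per violation of the default-deny premise; [] if clean."""
    out = []
    for chain, a in sorted(audit_ruleset(text).items()):
        if a.default_policy not in ("DROP", "REJECT"):
            out.append(f"{chain}: default policy is {a.default_policy}; "
                       "policy requires all traffic not expressly allowed to be denied")
        for rule in a.broad_accepts:
            out.append(f"{chain}: unconstrained accept rule '{rule}' "
                       "permits every packet the earlier rules did not match")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_RULESET):
        print("FINDING:", f)
```

Run against the sample dump this reports two findings, both on INPUT; changing the INPUT policy to DROP and removing the `-A INPUT -j ACCEPT` line leaves the audit clean. In a real review the same check is applied to the dump taken from the production firewall at each audit interval, and any ACCEPT rule that the policy does not enumerate is treated as a finding even if it is constrained.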


Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Consumer and Customer:

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:

1)  maintains a deposit or investment account; 

2)  obtains a loan; 

3)  enters into a lease of personal property; or 

4)  obtains financial, investment, or economic advisory services for a fee.

Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution.

There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.

Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated