R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 12, 2010

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."  For more information and to subscribe visit http://www.yennik.com/it-review/.

REMINDER
- This week September 13, 2010, I am attending the ISACA Information Security and Risk Management Conference in Las Vegas, Nevada.  I look forward to seeing you there.

FYI -
A quarter of worms designed to spread via USB - A quarter of new worms this year specifically have been designed to spread through USB storage devices, researchers said. http://www.scmagazineus.com/a-quarter-of-worms-designed-to-spread-via-usb/article/177683/?DCMP=EMC-SCUS_Newswire

FYI -
RIM gets 60 days reprieve; India evaluates its BlackBerry proposals - Proposals from Research In Motion (RIM) for lawful access of its networks by law enforcement agencies in India are being put into operation immediately, the government said. http://www.computerworld.com/s/article/9182679/RIM_gets_60_days_reprieve_India_evaluates_its_BlackBerry_proposals?taxonomyId=17

FYI -
Virginia's IT outage continues, 3 agencies still affected - A memory card within a SAN caused the outage - Several Virginia state agencies continue to experience problems with data access due to an outage related to problems in a storage-area network (SAN) that began last week in a data center run by outsourcer Northrop Grumman. http://www.computerworld.com/s/article/9182719/Update_Virginia_s_IT_outage_continues_3_agencies_still_affected?taxonomyId=17

FYI -
DARPA seeks assistance with insider threats - The Defense Advanced Research Projects Agency (DARPA) announced a new program that is looking for fresh approaches toward insider threat detection on government and military networks. http://www.infosecurity-us.com/view/12085/darpa-seeks-assistance-with-insider-threats/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Bad flash drive caused worst U.S. military breach - A malware-laden flash drive inserted in a laptop at a U.S. military base in the Middle East in 2008 led to the "most significant breach of" the nation's military computers ever, according to a new magazine article by a top defense official. http://news.cnet.com/8301-27080_3-20014732-245.html

FYI -
Zurich Insurance fined £2.3m over customers' data loss - The UK operation of Zurich Insurance has been fined £2.27m by the Financial Services Authority (FSA) for losing personal details of 46,000 customers. http://www.bbc.co.uk/news/business-11070217

FYI -
CAO website targeted for second time - The Central Applications Office (CAO) was forced to shut down its website yesterday after an early-morning cyber attack resulted in new passwords being issued to 22,000 third-level applicants. http://www.irishtimes.com/newspaper/ireland/2010/0826/1224277612217.html

FYI -
Alleged ring leader extradited in $9.4m RBS WorldPay heist - Like taking candy from a baby - Federal prosecutors say they have extradited one of the leaders of an international crime ring accused of hacking into bank card processor RBS WorldPay and stealing more than $9.4m in a 12-hour period. http://www.theregister.co.uk/2010/08/07/rbs_worldpay_extradition/

FYI -
Major retail chain and building society found to be in breach of the Data Protection Act - Yorkshire Building Society has been found to be in breach of the Data Protection Act by the Information Commissioner's Office (ICO). http://www.scmagazineuk.com/major-retail-chain-and-building-society-found-to-be-in-breach-of-the-data-protection-act/article/177554/


WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft (Part 6 of 6)

President's Identity Theft Task Force

On May 10, 2006, the President issued an executive order establishing an Identity Theft Task Force (Task Force). The Chairman of the FDIC is a principal member of the Task Force and the FDIC is an active participant in its work. The Task Force has been charged with delivering a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution. On September 19, 2006, the Task Force adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft. Among other things, these recommendations dealt with data breach guidance to federal agencies, alternative methods of "authenticating" identities, and reducing access of identity thieves to Social Security numbers. The final strategic plan is expected to be publicly released soon.

Conclusion

Financial institutions have an affirmative and continuing obligation to protect the privacy of customers' nonpublic personal information. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers.


 
INFORMATION TECHNOLOGY SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

Potential Threats To Consider (Part 2 of 2)

Hackers may use "social engineering," a scheme using social techniques to obtain technical information required to access a system. A hacker may claim to be someone authorized to access the system, such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even set up new computer accounts. Another threat involves the practice of "war-dialing," in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. A few other common forms of system attack include:

Denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in a "SYN Flood" attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support. Then, legitimate users of the system being attacked are not allowed to connect until the open connections are closed or can time out.

Internet Protocol (IP) spoofing, which allows an intruder via the Internet to effectively impersonate a local system's IP address in an attempt to gain access to that system. If other local systems perform session authentication based on a connection's IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password.

Trojan horses, which are programs that contain additional (hidden) functions that usually allow malicious or unintended activities. A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying, or destroying data. Trojan horses can be attached to e-mails and may create a "back door" that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced. 

Viruses, which are computer programs that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programs. The virus program may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may be contained in an e-mail attachment and become active when the attachment is opened.
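The SYN Flood paragraph above describes the symptom a defender can actually measure: more half-open connections than the listening service can hold. The script below, an added example that is not part of the FDIC paper or this newsletter, reads a constructed netstat-style connection table, counts SYN_RECV entries per listening port, and raises an alert when the count exceeds an assumed backlog; the distinct-source count is there because a flood built on spoofed source addresses (the IP spoofing item above) shows up as many addresses that never complete the handshake. `backlog_limit`, `SAMPLE_CONN_TABLE` and all addresses are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed netstat-style sample (not real data). Columns: proto, recv-q,
# send-q, local address, foreign address, state. A real check would feed in
# the output of `netstat -ant` on the monitored host.
SAMPLE_CONN_TABLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.0.0.5:443 198.51.100.10:51234 ESTABLISHED
tcp 0 0 10.0.0.5:443 203.0.113.1:40001 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.2:40002 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.3:40003 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.4:40004 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.5:40005 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.6:40006 SYN_RECV
tcp 0 0 10.0.0.5:22 198.51.100.20:50000 ESTABLISHED
tcp 0 0 10.0.0.5:22 198.51.100.21:50001 SYN_RECV
"""

def parse_conn_table(text):
    """Return (local_port, remote_ip, state) for each TCP line; skip headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "tcp":
            continue  # header or malformed line
        local_port = int(parts[3].rsplit(":", 1)[1])
        remote_ip = parts[4].rsplit(":", 1)[0]
        rows.append((local_port, remote_ip, parts[5]))
    return rows

def half_open_report(text, backlog_limit=5):
    """Count half-open (SYN_RECV) connections per listening port.

    backlog_limit is a hypothetical threshold; set it to the real listen
    backlog of the service. A high distinct_sources count alongside a high
    half_open count is the pattern of a flood using forged source addresses,
    since each forged address never finishes the handshake.
    """
    half_open = Counter()
    sources = defaultdict(set)
    for port, remote_ip, state in parse_conn_table(text):
        if state == "SYN_RECV":
            half_open[port] += 1
            sources[port].add(remote_ip)
    return {port: {"half_open": n,
                   "distinct_sources": len(sources[port]),
                   "alert": n > backlog_limit}
            for port, n in half_open.items()}
```

On the sample, port 443 carries six half-open connections from six sources and is flagged; port 22 has one and is not.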


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

2)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or 15? [§4(a)(2)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

IT Security Checklist - A weekly email that provides an effective method to prepare for your IT examination.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
