REMINDER - The Information
Security and Risk Management Conference is being held September
28-30, 2009 in Las Vegas, Nevada. This is a great conference that I
highly recommend. For more information and to register, please go to
http://www.isaca.org/isrmc.
FYI -
Incompetence a bigger IT security threat than malign insiders -
Accidental security incidents involving workers happen more
frequently and have the greater potential for negative impact than
malicious insider attacks, according to new research from RSA.
http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/
http://news.bbc.co.uk/2/hi/technology/8215467.stm
FYI -
FBI investigating mystery laptops sent to governors - There may be a
new type of Trojan Horse attack to worry about - The U.S. Federal
Bureau of Investigation is trying to figure out who sent five
Hewlett-Packard laptop computers to West Virginia Governor Joe
Manchin a few weeks ago, with state officials worried that they may
contain malicious software.
http://www.computerworld.com/s/article/9137208/FBI_investigating_mystery_laptops_sent_to_governors?source=rss_security
FYI -
Twitter fails to fix massive cross-site scripting bug, researcher
says - Hackers can hijack accounts more easily by getting people to
view a tweet, he says - A vulnerability in Twitter Inc.'s popular
microblogging service remains unfixed and can be used by criminals
to hijack accounts or redirect users to malicious Web sites, a
developer claimed.
http://www.computerworld.com/s/article/9137164/Twitter_fails_to_fix_massive_cross_site_scripting_bug_researcher_says_?source=rss_security
FYI -
Phishing Attacks on the Wane - Phishing attacks have fallen out of
favor among cyber crooks who make a living stealing personal and
financial information, according to a report released this week by
IBM. Instead, attackers increasingly are using malicious Web links
and password-stealing Trojan horse programs to filch information
from victims, the company found.
http://voices.washingtonpost.com/securityfix/2009/08/phishing_attacks_on_the_wane.html
FYI -
DHS Clarifies Laptop Border Searches - The new rules leave open the
possibility that travelers may face penalties for refusing to
provide passwords or encryption keys. The Department of Homeland
Security on Thursday released new directives covering border
searches of electronic devices and media, but the government's rules
leave open the question of whether individuals can be compelled to
provide passwords and encryption keys.
http://www.techweb.com/article/showArticle?articleID=219500468&section=News
http://fcw.com/Articles/2009/08/28/DHS-sets-new-policy-on-computer-searches-at-border.aspx
FYI -
Security test prompts federal fraud alert - A sanctioned security
test of a bank's computer systems had some unexpected consequences
this week, leading the federal agency that oversees U.S. credit
unions to issue a fraud alert.
http://www.computerworld.com/s/article/9137215/Security_test_prompts_federal_fraud_alert?source=rss_security
http://www.cutimes.com/News/2009/8/Pages/NCUA-Chastises-Computer-Security-Test.aspx
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Home Office data loss included drug records - The Home Office has
confirmed that the volume of data on a lost memory stick was much
larger than originally reported.
http://news.zdnet.co.uk/security/0,1000000189,39730190,00.htm
FYI -
Top hacker arrested - A top hacker has been arrested for
manipulating 100,000 computers. Chinese news service Xinhua is
reporting the tale of the super hacker who formed a 'corpse network'
of some 100,000 computers, and used them to do his foul bidding.
http://www.techspot.com/news/17248-top-hacker-arrested.html
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Principle 3: Banks should ensure that appropriate measures
are in place to promote adequate segregation of duties within
e-banking systems, databases and applications.
Segregation of duties is
a basic internal control measure designed to reduce the risk of
fraud in operational processes and systems and ensure that
transactions and company assets are properly authorized, recorded
and safeguarded. Segregation of duties is critical to ensuring the
accuracy and integrity of data and is used to prevent the
perpetration of fraud by an individual. If duties are adequately
separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties is established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to
ensure that no single employee/outsourced service provider could
enter, authorize and complete a transaction.
2) Segregation should be maintained between those initiating
static data (including web page content) and those responsible for
verifying its integrity.
3) E-banking systems should be tested to ensure that
segregation of duties cannot be bypassed.
4) Segregation should be maintained between those developing
and those administrating e-banking systems.
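The first practice above (no single person may enter, authorize and complete a transaction) and the audit-trail point are shown here as an added example; it is not code from the newsletter or the Basel Committee, and the Ledger, Transaction and role names ("entry", "authorize", "release") are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class SegregationViolation(Exception):
    """One identity would perform two of enter/authorize/complete."""


@dataclass
class Transaction:
    tx_id: str
    amount: int
    entered_by: Optional[str] = None
    authorized_by: Optional[str] = None
    completed_by: Optional[str] = None


@dataclass
class Ledger:
    # Role grants live here, not on the transaction, so the user acting on a
    # step cannot alter them. Assumed roles: "entry", "authorize", "release".
    roles: Dict[str, Set[str]]
    # Append-only audit trail of (transaction, step, actor).
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def _step(self, tx: Transaction, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks role {role!r}")
        # Even a user holding several roles may act on a given transaction
        # only once: this per-transaction check is what role checks alone miss.
        if user in (tx.entered_by, tx.authorized_by, tx.completed_by):
            raise SegregationViolation(f"{user} already acted on {tx.tx_id}")
        self.audit.append((tx.tx_id, role, user))

    def enter(self, tx: Transaction, user: str) -> None:
        self._step(tx, user, "entry")
        tx.entered_by = user

    def authorize(self, tx: Transaction, user: str) -> None:
        if tx.entered_by is None:
            raise ValueError("nothing to authorize")
        self._step(tx, user, "authorize")
        tx.authorized_by = user

    def complete(self, tx: Transaction, user: str) -> None:
        if tx.authorized_by is None:
            raise ValueError("transaction not yet authorized")
        self._step(tx, user, "release")
        tx.completed_by = user
```

A user such as an outsourced operator who has been granted all three roles is still stopped at the second step on the same transaction, so fraud would require collusion between at least three identities.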
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
INSURANCE (Part 1 of 2)
Financial institutions have used insurance coverage as an effective
method to transfer risks from themselves to insurance carriers.
Insurance coverage is increasingly available to cover risks from
security breaches or denial of service attacks. For example, several
insurance companies offer e-commerce insurance packages that can
reimburse financial institutions for losses from fraud, privacy
breaches, system downtime, or incident response. When evaluating the
need for insurance to cover information security threats, financial
institutions should understand the following points:
! Insurance is not a substitute for an effective security program.
! Traditional fidelity bond coverage may not protect from losses
related to security intrusions.
! Availability, cost, and covered risks vary by insurance company.
! Availability of new insurance products creates a more dynamic
environment for these factors.
! Insurance cannot adequately cover the reputation and compliance
risk related to customer relationships and privacy.
! Insurance companies typically require companies to certify that
certain security practices are in place.
IT SECURITY QUESTION:
SERVICE PROVIDER OVERSIGHT-SECURITY
6. Determine if institution oversight of third party provider
security controls is adequate.
7. Determine if any third party provider access to the institution's
system is controlled according to "Authentication and Access
Controls" and "Network Security" procedures.
8. Determine if the contract requires secure remote communications,
as appropriate.
9. Determine if the institution appropriately assessed the third
party provider's procedures for hiring and monitoring personnel who
have access to the institution's systems and data.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
23. If the institution delivers the opt out notice after the initial
notice, does the institution provide the initial notice once again
with the opt out notice? [§7(c)]
24. Does the institution provide an opt out notice, explaining how
the institution will treat opt out directions by the joint
consumers, to at least one party in a joint consumer relationship?
[§7(d)(1)]