FYI -
Court allows suit against bank for lax security - Citizens Financial
Bank should have offered strong authentication, plaintiffs claim - A
couple whose bank account was breached can sue their bank for its
alleged failure to implement the latest security measures designed
to prevent such compromises.
http://www.computerworld.com/s/article/9137451/Court_allows_suit_against_bank_for_lax_security?source=rss_security
FYI -
Five men named in racket that netted $4m in stolen card data -
Prosecutors in Manhattan have named five additional men from Eastern
Europe in an alleged scheme that pilfered $4m using more than 95,000
stolen credit cards.
http://www.theregister.co.uk/2009/09/01/international_payment_card_ring/
FYI -
TJX agrees to settle another breach lawsuit for $525,000 -
Two-and-a-half years later, the retailer is still handling fallout
from data compromise - TJX Companies Inc. has agreed to pay $525,000
to settle a lawsuit brought by several banks in connection with the
massive data breach disclosed by the retailer in January 2007.
http://www.computerworld.com/s/article/9137491/TJX_agrees_to_settle_another_breach_lawsuit_for_525_000
http://www.scmagazineus.com/TJX-settles-for-525K-with-four-banks-over-breach/article/148095/?DCMP=EMC-SCUS_Newswire
FYI -
GAO - DOD Needs to Strengthen Management of Its Statutorily Mandated
Software and System Process Improvement Efforts.
Report -
http://www.gao.gov/new.items/d09888.pdf
Highlights -
http://www.gao.gov/highlights/d09888high.pdf
FYI -
Breaching Fort Apache.org - What went wrong? - Open-sourcers put
locks on keys - Administrators at the Apache Software Foundation
have pledged to restrict the use of Secure Shell keys for accessing
servers over their network following a security breach on Monday
that briefly forced the closure of the popular open-source website.
http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/
FYI -
H1N1 Pandemic Preparedness Papers from SANS Technology Institute
degree Candidates. If you are trying to decide how prepared you and
your IT systems are for an H1N1 pandemic, you'll want to read the
mini-thesis submitted by Jim Beechey and Rob VandenBrink as part of
their candidacy for Master of Science in Security Engineering at the
SANS Technology Institute. It has an associated PowerPoint
presentation you will find useful for educating others.
http://www.sans.edu/resources/pandemic-preparedness/
FYI -
Conficker borks London council - Dirty USB shuts systems for days -
An Ealing council employee infected the UK local authority's IT
systems with the Conficker-D worm after he plugged an infected USB
into a work computer, causing tens of thousands of pounds in damages
in the process.
http://www.theregister.co.uk/2009/09/04/ealing_council_mystery_malware/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Navy laptop with personal info missing - Naval Hospital Pensacola
will be notifying thousands of beneficiaries who use its pharmacy
services, following the disappearance of a laptop computer August 18
which contains personally identifiable information.
http://www.fox10tv.com/dpp/news/local_news/pensacola/Navy_Laptop_With_Personal_Info_Missing
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Principle 4: Banks should ensure that proper authorization
controls and access privileges are in place for e-banking systems,
databases and applications.
In order to maintain segregation of duties, banks need to strictly
control authorization and access privileges. Failure to provide
adequate authorization control could allow individuals to alter
their authority, circumvent segregation and gain access to e-banking
systems, databases or applications to which they are not privileged.
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number of
security-related threats. Coverage varies by insurance company, but
currently available insurance products may include coverage for the
following risks:
! Vandalism of financial institution Web sites,
! Denial-of-service attacks,
! Loss of income,
! Computer extortion associated with threats of attack or disclosure
of data,
! Theft of confidential information,
! Privacy violations,
! Litigation (breach of contract),
! Destruction or manipulation of data (including viruses),
! Fraudulent electronic signatures on loan agreements,
! Fraudulent instructions through e-mail,
! Third-party risk from companies responsible for security of
financial institution systems or information,
! Insiders who exceed system authorization, and
! Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third-party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
security incidents.
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
IT SECURITY
QUESTION:
ENCRYPTION
1. Review the information security risk
assessment and identify those items and areas classified as
requiring encryption.
2. Evaluate the appropriateness of the criteria used to select the
type of encryption/cryptographic algorithms.
! Consider if cryptographic algorithms are both publicly known
and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish,
etc.) or banking industry standard algorithms.
! Note the basis for choosing key sizes (e.g., 40-bit,
128-bit) and key space.
! Identify management's understanding of cryptography and
expectations of how it will be used to protect data.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
25. Does the institution permit
each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as
applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]