Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - 7 Lessons: Surviving A Zero-Day Attack - Pacific Northwest National Laboratory CIO Jerry Johnson takes you inside the cyber attack that he faced down--and shares his security lessons learned. When Pacific Northwest National Laboratory detected a cyber attack--actually two of them--against its tech infrastructure in July, the lab acted quickly to root out the exploits and secure its network. http://www.informationweek.com/news/security/attacks/231601692

FYI - Telecommunications regulator bars DigiNotar from issuing certificates - The Dutch telecommunications regulator (OPTA) has barred the DigiNotar Certificate Authority from issuing further qualified certificates. http://www.h-online.com/security/news/item/Telecommunications-regulator-bars-DigiNotar-from-issuing-certificates-1344786.html

FYI - Man stole data from U.S. service members via P2P - A California man who dug up sensitive information belonging to U.S. service members on peer-to-peer networks, and then used it to order iPods, cameras, and even washing machines from an online store, was sentenced to 75 months in federal prison Thursday. http://www.computerworld.com/s/article/9220078/Man_stole_data_from_U.S._service_members_via_P2P?taxonomyId=17

FYI - FISMA Mandates Monthly Security Reports For Agencies - Move from annual reports to consistent CyberScope submissions expected to lighten agencies' compliance burden, tighten federal cybersecurity. Federal agencies must begin reporting security data to an online compliance tool as part of fiscal year 2011 requirements for the Federal Information Security Management Act (FISMA). http://www.informationweek.com/news/government/security/231601481
http://www.scmagazineus.com/fisma-compliance-to-require-monthly-reports/article/212348/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - FBI investigating 400 bank account takeovers - Despite fresh guidance and quicker fraud detection, the FBI actively is investigating more than 400 cases of corporate bank account takeovers, an official told federal lawmakers last week. http://www.scmagazineus.com/official-fbi-investigating-400-bank-account-takeovers/article/212338/?DCMP=EMC-SCUS_Newswire

FYI - SpyEye hacking kit adds Android infection to bag of tricks - Intercepts text messages bank use as secondary authentication for account access - The SpyEye hacking toolkit has added an Android component that collects the text messages some banks use as an extra security precaution, a researcher said today. http://www.computerworld.com/s/article/9219963/SpyEye_hacking_kit_adds_Android_infection_to_bag_of_tricks

FYI - Hacker "soldier" steals $3.2 million from U.S. companies - A hacker known in the cybercriminal underground as “soldier” has stolen $3.2 million from major U.S. corporations in the past six months, according to researchers at anti-virus firm Trend Micro. http://www.scmagazineus.com/hacker-soldier-steals-32-million-from-us-companies/article/212070/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.

Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)

Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign-up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Firewall Policy (Part 3 of 3)

Financial institutions can reduce their vulnerability to these attacks somewhat through network configuration and design, sound implementation of its firewall architecture that includes multiple filter points, active firewall monitoring and management, and integrated intrusion detection. In most cases, additional access controls within the operating system or application will provide an additional means of defense.

Given the importance of firewalls as a means of access control, good practices include:

! Hardening the firewall by removing all unnecessary services and appropriately patching, enhancing, and maintaining all software on the firewall unit;
! Restricting network mapping capabilities through the firewall, primarily by blocking inbound ICMP traffic;
! Using a ruleset that disallows all traffic that is not specifically allowed;
! Using NAT and split DNS (domain name service) to hide internal system names and addresses from external networks (split DNS uses two domain name servers, one to communicate outside the network, and the other to offer services inside the network);
! Using proxy connections for outbound HTTP connections;
! Filtering malicious code;
! Backing up firewalls to internal media, and not backing up the firewall to servers on protected networks;
! Logging activity, with daily administrator review;
! Using intrusion detection devices to monitor actions on the firewall and to monitor communications allowed through the firewall;
! Administering the firewall using encrypted communications and strong authentication, only accessing the firewall from secure devices, and monitoring all administrative access;
! Limiting administrative access to few individuals; and
! Making changes only through well - administered change control procedures.
 
Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 2 of 6)

Notice Duties to Customers:

In addition to the duties described above, there are several duties unique to customers. In particular, regardless of whether the institution discloses or intends to disclose nonpublic personal information, a financial institution must provide notice to its customers of its privacy policies and practices at various times.

1)  A financial institution must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. Section 4(e) of the regulations describes the exceptional cases in which delivery of the notice is allowed subsequent to the establishment of the customer relationship.

2)  A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship.

3)  Generally, new privacy notices are not required for each new product or service. However, a financial institution must provide a new notice to an existing customer when the customer obtains a new financial product or service from the institution, if the initial or annual notice most recently provided to the customer was not accurate with respect to the new financial product or service.

4)  When a financial institution does not disclose nonpublic personal information (other than as permitted under section 14 and section 15 exceptions) and does not reserve the right to do so, the institution has the option of providing a simplified notice.