Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
For more
information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
Cyber-security Hurts Federal Government Productivity, Survey Says -
Officials from 28 federal agencies say cyber-security measures
impact productivity by restricting access to information and
delaying communications with others, according to a Government
Business Council survey. Officials say they often bypass security
controls on purpose to get things done.
http://www.eweek.com/c/a/Security/CyberSecurity-Cutting-Federal-Government-Productivity-Survey-744792/
FYI -
Android Apps More Open Than Users Know - One of the elements of
Android that is often touted over iOS and other mobile platforms is
that it is open source. The open nature of Android means that
vendors can build on and extend the platform, or that developers are
free to create apps unfettered by restrictive rules and approval
processes. A new report, though, shows that many Android apps take
that open nature a bit too far and share sensitive information
without the user's knowledge.
http://www.pcworld.com/businesscenter/article/206644/android_apps_more_open_than_users_know.html?tk=hp_new
FYI -
State CISOs hampered by budget cuts - A full 46% of state chief
information security officers (CISOs) have experienced cybersecurity
budget cuts while internal and external cyber threats increase,
whereas 33% have seen no change in funding. This is according to a
survey by Deloitte and the National Association of State Chief
Information Officers (NASCIO).
http://www.infosecurity-us.com/view/12812/state-cisos-see-budget-cuts-coming/
FYI -
UK faces EU case over online privacy - European commission says UK
does not comply with EU law, after failing to investigate BT's
trials of Phorm software - The European commission is taking the UK
government to court for breaching European Union laws on internet
privacy.
http://www.guardian.co.uk/technology/2010/oct/01/eu-online-privacy
FYI -
India claims access to BlackBerry comms - Long way from resolution,
with only weeks to go - The Indian government is claiming that RIM
has offered it access to instant messaging conversations within
hours of a request, though access to email remains unresolved with
time running out.
http://www.theregister.co.uk/2010/10/04/rim_india_blackberry/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Feds hit Zeus group, but the brains remain overseas - U.S.
authorities dealt a significant blow to the most successful computer
crime organization this week, but it's unclear whether the
masterminds behind the Zeus malware will ever be brought to justice.
http://www.computerworld.com/s/article/9189019/Feds_hit_Zeus_group_but_the_brains_remain_overseas?taxonomyId=17
FYI -
French cops take down mobile phone hacking ring - Pick a number, any
number - French police have arrested nine people, including mobile
telco employees, suspected of running a multi-million Euro telecom
charges fraud that may have been going for almost a decade.
http://www.theregister.co.uk/2010/09/28/france_mobile_fraud_investigation/
FYI -
Hackers Steal $600,000 from Brigantine, NJ - Organized cyber thieves
took roughly $600,000 from the coastal city of Brigantine, New
Jersey this week after stealing the city’s online banking
credentials.
http://krebsonsecurity.com/2010/10/hackers-steal-600000-from-brigantine-nj/
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
multiple-page advertisements.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure that
appropriate security precautions have been implemented and that
system security configurations are appropriate. The next step is to
monitor the system for intrusions and unusual activities. Intrusion
detection systems (IDS) may be useful because they act as a burglar
alarm, reporting potential intrusions to appropriate personnel. By
analyzing the information generated by the systems being guarded,
IDS help determine if necessary safeguards are in place and are
protecting the system as intended. In addition, they can be
configured to automatically respond to intrusions.
Computer system components or applications can generate detailed,
lengthy logs or audit trails that system administrators can manually
review for unusual events. IDS automate the review of logs and audit
data, which increases the reviews' overall efficiency by reducing
costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an agent,
which is the component that actually collects the information.
Second is a manager, which processes the information collected by
the agents. Third is a console, which allows authorized information
systems personnel to remotely install and upgrade agents, define
intrusion detection scenarios across agents, and track intrusions as
they occur. Depending on the complexity of the IDS, there can be
multiple agent and manager components.
Generally, IDS products use three different methods to detect
intrusions. First, they can look for identified attack signatures,
which are streams or patterns of data previously identified as an
attack. Second, they can look for system misuse such as unauthorized
attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that are different from the
user's or system's normal pattern. These "anomaly-based" products
(which use artificial intelligence) are designed to detect subtle
changes or new attack patterns, and then notify appropriate
personnel that an intrusion may be occurring. Some anomaly-based
products are created to update normal use patterns on a regular
basis. Poorly designed anomaly-based products can trigger frequent
false-positive responses.
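To make the three detection methods concrete, here is an added example (not code from the newsletter or the FDIC paper): a toy log-review IDS that runs signature matching, misuse rules and a per-user anomaly baseline over a constructed one-day audit trail; all users, paths, thresholds and baseline counts are made up for the illustration.

```python
# Added example (not from the newsletter or the FDIC paper): a toy
# log-review IDS applying the three detection methods the paper lists
# (signature, misuse, anomaly) to a constructed audit trail.
import re
from collections import Counter
from statistics import mean, pstdev
# Constructed audit trail for one day: (user, event, detail).
SAMPLE_LOG = (
    [("alice", "login_ok", "10.0.0.5"),
     ("alice", "file_read", "/home/alice/report.txt"),
     ("carol", "file_read", "/etc/shadow"),
     ("dave", "http_request", "GET /cgi-bin/../../etc/passwd"),
     ("dave", "http_request", "GET /search?q=x' OR 1=1")]
    + [("bob", "login_fail", "10.0.0.9")] * 6
    + [("erin", "file_read", "/srv/loans/%03d.pdf" % i) for i in range(40)]
)
# 1. Signatures: data patterns previously identified as attacks.
SIGNATURES = {"path_traversal": re.compile(r"\.\./"),
              "sql_tautology": re.compile(r"(?i)\bor\b\s+1\s*=\s*1")}
# 2. Misuse rules: files users may not read, and a failed-login ceiling.
RESTRICTED_FILES = {"/etc/shadow", "/etc/sudoers"}
MAX_LOGIN_FAILURES = 5
# 3. Anomaly baseline: each user's daily event counts from prior days.
BASELINE = {"alice": [10, 12, 11, 9, 10], "bob": [4, 5, 4, 6, 5],
            "carol": [3, 4, 3, 3, 2], "dave": [7, 8, 7, 8, 7],
            "erin": [5, 6, 5, 4, 5]}

def detect(log, baseline=BASELINE, k=2.0):
    """Return sorted (method, user, reason) alerts for one day's log."""
    alerts, failures, activity = set(), Counter(), Counter()
    for user, event, detail in log:
        activity[user] += 1
        for name, pat in SIGNATURES.items():          # signature matching
            if pat.search(detail):
                alerts.add(("signature", user, name))
        if event == "file_read" and detail in RESTRICTED_FILES:
            alerts.add(("misuse", user, "restricted file " + detail))
        if event == "login_fail":
            failures[user] += 1
    for user, n in failures.items():                  # misuse threshold
        if n > MAX_LOGIN_FAILURES:
            alerts.add(("misuse", user, "%d failed logins" % n))
    for user, n in activity.items():                  # anomaly: > mean + k*sd
        history = baseline.get(user)
        if not history:    # new account: no normal pattern to compare against
            alerts.add(("anomaly", user, "no baseline"))
        elif n > mean(history) + k * pstdev(history):
            alerts.add(("anomaly", user, "%d events vs ~%.1f/day" % (n, mean(history))))
    return sorted(alerts)
```

Note that bob's six failed logins trip the misuse rule but stay within his anomaly baseline, while erin's volume trips only the anomaly check: the three methods catch different things, which is why the paper presents them side by side.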
Although IDS may be an integral part of an institution's overall
system security, they will not protect a system from previously
unknown threats or vulnerabilities. They are not self-sufficient and
do not compensate for weak authentication procedures (e.g., when an
intruder already knows a password to access the system). Also, IDS
often have overlapping features with other security products, such
as firewalls. IDS provide additional protections by helping to
determine if the firewall programs are working properly and by
helping to detect internal abuses. Both firewalls and IDS need to be
properly configured and updated to combat new types of attacks. In
addition, management should be aware that the state of these
products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports,
including text, charts, and graphs. The IDS reports can provide
background information on the type of attack and recommend courses
of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may
be needed later for documentation purposes.
FYI - Please remember that we
perform vulnerability-penetration studies and would be happy to
e-mail {custom4} a proposal. E-mail Kinney Williams at
examiner@yennik.com for
more information.
INTERNET PRIVACY - We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
Initial Privacy Notice
6. Does the institution provide an annual privacy notice to each
customer whose loan the institution owns the right to service?
[§§5(c), 4(c)(2)]