Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 21, 2007

Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Hacking Damage Limited, Bank Reports - Commerce Bank says it deflected most of a hacking attempt on its database, but some customer information was divulged. A regional bank in the U.S. said it was able to deflect most of a hacking attempt on its database, but not before some customer information was divulged. http://www.pcworld.com/article/id,138276/article.html?tk=nl_dnxnws

FYI - Feds pull the domain name plug on state of California - The federal government pulled the plug on the Web domain name used by the state of California on Tuesday, setting into motion a chain of events that threatened to grind government business to a standstill within the state. State IT staffers were able to fix the problem within a few hours, narrowly averting disaster, but the situation shed light on what observers are calling a shocking weakness in the state's IT infrastructure. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040858&source=rss_topic17

FYI - The National Institute of Standards and Technology (NIST) has released five new and revised publications related to information security: SP 800-44 version 2, "Guidelines on Securing Public Web Servers;" Draft SP 800-55 Revision 1, "Performance Measurement Guide for Information Security;" Draft SP 800-61 Revision 1, "Computer Security Incident Handling Guide;" SP 800-82, "Guide to Industrial Control Systems Security;" and Draft SP 800-110, "Information System Security Reference Model."
http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf
http://csrc.nist.gov/publications/drafts/800-55-rev1/Draft-SP800-55r1.pdf
http://csrc.nist.gov/publications/drafts/sp800-61-rev1/Draft-SP800-61rev1.pdf

FYI - Chinese internet security response team under attack - A recent post by the team at the Chinese Internet Security Response Team to their English-language site indicates that some of the site visitors are experiencing an attack from the CISRT.org site as a result of an injected IFRAME tag. http://www.theregister.co.uk/2007/10/02/chinese_internet_security_response_team_attacked/

FYI - VistA outage disrupts Calif. VA hospitals - The Veterans Affairs Department suffered an outage of its electronic health record system for nine hours Aug. 31 at 17 medical facilities in northern California, VA health care officials said. http://www.fcw.com/online/news/150412-1.html?type=pf

FYI - Financial institutions spending on security and governance - Four out of five firms have adopted a security governance framework - The Deloitte & Touche annual survey of security practices at 169 financial institutions found that 98% of them are spending more on information security this year than last year, and putting a greater emphasis on IT governance. http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=5522

MISSING COMPUTERS/DATA

FYI - Hacker breaks into eBay server, locks users out - A malicious hacker broke into an eBay server late last week and temporarily suspended the accounts of a "very small" number of members, the company said.
http://www.linuxworld.com.au/index.php/id;852852913;fp;4;fpid;1
http://www.pcworld.com/article/id,138193/article.html?tk=nl_dnxnws

FYI - Tax man praised for owning up to lost laptop - HM Revenue and Customs (HMRC) has become the latest organisation to apologise to clients as the result of a lost laptop. A machine containing personal data was stolen from the car of an HMRC staff member last month, the UK tax department confirmed on Monday. The tax worker had been using the laptop for a routine audit of tax information from several investment firms. http://www.theregister.co.uk/2007/10/08/hmrc_lost_laptop/print.html

FYI - Privacy breach at MacEwan - A city college chose not to inform students and others whose personal credit information was left publicly available through its Internet site, it has confirmed. MacEwan College was cited in the auditor general's report this week after a tipster told the AG's office about the security breach in 2006. It mirrored access problems in 2002-2003, the AG's report confirmed. http://www.edmontonsun.com/News/Edmonton/2007/10/04/pf-4550530.html



WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft (Part 1 of  6)

Supervisory Policy on Identity Theft

Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly.  This policy statement describes the characteristics of identity theft and emphasizes the FDIC's well-defined expectations that institutions under its supervision detect, prevent and mitigate the effects of identity theft in order to protect consumers and help ensure safe and sound operations.


INFORMATION TECHNOLOGY SECURITY
We continue the series  from the FDIC "Security Risks Associated with the Internet." 

SECURITY MEASURES


Symmetric and Asymmetric Key Systems 


There are two types of cryptographic key systems, symmetric and asymmetric.  With a symmetric key system (also known as a secret key or private key system), all parties have the same key.  The keys can be used to encrypt and decrypt messages, and must be kept secret or the security is compromised.  For the parties to get the same key, there has to be a way to securely distribute the key to each party.  While this can be done, the security controls necessary make this system impractical for widespread and commercial use on an open network like the Internet.  Asymmetric key systems can solve this problem.

In an asymmetric key system (also known as a public key system), two keys are used. One key is kept secret, and therefore is referred to as the "private key."  The other key is made widely available to anyone who wants it, and is referred to as the "public key."  The private and public keys are mathematically related so that information encrypted with the private key can only be decrypted by the corresponding public key.  Similarly, information encrypted with the public key can only be decrypted by the corresponding private key. The private key, regardless of the key system utilized, is typically specific to a party or computer system.  Therefore, the sender of a message can be authenticated as the private key holder by anyone decrypting the message with a public key.  Importantly, it is mathematically impossible for the holder of any public key to use it to figure out what the private key is.  The keys can be stored either on a computer or on a physically separate medium such as a smart card.


Regardless of the key system utilized, physical controls must exist to protect the confidentiality and access to the key(s).  In addition, the key itself must be strong enough for the intended application.  The appropriate encryption key may vary depending on how sensitive the transmitted or stored data is, with stronger keys utilized for highly confidential or sensitive data.  Stronger encryption may also be necessary to protect data that is in an open environment, such as on a Web server, for long time periods.  Because the strength of the key is determined by its length, the longer the key, the harder it is for high-speed computers to break the code.
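
An added illustration of the two key directions and of the key-length point described above; it is not part of the FDIC text or of this newsletter. It uses textbook RSA without padding on a constructed 32-bit modulus, so the function names, primes and sample value are assumptions chosen for the demonstration and are far too small for real use.

```python
# Added illustration: textbook RSA, no padding, toy key size. Not production code.
from math import gcd


def make_keypair(p, q, e=17):
    """Derive (public, private) keys from two primes; both share modulus n."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def apply_key(key, value):
    """The one RSA operation, used for both directions: value^exp mod n."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def recover_private_key(public):
    """Rebuild the private key from the public key by factoring n.

    Trial division succeeds here only because n is 32 bits long. The
    public key never stops revealing n; key length is what makes the
    factoring step impractical.
    """
    n, e = public
    f = 3
    while n % f:
        f += 2
    p, q = f, n // f
    return (n, pow(e, -1, (p - 1) * (q - 1)))


# Constructed sample values: two 17-bit primes and a stand-in message number.
PUBLIC, PRIVATE = make_keypair(65521, 65537)
MESSAGE = 20071021

if __name__ == "__main__":
    sealed = apply_key(PUBLIC, MESSAGE)    # only the private key opens this
    signed = apply_key(PRIVATE, MESSAGE)   # anyone with the public key can check this
    print("confidentiality:", apply_key(PRIVATE, sealed) == MESSAGE)
    print("authentication: ", apply_key(PUBLIC, signed) == MESSAGE)
    print("short key broken:", recover_private_key(PUBLIC) == PRIVATE)
```
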



IT SECURITY QUESTION:  Disaster recovery planning:

a. Is there a written disaster recovery plan?
b. Has the disaster recovery plan been tested within the past year?
c. Does the bank have a backup site?
d. Is a current copy of the disaster recovery plan kept off-site with the backup tapes?
e. Do appropriate personnel have a current copy of the disaster recovery plan at their residence?



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of Sections 14 and 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure of the information where the institution is the recipient of nonpublic personal information (§11(b)). 

B. Select a sample of data received from nonaffiliated financial institutions and shared with others to evaluate the financial institution's compliance with redisclosure limitations.

1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in the step b below (§11(b)(1)(i) and (ii)).

2.  If the institution shares information with entities other than those under step a above, verify that the institution's information sharing practices conform to those in the nonaffiliated financial institution's privacy notice (§11(b)(1)(iii)).

3.  Also, review the procedures used by the institution to ensure that the information sharing reflects the opt out status of the consumers of the nonaffiliated financial institution (§§10, 11(b)(1)(iii)).

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated