REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Supreme Court allows wiretapping immunity law to stand - Hepting v. AT&T, a suit challenging the FISA Amendments Act, comes to an end. The Supreme Court declined to review a lower court ruling in a case that challenged a Bush-era law (the FISA Amendments Act), retroactively giving telecommunications firms - including Verizon, Sprint, and AT&T - legal immunity after performing warrantless wiretapping at the government’s request. http://arstechnica.com/tech-policy/2012/10/supreme-court-allows-wiretapping-immunity-law-to-stand/

FYI - DLA Demands Chip Makers Tag Products With Plant DNA; A War On Counterfeiters - This November, the Defense Logistics Agency will require companies selling microcircuits to the military to stamp their products with an unlikely seal of authenticity: plant DNA. http://defense.aol.com/2012/10/08/dla-demands-chip-makers-tag-products-with-plant-dna-a-war-on-co/

FYI - Use of location data not well-disclosed - A GAO report says that mobile carriers and app developers provide inconsistent and unclear information about their use of location data - Mobile carriers and app providers do not consistently or clearly disclose to customers how they use location information and other personal data, according to a new report from government auditor the U.S. Government Accountability Office (GAO). http://www.computerworld.com/s/article/9232306/US_senator_Use_of_location_data_not_well_disclosed?taxonomyId=17

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Irish Google, Yahoo Domains Taken Offline Briefly After Security Breach - Users of Google.ie and Yahoo.ie were impacted by the incident, which stemmed from an unauthorized access of a registrar's account. The DNS name server records of both domains were changed to point to other name servers associated with well-known hacking sites, officials say. http://www.eweek.com/security/irish-google-yahoo-domains-taken-offline-briefly-after-security-breach/

FYI - Thousands of student records stolen in Florida college breach - Confidential information of nearly 300,000 students, faculty, and employees is accessed in hack, education officials warn. Hackers have accessed the confidential information of nearly 300,000 students, employees, and faculty in a massive security breach at a Florida college, officials said today.
http://news.cnet.com/8301-1009_3-57530164-83/thousands-of-student-records-stolen-in-florida-college-breach/
http://www.scmagazine.com/massive-data-breach-at-florida-college/article/263497/?DCMP=EMC-SCUS_Newswire

FYI - Bank Hacks: Iran Blame Game Intensifies - Wells Fargo official says scale of the attacks was "pretty significant." Is this the face of "cyberwar"? Who's behind the continuing series of attacks against the websites of numerous U.S. banks? A flurry of news reports Friday pointed the finger squarely at Iran. http://www.informationweek.com/security/attacks/bank-hacks-iran-blame-game-intensifies/240009068

FYI - Cyberthieves loot $400,000 from city bank account - Cybertheft comes just days after RSA issued a warning that criminal gang planned massive attacks against U.S. banking customers - Burlington, Wash. officials have notified hundreds of employees and residents that their bank account information was compromised last week when hackers broke into city systems and stole more than $400,000 from a city account at Bank of America. http://www.computerworld.com/s/article/9232372/Cyberthieves_loot_400_000_from_city_bank_account?taxonomyId=82

FYI - NZ government network leaking data like a sieve - Ministry apologises, launches investigation - A row has broken out in New Zealand after a blogger exposed serious security flaws in that country’s job-seeker network. http://www.theregister.co.uk/2012/10/14/nz_mnd_leaks_data/

FYI - Hackers Breach 53 Universities and Dump Thousands of Personal Records Online - Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world. http://bits.blogs.nytimes.com/2012/10/03/hackers-breach-53-universities-dump-thousands-of-personal-records-online/?elq=3c0a7e78ad19446eac41cc0334bf6d74&elqCampaignId=269

FYI - Cyberthieves steal $400,000 from Bank of America - The account -- now frozen -- is used to pay city government workers in Burlington, Wash., via direct deposit. http://news.cnet.com/8301-1009_3-57533007-83/cyberthieves-steal-$400000-from-bank-of-america/?tag=nl.e757&s_cid=e757

FYI - University of Georgia latest target of data breach - The University of Georgia (UGA) is investigating a data breach that may have led to compromised information of current and former school employees – marking the school's second breach in just over a year. http://www.scmagazine.com/university-of-georgia-latest-target-of-data-breach/article/263928/?DCMP=EMC-SCUS_Newswire

FYI - New cyber attacks on U.S. banks; Iran suspected - Cyber attacks on U.S. banks continued this week from suspected hackers believed to be supported by the Iranian government, according to U.S. http://security.blogs.cnn.com/2012/10/18/new-cyber-attacks-on-u-s-banks-iran-suspected/?hpt=us_c2

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (3of 12)

Elements of an Incident Response Program

Although the specific content of an IRP will differ among financial institutions, each IRP should revolve around the minimum procedural requirements prescribed by the Federal bank regulatory agencies. Beyond this fundamental content, however, strong financial institution management teams also incorporate industry best practices to further refine and enhance their IRP. In general, the overall comprehensiveness of an IRP should be commensurate with an institution's administrative, technical, and organizational complexity.

Minimum Requirements

The minimum required procedures addressed in the April 2005 interpretive guidance can be categorized into two broad areas: "reaction" and "notification." In general, reaction procedures are the initial actions taken once a compromise has been identified. Notification procedures are relatively straightforward and involve communicating the details or events of the incident to interested parties; however, they may also involve some reporting requirements.  Below lists the minimum required procedures of an IRP as discussed in the April 2005 interpretive guidance.

Develop reaction procedures for:

1) assessing security incidents that have occurred;
2) identifying the customer information and information systems that have been accessed or misused; and
3)containing and controlling the security incident.

Establish notification procedures for:

1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious Activity Reports [SARs], if necessary); and
3) affected customers.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Using "Wired Equivalent Privacy" (WEP) by itself to provide wireless network security may lead a financial institution to a false sense of security. Information traveling over the network appears secure because it is encrypted. This appearance of security, however, can be defeated in a relatively short time.

Through these types of attacks, unauthorized personnel could gain access to the financial institution's data and systems. For example, an attacker with a laptop computer and a wireless network card could eavesdrop on the bank's network, obtain private customer information, obtain access to bank systems and initiate unauthorized transactions against customer accounts.

Another risk in implementing wireless networks is the potential disruption of wireless service caused by radio transmissions of other devices. For example, the frequency range used for 802.11b equipment is also shared by microwave ovens, cordless phones and other radio-wave-emitting equipment that can potentially interfere with transmissions and lower network performance. Also, as wireless workstations are added within a relatively small area, they will begin to compete with each other for wireless bandwidth, decreasing the overall performance of the wireless network.

Risk Mitigation Components -- Wireless Internal Networks

A key step in mitigating security risks related to the use of wireless technologies is to create policies, standards and procedures that establish minimum levels of security. Financial institutions should adopt standards that require end-to-end encryption for wireless communications based on proven encryption methods. Also, as wireless technologies evolve, new security and control weaknesses will likely be identified in the wireless software and security protocols. Financial institutions should actively monitor security alert organizations for notices related to their wireless network devices.

For wireless internal networks, financial institutions should adopt standards that require strong encryption of the data stream through technologies such as the IP Security Protocol (IPSEC). These methods effectively establish a virtual private network between the wireless workstation and other components of the network. Even though the underlying WEP encryption may be broken, an attacker would be faced with having to defeat an industry-proven security standard.

Financial institutions should also consider the proximity of their wireless networks to publicly available places. A wireless network that does not extend beyond the confines of the financial institution's office space carries with it far less risk than one that extends into neighboring buildings. Before bringing a wireless network online, the financial institution should perform a limited pilot to test the effective range of the wireless network and consider positioning devices in places where they will not broadcast beyond the office space. The institution should also be mindful that each workstation with a wireless card is a transmitter. Confidential customer information may be obtained by listening in on the workstation side of the conversation, even though the listener may be out of range of the access device.

The financial institution should consider having regular independent security testing performed on its wireless network environment. Specific testing goals would include the verification of appropriate security settings, the effectiveness of the wireless security implementation and the identification of rogue wireless devices that do not conform to the institution's stated standards. The security testing should be performed by an organization that is technically qualified to perform wireless testing and demonstrates appropriate ethical behavior.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13-15, unless:

a.  it has provided the consumer with an initial notice; [§10(a)(1)(i)]

b.  it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]

c.  it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and

d.  the consumer has not opted out? [§10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])