FYI -
Security report finds Chinese cyberspying threat growing - A new
report prepared for the U.S.-China Economic and Security Review
Commission has concluded that the Asian nation is likely using its
sophisticated IT systems to spy on America.
http://www.scmagazineus.com/Security-report-finds-Chinese-cyberspying-threat-growing/article/156013/
FYI -
New ID theft rules may not pertain to small businesses - The U.S.
House of Representatives this week unanimously passed legislation
that would exempt certain small organizations from complying with
the Red Flags Rules.
http://www.scmagazineus.com/New-ID-theft-rules-may-not-pertain-to-small-businesses/article/155999/?DCMP=EMC-SCUS_Newswire
FYI -
Pizza-making ATM hacker avoids jail - An Australian pizza store
worker turned hacker has avoided prison after he was convicted of
stealing A$30,000 ($28,000) from ATMs using computer hacking.
http://www.theregister.co.uk/2009/10/23/oz_atm_hacker/
FYI -
Identity theft is too easy and can even be automated says IT
security expert - The realities of identity theft and the modus
operandi of cybercriminals were explained to delegates at this
week's RSA Security conference in London.
http://www.infosecurity-magazine.com/view/4696/rsa-europe-identity-theft-is-too-easy-and-can-even-be-automated-says-it-security-expert/
FYI -
New data shows website hacks continue to grow unabated - More than
two million more web pages were infected with malware during the
third quarter of 2009 compared to the same quarter last year,
according to data gathered by a web anti-malware vendor.
http://www.scmagazineus.com/New-data-shows-website-hacks-continue-to-grow-unabated/article/156291/?DCMP=EMC-SCUS_Newswire
FYI -
Internet phone systems become the fraudster's tool - Cybercriminals
have found a new launching pad for their scams: the phone systems of
small and medium-sized businesses across the U.S.
http://www.computerworld.com/s/article/print/9140018/Internet_phone_systems_become_the_fraudster_s_tool?taxonomyName=Networking+and+Internet&taxonomyId=16
FYI -
GAO - Information Security - Concerted Effort Needed to Improve
Federal Performance Measures.
Report -
http://www.gao.gov/new.items/d09617.pdf
Highlights -
http://www.gao.gov/highlights/d09617high.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Cyber crooks stole $40M from U.S. small, mid-sized firms - Cyber
criminals have stolen at least $40 million from small to mid-sized
companies across America in a sophisticated but increasingly common
form of online banking fraud, the FBI said.
http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
FYI -
CalOptima says data on 68,000 members may be compromised - Plans
notification after loss of disks containing the info - Personally
identifiable information on about 68,000 members of CalOptima, a
Medicaid managed care plan serving Orange County, Calif., may have
been compromised after several CDs containing the information went
missing earlier this month.
http://www.computerworld.com/s/article/9139913/CalOptima_says_data_on_68_000_members_may_be_compromised
FYI -
Guardian loses half a million CVs - Police probe massive hack - The
Guardian newspaper's jobs website has warned 500,000 users that
hackers may have got hold of private information held on the site
after a "sophisticated and deliberate" attack.
http://www.theregister.co.uk/2009/10/26/guardian_jobs_data/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Principle 11: Banks should develop appropriate incident response
plans to manage, contain and minimize problems arising from
unexpected events, including internal and external attacks, that may
hamper the provision of e-banking systems and services.
Effective incident response mechanisms are critical to minimize
operational, legal and reputational risks arising from unexpected
events such as internal and external attacks that may affect the
provision of e-banking systems and services. Banks should develop
appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
services, including those originating from outsourced systems and
operations.
To ensure effective response to unforeseen incidents, banks should
develop:
1) Incident response plans to address recovery of e-banking systems
and services under various scenarios, businesses and geographic
locations. Scenario analysis should include consideration of the
likelihood of the risk occurring and its impact on the bank.
E-banking systems that are outsourced to third-party service
providers should be an integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as it
occurs, assess its materiality, and control the reputation risk
associated with any disruption in service.
3) A communication strategy to adequately address external market
and media concerns that may arise in the event of security breaches,
online attacks and/or failures of e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event that material security breaches or
disruptive incidents occur.
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance of
related output.
6) A clear chain of command, encompassing both internal as well as
outsourced operations, to ensure that prompt action is taken
appropriate for the significance of the incident. In addition,
escalation and internal communication procedures should be developed
and include notification of the Board where appropriate.
7) A process to ensure all relevant external parties, including
bank customers, counterparties and the media, are informed in a
timely and appropriate manner of material e-banking disruptions and
business resumption developments.
8) A process for collecting and preserving forensic evidence to
facilitate appropriate post-mortem reviews of any e-banking
incidents as well as to assist in the prosecution of attackers.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
and testing.
IT SECURITY QUESTION: DATA SECURITY
2. Verify that data is protected consistent with the
financial institution's risk assessment.
• Identify controls used to protect data and determine if the data
is protected throughout its life cycle (i.e., creation, storage,
maintenance, transmission, and disposal) in a manner consistent with
the risk assessment.
• Consider data security controls in effect at key stages such as
data creation/acquisition, storage, transmission, maintenance, and
destruction.
• Review audit and security review reports that summarize if data is
protected consistent with the risk assessment.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
35. Does the institution deliver the privacy and opt out notices,
including the short-form notice, so that the consumer can reasonably
be expected to receive actual notice in writing or, if the consumer
agrees, electronically? [§9(a)]