FYI -
Corporate bank accounts targeted in online fraud - Criminals have
tried to steal an estimated $100 million from corporate bank
accounts using targeted malware and money mules, the FBI said.
http://msn-cnet.com.com/8301-27080_3-10390118-245.html?part=msn-cnet&subj=ns&tag=feed
FYI -
Judge says TD Ameritrade's proposed security fixes aren't enough -
Court rejects company's proposed class-action settlement for 2007
data breach - A federal judge's rejection of a proposed settlement
by TD Ameritrade Inc. in a data breach lawsuit marks the second time
in recent months that a court has weighed in on what it considers to
be basic security standards for protecting data.
http://www.computerworld.com/s/article/9139988/Judge_says_TD_Ameritrade_s_proposed_security_fixes_aren_t_enough?taxonomyId=1&pageNumber=1
FYI -
Small, medium firms cut security budgets - Small and medium
businesses have, for the most part, frozen spending on security,
despite an increase in perceived threats, according to a survey
released this week.
http://www.securityfocus.com/brief/1029
FYI -
CalOptima recovers discs with personal data on 68,000 members -
Discs appear untouched, breach notifications won't go out, spokesman
says - Several missing CDs containing unencrypted personal data on
68,000 members of the CalOptima managed care plan have been traced
to a secure postal facility in Atlanta. The discs went missing two
weeks ago.
http://www.computerworld.com/s/article/9140122/CalOptima_recovers_discs_with_personal_data_on_68_000_members?taxonomyId=17
FYI -
Spoofed FDIC bank fail e-mail - Spam e-mails mimicking the Federal
Deposit Insurance Corp. and warning of additional bank failures are
instead the latest bid by cyber crooks to empty your bank account,
security experts warn.
http://voices.washingtonpost.com/securityfix/2009/10/nastygram_spoofed_fdic_bank_fa.html
FYI -
US-CERT warns about free BlackBerry spyware app - The U.S. Computer
Emergency Readiness Team warned BlackBerry users on Tuesday about a
new program called PhoneSnoop that allows someone to remotely
eavesdrop on phone conversations.
http://news.cnet.com/8301-27080_3-10384179-245.html
http://www.scmagazineus.com/BlackBerry-snooping-application-released/article/156531/?DCMP=EMC-SCUS_Newswire
FYI -
Data breach alerts linked to increased risk of ID theft - Consumers
who have received a data breach notification letter are four times
more likely than others to be the victim of identity theft,
according to a survey.
http://www.scmagazineus.com/Data-breach-alerts-linked-to-increased-risk-of-ID-theft/article/156376/?DCMP=EMC-SCUS_Newswire
FYI -
Brussels criticises UK on privacy - The UK government has been
accused of failing to protect citizens' privacy by the European
Commission. It said the government should have done more to
guarantee online privacy when trials of a controversial ad-serving
system were carried out in 2006.
http://news.bbc.co.uk/2/hi/technology/8337685.stm
FYI -
Federal CIO Kundra Plans Cybersecurity Dashboard - The White House
will introduce new tools and metrics for measuring and managing the
federal government's cybersecurity efforts, federal CIO Vivek Kundra
said in testimony to Congress.
http://www.techweb.com/article/showArticle?articleID=221400138&section=security
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Massive bot attack spoofs Facebook password messages - 'Bredolab'
Trojan rides fake reset messages, reaches at least 735,000 users - A
massive bot-based attack has been hitting Facebook users, with
nearly three-quarters of a million users receiving fake password
reset messages, according to security researchers.
http://www.computerworld.com/s/article/9140058/Massive_bot_attack_spoofs_Facebook_password_messages?source=rss_security
FYI -
N.Y. bank computer technician charged with ID theft - A New York
computer technician has been charged with stealing the identities of
more than 150 Bank of New York Mellon employees and using them to
orchestrate a scheme that netted him more than $1.1 million,
prosecutors said.
http://www.scmagazineus.com/NY-bank-computer-technician-charged-with-ID-theft/article/156711/
FYI -
Leaked House Ethics document spreads on the Net via P2P - Document
lists dozens of lawmakers under scrutiny for conduct violations - A
document containing the names of more than two dozen members of the
U.S. House of Representatives who are being scrutinized for conduct
violations is starting to get widely distributed over the Internet
after being leaked on a peer-to-peer network earlier this week.
http://www.computerworld.com/s/article/9140154/Leaked_House_Ethics_document_spreads_on_the_Net_via_P2P?taxonomyId=17
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and specific
authorization privileges assigned to all users of e-banking systems
and applications, including all customers, internal bank users and
outsourced service providers. Logical access controls should also be
designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization's
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g.
remote access servers, e-mail proxy servers) and on each desktop
system.
b) Intrusion detection software and other security assessment tools
to periodically probe networks, servers and firewalls for weaknesses
and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING - MONITORING
Effective monitoring of threats includes both nontechnical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
• Senior management support for strong security policy awareness and
compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
• Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
levels.
• Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration management process that
monitors for vulnerabilities in hardware and software and
establishes a process to install and test security patches,
- Maintaining up-to-date anti-virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and vendors
to identify and react to new security issues.
• Senior management should require periodic security self-assessments
and audits to provide an ongoing assessment of policy compliance and
ensure prompt corrective action of significant deficiencies.
• Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
security personnel.
IT SECURITY QUESTION: DATA SECURITY
3. Determine whether individual and group access to data is based on
business needs.
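The access question above, the Basel practice of assigning authorization privileges that support segregation of duties, and the FFIEC monitoring item on routinely reviewing system and application access levels all come down to the same periodic check: does each user hold only what their business role needs, and does nobody hold a conflicting pair of duties? The following Python is an added example, not part of the newsletter or of either regulator's guidance; the role baselines, the conflict pairs and the user records are constructed for illustration, and an institution would substitute its own role catalogue and entitlement export.

```python
"""Periodic access review: flag entitlements beyond a role's business need,
roles that are not in the catalogue, and segregation-of-duties conflicts.

Added example; every role, entitlement, conflict pair and user below is
constructed for illustration and is not drawn from any real institution.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed role catalogue: the entitlements each role needs to do its job.
ROLE_BASELINES: dict[str, set[str]] = {
    "teller": {"view_account", "post_deposit"},
    "loan_officer": {"view_account", "originate_loan"},
    "loan_approver": {"view_account", "approve_loan"},
    "it_admin": {"manage_users"},
}

# Constructed segregation-of-duties rules: one person must never hold both.
SOD_CONFLICTS: list[tuple[str, str]] = [
    ("originate_loan", "approve_loan"),   # originator approving own loans
    ("manage_users", "approve_loan"),     # admin granting themself approval rights
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str            # "excess", "unknown_role" or "sod"
    detail: tuple[str, ...]


def review_access(users: dict[str, dict]) -> list[Finding]:
    """users maps a user id to {"roles": set[str], "entitlements": set[str]}.

    Returns findings in user order so the report is stable across runs.
    """
    findings: list[Finding] = []
    for uid, rec in sorted(users.items()):
        allowed: set[str] = set()
        for role in sorted(rec["roles"]):
            if role not in ROLE_BASELINES:
                findings.append(Finding(uid, "unknown_role", (role,)))
                continue
            allowed |= ROLE_BASELINES[role]

        # Excess: anything held that no assigned role justifies. A user with
        # no role at all therefore has every entitlement flagged.
        held: set[str] = set(rec["entitlements"])
        for ent in sorted(held - allowed):
            findings.append(Finding(uid, "excess", (ent,)))

        # Segregation of duties: checked on what is actually held, because a
        # user with two legitimate roles can still combine conflicting duties
        # without any single entitlement being "excess".
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append(Finding(uid, "sod", (a, b)))
    return findings


# Constructed entitlement export, one record per user.
SAMPLE_USERS: dict[str, dict] = {
    "alice": {"roles": {"teller"},
              "entitlements": {"view_account", "post_deposit"}},        # clean
    "bob":   {"roles": {"loan_officer"},
              "entitlements": {"view_account", "originate_loan",
                               "manage_users"}},                         # excess
    "carol": {"roles": {"loan_officer", "loan_approver"},
              "entitlements": {"view_account", "originate_loan",
                               "approve_loan"}},                         # SoD via roles
    "dave":  {"roles": set(),
              "entitlements": {"view_account"}},                         # no role at all
}


if __name__ == "__main__":
    for f in review_access(SAMPLE_USERS):
        print(f"{f.user:<8}{f.kind:<14}{' + '.join(f.detail)}")
```

The two checks are deliberately separate: a baseline comparison alone would pass Carol, since every entitlement she holds is justified by one of her two roles, while the conflict check catches that she can both originate and approve a loan. Dave has access tied to no role, which is exactly the "business need" question the examiner asks.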
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
36. Does the institution use a reasonable means for delivering
the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer;
[§9(b)(1)(ii)]
c. for the consumer who conducts transactions electronically,
clearly and conspicuously posting the notice on the institution's
electronic site and requiring the consumer to acknowledge receipt as
a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)]
or
d. for isolated transactions, such as ATM transactions, posting the
notice on the screen and requiring the consumer to acknowledge
receipt as a necessary step to obtaining the financial product or
service? [§9(b)(1)(iv)]
(Note: insufficient or unreasonable means of delivery include:
exclusively oral notice, in person or by telephone; branch or office
signs or generally published advertisements; and electronic mail to
a customer who does not obtain products or services electronically.
[§9(b)(2)(i) and (ii), and (d)])