FYI - Navy tightens grip on BlackBerrys - The Navy has
implemented tougher security settings for BlackBerry devices used by
naval personnel. Administrators for the Navy-Marine Corps Intranet
activated the new settings Oct. 17 for the Navy and Oct. 23 for the
Marine Corps.
http://www.gcn.com/online/vol1_no1/45301-1.html
FYI - Vic police breached
database - Victorian police officers committed at least 26 breaches
of the force's confidential database in the last financial year,
with 15 more under investigation, a report shows.
http://www.thewest.com.au/aapstory.aspx?StoryName=432134
FYI - Whistle-blower e-mail
addresses exposed in Judiciary Committee snafu - The House Judiciary
Committee yesterday apologized to would-be whistle-blowers for
accidentally exposing their e-mail addresses to other individuals
who, like them, had used a committee Web site to secretly submit
tips about alleged abuses at the Department of Justice.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9044638&source=NLT_AM&nlid=1
FYI - Online Privacy Policies
Don't Do Their Job, Critics Say - Privacy notices online need to be
simpler and easier to find, some privacy advocates say. Grant
Gross, IDG News Service - Online privacy policies need to be easier
to understand and more conspicuous because few people now actually
read them, said panelists at a U.S. Federal Trade Commission
workshop on targeted online advertising.
http://www.pcworld.com/article/id,139238/article.html?tk=nl_dnxnws
FYI - GAO: Infrastructure plans
lack cybersecurity strategy - With 85 percent of the country's
critical infrastructure in private hands, the federal government
must make sure that the 17 infrastructure sectors include
cybersecurity in their plans to protect themselves against
cyberattacks and disaster, an official of the Government
Accountability Office has told two House panels. However, none of
the sectors' plans included all 30 cybersecurity criteria, such as
key vulnerabilities and measures to reduce them, the official also
testified.
http://www.fcw.com/online/news/150679-1.html?type=pf
FYI - Public Safety data not
secure, audit finds - Minnesota's chief law enforcement agency
failed to adequately safeguard non-public information in its
computers and did not keep an accurate inventory of some of its most
critical property, such as its laptops and cell phones, an audit
found.
http://www.infosecnews.org/hypermail/0711/13945.html
MISSING COMPUTERS/DATA
FYI - Lost CD may put pension
holders in peril - Thousands of customers of UK insurer Standard
Life have been left at risk of fraud after their personal details
were lost by HM Revenue & Customs (HMRC).
http://www.theregister.co.uk/2007/11/05/standard_life_lost_cd_security_flap/print.html
FYI - Masked thieves storm into
Chicago colocation (again!) - The recent armed robbery of a
Chicago-based co-location facility has customers hopping mad after
learning it was at least the fourth forced intrusion in two years.
They want to know how C I Host, an operator that vaunts the security
of its data centers, could allow the same one to be penetrated so
many times.
http://www.theregister.co.uk/2007/11/02/chicaco_datacenter_breaches/print.html
FYI - Dutch gov spies on Dutch
newspapers (not true) - The Dutch Ministry of Social Affairs and
Employment denies spying on the Dutch news agency GPD (Geassocieerde
Pers Diensten), a joint news service run by 17 regional newspapers.
The ministry has had access to a database with unpublished articles
and an agenda with scheduled activities since July last year.
http://www.theregister.co.uk/2007/11/03/spying_incident_storm_in_tea_cup/
WEB SITE COMPLIANCE -
This week begins our series on the FDIC's Supervisory Policy on
Identity Theft.
(Part 5 of 6)
Consumer Education
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
themselves.
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposia series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be
an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between
two networks, through which all traffic, regardless of direction,
must pass. When employed properly, it is a primary security
measure in governing access control and protecting the internal
system from compromise.
The key to a firewall's ability to protect the network is its
configuration and its location within the system. Firewall products
do not afford adequate security protection as purchased. They must
be set up, or configured, to permit or deny the appropriate traffic.
To provide the most security, the underlying rule should be to deny
all traffic unless expressly permitted. This requires system
administrators to review and evaluate the need for all permitted
activities, as well as who may need to use them. For example, to
protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal
computer should be denied access. Alternatively, systems could be
denied access based on their IP address, regardless of the
origination point. Such requests could then be evaluated based on
what information was requested and where in the internal system it
was requested from. For instance, incoming FTP requests may be
permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to
perform business operations and the need for security. Due to the
intricate details of firewall programming, the configuration should
be reassessed after every system change or software update. Even if
the system or application base does not change, the threats to the
system do. Evolving risks and threats should be routinely monitored
and considered to ensure the firewall remains an adequate security
measure. If the firewall system should ever fail, the default should
deny all access rather than permit the information flow to continue.
Ideally, firewalls should be installed at any point where a computer
system comes into contact with another network. The firewall system
should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition,
detection mechanisms and procedures should include the generation
and routine review of security logs.
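The rules described above (deny unless expressly permitted, reject outside traffic that claims an internal source address, deny by source address, fail closed, and log every decision) can be shown in a small policy evaluator. This is an added example, not FDIC material; the address ranges, the HTTPS rule and the function names are assumptions chosen for illustration.

```python
import ipaddress
import logging

log = logging.getLogger("fw-example")

# Assumed values for illustration; not taken from the FDIC text.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BLOCKED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Expressly permitted (direction, protocol, destination port) combinations.
# Anything not listed is denied, so outgoing FTP needs no explicit deny rule.
ALLOW_RULES = {
    ("in", "tcp", 21),    # incoming FTP permitted, as in the text
    ("out", "tcp", 443),  # assumed business need: outbound HTTPS
}


def _deny(packet, reason):
    # Denials are logged so attempted intrusions can be reviewed later.
    log.warning("deny %r (%s)", packet, reason)
    return "deny"


def decide(packet):
    """Return 'permit' or 'deny'; any evaluation error fails closed."""
    try:
        src = ipaddress.ip_address(packet["src"])
        direction = packet["direction"]
        # Anti-spoofing: outside traffic claiming an internal source.
        if direction == "in" and src in INTERNAL_NET:
            return _deny(packet, "spoofed internal source")
        # Address-based denial, regardless of the origination point.
        if any(src in net for net in BLOCKED_SOURCES):
            return _deny(packet, "blocked source address")
        if (direction, packet["proto"], int(packet["dport"])) in ALLOW_RULES:
            log.info("permit %r", packet)
            return "permit"
        return _deny(packet, "no rule permits this traffic")
    except Exception as exc:  # malformed input or engine failure
        return _deny(packet, "evaluation error: %r" % (exc,))


if __name__ == "__main__":
    # Constructed sample packet: inbound FTP from an outside address.
    print(decide({"src": "198.51.100.7", "direction": "in",
                  "proto": "tcp", "dport": 21}))
```

The order of checks matters: the spoofing and blocked-source tests run before the allow list, so a permitted service cannot be reached from an address that should never be trusted.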
IT SECURITY QUESTION:
Workstations: (Part 1 of 2)
a. Are the workstations personal computers, and are the personal
computers connected to the network?
b. What is the workstation operating system(s)?
c. Is access to workstations restricted?
d. Will workstation access allow network viewing to other
workstations and servers?
e. Do any workstations have modems?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who
obtain a new financial product or service, an initial privacy notice
that covers the customer's new financial product or service, if the
most recent notice provided to the customer was not accurate with
respect to the new financial product or service? [§4(d)(1)]