R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 18, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

 

FYI - Fake tech gear has infiltrated the U.S. government - A record number of tech products used by the U.S. military and dozens of other federal agencies are fake. That opens up a myriad of national security risks, from dud missiles to short-circuiting airplane parts to cyberespionage. http://money.cnn.com/2012/11/08/technology/security/counterfeit-tech/index.html

FYI - BlackBerry 10 is FIPS certified in advance of platform's release - After several federal agencies said they will stop using BlackBerry devices and switch to iPhones, Research In Motion took the unusual step today of announcing a tough security certification for BlackBerry 10 in advance of the device's launch next quarter. http://www.computerworld.com/s/article/9233366/BlackBerry_10_is_FIPS_certified_in_advance_of_platform_s_release?taxonomyId=17

FYI - Patent troll sues just about the whole tech biz over 4 years - Lots and lots of billygoats you know went over its bridge - A patent holding firm has made it its business to sue just about every tech firm anyone has heard of in its quest to make money from an encryption patent, it has emerged. http://www.theregister.co.uk/2012/11/08/tqp_sues_everyone/

FYI - Cyber attacks have changed, but Australia is doing something about it: SANS - Australia knows how to fix things and is doing something about it, at least when it comes to online security. http://www.csoonline.com/article/720272/cyber-attacks-have-changed-but-australia-is-doing-something-about-it-sans

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Stuxnet Infected Chevron's IT Network - Stuxnet, a sophisticated computer virus created by the United States and Israel to spy on and attack Iran's nuclear enrichment facilities in Natanz, also infected Chevron's network in 2010, shortly after it escaped from its intended target.
http://blogs.wsj.com/cio/2012/11/08/stuxnet-infected-chevrons-it-network/?mod=wsjcio_hps_cioreport
http://www.scmagazine.com/chevron-confirms-2010-stuxnet-hit/article/267769/?DCMP=EMC-SCUS_Newswire

FYI - Backup tapes missing from health facilities in Mass. and R.I. - Unencrypted backup tapes, containing the personal information of several thousand patients who visited two Women & Infants Hospital walk-in facilities, have gone missing. http://www.scmagazine.com/backup-tapes-missing-from-health-facilities-in-mass-and-ri/article/267879/?DCMP=EMC-SCUS_Newswire

FYI - SEC staffers leave computers open to cyber attack, report says - The agency was forced to hire a third-party firm and pay it at least $200,000 to determine if any breaches occurred. Staffers in the SEC's Trading and Markets Division left their computers totally unprotected from possible security attacks, forcing the organization to scramble to determine if any sensitive data was stolen, Reuters reported, citing unidentified sources with knowledge of the situation. http://news.cnet.com/8301-1009_3-57547678-83/sec-staffers-leave-computers-open-to-cyber-attack-report-says/

FYI - Stolen laptop results in theft of 100k patient records - A laptop containing the unencrypted personal records of Alere Home Monitoring customers was stolen from an employee's car. http://www.scmagazine.com/stolen-laptop-results-in-theft-of-100k-patient-records/article/268062/?DCMP=EMC-SCUS_Newswire

FYI - Adobe Connect forum pulled offline after database breach - Connectusers.com, an Adobe customer forum for its Connect online-conferencing service, was pulled offline by Adobe after the forum's database was breached. http://www.scmagazine.com/adobe-connect-forum-pulled-offline-after-database-breach/article/268331/?DCMP=EMC-SCUS_Newswire

FYI - Anonymous targets Israeli sites, offers Gazans internet help - Anonymous hacktivists have united to stand with Gaza after Israeli forces on Wednesday launched a military operation against the Palestinian enclave. http://www.scmagazine.com/anonymous-targets-israeli-sites-offers-gazans-internet-help/article/268550/?DCMP=EMC-SCUS_Newswire

FYI - Sensitive NASA data at risk following stolen laptop - A laptop containing the unencrypted personal information belonging to NASA workers was stolen from an employee's car. http://www.scmagazine.com/sensitive-nasa-data-at-risk-following-stolen-laptop/article/268548/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE
- We continue the series regarding FDIC Supervisory Insights on Incident Response Programs.  (7 of 12)

Define what constitutes an incident.

An initial step in the development of a response program is to define what constitutes an incident. This step is important as it sharpens the organization's focus and delineates the types of events that would trigger the use of the IRP. Moreover, identifying potential security incidents can also make the possible threats seem more tangible, and thus better enable organizations to design specific incident-handling procedures for each identified threat.


Detection


The ability to detect that an incident is occurring or has occurred is an important component of the incident response process. This is considerably more important with respect to technical threats, since these can be more difficult to identify without the proper technical solutions in place. If an institution is not positioned to quickly identify incidents, the overall effectiveness of the IRP may be affected. Following are two detection-related best practices included in some institutions' IRPs.

Identify indicators of unauthorized system access.

Most banks implement some form of technical solution, such as an intrusion detection system or a firewall, to assist in the identification of unauthorized system access. Activity reports from these and other technical solutions (such as network and application security reports) serve as inputs for the monitoring process and for the IRP in general. Identifying potential indicators of unauthorized system access within these activity or security reports can assist in the detection process.
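As an added illustration (not from the FDIC guidance or this newsletter), the following Python script runs a few indicator checks of the kind described above over constructed activity-report lines: a burst of failed logins for one user and source, a success that follows such a burst, and a privileged account logging in from an external address. The report format, field names, threshold and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a firewall/authentication activity
# report; they are not taken from any real system.
SAMPLE_REPORT = """\
2012-11-12T02:14:05 auth user=jsmith src=203.0.113.9 result=FAIL
2012-11-12T02:14:09 auth user=jsmith src=203.0.113.9 result=FAIL
2012-11-12T02:14:12 auth user=jsmith src=203.0.113.9 result=FAIL
2012-11-12T02:14:15 auth user=jsmith src=203.0.113.9 result=FAIL
2012-11-12T02:14:20 auth user=jsmith src=203.0.113.9 result=FAIL
2012-11-12T02:14:31 auth user=jsmith src=203.0.113.9 result=SUCCESS
2012-11-12T09:05:44 auth user=mlee src=10.20.30.40 result=SUCCESS
2012-11-12T09:06:01 auth user=admin src=198.51.100.7 result=SUCCESS
"""

# Field layout of the constructed report format (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def find_indicators(report, fail_threshold=5, internal_prefix="10.",
                    privileged=("admin",)):
    """Return human-readable indicators of possible unauthorized access found
    in the report: failure bursts, success after a burst, external privileged login."""
    indicators = []
    failures = defaultdict(int)          # (user, src) -> consecutive failed logins
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that are not auth events
        ts, user, src, result = m.group("ts", "user", "src", "result")
        key = (user, src)
        if result == "FAIL":
            failures[key] += 1
            if failures[key] == fail_threshold:
                indicators.append(f"{ts} {fail_threshold} consecutive failures for {user} from {src}")
            continue
        # A success that follows a burst of failures is the stronger signal.
        if failures[key] >= fail_threshold:
            indicators.append(f"{ts} success after {failures[key]} failures for {user} from {src}")
        failures[key] = 0
        if user in privileged and not src.startswith(internal_prefix):
            indicators.append(f"{ts} privileged account {user} logged in from external address {src}")
    return indicators
```

Each returned string is one candidate indicator for the monitoring process; the thresholds and the internal address range would be set from the institution's own environment.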

Involve legal counsel.

Because many states have enacted laws governing notification requirements for customer information security compromises, institutions have found it prudent to involve the institution's legal counsel when a compromise of customer information has been detected. Legal guidance may also be warranted in properly documenting and handling the incident.


INFORMATION TECHNOLOGY SECURITY
- We begin a new series from the FDIC "Security Risks Associated with the Internet."  While this Financial Institution Letter was published in December 1997, the issues are still relevant.

This FDIC paper alerts financial institutions to the fundamental technological risks presented by use of the Internet. Regardless of whether systems are maintained in-house or services are outsourced, bank management is responsible for protecting systems and data from compromise.


Security Risks 


The Internet is inherently insecure. By design, it is an open network which facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise. Five areas of concern relating to both transactional and system security issues, as discussed below, are: Data Privacy and Confidentiality, Data Integrity, Authentication, Non-repudiation, and Access Control/System Design. 


Data Privacy and Confidentiality 


Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords. 

Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.



INTERNET PRIVACY
- We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

45.  If the institution receives information from a nonaffiliated financial institution other than under an exception in §14 or §15, does the institution refrain from disclosing the information except:

a.  to the affiliates of the financial institution from which it received the information; [§11(b)(1)(i)]

b.  to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)] and

c.  to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [§11(b)(1)(iii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
