R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

December 30, 2012

CONTENT - Internet Compliance Web Site Audits - IT Security - Internet Privacy - Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Top firewall management blunders - We've all made one in our career; I'm talking about that blunder for which you thought you would be fired. http://www.scmagazine.com/top-firewall-management-blunders/article/273887/?DCMP=EMC-SCUS_Newswire

FYI - National banking regulator advises on DDoS deluge - The regulator for national banks issued an alert Friday about the apparent uptick in distributed denial-of-service (DDoS) attacks being waged against financial institutions. http://www.scmagazine.com/national-banking-regulator-advises-on-ddos-deluge/article/273769/?DCMP=EMC-SCUS_Newswire

FYI - Obama Administration Outlines National Information Sharing Strategy - The NSISS broadly outlines how the Obama administration wants to promote the secure sharing of national security information. http://www.eweek.com/security/obama-administration-outlines-national-information-sharing-strategy/

FYI - FCC offers security advice to smartphone users - FCC publishes 10-step plan for securing mobile devices and their data - The U.S. Federal Communications Commission is advising smartphone users on how to protect their mobile devices and data from mobile security threats. http://www.computerworld.com/s/article/9234928/FCC_offers_security_advice_to_smartphone_users?taxonomyId=17

FYI - US: We'll drag cyber-spies into COURT from their hideouts - 'And Iran to prosecute American programmers for Stuxnet?' - The US Department of Justice has floated a plan to advance criminal prosecutions against cyber-spies. http://www.theregister.co.uk/2012/12/20/prosecute_foreign_hackers_plan/

FYI - Children's privacy law catches on to apps, social networks - The FTC updates rules tied to the Children's Online Privacy Protection Act, or COPPA, but the changes won't really affect companies like Apple or Facebook. The Federal Trade Commission today moved to make a key children's online privacy law more up-to-date in a world of smartphones and social networks. http://news.cnet.com/8301-1009_3-57560037-83/childrens-privacy-law-catches-on-to-apps-social-networks/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Wells Fargo's website buckles under flood of traffic - Customers who can't access the website should go to a branch or bank over the phone, Wells Fargo said - Wells Fargo urged its customers on Thursday to visit bank branches or use telephone banking due to continuing problems with its website. http://www.computerworld.com/s/article/9234957/Wells_Fargo_39_s_website_buckles_under_flood_of_traffic

FYI - Costs mount as NASA responds to October data breach - The fallout from the theft of a NASA laptop bearing personal information on 10,000 current and former agency employees could cost taxpayers nearly $960,000, according to the space agency’s inspector general. http://www.nextgov.com/cybersecurity/2012/12/costs-mount-nasa-responds-october-data-breech/60232/?oref=ng-channeltopstory

FYI - Stabuniq trojan found on servers at U.S. banks - An information-gathering trojan has successfully compromised servers at a number of U.S. financial institutions, according to researchers at security firm Symantec. http://www.scmagazine.com/stabuniq-trojan-found-on-servers-at-us-banks/article/273616/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 1 of 5)

BACKGROUND

Web-site spoofing is a method of creating fraudulent Web sites that look similar, if not identical, to an actual site, such as that of a bank.  Customers are typically directed to these spoofed Web sites through phishing schemes or pharming techniques.  Once at the spoofed Web site, the customers are enticed to enter information such as their Internet banking username and password, credit card information, or other information that could enable a criminal to use the customers' accounts to commit fraud or steal the customers' identities.  Spoofing exposes a bank to strategic, operational, and reputational risks; jeopardizes the privacy of bank customers; and exposes banks and their customers to the risk of financial fraud.

PROCEDURES TO ADDRESS SPOOFING

Banks can mitigate the risks of Web-site spoofing by implementing the identification and response procedures discussed in this bulletin.  A bank also can help minimize the impact of a spoofing incident by assigning certain bank employees responsibility for responding to such incidents and training them in the steps necessary to respond effectively.  If a bank's Internet activities are outsourced, the bank can address spoofing risks by ensuring that its contracts with its technology service providers stipulate appropriate procedures for detecting and reporting spoofing incidents, and that the service provider's process for responding to such incidents is integrated with the bank's own internal procedures.

Banks can improve the effectiveness of their response procedures by establishing contacts with the Federal Bureau of Investigation (FBI) and local law enforcement authorities in advance of any spoofing incident.  These contacts should involve the appropriate departments and officials responsible for investigating computer security incidents.  Effective procedures should also include appropriate time frames to seek law enforcement involvement, taking note of the nature and type of information and resources that may be available to the bank, as well as the ability of law enforcement authorities to act rapidly to protect the bank and its customers.

Additionally, banks can use customer education programs to mitigate some of the risks associated with spoofing attacks. Education efforts can include statement stuffers and Web-site alerts explaining various Internet-related scams, including the use of fraudulent e-mails and Web-sites in phishing attacks.  In addition, because the attacks can exploit vulnerabilities in Web browsers and/or operating systems, banks should consider reminding their customers of the importance of safe computing practices.

INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES

Encryption 


Encryption, or cryptography, is a method of converting information to an unintelligible code.  The process can then be reversed, returning the information to an understandable form. The information is encrypted (encoded) and decrypted (decoded) by what are commonly referred to as "cryptographic keys." These "keys" are actually values, used by a mathematical algorithm to transform the data. The effectiveness of encryption technology is determined by the strength of the algorithm, the length of the key, and the appropriateness of the encryption system selected.


Because encryption renders information unreadable to any party without the ability to decrypt it, the information remains private and confidential, whether being transmitted or stored on a system. Unauthorized parties will see nothing but an unorganized assembly of characters.  Furthermore, encryption technology can provide assurance of data integrity as some algorithms offer protection against forgery and tampering. The ability of the technology to protect the information requires that the encryption and decryption keys be properly managed by authorized parties.
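As an added example that is not part of the FDIC text or this newsletter, the following Go program illustrates the two properties described above using AES-256-GCM from Go's standard library: without the key the sealed output is an unorganized assembly of bytes, and because GCM is an authenticated cipher, any alteration of the message in transit or at rest (or use of the wrong key) is rejected on decryption. The key and message are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM cipher from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt returns nonce || ciphertext || 16-byte authentication tag, using a fresh random nonce per message.
func encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt; it fails if the key is wrong or any byte of the sealed message was altered.
func decrypt(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("sealed message too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, nil)
}

func main() {
	key := make([]byte, 32) // constructed sample key; real keys belong in a managed key store
	rand.Read(key)
	sealed, _ := encrypt(key, []byte("constructed sample: wire $500 to account 1234"))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit, as a tampering party would
	_, err := decrypt(key, sealed)
	fmt.Println("tampered message rejected:", err != nil)
}
```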



INTERNET PRIVACY - With this issue, we begin our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Accordingly, on June 1, 2000, the four federal bank and thrift regulators published substantively identical regulations implementing provisions of the Act governing the privacy of consumer financial information. The regulations establish rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as summarized below. 

1)  A financial institution must provide a notice of its privacy policies, and allow the consumer to opt out of the disclosure of the consumer's nonpublic personal information, to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14 or 15 of the regulations.

2)  Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notices of its privacy policies to its customers.

3)  A financial institution generally may not disclose customer account numbers to any nonaffiliated third party for marketing purposes.

4)  A financial institution must follow reuse and redisclosure limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated