FYI - NIST releases computer security documents - The National Institute of Standards and Technology has published final versions of three computer security documents and released one draft document for public comment.
http://gcn.com/vol1_no1/daily-updates/25881-1.html
FYI - IT oversight gets attention at board level - A small number of companies, including Novell Inc. and FedEx Corp., have elevated responsibility for IT governance to their boards of directors in an attempt to ensure that they have high-level oversight of technology investments.
http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,93168,00.html?nas=PM-93168
FYI - GAO - Information Technology: The Federal Enterprise Architecture and Agencies' Enterprise Architectures Are Still Maturing.
http://www.gao.gov/new.items/d04798t.pdf
FYI - Top execs urged to zero in on security - The Business Roundtable, a national trade association for corporate executives, said Wednesday that company board members and chief executives need to pay more attention to computer security.
http://news.com.com/Top+execs+urged+to+zero+in+on+security/2100-7355_3-5216395.html?tag=cd.top
INTERNET COMPLIANCE - Part 2 of 3 - FDIC's "Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes" that was published March 12, 2004.
Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
Internet-related
fraudulent schemes present a substantial risk to the reputation of
any financial institution that is impersonated or spoofed. Financial
institution customers and potential customers may mistakenly
perceive that weak information security resulted in security
breaches that allowed someone to obtain confidential information
from the financial institution. Potential negative publicity
regarding an institution's business practices may cause a decline in
the institution's customer base, a loss in confidence or costly
litigation.
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating customers about prevalent e-mail and Internet-related fraudulent schemes, such as phishing, and how to avoid them. This may be accomplished by providing customers with clear and bold statement stuffers and posting notices on Web sites that convey the following messages:
! A financial institution's Web page should never be accessed from a link provided by a third party. It should only be accessed by typing the Web site name, or URL address, into the Web browser or by using a "bookmark" that directs the Web browser to the financial institution's Web site.
! A financial institution should not be sending e-mail messages that request confidential information, such as account numbers, passwords, or PINs. Financial institution customers should be reminded to report any such requests to the institution.
! Financial institutions should maintain current Web site certificates and describe how the customer can authenticate the institution's Web pages by checking the properties on a secure Web page.
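The first and third messages above reduce to one rule a customer (or the bank's own abuse desk, triaging links that customers forward) can apply to any link: the host the browser will actually connect to must belong to the institution, whatever the rest of the URL looks like. The following is an added example, not part of the FDIC guidance, showing that rule as code. The institution domain examplebank.com, the sample links and the wording of the findings are constructed for illustration; the tricks it flags (a "@" that turns the bank's name into a username, a bare IP address, the bank's name buried in somebody else's domain) are the common phishing patterns and not specific to any real campaign.

```python
# Added example (not part of the FDIC guidance): does a link's real host belong
# to the institution? The institution domain and the sample links used with it
# are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

INSTITUTION_DOMAIN = "examplebank.com"   # assumed: the bank's registered domain


def link_findings(url, institution_domain=INSTITUTION_DOMAIN):
    """Return the reasons a link should not be trusted.
    An empty list means: HTTPS, and the host is the institution's own domain
    or a subdomain of it."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # "https://examplebank.com@evil.example/": everything before '@' is a
        # username, not the host. The browser connects to evil.example.
        findings.append("credentials embedded before '@'; real host is %r" % host)
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if not host:
        findings.append("no host")
    elif not (host == institution_domain or host.endswith("." + institution_domain)):
        # "examplebank.com.login-verify.example" contains the bank's name, but
        # the domain that was actually registered is somebody else's.
        if institution_domain.split(".")[0] in host:
            findings.append("bank name appears in %r but domain is not %s"
                            % (host, institution_domain))
        else:
            findings.append("host %r is not under %s" % (host, institution_domain))
    return findings


def triage(urls):
    """Map each reported link to its findings; links with [] pass the rule."""
    return {u: link_findings(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, as a customer might forward them.
    for link, why in triage([
        "https://www.examplebank.com/login",
        "https://examplebank.com@evil.example/",
        "http://192.0.2.10/examplebank/",
        "https://examplebank.com.login-verify.example/",
    ]).items():
        print(link, "->", why or "ok")
```

The check deliberately reasons from the parsed hostname rather than from whether the bank's name appears in the string, which is exactly the difference between what a phishing e-mail shows and where the link goes. It says nothing about the certificate behind an HTTPS host; that is the separate step the third message asks customers to perform in the browser.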
To explain the red flags and risks of phishing and identity theft, financial institutions can refer customers to or use resources distributed by the Federal Trade Commission (FTC), including the following FTC brochures:
! "How Not to Get Hooked by the 'Phishing' Scam," published in July 2003, which is available at:
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
! "ID Theft: When Bad Things Happen to Your Good Name," published in September 2002, which is available at:
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes. Enhancements may include:
! Incorporating notification procedures to alert customers of known e-mail and Internet-related fraudulent schemes and to caution them against responding;
! Establishing a process to notify Internet service providers, domain name-issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that may be used to facilitate phishing or other e-mail and Internet-related fraudulent schemes;
! Increasing suspicious activity monitoring and employing additional identity verification controls;
! Offering customers assistance when fraud is detected in connection with customer accounts;
! Notifying the proper authorities when e-mail and Internet-related fraudulent schemes are detected, including promptly notifying their FDIC Regional Office and the appropriate law enforcement agencies; and
! Filing a Suspicious Activity Report when incidents of e-mail and Internet-related fraudulent schemes are suspected.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
ENCRYPTION TYPES
Three types of encryption exist: the cryptographic hash, symmetric encryption, and asymmetric encryption.
A cryptographic hash reduces a variable-length input to a fixed-length output. For a sound hash function the fixed-length output is, in practice, a unique cryptographic representation of the input: finding two different inputs that produce the same hash is computationally infeasible. Hashes are used to verify file and message integrity. For instance, if hashes are obtained from key operating system binaries when the system is first installed, the hashes can be compared to subsequently obtained hashes to determine if any binaries were changed. Hashes are also used to protect passwords from disclosure. A hash, by definition, is one-way; strictly it is not encryption at all, since there is no key and nothing to decrypt. An attacker who obtains the hash cannot run it through an algorithm to recover the password. However, the attacker can perform a dictionary attack, feeding candidate passwords (a list of likely choices, or every possible combination) through the algorithm and looking for matching hashes, thereby deducing the password. To protect against that attack, "salt," or additional random bits, are added to the password before hashing. The salt means the attacker cannot reuse one precomputed table of hashes against every stolen hash; the dictionary must be recomputed for each salt value, thereby increasing the difficulty of the attack. Salt does not make any single guess slower, so password storage also relies on deliberately slow hashing algorithms to limit how many guesses an attacker can test.
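The two hash uses in the paragraph above, the install-time baseline of binaries and password storage, are short enough to show end to end together with the dictionary attack that salt is meant to blunt. The following is an added example and is not code from the FFIEC booklet. The "binaries", the passwords, the attacker's word list and the iteration count are constructed for illustration; SHA-256 and PBKDF2 come from Python's standard library.

```python
# Added example (not from the FFIEC booklet): a file-integrity baseline, then
# unsalted vs salted password hashing seen from the attacker's side. All data
# below is constructed for illustration.
import hashlib
import hmac
import os

# --- Integrity: hashes of "binaries" taken when the system is first installed
def baseline(files):
    """files: {name: bytes}. Returns {name: hex SHA-256} as the baseline."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(baseline_hashes, files_now):
    """Names whose current hash differs from the baseline, or that were
    added or removed since it was taken."""
    now = baseline(files_now)
    return sorted(n for n in set(baseline_hashes) | set(now)
                  if baseline_hashes.get(n) != now.get(n))


# --- Password storage: unsalted vs salted -----------------------------------
def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Returns (salt, hash). A fresh random salt per password means two users
    with the same password get different hashes."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted_hash(password, salt, iterations=100_000):
    """Salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256) so that each of
    the attacker's guesses costs real time, not just a fresh table per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# --- The attacker's side ------------------------------------------------------
def precomputed_table(wordlist):
    """Hash every word once, up front: the 'dictionary' the text describes."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(target_hash, table):
    # One lookup per stolen hash, and the same table serves every victim.
    return table.get(target_hash)


def crack_salted(salt, target_hash, wordlist):
    # The precomputed table is useless here: every guess must be re-hashed
    # with this user's salt, so the work is repeated for each salt (each user).
    for w in wordlist:
        if hmac.compare_digest(salted_hash(w, salt)[1], target_hash):
            return w
    return None


if __name__ == "__main__":
    files = {"ls": b"binary-ls-v1", "ps": b"binary-ps-v1"}   # constructed
    base = baseline(files)
    print("changed:", changed_files(base, {"ls": b"binary-ls-v1", "ps": b"trojaned"}))
    words = ["letmein", "password", "Summer2004", "qwerty"]   # constructed list
    table = precomputed_table(words)
    print("unsalted:", crack_unsalted(unsalted_hash("Summer2004"), table))
    salt, h = salted_hash("Summer2004")
    print("salted, table lookup:", crack_unsalted(h, table))
    print("salted, recomputed per salt:", crack_salted(salt, h, words))
```

The point the example makes that the paragraph only states: against an unsalted hash the attacker's cost is one table built once, while against salted hashes the table must be rebuilt per user, but a weak password still falls to the per-salt loop in milliseconds, which is why `slow_salted_hash` raises the cost of each guess. The baseline check is only as good as the storage of the baseline itself: an attacker who can replace a binary and also edit the stored hashes defeats it, so the baseline belongs on read-only or separately protected media.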
Symmetric encryption is the use of the same key and algorithm by the
creator and reader of a file or message. The creator uses the key
and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is
captured by an attacker either when it is exchanged between the
communicating parties, or while one of the parties uses or stores
the key, the attacker can use the key and the algorithm to decrypt
messages, or to masquerade as a message creator.
Asymmetric encryption lessens the risk of key exposure by using two mathematically related keys, the private key and the public key. When one key is used to encrypt, only the other key can decrypt. Therefore, only one key (the private key) must be kept secret. The key that is exchanged (the public key) poses no risk if it becomes known. For instance, if individual A has a private key and publishes the public key, individual B can obtain the public key, encrypt a message to individual A, and send it. As long as individual A keeps his private key secure from discovery, only individual A will be able to decrypt the message. The remaining risk is authenticity rather than secrecy: B must be sure the public key really belongs to A, because an attacker who can substitute a key of their own will be the one able to read the message. That is what the Web site certificates discussed in the compliance section above are for.
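The two key models contrasted in the last two paragraphs come down to who can decrypt with which key, and that is easiest to see by running both. The following is an added example, not code from the FFIEC booklet. Its symmetric cipher is a toy keystream derived from SHA-256 and its asymmetric cipher is textbook RSA with two fixed primes that are far too small for real use; both exist only to make the key relationships concrete. The keys, primes and messages are constructed for illustration.

```python
# Added example (not from the FFIEC booklet): symmetric vs asymmetric keys.
# Toy constructions only; the primes and keys are constructed for illustration.
import hashlib
import os

# --- Symmetric: one shared secret key does both directions -------------------
def _keystream(key, nonce, length):
    # SHA-256 in counter mode as a keystream: adequate for showing the key
    # model, not a vetted cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key, plaintext):
    """Returns nonce || ciphertext. The nonce is public; the key is the secret."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def sym_decrypt(key, blob):
    """Same key, same keystream, XOR again. Anyone holding `key` can do this,
    which is the exposure the text warns about."""
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- Asymmetric: textbook RSA, two mathematically related keys ----------------
P, Q = 1000000007, 998244353          # fixed primes; far too small for real use
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                              # public exponent
D = pow(E, -1, PHI)                    # private exponent (modular inverse)
PUBLIC_KEY = (N, E)                    # individual A publishes this
PRIVATE_KEY = (N, D)                   # individual A keeps this secret


def rsa_encrypt(public_key, m):
    """m is an int < N. Encrypting to A needs only A's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """Only the holder of the private exponent recovers m."""
    n, d = private_key
    return pow(c, d, n)


def attacker_with_public_key(public_key, c):
    """What knowing the public key lets an eavesdropper do to a ciphertext:
    apply the public exponent again. That does not recover the message."""
    n, e = public_key
    return pow(c, e, n)


if __name__ == "__main__":
    shared = os.urandom(32)                       # constructed shared secret
    blob = sym_encrypt(shared, b"transfer 500 to acct 1234")
    print("symmetric, right key :", sym_decrypt(shared, blob))
    print("symmetric, wrong key :", sym_decrypt(os.urandom(32), blob))
    m = 123456789012345                           # constructed message as an int
    c = rsa_encrypt(PUBLIC_KEY, m)
    print("asymmetric, private key:", rsa_decrypt(PRIVATE_KEY, c) == m)
    print("asymmetric, public key :", attacker_with_public_key(PUBLIC_KEY, c) == m)
```

In the symmetric half a captured key decrypts everything it ever protected, in both directions; in the asymmetric half the published key lets anyone write to A but nobody read A's mail. Real systems pad messages before RSA (textbook RSA as written here leaks equal messages and is malleable) and use an authenticated cipher rather than a bare keystream, but those are properties of the algorithms, not of the key model the text is explaining.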
IT SECURITY QUESTION:
F. PERSONNEL SECURITY
1. Determine if the institution performs appropriate background
checks on its personnel, during the hiring process and thereafter,
according to the employee’s authority over the institution’s systems
and information.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
46. Does the institution refrain from disclosing,
directly or through affiliates, account numbers or similar forms of
access numbers or access codes for a consumer's credit card account,
deposit account, or transaction account to any nonaffiliated third
party (other than to a consumer reporting agency) for telemarketing,
direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to
market the institution's own products or services, as long as the
agent or service provider is not authorized to directly initiate
charges to the account; [§12(b)(1)] or
b. to a participant in a private label credit card program or
an affinity or similar program where the participants in the program
are identified to the customer when the customer enters into the
program? [§12(b)(2)]
(Note: an "account number or similar form of access
number or access code" does not include numbers in encrypted
form, so long as the institution does not provide the recipient with
a means of decryption. [§12(c)(1)] A transaction account does not
include an account to which third parties cannot initiate charges. [§12(c)(2)])