FYI - This week, September 13, I am attending the Network Security
Conference sponsored by the Information Systems Audit and Control
Association (ISACA) being held at Caesars Palace in Las Vegas. I look forward to
meeting any of you who will also be in attendance.
FYI - OMB asks agencies for
cybersecurity check-up - Agencies have until Oct. 6 to report to the
Office of Management and Budget on how they have improved their
cybersecurity over the past year.
http://www.gcn.com/vol1_no1/daily-updates/27089-1.html
FYI - FBI busts alleged
DDoS Mafia - A Massachusetts businessman allegedly paid members of
the computer underground to launch organized, crippling distributed
denial of service (DDoS) attacks against three of his competitors,
in what federal officials are calling the first criminal case to
arise from a DDoS-for-hire scheme.
http://www.securityfocus.com/printable/news/9411
FYI - Indiana man
charged with hacking into former employer's systems -
He could face 10 years in prison and a $250,000 fine - A Columbus,
Ind., man was charged yesterday in federal court with hacking into
the systems of his former employer.
http://www.computerworld.com/printthis/2004/0,4814,95450,00.html
FYI - The former federal
counterterrorism czar offered 10 steps to help secure IT
installations. Richard Clarke, best known as the former
counterterrorism czar for presidents Bill Clinton and George W.
Bush, ended his government career as the White House adviser to the
President on Cyberspace Security. He's now bringing that expertise
to the IT world.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=45400035
FYI - Secret Service and
CERT analyze insider threats - It doesn't take a techie to abuse an
IT system from the inside, and inside attackers do not fit any
common profile. Those are among the findings of the Secret Service
and the CERT Coordination Center in a study of insider attacks
against financial organizations.
http://www.gcn.com/vol1_no1/daily-updates/27074-1.html
FYI - Japanese banks
choose vein-recognition security system - Vein patterns under the
palm are used for customer identification - Fujitsu Ltd. has
commercialized a biometric security system based on vein
pattern-recognition technology. The company has received orders from
two Japanese banks, one of which is already using the technology.
http://www.computerworld.com/printthis/2004/0,4814,95545,00.html
FYI - The FDIC is releasing a new, updated version of its
interactive deposit insurance calculator to help bankers provide
accurate information about deposit insurance coverage to customers.
www.fdic.gov/news/news/financial/2004/fil10004.html
FYI - Security vendor directory
to aid responsible disclosure - In a step that researchers hope will
improve the responsible disclosure process, the Open Source
Vulnerability Database (OSVDB) today published a free security
vendor directory that it hopes will serve as a centralized resource
for vendor contact information.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1003346,00.html
FYI - Are hackers using your PC
to spew spam and steal?
http://www.usatoday.com/money/industries/technology/2004-09-08-zombieuser_x.htm
FYI - Federal Bank, Thrift and Credit Union Regulatory Agencies Provide
Brochure with Information on Internet "Phishing" - The federal bank,
thrift and credit union agencies today announced the publication of
a brochure with information to help consumers identify and combat a
new type of Internet scam known as "phishing."
Press Release:
www.federalreserve.gov/boarddocs/press/other/2004/20040908/default.htm
Press Release:
www.ncua.gov/news/press_releases/2004/JR04-0908.pdf
Press Release:
www.fdic.gov/news/news/press/2004/pr9304.html
Press Release:
www.occ.treas.gov/scripts/newsrelease.aspx?JNR=1&Doc=CYVFS1NN.xml
Attachment:
www.occ.treas.gov/consumer/PhishBrochFINAL-SCREEN.pdf
Press Release:
www.ots.treas.gov/docs/7/77437.html
FYI - New Trojans target online
banks - Security experts have discovered a group of previously
undocumented Trojan horses which target British users of online
banking services by attempting to steal sensitive financial
information.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=e13bcfe9-880b-49ee-8cf2-43d4147ddf26&newsType=Latest%20News
FYI - E-mails to individuals
fraudulently claim to be from the FDIC. These e-mails request that
recipients update personal bank account information, and they
include a link to a fraudulent Web site for this purpose.
http://www.fdic.gov/news/news/SpecialAlert/2004/sa6604.html
FYI - FDIC Warns About
Fraudulent Request for Information - The Federal Deposit Insurance
Corporation (FDIC) has received complaints from consumers who have
received an e-mail that appears to have been sent by the FDIC. The
fraudulent e-mail requests that recipients update account
information due to inactive accounts, frauds and spoof reports, and
that failure to do so will result in closure of the recipient's bank
account.
http://www.fdic.gov/news/news/press/2004/pr9504.html
INTERNET COMPLIANCE - Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day
rule," requiring mailing or delivery of the statement not later
than 14 days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
multiple-page advertisements.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log, institutions
should consider the importance of the related system or information,
the importance of monitoring the access controls, the value of
logged data in restoring a compromised system, and the means to
effectively analyze the data. Generally, logs should capture source
identification information; session ID; terminal ID; and the date,
time, and the nature of the access attempt, service request, or
process. Many hardware and software products come with logging
disabled and may have inadequate log analysis and reporting
capabilities. Institutions may have to enable the logging
capabilities and then verify that logging remains enabled after
rebooting. In some cases, additional software will provide the only
means to analyze the log files effectively.
Many products such as firewall and intrusion detection software can
simplify the security monitoring by automating the analysis of the
logs and alerting the appropriate personnel of suspicious activity.
Log files are critical to the successful investigation and
prosecution of security incidents and can potentially contain
sensitive information. Intruders will often attempt to conceal any
unauthorized access by editing or deleting log files. Therefore,
institutions should strictly control and monitor access to log
files. Some considerations for securing the integrity of log files
include:
- Encrypting log files that contain sensitive data or that are
transmitted over the network,
- Ensuring adequate storage capacity to avoid gaps in data
gathering,
- Securing backup and disposal of log files,
- Logging the data to a separate, isolated computer,
- Logging the data to write-only media such as a write-once/read-many
(WORM) disk or drive,
- Utilizing centralized logging, such as the UNIX "SYSLOG" utility,
and
- Setting logging parameters to disallow any modification to
previously written data.
The financial institution should have an effective means of tracing
a security event through their system. Synchronized time stamps on
network devices may be necessary to gather consistent logs and a
consistent audit trail. Additionally, logs should be available, when
needed, for incident detection, analysis and response.
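The booklet's points above (intruders editing or deleting log files, parameters that forbid modification of previously written data, a separate isolated log host, and synchronized time stamps) can be illustrated with a small tamper-evident log. The code below is an added example written for this newsletter excerpt, not code from the FFIEC booklet: each record carries a SHA-256 digest chained to the previous record, a keyed seal over the newest digest is what you would ship to the isolated log host, and a time-order check flags records whose clocks disagree. The record layout, the key, and the sample events are all constructed for the example.

```python
"""Hash-chained, tamper-evident audit log (added illustration; hypothetical
record layout and constructed sample events, not the FFIEC booklet's code)."""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed events carrying the fields the booklet lists: source
# identification, session ID, terminal ID, timestamp, nature of the access.
SAMPLE_EVENTS = [
    ("10.0.0.5", "s1001", "tty1", "2004-09-13T14:02:11Z", "login ok user=jdoe"),
    ("10.0.0.5", "s1001", "tty1", "2004-09-13T14:02:40Z", "read file=/etc/passwd"),
    ("10.0.0.9", "s1002", "tty2", "2004-09-13T14:03:05Z", "login failed user=root"),
    ("10.0.0.9", "s1003", "tty2", "2004-09-13T14:03:09Z", "login failed user=root"),
]

GENESIS = "0" * 64            # chain anchor for the first record
SEAL_KEY = b"constructed-demo-key-held-by-log-host"   # placeholder, not a real key


def record_digest(prev_digest: str, fields) -> str:
    """SHA-256 over the previous digest plus the tab-joined fields, so each
    record commits to every record written before it."""
    body = "\t".join(fields)
    return hashlib.sha256((prev_digest + "\n" + body).encode()).hexdigest()


def append_record(log: list, fields) -> None:
    """Append-only write: the stored record is the fields plus its chain digest."""
    prev = log[-1][-1] if log else GENESIS
    log.append(tuple(fields) + (record_digest(prev, fields),))


def build_log(events) -> list:
    log = []
    for ev in events:
        append_record(log, ev)
    return log


def verify_chain(log: list):
    """Recompute the chain from GENESIS. Returns (ok, index_of_first_bad_record).
    An edited, reordered or deleted record breaks the chain at the first record
    after the damage, which localizes the tampering for the investigator."""
    prev = GENESIS
    for i, rec in enumerate(log):
        fields, digest = rec[:-1], rec[-1]
        if record_digest(prev, fields) != digest:
            return False, i
        prev = digest
    return True, None


def seal(log: list, key: bytes = SEAL_KEY) -> str:
    """HMAC over the newest digest. Kept on the separate, isolated log host so
    that silently truncating the newest records is also detectable, which the
    chain alone cannot catch."""
    last = log[-1][-1] if log else GENESIS
    return hmac.new(key, last.encode(), hashlib.sha256).hexdigest()


def check_seal(log: list, expected: str, key: bytes = SEAL_KEY) -> bool:
    return hmac.compare_digest(seal(log, key), expected)


def parse_utc(ts: str) -> datetime:
    """Timestamps are written in UTC ('Z'); parsing them back to aware datetimes
    lets logs from different devices be compared on one clock."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timestamps_monotonic(log: list) -> bool:
    """A record dated earlier than its predecessor usually means an unsynchronized
    clock on one device, which the booklet warns will corrupt the audit trail."""
    times = [parse_utc(rec[3]) for rec in log]
    return all(a <= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    audit = build_log(SAMPLE_EVENTS)
    stored_seal = seal(audit)
    print("intact:", verify_chain(audit), "sealed:", check_seal(audit, stored_seal))
    # Simulate an attacker rewriting the second record to hide what was read.
    edited = list(audit)
    edited[1] = edited[1][:4] + ("read file=/tmp/nothing", edited[1][5])
    print("after edit:", verify_chain(edited))
    # Simulate dropping the newest record: chain still verifies, seal does not.
    truncated = audit[:-1]
    print("truncated:", verify_chain(truncated), check_seal(truncated, stored_seal))
```

In practice the chain digests and the seal would be written by the logging host rather than by the application that generates events, and the seal would be compared on the isolated collector; the point of the example is that an edit, a deletion in the middle, and a truncation at the end are each caught by a different check, which is why the booklet lists isolation, WORM media and no-modification parameters together rather than as alternatives.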
When using logs to support personnel actions, management should
consult with counsel about whether the logs are sufficiently
reliable to support the action.
IT SECURITY QUESTION: BUSINESS CONTINUITY-SECURITY
1. Determine if adequate physical security and access controls exist
over data back-ups and program libraries throughout their life
cycle, including when they are created, transmitted/taken to
storage, stored, retrieved and loaded, and destroyed.
- Review the risk assessment to identify key control points in
a data set's life cycle.
- Verify controls are in place consistent with the level of
risk presented.
CLIENTS - The complete Information
Security Booklet can be found at http://www.ffiec.gov/ffiecinfobase/booklets/information_secruity/information_security.pdf.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
the consumer.
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.
IN CLOSING - In the FFIEC interagency Information Security Booklet,
the regulators require financial institutions to have at least an
annual independent penetration test.
Did you know that there are over 3,700 known vulnerabilities, with
approximately 25 new vulnerabilities added every week, and that 99%
of unauthorized intrusions resulted from known vulnerabilities? We
can provide you with independent penetration testing to help protect
{custom4} from unauthorized external access.
For more information, please visit our web site at http://www.internetbankingaudits.com/
or email Kinney Williams at examiner@yennik.com.