FYI - North Korea ready
to launch cyber war: report - SEOUL: North Korea has trained more
than 500 computer hackers capable of launching cyber warfare against
the United States, South Korea's defense ministry says.
http://www.channelnewsasia.com/stories/afp_asiapacific/print/109911/1/.html
FYI - Judge disarms Patriot Act
proviso - A key part of the USA Patriot Act that allows the FBI to
secretly demand information from Internet providers violates the
U.S. Constitution, a federal judge said Wednesday in a ruling that
could have a broad impact on government surveillance.
http://news.com.com/2102-1028_3-5388764.html?tag=st.util.print
FYI - Worldpay struck by online
attack - Worldpay handles credit and debit card payments - The
internet payment system Worldpay is under attack from unknown
hackers, disrupting thousands of online retailers around the world.
http://news.bbc.co.uk/2/hi/business/3713174.stm
FYI - Outsourcing firms warned
of 'significant cost of security' - International enterprises cannot
afford to ignore the potentially serious IT security implications
that arise when they decide to outsource core business functions to
third party providers, industry analysts have warned.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=d946e652-cbfe-428c-8950-9fcce57d47c1&newsType=Latest%20News
FYI - Online extortion growing
more common - Online extortion is rife and cybercrime is set to get
worse, the SANS Institute's research director said Friday.
http://news.com.com/Expert+Online+extortion+growing+more+common/2100-7349-5403162.html?part=dht&tag=ntop&tag=nl.e433
INTERNET COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers"
and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely of
asterisks or other symbols as pointers or hotlinks would not be as
clear as descriptive references that specifically indicate the
content of the linked material.
INFORMATION SYSTEMS SECURITY - We continue our series on
the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that can
distinguish between normal network traffic and potentially malicious
traffic. Proper tuning of these IDS units is essential to reliable
detection of both known attacks and newly developed attacks. Tuning
of some signature-based units for any particular network may take
an extended period of time, and involve extensive analysis of
expected traffic. If an IDS is not properly tuned, the volume of
alerts it generates may degrade the intrusion identification and
response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as cmd.exe,
are indicators of an attack. The nature of traffic to and from a
server can also serve as a signature. An example is the length of a
session and amount of traffic passed. A signature method meant to
focus on sophisticated attackers is protocol analysis, when the
contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
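The three signature forms just described (a URL reference such as cmd.exe, the nature of a session's length and volume, and protocol analysis of ICMP) as a small worked detector, written as an added example rather than code from the FFIEC booklet or this newsletter. The sample events and the tuning thresholds are constructed assumptions; on a real network the thresholds come from the extended analysis of expected traffic the text describes.

```python
import re
from urllib.parse import unquote

# Constructed sample observations (not real traffic): HTTP requests,
# session summaries and ICMP packets as a network IDS might see them.
SAMPLE_EVENTS = [
    {"kind": "http", "src": "203.0.113.7", "url": "/scripts/CMD%2Eexe"},
    {"kind": "http", "src": "198.51.100.4", "url": "/accounts/balance?id=42"},
    {"kind": "session", "src": "203.0.113.9", "seconds": 7200, "bytes": 900_000_000},
    {"kind": "session", "src": "198.51.100.4", "seconds": 30, "bytes": 12_000},
    {"kind": "icmp", "src": "203.0.113.11", "type": 8, "code": 0, "payload_len": 1400},
    {"kind": "icmp", "src": "198.51.100.8", "type": 8, "code": 0, "payload_len": 56},
    {"kind": "icmp", "src": "203.0.113.12", "type": 0, "code": 7, "payload_len": 56},
]

# Assumed site-specific tuning; a badly tuned (too loose) set of values
# floods the analyst with alerts from normal sessions.
TUNED = {"max_session_seconds": 3600, "max_session_bytes": 100_000_000,
         "max_icmp_payload": 1024}

URL_SIGNATURE = re.compile(r"cmd\.exe", re.IGNORECASE)

def url_signature(ev):
    # Decode twice so percent-encoding cannot hide the cmd.exe reference.
    path = unquote(unquote(ev["url"]))
    return "url:cmd.exe" if URL_SIGNATURE.search(path) else None

def traffic_signature(ev, tuning):
    # Nature of traffic: a session that is both unusually long and heavy.
    if ev["seconds"] > tuning["max_session_seconds"] and ev["bytes"] > tuning["max_session_bytes"]:
        return "session:length+volume"
    return None

def icmp_signature(ev, tuning):
    # Protocol analysis: RFC 792 echo request/reply (types 8 and 0) carry
    # code 0 only; an oversized echo payload violates expected behaviour.
    if ev["type"] in (8, 0) and ev["code"] != 0:
        return "icmp:invalid-code"
    if ev["payload_len"] > tuning["max_icmp_payload"]:
        return "icmp:oversized-payload"
    return None

def run_ids(events, tuning=TUNED):
    """Return (signature, source) alerts for every event that matches."""
    alerts = []
    for ev in events:
        if ev["kind"] == "http":
            hit = url_signature(ev)
        elif ev["kind"] == "session":
            hit = traffic_signature(ev, tuning)
        else:
            hit = icmp_signature(ev, tuning)
        if hit:
            alerts.append((hit, ev["src"]))
    return alerts
```

Running `run_ids` with the tuned thresholds yields four alerts, one per constructed indicator; loosening the session thresholds adds the normal 30-second session as a fifth alert, which is the alert-volume problem the text warns about.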
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter its network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the effectiveness
of a network IDS. Since a network IDS only reads traffic and does
not decrypt the traffic, encrypted traffic will avoid detection.
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
4. Determine whether logs of security-related events are sufficient
to assign accountability for intrusion detection system activities,
as well as support intrusion forensics and IDS.
5. Determine if logs of security-related events are appropriately
secured against unauthorized access, change, and deletion for an
adequate time period, and that reporting to those logs is adequately
protected.
6. Determine if an appropriate process exists to authorize employee
access to intrusion detection systems and that authentication and
authorization controls limit access to and control the access of
authorized individuals.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions. When
you answer the question each week, you will help ensure compliance
with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify which
module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and controls,
including review of new products and services and controls over
servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including the
use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training program;
5) Suitability of the compliance audit program for ensuring that:
a) the procedures address all regulatory provisions as
applicable;
b) the work is accurate and comprehensive with respect to the
institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to
responsible parties;
e) steps are taken to correct deficiencies and to follow up on
previously identified deficiencies; and
6) Knowledge level of management and personnel.
IN CLOSING - R. Kinney, did you
know that we offer internal-VISTA security testing of your network?
To keep your cost affordable, we install our pre-programmed scanner
box on your network. To maintain the independent testing
required by the examiners, we control the programming and testing
procedures. For more information about the VISTA testing options
available, please visit
http://www.internetbankingaudits.com.