FYI - The Latest Tool in
Competition: Hacking - Your competitor has a wildly successful
Web-based tool which is being used by many of your customers. Do you
(A) give up and get out of the business; (B) set up a team of
product developers to make a competing product; or (C) hack into the
competitor's website, steal the code, and for good measure hire
their critical employees to develop an exact duplicate of their
website? If you answered (C) then congratulations and welcome to the
new world of competitive hacking.
http://www.securityfocus.com/printable/columnists/273
FYI - Secret Service
busts online organized crime ring - In what it called an
"Information Age undercover investigation," the U.S. Secret Service
today announced that it has arrested 28 people from eight U.S.
states and six countries allegedly involved in a global organized
cybercrime ring.
http://www.computerworld.com/printthis/2004/0,4814,97017,00.html
FYI - QuickTime,
RealPlayer spools broken by critical bugs - Two of the three most
popular media players on the market have highly critical bugs that
could allow remote system control by a hacker.
http://security.itworld.com/4345/041028mediabug/pfindex.html
FYI - Wells Fargo
computers stolen - Identity thieves may have obtained sensitive
information about thousands of Wells Fargo mortgage and student loan
customers, after four computers containing customer account numbers
and Social Security numbers were stolen last month.
http://news.com.com/Wells+Fargo+computers+stolen/2100-1029_3-5437481.html
FYI - Sloppy laptop
security leaves European firms open to legal and commercial risks -
Sloppy mobile device security is leaving European businesses and
their employees open to legal, commercial and financial damage,
newly published research has claimed.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=dd9ddf8d-f59c-44c0-a95b-57d4932d5e0e&newsType=Latest%20News
FYI - Trojan horse spies on Web banking - Security experts say
they've discovered a Trojan horse that records e-banking user
details and Web surfing habits. Antivirus company Sophos is warning
that the Banker-AJ Trojan is targeting online customers of British
banks such as Abbey, Barclays, Egg, HSBC, Lloyds TSB, Nationwide and
NatWest. The Trojan affects computers running Microsoft Windows.
http://news.com.com/Trojan+horse+spies+on+Web+banking/2100-7349_3-5448622.html?tag=nefd.top
FYI - The Cost of Security Training - It has been said before that
the cost of IT training for those of us in the computer security
industry is really quite high. After all, there is not only the cost
of the course itself, but also the associated costs of hotels, food,
and rental vehicles if the course is out of town. This quickly adds
up to a rather tidy sum for managers trying to maximize their often
decreasing budgets. But have those same managers considered what is
the cost of not providing training to their staff?
http://www.securityfocus.com/printable/columnists/275
INTERNET COMPLIANCE - The Role Of Consumer Compliance In Developing
And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system
designers consult with the compliance officer during the development
and implementation stages in order to minimize compliance risk.
The compliance officer should ensure that the proper controls
are incorporated into the system so that all relevant compliance
issues are fully addressed. This
level of involvement will help decrease an institution's compliance
risk and may prevent the need to delay deployment or redesign
programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This
profile will establish a framework from which the compliance officer
and technology staff can discuss specific technical elements that
should be incorporated into the system to ensure that the online
system meets regulatory requirements.
For example, the compliance officer may communicate with the
technology staff about whether compliance disclosures/notices on a
web site should be indicated or delivered by the use of
"pointers" or "hotlinks" to ensure that required
disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Operational Anomalies
Operational anomalies may be evidence of a broad number of issues,
one of which is potential intrusion. Anomalies that act as
intrusion-warning indicators fall into two categories, those
apparent in system processing, and those apparent outside the
system.
System processing anomalies are evident in system logs and system
behavior. Good identification involves pre-establishing which system
processing data streams will be monitored for anomalies, defining
which anomalies constitute an indicator of an intrusion, and the
frequency of the monitoring. For example, remote access logs can be
reviewed daily for access during unusual times. Other logs can be
reviewed on other regular cycles for other unusual behaviors. System
behavior covers a broad range of issues, from CPU utilization to
network traffic protocols, quantity and destinations. One example of
a processing anomaly is CPU utilization approaching 100% when the
scheduled jobs typically require much less. Anomalous behavior,
however, may not signal an intrusion.
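The two system-processing checks the booklet mentions (remote-access logins at unusual times, and CPU utilization far above what the scheduled workload normally needs) are easy to pre-establish as routine log reviews. The script below is an added example written for this newsletter, not part of the FFIEC booklet or any vendor product: it runs over a few constructed remote-access log lines and a constructed series of CPU samples, and reports indicators for a reviewer to look at. The log format, the 07:00 to 19:00 "usual hours" window, the trailing-baseline multiplier and the 90% ceiling are all assumptions chosen for the example; an institution would set them from its own monitoring plan. In keeping with the booklet's caveat, the output is labelled as indicators to review, not as confirmed intrusions.

```python
"""Added example: flag two kinds of system-processing anomalies from the
FFIEC booklet's discussion (off-hours remote access, CPU saturation) over
constructed sample data. Not FFIEC code; all formats and thresholds are
assumptions for illustration."""
import re
from datetime import datetime

# Constructed sample remote-access log (no real users, hosts or times).
REMOTE_ACCESS_LOG = """\
2004-11-01 08:12:44 LOGIN user=jsmith src=10.0.5.21 result=success
2004-11-01 12:40:03 LOGIN user=mlee src=10.0.5.30 result=success
2004-11-01 17:58:10 LOGIN user=jsmith src=10.0.5.21 result=success
2004-11-02 02:17:55 LOGIN user=admin src=198.51.100.77 result=success
2004-11-02 02:19:02 LOGIN user=admin src=198.51.100.77 result=failure
2004-11-02 09:03:11 LOGIN user=mlee src=10.0.5.30 result=success
"""

# Assumed log line layout: timestamp, LOGIN, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumption: logins between 07:00 and 19:00 local time are "usual".
BUSINESS_HOURS = (7, 19)

# Constructed CPU utilization samples (percent), one per polling interval.
# The scheduled jobs normally need well under 20%.
CPU_SAMPLES = [12, 15, 11, 14, 13, 16, 12, 98, 99, 97]


def parse_remote_access_log(text):
    """Return a list of dicts for every line matching the assumed layout;
    lines that do not match are skipped rather than crashing the review."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def off_hours_logins(records, business_hours=BUSINESS_HOURS):
    """Logins (successful or not) whose hour falls outside the usual window."""
    start, end = business_hours
    return [r for r in records if not (start <= r["ts"].hour < end)]


def cpu_anomalies(samples, baseline_window=5, multiplier=3.0, ceiling=90.0):
    """Flag a sample when it approaches saturation (>= ceiling) or exceeds
    several times the trailing average of the previous samples.
    Returns (index, value, trailing_baseline) tuples."""
    flagged = []
    for i, value in enumerate(samples):
        window = samples[max(0, i - baseline_window):i]
        baseline = sum(window) / len(window) if window else None
        if value >= ceiling or (baseline is not None and value > multiplier * baseline):
            flagged.append((i, value, baseline))
    return flagged


def review_report(log_text=REMOTE_ACCESS_LOG, cpu=CPU_SAMPLES):
    """Build the daily review output: indicators only, for a person to assess."""
    records = parse_remote_access_log(log_text)
    return {
        "status": "indicators for review (not confirmed intrusion)",
        "off_hours_logins": [
            (r["ts"].isoformat(), r["user"], r["src"], r["result"])
            for r in off_hours_logins(records)
        ],
        "cpu_indicators": cpu_anomalies(cpu),
    }


if __name__ == "__main__":
    report = review_report()
    print(report["status"])
    for item in report["off_hours_logins"]:
        print("off-hours login:", *item)
    for idx, value, base in report["cpu_indicators"]:
        print(f"cpu sample {idx}: {value}% (trailing baseline {base})")
```

Two design points matter for a real deployment: the review should run on a fixed cycle the monitoring plan names (the booklet's "daily" for remote-access logs), and anything this script reports still needs a human to decide whether it is an intrusion or, for instance, a legitimate maintenance window.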
Outside the system, detection is typically based on system output,
such as unusual Automated Clearing House transactions or bill
payment transactions. Those unusual transactions may be flagged as a
part of ordinary transaction reviews, or customers and other system
users may report them. Customers and other users should be advised
as to where and how to report anomalies. The anomalous output,
however, may not signal an intrusion.
Central reporting and analysis of all IDS output, honeypot
monitoring, and anomalous system behavior assists in the intrusion
identification process. Any intrusion reporting should use
out-of-band communications mechanisms to protect the alert from
being intercepted or compromised by an intruder.
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
12. Determine whether:
! Responsibilities and authorities of security personnel and
system administrators for monitoring are established, and
! Tools used are reviewed and approved by appropriate
management with appropriate conditions for use.
13. Determine if the responsibility and authority of system
administrators is appropriate for handling notifications generated
by monitoring systems.
14. Determine if users are trained to report unexpected network
behavior that may indicate an intrusion, and that clear reporting
lines exist.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt
out notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers
(customers and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written records where available, determine if the institution has
adequate procedures in place to provide the opt out notice and
comply with opt out directions of consumers (customers and those who
are not customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. Reasonableness of the opportunity to opt out (the time
allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii),
10(a)(3)); and
d. Adequacy of procedures to implement and track the status of
a consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).
IN CLOSING - The FFIEC interagency
Internet guidelines require financial institution web sites to comply
with consumer compliance, advertising, notifications, weblinking, and other federal
regulations. We have identified 17 federal regulations and over 130 issues
that relate to an institution's web site. We also verify weblinks for
functionality and appropriateness. As a former bank examiner with
over 40 years' experience, we audit web sites following the FFIEC Internet
guidelines for financial institutions across the country. Visit
http://www.bankwebsiteaudits.com
and learn how we can assist your financial institution.