To protect the confidentiality of your personal account information contained in future electronic mail, Parkside Financial Bank & Trust will be sending emails that contain protected client information through Parkside’s secure email system.  This system uses encryption to protect your information from being viewed by someone else as it is transmitted across the Internet. 

Here’s how the secure email system works:

1.  The first time you receive a secure email, you will be invited to register with the secure email system by creating a password that you will use each time you view a secure email.  You will also enter three security questions that will help you reset your password if you forget it.

2.  When we send you secure emails in the future, you will receive a secure email notification.

3.  To read the message, simply open the attachment and enter your password.  You will then be able to view the message and any attachments.

4.  Once you have registered, you will only need to click to open the attachment and enter your password to view future secure messages.

Below is a link to instructions for enrolling and opening secure email from Parkside.  Please contact us should you have any questions.

Receiving Secure Email from Parkside

Thank you.



Source: SECURITYWEEK

Europe has quickly caught on to the perceived invasion of privacy that location services pose on mobile device users. The U.K,’s Data Protection Act sets limits on location data collection. A person’s location in the U.K. can only be traced to the physical address of their Internet service provider. Many European Union countries have privacy laws in place regulating how Google, Yahoo and other tech firms can tag the location of individuals to provide relevant location-based content.

Many people believe the data could be abused. A device user’s location can be an extremely valuable piece of data for marketers. It also can add important and valuable functionality for certain applications. In April, Apple came under fire when a researcher discovered a file on the iPhone that contained a record of everywhere a user had been. Apple said it had never tracked users locations and it quickly updated its firmware to eliminate the data leakage.

Andrew Jaquith, CTO of Perimeter E-Security predicts the U.S. will follow Europe with a new privacy protection law in 2012. Privacy protection legislation will mostly address location-based services, but look for loopholes put in place for mobile carriers and other entities, Jaquith said.

“We’re going to see indiscriminant use of location-based information become a crime,” Jaquith said.

Other experts predict cybercriminals could eventually latch onto this location-based services trend with malware and other tricks that take advantage of location data to trick users into giving up more sensitive information about themselves, including account credentials.

2. Excessive permissions

Application permission requests were built into mobile platforms as a way to improve security, but those notifications, which require the end user to confirm an application’s breadth on a device, are being largely disregarded by device users. People are quick to choose functionality over security and privacy, said James Lyne, senior technologist at U.K.-based Sophos. Most device owners continue to give applications elevated privileges and that means the latest game they downloaded may have the functionality to tap into the device’s messaging app or location data.

“We don’t yet have the same security concerns and paranoia on the mobile device,” Lyne said. “As long as users think these devices are magically secure, they’re much more likely to fall for basic attacks.”

The permissions model isn’t perfect, but it does increase transparency, Lyne said. In November a researcher discovered a rogue mobile carrier diagnostics application running stealthily on some mobile devices. Carrier IQ software was placed on some devices by mobile carriers, but the software was not always optional, and in many cases users didn’t even know it was on their devices. Security and privacy advocates were outraged because the software could report GPS location data, record which dialer buttons were being pressed and the URLs being visited by device owners.

Any service provider is going to want to be able to track the usage of their network and their systems to improve and diagnose failures, said Veracode’s Wysopal. “The problem is people were surprised because it wasn’t disclosed to them,” Wysopal said. “It should be really clear what it’s used for, when it is turned on and what it collects so it’s not a mystery for anybody.”

3. Mobile application vulnerabilities

Researchers have been warning that the Google Android and Apple iOS app stores have given rise to a new crop of mobile application developers. Mobile application frameworks lack maturity, and when combined with the need for speed, that has resulted in applications with shoddy code, flaws and functionality that is not needed. Some developers churn out new mobile applications too quickly, Wysopal said. “We have customers who tell us they actually built their mobile app in two weeks. … That’s an indicator that a lot of security thinking isn’t going into this kind of development.”

Researchers studying mobile applications are finding a lot of coding errors. In an analysis conducted by researchers Mike Zusman and Zach Lanier of New York-based security consultancy Intrepidus Group, many applications had hidden coding errors that could lead to data leakage or privilege-escalation vulnerabilities. Speed leads to costly mistakes, such as authentication or authorization errors, poor file-system permissions and application permissions that are too lax, Lanier told SearchSecurity.com.

4. Unsecure Wi-Fi

At the airport or the local café, most devices automatically roam for the nearest open Wi-Fi hotspot. Unfortunately, automated tools make it easy for just about anyone to snoop on people or even take over their browsing session. Researchers have demonstrated that by using basic tools of the trade they could take over a person’s unsecure webmail session, Twitter or other social media account. Many services, including Google, have responded, supporting encrypted sessions that protect users on open Wi-Fi, but the threat remains.

The fear is that websites that don’t use SSL/TLS encryption correctly could be putting smartphone users at risk to a well-known Wi-Fi hotspot attack called sidejacking, network security expert Lisa Phifer told SearchSecurity.com in August. Last year, an automated tool called Firesheep was developed as a simple Mozilla Firefox plug-in that automates session hijacking attacks over unsecured Wi-Fi networks. The packet sniffer could analyze traffic between a Wi-Fi router and a person’s laptop or smartphone. Phifer said the tool reduces sidejacking to “point-and-click” simplicity on any network where other Web user’s session cookies can be captured.

As a result of Wi-Fi insecurities, IBM researchers have developed a new Secure Open Wireless standard. The system uses a digital certificate to secure the Wi-Fi hotspot itself, preventing sidejacking or man-in-the-middle attacks. “We’re simply checking to make sure the SSID of the wireless access point is legitimate and when a client connects they establish an encrypted connection,” Tom Cross, threat intelligence manager at IBM X-Force and lead researcher behind Secure Open Wireless, told SearchSecurity.com. Until the standard is broadly adopted, many security experts warn smartphone and laptop users to limit browsing on open wireless networks.

5. Lost and stolen devices

With all the chatter from security experts about mobile malware, phishing, and other attacks that can take place remotely, the number one threat to individuals and enterprises remains lost and stolen devices. In New York City, taxi cab drivers report dozens of lost mobile phones found in the back of their cabs each week.

Four in 10 organizations have had mobile devices lost or stolen, and half of those lost or stolen devices contained business critical data, according to a smartphone security study (.pdf) issued in May. The study, undertaken by researchers at Carnegie Mellon University, and commissioned by McAfee, found that enterprises need to set appropriate policies and deploy encryption of sensitive data. “It comes down to access control, key management for collaboration and data sharing,” Chris Burchett, CTO and co-founder of Addison, Texas-based data encryption vendor Credant Technologies, told SearchSecurity.com.

Device owners rarely use a passphrase or code to protect unauthorized access to their device. That leaves the phone wide open to a thief. Contacts, email messages and data saved in some applications can be easily accessed by the average criminal. While most enterprise mobile security software suites have device location and wipe features, but a lack of security policy around personally owned devices means many employees and their organizations remain at risk. By the time a device is reported lost or stolen, a thief could have already made off with the data.

Source: www.techtarget.com

A sample of the email is below:

************************************************************************************************
From: Federal Reserve Financial Services (fedcommunications numbers @ mail – frbservices dot org)
Subject: ATT : Your Name and Organization

This message is to be delivered to: Your Name at Your Organization

In an effort to notify and update all financial institutions and their employees of the recent fraud scenarios The Federal Reserve Banks in collaboration with IC3 and NW3C issued the following message:

A Public Service Announcement has been issued by the Internet Crime Complaint Center (IC3), which is a joint partnership between the FBI and the National White Collar Crime Center (NW3C). Financial Institutions are encouraged to share this public service announcement with account holders.
Visit (Fraudulent link was inserted here) for exact instructions and details on fraud scenarios.

IC3′s website provides a vehicle for consumer’s to file Internet crime complaints. Complaint information will be combined with other related subject information and referred to federal, state, and local law enforcement for the initiation or enhancement of investigations.

A Best Practice Strategy to help reduce the security risks for your organization

1.  Establish a Password Policy

•  Establish a well-defined password policy for your company.

This should include the following:

• Enforce password complexity (e.g., P@assword1)
• Create a unique password for each user
• Use passwords with 8+ characters
• Change passwords at least quarterly
• Enable account lockout
• Disable passwords of former employees

2.     Protect from Hackers

• Install a Business-class firewall

(select a vendor that provides regular update)

• Block all unnecessary inbound and outbound access
• Strongly consider a second layer of protection

(Intrusion Prevention System (IPS)

• Perform regular reviews of firewall logs
• Test your protection; select “Shields Up” scan, http://grc.com
• Install a business-class Wireless Access Point (WAP):
  • Encrypt data transmission
  • Disable SSID broadcast
  • (Optional) Restrict access to specific computers on your network

3.      Close Security Holes

• Establish centralized software updates
  • Deploy Windows Server Update Service (WSUS) FREE

    From http://Microsoft.com/downloads

• Get automatic security updates
  • Sign up at http://Microsoft.com/security.msrc/
  • Double check security updates
    • http://Microsoft.com/MBSA

4.     Malware/Virus Protection

• Establish a layered defense, including:
  • Centralized anti-virus management
  • Centralized spyware management
  • SPAM filtering
  • Enable scheduled anti-virus/spyware scanning
  • Schedule automated daily updates
  • Monitor subscription status

5.     Secure Mobile Devices

Develop and implement a mobile device management plan

• Ensure you have a mobile strategy in place before allowing employees to use personal mobile devices
• Include device security protection (anti-virus, etc.)
• Include device data protections (ability to wipe the device)

6.      Data Loss Protection

• Ensure employees lock computers
• Ensure all documents, mail and contacts are on a server
• Establish an automated backup system
• Ensure backups , software media & licenses are taken offsite
• Document data restore procedures
• Conduct test data restores

7.      Data Access Restrictions

Only give employees what the need to perform their job

• Identify “Security and Data Access Roles” for each employee
• Create corresponding security groups
• Assign “Access Rights” to groups

8.     Contingency Plan

Develop a disaster recovery plan

• Data recovery plan
• Hardware recovery plan
• Software recovery plan
• Internet recovery plan
• Timeline/Sequencing
• Resource Planning
• Recurring Testing and Validation

9.     Manage Technology

Outdated hardware/software can be more susceptible to security breaches:

• Establish a hardware/software lifecycle
  • (e.g., 4 years means 25% of hardware/software is budgeted for and replaced each year)

10. Train your Employees

               Employees need to know security basics, including:

• Acceptable Use Policy
  • Systems Accounts
  • Computing Assets
  • Network Use
  • Electronic Communication

SOURCE: SSE Network Services

www.SSENetwork.com

A criminal might not be able to find your location on a map, but they can find you on the Internet and through email.

How does it happen?

Criminals use malicious software, commonly called malware, to infect business computers. Generally malware is delivered in an email disguised as a legitimate request which urges the user to click on the link or activate an attachment. Users can also become infected from some websites. In most cases, the malware is sophisticated enough to infect the entire business network, allowing criminals to view everything the business does.

What happens if our computers are infected?

Infected computers and networks allow criminals complete access to all information, including when you log into your online banking platform. The malware allows criminals to monitor everything you do, capture your online banking credentials and know your online behavior. Then, they use your credentials to initiate fraudulent transfers out of your accounts via wires or ACH or create counterfeit checks. To Parkside Financial Bank & Trust, it appears you are initiating the transfers because they are processed using your credentials. Too often, a business is not aware of the infection until after their accounts are taken over and funds are removed.

Criminal groups also harvest valuable information from your network such as employee identities, patient information and credit card numbers to sell on the black market. Criminals often monitor an infected business network for months to harvest as much information as possible before they take over the accounts.

What can I do to protect my network and accounts?

There are many things for a business to consider when protecting their network. Every business is unique so there is no single solution for all businesses. We encourage you to contact your IT provider about these threats to identify ways to protect your network.

Here are a few things to consider: (This is not a complete list of options)

· Keep your Security Suite up-to-date with all necessary patches. Ensure the Suite includes bot-net protection, anti-spyware, anti-malware, anti-spyware and scans every file before it is downloaded.

· Run network scans to identify malware already present or malware that slipped passed the Security Suite.

· Do not click on links or open attachments in emails from unknown senders or in emails that do not make sense (i.e. The U.S. District Courts will never send subpoenas via email).

· Avoid conducting online banking from public, free Wi-Fi connections.

· Use hardware and software firewalls.

· Encrypt VPN’s.

· Block websites that employees are prohibited from visiting and websites known to carry malware.

· Layer security options to put as much resistance between your network and the criminals as possible.

· Notify Parkside Financial Bank & Trust if you are experiencing problems with your online banking platform (i.e. pop-ups even though you have enabled pop-up blocker, can’t shut the computer down, you type in the address to one website and are redirected to a different website, your online banking sign-on page looks different than normal, etc).

· If you even suspect your computers are infected, contact Parkside Financial Bank & Trust immediately so we can monitor your accounts while you resolve the issue.

· Some small businesses use one computer for all online banking activities that is not attached to their network and does not have email capabilities. Use this computer solely for online banking activities.

Contact Parkside Financial Bank & Trust to discuss account security and other options that may be available to help protect your accounts. Here are a few things to consider:

· Ensure every employee has their own credentials and are not sharing with others.

· Have a method to review and approve new-user credentials created on your accounts.

· Avoid using the Administrator credentials unless necessary; create user accounts with limited authority for daily processing. If your credentials are compromised, this can help limit the damage a criminal can do.

· Review your account daily, especially pending or recently sent wires or ACH files.

· Report any suspicious activity to Parkside Financial Bank & Trust immediately.

· Use dual-control for wire and ACH activity.

· Discuss available security options

Cyber threats are very real. Take action today to protect your assets.

~ ~ ~ ~ ~

Courtesy of EPCOR™. EPCOR is a not-for-profit trade association headquartered in Kansas City, Missouri, that provides Parkside Financial Bank & Trust and their business customers with reliable payments and risk management education, information, support and national industry representation.

To remove your name from lists:
Mail: www.dmachoice.org
Phone: www.donotcall.gov

To stop preapproved credit card offers:
www.optoutprescreen.com or 1-888-5-OPTOUT (567-8688)

To hold your mail: www.usps.com

If a loved one dies:

• Send a copy of the death certificate to the three credit reporting agencies
• Notify the Social Security Administration Immediately
• Don’t mention a woman’s maiden name or exact birth date in the obituary

Credit Report Bureaus

Equifax: (800) 525-6285
P.O. Box 740241 Atlanta, Georgia 30374

Experian: (888) 397-3742
P.O. Box 9530 Allen, Texas 75013

Trans Union: (800) 680-7289
P.O. Box 6790 Fullerton, California 92834

• To place a fraud alert on your account with all three credit reporting agencies:

www.fraudalerts.equifax.com

• You are allowed 3 free reports each year; to order: On Web: www.annualcreditreport.com

By Phone: 1-877-322-8228

Terms to understand:

1. Fraud Alert: Your credit file at all three credit reporting agencies if flagged and a potential lender should take steps to verify that you have authorized the request.
   Inside Scoop: Fraud alerts only work if the merchant pays attention and takes steps to verify the identity of the applicant. They expire in 90 days unless you have been a victim of identity theft, in which case you can file and extended alert—it lasts for seven years
2. Credit Monitoring: Your credit files are monitored by a third party—if activity occurs you are notified.
   Inside Scoop: Talk to your insurance agent about what they offer. It is most likely the least expensive way to protect you and your family. You might consider www.debix.com –it has a comprehensive protection plan.
3. Credit Freeze: A total lockdown of new account activity in your name. This requires unfreezing before you can open an account.
   Inside Scoop: A proven way to protect against identity theft. However, it can be cumbersome to start and stop. Credit freeze laws vary by state. To check your state, go to: www.consumersunion.org

To Report Internet Fraud: www.ic3.gov

Key Numbers:
FBI: (202) 324-3000 or your local field office
FTC: (1-877-IDTHEFT
Postal Inspection Service: 1-877-876-2455
IRS: 1-800-829-0433
Social Security Administration: 1-800-269-0271

• Take stock of what personal information you have. Keep only what you need for your business.
• Records you need should be protected by layers of security. All layers, including outer building, inner office and record storage areas should be secure from unauthorized entry.
• Protect digital media with the same secure safeguards as physical records.
• Personal information inside a business should be protected during regular hours if the area is not monitored.

Computer Security

• Ensure your computer is protected with a firewall and against viruses and spyware. Update this software and operating systems on a regular basis.
• Make sure all wireless access is encrypted and accessible only through a user created strong password.
• Use strong passwords to protect computer access. Don’t store passwords on computer hard drive or post near the computer.
• Employees should memorize passwords and should be required to change them every 90 days.
• Set computers to log-off automatically after a few minutes of non-use.
• Restrict the use of laptops to employees who need them to do their job.
• Limit take home laptops. If they most go home, remove or encrypt personal information from them or any other digital media that leaves the office.
• Require employees to store laptops in a secure place. Never leave a laptop visible in a car.
• Limit download capability on employee’s computers.
• Make sure a Web site has 128 bit encryption before conducting transactions.

Policy – Personnel – Training

• Establish and enforce a company-wide policy related to personal information.
• Regularly train employees to be sensitive to identity theft issues and personal information protection.
• Create a culture of security by holding employees accountable to the company policy.
• Have a defined and required way to report violations and suspicious activity related to information security.
• Establish a need-to-know policy and compartmentalize personal information to only those in your company who have a legitimate need to know before granting access.
• Disconnect ex-employees immediately from access to any personal information.

Information Security

• Use secure shredders or a secure shredding service.
• If you outsource shredding, make sure the shredding company complies with security standards such as employee background checks.
• Be cautious on the phone. Positively identify callers before providing personal information.
• Don’t e-mail personal information. This method is not secure.

Author Information: Jeff Lanza
Phone: 816-853-3929
Email: jefflanza@thelanzagroup.com
Web Site: www.thelanzagroup.com

Resources on the Web:
www.ftc.gov/privacy
www.ftc.gov/infosecurity
www.sans.org
www.onguardonline.gov

NABCAP is an unaffiliated, nonprofit organization based in Colorado that was created to tackle the challenge of identifying top practitioners, and through the process help reform the public’s perception of the industry and its professional membership.