FYI - Study: ISPs should block 'Net attack ports - Internet service providers should take security matters into their own hands by blocking access to communications ports on their customers' computers which are commonly exploited by Internet worms and other malicious programs, according to a SANS Institute report. http://www.nwfusion.com/edge/news/2003/0908studyisps.html
SANS paper: http://www.sans.org/rr/special/isp_blocking.pdf

FYI - GAO Report - Information Security: Effective Patch Management is Critical to Mitigating Software Vulnerabilities. http://www.gao.gov/cgi-bin/getrpt?GAO-03-1138T
Highlights - http://www.gao.gov/highlights/d031138thigh.pdf

FYI - GAO Report - Information Security: Challenges in Using Biometrics. http://www.gao.gov/cgi-bin/getrpt?GAO-03-1137T
Highlights - http://www.gao.gov/highlights/d031137thigh.pdf

FYI - GAO Report - File-Sharing Programs: Users of Peer-to-Peer Networks Can Readily Access Child Pornography. http://www.gao.gov/cgi-bin/getrpt?GAO-03-1115T

FYI - Greensburg Man Pleads Guilty To Trafficking Passwords - A former employee at American Eagle Outfitters pleaded guilty to trafficking passwords used by the retail clothing store as well as to computer damage. http://www.thepittsburghchannel.com/news/2451248/detail.html

FYI - Surprising percentage of public fears cyberattacks - About half of Americans fear terrorists will launch cyberattacks on the large networks that operate the banking, electrical, transportation and water systems, disrupting everyday life and possibly crippling economic activity, according to a survey conducted by Federal Computer Week and the Pew Internet & American Life Project. http://www.fcw.com/fcw/articles/2003/0901/cov-pew2-09-01-03.asp

FYI - OCC alert - The alert is intended to raise awareness of an increasingly common Internet fraud called "phishing" and encourages banks to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers. http://www.occ.treas.gov/ftp/alert/2003-11.txt

FYI - Woman jailed after cell phone disrupts courtroom. http://www.charlotte.com/mld/charlotte/6712097.htm

FYI - Colleges toughen rules on Net viruses - Still recovering from a summer of Internet infections, colleges are taking unusually aggressive steps to protect campus computer networks from virus outbreaks. http://stacks.msnbc.com/news/961943.asp?0dm=c14mt

FYI - New York Times hacker surrendered, booked-official - A 22-year-old who admits to hacking into corporate computer networks turned himself in to federal authorities in California on Tuesday to face charges related to breaking into the internal network of The New York Times newspaper. http://famulus.msnbc.com/famulusgen/reuters09-09-120838.asp?t=RETEK
INTERNET COMPLIANCE - Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or is to be located in a special flood hazard area. The regulation also requires that a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 2 of 3)
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belong to a specific user or system. It
is important when issuing a digital certificate that the
registration process for initially verifying the identity of users
is adequately controlled. The CA attests to the individual user’s
identity by signing the digital certificate with its own private
key, known as the root key. Each time the user establishes a
communication link with the financial institution’s systems, a
digital signature is transmitted with a digital certificate. These
electronic credentials enable the institution to determine that the
digital certificate is valid, identify the individual as a user, and
confirm that transactions entered into the institution’s computer
system were performed by that user.
The user’s private key exists electronically and is susceptible to
being copied over a network as easily as any other electronic file.
If it is lost or compromised, the user can no longer be assured that
messages will remain private or that fraudulent or erroneous
transactions would not be performed. User AUPs and training should
emphasize the importance of safeguarding a private key and promptly
reporting its compromise.
PKI minimizes many of the vulnerabilities associated with passwords
because it does not rely on shared secrets to authenticate
customers, its electronic credentials are difficult to compromise,
and user credentials cannot be stolen from a central server. The
primary drawback of a PKI authentication system is that it is more
complicated and costly to implement than user names and passwords.
Whether the financial institution acts as its own CA or relies on a
third party, the institution should ensure its certificate issuance
and revocation policies and other controls discussed below are
followed.
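The flow the booklet describes (CA root key signs the certificate at registration, the user signs each transaction, the institution checks the certificate and then the signature, and a revoked certificate is rejected) is easier to see in code. The following is an added example written for this newsletter, not code from the FFIEC booklet or any vendor. It uses textbook RSA over fixed Mersenne primes as a toy signature scheme, with the hash reduced into the modulus and no padding; the CA name, serial number, user name and transaction text are all constructed values.

```python
"""Toy PKI flow: a CA root key signs a user certificate, the user signs a
transaction, and the institution validates both before accepting it."""
import hashlib
import json

# Textbook RSA over fixed Mersenne primes. This is a toy for illustration
# only (no padding, small keys); real deployments use a vetted library.
E = 65537


def make_key(p, q):
    """Return (public, private) key dicts for the constructed primes p, q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest_mod_n(data, n):
    """SHA-256 of data, reduced into the key's modulus (toy shortcut)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    return pow(digest_mod_n(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest_mod_n(data, pub["n"])


def canonical(obj):
    """Stable byte encoding of the to-be-signed certificate fields."""
    return json.dumps(obj, sort_keys=True).encode()


def issue_certificate(ca_priv, issuer, serial, subject, subject_pub):
    """Registration step: after verifying identity, the CA attests with its
    root key that subject_pub belongs to subject."""
    tbs = {"issuer": issuer, "serial": serial, "subject": subject,
           "public_key": subject_pub}
    return {"tbs": tbs, "signature": sign(ca_priv, canonical(tbs))}


def verify_transaction(cert, tx, tx_sig, ca_pub, crl):
    """Institution-side check: certificate not revoked and validly signed by
    the CA, then the transaction signature must verify under the certified
    public key. Returns (accepted, reason_or_subject)."""
    tbs = cert["tbs"]
    if tbs["serial"] in crl:
        return False, "certificate revoked"
    if not verify(ca_pub, canonical(tbs), cert["signature"]):
        return False, "certificate signature invalid"
    if not verify(tbs["public_key"], tx, tx_sig):
        return False, "transaction signature invalid"
    return True, tbs["subject"]


# Constructed key material and sample transaction (example values only).
CA_PUB, CA_PRIV = make_key(2**31 - 1, 2**127 - 1)
USER_PUB, USER_PRIV = make_key(2**61 - 1, 2**89 - 1)
USER_CERT = issue_certificate(CA_PRIV, "Example Bank CA", 1001, "alice", USER_PUB)
TX = b"transfer 100.00 from acct 1234 to acct 5678"
TX_SIG = sign(USER_PRIV, TX)


def demo():
    """Exercise the happy path plus the failure modes the booklet describes."""
    results = {}
    results["valid"] = verify_transaction(USER_CERT, TX, TX_SIG, CA_PUB, set())
    # Revoked certificate: the private key was reported lost or compromised.
    results["revoked"] = verify_transaction(USER_CERT, TX, TX_SIG, CA_PUB, {1001})
    # Certificate whose subject was altered after the CA signed it.
    forged = {"tbs": dict(USER_CERT["tbs"], subject="mallory"),
              "signature": USER_CERT["signature"]}
    results["tampered_cert"] = verify_transaction(forged, TX, TX_SIG, CA_PUB, set())
    # Transaction altered in transit after it was signed.
    results["tampered_tx"] = verify_transaction(USER_CERT, TX + b"0", TX_SIG, CA_PUB, set())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks in verify_transaction matters: the revocation list is consulted first, so a certificate for a key the user reported compromised is refused even though its CA signature is still mathematically valid. That is the control the booklet's "promptly reporting its compromise" sentence depends on.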
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
10. Determine if firewall and routing controls are in place and
updated as needs warrant.
• Identify personnel responsible for defining and setting firewall
rulesets and routing controls.
• Review procedures for updating and changing rulesets and routing
controls.
• Confirm that the ruleset is based on the premise that all
traffic that is not expressly allowed is denied, and that the
firewall’s capabilities for identifying and blocking traffic are
effectively utilized.
• Confirm that network mapping through the firewall is disabled.
• Confirm that NAT and split DNS are used to hide internal names
and addresses from external users. (Note: Split DNS is a method of
segregating the internal DNS from the external DNS.)
• Confirm that malicious code is effectively filtered.
• Confirm that firewalls are backed up to external media, and not
to servers on protected networks.
• Determine that firewalls and routers are subject to appropriate
and functioning host controls.
• Determine that firewalls and routers are securely administered.
• Confirm that routing tables are regularly reviewed for
appropriateness on a schedule commensurate with risk.
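Two of the items above (the ruleset denies everything not expressly allowed, and the firewall's blocking capabilities are actually used) can be checked mechanically from a saved ruleset rather than by interview. The script below is an added example for this newsletter, not a tool from the FFIEC or any firewall vendor. It reads an iptables-save style dump, which is a constructed sample here, flags built-in chains whose default policy is not DROP and any ACCEPT rule with no match criteria, and then shows the same ruleset with those two defects corrected.

```python
"""Audit an iptables-save style ruleset for the two checklist items a
reviewer can test mechanically: default-deny, and no catch-all accepts."""
import re

# Constructed ruleset for the example (not from any real system). It has two
# defects: the INPUT chain defaults to ACCEPT, and a trailing rule accepts
# everything, so the port-443-only rule above it is meaningless.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 192.0.2.10 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# The corrected form: INPUT defaults to DROP and the catch-all rule is gone.
HARDENED_RULESET = (SAMPLE_RULESET
                    .replace(":INPUT ACCEPT", ":INPUT DROP")
                    .replace("-A INPUT -j ACCEPT\n", ""))

POLICY_RE = re.compile(r"^:(\w+) (\w+) \[")
RULE_RE = re.compile(r"^-A (\w+)(.*?) -j (\w+)$")


def audit_ruleset(dump, checked_chains=("INPUT", "FORWARD")):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    policies = {}
    for line in dump.splitlines():
        line = line.strip()
        pol = POLICY_RE.match(line)
        if pol:
            policies[pol.group(1)] = pol.group(2)
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        chain, matches, target = rule.group(1), rule.group(2).strip(), rule.group(3)
        # An ACCEPT with no match criteria lets everything through the chain,
        # defeating the "deny unless expressly allowed" premise.
        if chain in checked_chains and target == "ACCEPT" and not matches:
            findings.append(f"{chain}: unconditional ACCEPT rule '{line}'")
    for chain in checked_chains:
        policy = policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"{chain}: default policy is {policy}, expected DROP")
    return findings


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{label}: {audit_ruleset(dump) or 'no findings'}")
```

The script deliberately checks only INPUT and FORWARD; whether OUTPUT should also be default-deny is a policy decision for the institution, and an examiner would record the answer from the ruleset owner rather than assume it.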
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 1 of 2)
a) the categories of nonpublic personal information that the
institution collects; [§6(a)(1)]
b) the categories of nonpublic personal information that the
institution discloses; [§6(a)(2)]
c) the categories of affiliates and nonaffiliated third
parties to whom the institution discloses nonpublic personal
information, other than parties to whom information is disclosed
under an exception in §14 or §15; [§6(a)(3)]
d) the categories of nonpublic personal information disclosed
about former customers, and the categories of affiliates and
nonaffiliated third parties to whom the institution discloses that
information, other than those parties to whom the institution
discloses information under an exception in §14 or §15; [§6(a)(4)]
INTERNET AUDITING SERVICES - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.
We have clients in 37 states and more than 40 years of banking and bank examining experience.