FYI - The horseback ride to the Carson National Forest in northern New
Mexico was a success. The weather was great. You will
find pictures of the trip and Gray Ghost, my 16 year old appaloosa,
at http://www.yennik.com/pictures/index.htm.
Thank you for letting me take the week off.
FYI- FFIEC
Information Technology Examination Handbook - The Federal Financial
Institutions Examination Council has issued updated guidance in
three booklets on electronic banking, information technology audit,
and the FedLine electronic funds transfer application.
Press Release: www.occ.treas.gov/ftp/bulletin/2003-41.txt
Attachment: www.occ.treas.gov/ftp/bulletin/2003-41a.pdf
Attachment: www.ffiec.gov/ffiecinfobase//index.html
Attachment: www.ffiec.gov/ffiecinfobase/html_pages/it_01.html#ebank
FYI- Publicly traded
companies could be required to disclose whether they are doing
anything to secure information on their computer systems, U.S.
Office of Homeland Security Secretary Tom Ridge said. http://news.com.com/2100-7350-5089279.html?tag=cd_top
FYI - Thieves nab private data of 120,000 Canadians - Four computers taken
from tax department had names, addresses and SIN numbers. www.nationalpost.com/components/printstory/printstory.asp?id=265166B5-49E3-4256-8C34-434D908C8DC5
FYI- Online vandals are
quickly exploiting flaws, leaving companies with little time to
patch their computer systems, according to a report published by
Symantec. http://zdnet.com.com/2102-1105_2-5084992.html?tag=printthis
FYI- The House passed
legislation that would allow banks to clear checks electronically,
potentially slashing paperwork in a speedier and less costly
process. http://www.salon.com/news/wire/2003/10/08/checks/index.html
FYI - Study: Regulations
driving security spending - A poll of corporate
executives found that companies are increasing spending on security
to satisfy legislation--not necessarily because their CEOs have seen
the light. http://news.com.com/2102-7355_3-5083758.html?tag=ni_print
FYI - Web security executive accused of hacking
military - The head of an Internet security company who claimed to
have found dangerous loopholes in U.S. military computers pleaded
innocent Tuesday to charges that he hacked into government networks
for financial gain. http://www.cnn.com/2003/TECH/internet/09/30/computer.case.ap/index.html
FYI - US p2p study reveals glaring security holes - A study into p2p
apps on government systems has revealed glaring security
holes. http://www.gnutellanews.com/article/8179
FYI - GAO
TESTIMONY - Critical Infrastructure Protection: Challenges
in Securing Control Systems.
Complete report: http://www.gao.gov/new.items/d04140t.pdf
Highlights: http://www.gao.gov/highlights/d04140thigh.pdf
INTERNET
COMPLIANCE - Electronic
Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarify that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the
Official Staff Commentary (OSC), an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated," is a consumer's
authorization via a home banking system.
To satisfy the regulatory requirements, the institution must
have some means to identify the consumer (such as a security code)
and make a paper copy of the authorization available (automatically
or upon request). The
text of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A
financial institution may receive correspondence through an
electronic medium concerning an unauthorized transaction, loss, or
theft of an access device. Therefore,
the institution should ensure that controls are in place to review
these notifications and also to ensure that an investigation is
initiated as required.
INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
-
Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an attacker
to submit false physical characteristics, or to take advantage of
system flaws to make the system erroneously report a match between
the characteristic submitted and the one stored in the system. In
the first situation, an attacker might submit to a thumbprint
recognition system a copy of a valid user’s thumbprint. The
control against this attack involves ensuring a live thumb was used
for the submission. That can be done by physically controlling the
thumb reader, for instance having a guard at the reader to make sure
no tampering or fake thumbs are used. In remote entry situations,
logical liveness tests can be performed to verify that the submitted
data is from a live subject.
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning. Degrees of
freedom relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique biometric.
Facial recognition systems, for instance, may have only nine degrees
of freedom while other biometric systems have over one hundred.
Similar faces may be used to fool the system into improperly
authenticating an individual. Similar irises, however, are difficult
to find and even more difficult to fool a system into improperly
authenticating.
Attacks against system tuning also exist. Any biometric system has
rates at which it will falsely accept a reading and falsely reject a
reading. The two rates are inseparable; for any given system
improving one worsens the other. Systems that are tuned to maximize
user convenience typically have low rates of false rejection and
high rates of false acceptance. Those systems may be more open to
successful attack.
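The false-accept / false-reject trade-off described above can be made concrete with a score-based matcher. The following is an added example, not part of the FFIEC booklet or this newsletter; the match scores are constructed (hypothetical) values, and the function names are our own. Accepting a probe only when its score reaches a threshold, raising the threshold drives the false acceptance rate (FAR) down while the false rejection rate (FRR) climbs, and the equal error rate (EER) is the point where the two meet.

```python
"""Worked FAR/FRR trade-off for a score-based biometric matcher (added example)."""

# Constructed match scores in [0, 1]: higher means the probe looks more like
# the enrolled template. Hypothetical values, not measurements from any real
# system; in practice they come from a labelled evaluation set.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.75, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR_SCORES = [0.65, 0.58, 0.52, 0.49, 0.45, 0.40, 0.38, 0.33, 0.30, 0.25]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a probe is accepted iff score >= threshold.

    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def tradeoff_table(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) rows, one per threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def rates_are_inseparable(table):
    """True if, as the threshold rises, FAR never increases and FRR never decreases."""
    ordered = sorted(table)
    return all(a[1] >= b[1] and a[2] <= b[2] for a, b in zip(ordered, ordered[1:]))


def equal_error_point(genuine, impostor):
    """Threshold (among observed scores) where FAR and FRR are closest, plus the rates there."""

    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)

    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=gap)
    return (best, *error_rates(genuine, impostor, best))


if __name__ == "__main__":
    # A convenience-tuned system (low threshold) shows high FAR and zero FRR;
    # a security-tuned one (high threshold) shows the reverse.
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [0.50, 0.60, 0.70]):
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("equal error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
```

When reviewing a deployment, ask for the FAR and FRR at the operating threshold actually configured, not the vendor's headline EER: a threshold moved toward convenience after go-live shifts the system toward the high-FAR end of this table.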
INFORMATION SECURITY
QUESTION:
B. NETWORK
SECURITY
13. Determine if logs of security-related events
are appropriately secured against unauthorized access, change, and
deletion for an adequate time period, and that reporting to those
logs is adequately protected.
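One technical control behind this examination question is a log whose entries are chained by hash so that modification or deletion of an entry is detectable. The following is an added illustration, not code from the FFIEC or this newsletter; the event records are constructed samples and the function names are our own. The last hash ("anchor") is assumed to be copied to a separate, write-protected system, which is what lets truncation of the tail be noticed.

```python
"""Hash-chained security event log with tamper and deletion detection (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # hypothetical fixed link value preceding the first entry

# Constructed sample events, not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2003-10-09T08:01:00Z", "event": "login_ok", "user": "teller01", "src": "10.0.0.5"},
    {"ts": "2003-10-09T08:02:30Z", "event": "login_fail", "user": "admin", "src": "10.0.0.9"},
    {"ts": "2003-10-09T08:03:10Z", "event": "privilege_change", "user": "teller01", "role": "supervisor"},
]


def _link_hash(prev_hash, record):
    """Digest that binds this record to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(chain, record):
    """Append a record, linking it to the current chain head; returns the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _link_hash(prev, record)})
    return chain[-1]["hash"]


def verify_chain(chain, anchor=None):
    """Return None if intact; otherwise the index of the first entry that fails.

    `anchor` is the head hash as stored on a separate, write-protected system.
    A mismatch against it (for example, entries deleted from the tail) is
    reported as index len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _link_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return len(chain)
    return None


def build_sample_chain():
    chain = []
    for record in SAMPLE_EVENTS:
        append_entry(chain, record)
    return chain


def with_modified_record(chain, index, **changes):
    """Copy of the chain with fields of one record changed and the stored hashes left as they were."""
    copied = json.loads(json.dumps(chain))
    copied[index]["record"].update(changes)
    return copied


def without_entry(chain, index):
    """Copy of the chain with one entry removed."""
    copied = json.loads(json.dumps(chain))
    del copied[index]
    return copied


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]
    print("intact:", verify_chain(chain, anchor))
    print("edited entry 1:", verify_chain(with_modified_record(chain, 1, user="teller01"), anchor))
    print("deleted entry 1:", verify_chain(without_entry(chain, 1), anchor))
    print("deleted last entry:", verify_chain(without_entry(chain, 2), anchor))
```

The chain alone only detects edits by someone who cannot recompute every later hash; an attacker with write access to the whole file can rewrite it consistently. That is why the anchor (or the log stream itself) must be forwarded to a system the log writer cannot modify, which is the same separation of duty the examination question is probing for.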
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of
nonpublic personal information that it discloses, as applicable, and
a few examples of each, or alternatively state that it reserves the
right to disclose all the nonpublic personal information that it
collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with
nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]
INTERNET AUDITING SERVICES
- We offer independent Internet auditing regarding web sites
compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com
for more information about web site audits. For information
regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/
or email Kinney Williams at examiner@yennik.com.
We have clients in 37 states and more than 40 years banking and bank
examining experience.