FYI - Security is one of the major issues facing organizations that purchase software services from application service providers (ASP). Security issues exist at two key points in the ASP-client relationship: transmission and access. Organizations must protect the data moving between themselves and the ASP and secure the data that is stored on the ASP's servers. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5462

FYI - European Union develops cyber crime forensics standards - The IT industry has teamed up with academics and the European Union researchers to develop standards for the investigation of cybercrime. http://www.theregister.co.uk/content/55/33615.html

FYI - FFIEC Information Technology Examination Handbook - The Federal Financial Institutions Examination Council has issued three booklets with guidance on: evaluating electronic banking activities; IT audits; and the FedLine electronic funds transfer application. www.fdic.gov/news/news/financial/2003/fil0383.html

FYI - New law would require computer security audits, status reports - New legislation being drafted in the U.S. House of Representatives, which could be introduced as early as next week, would require all publicly traded companies to conduct independent computer security assessments and report the results yearly in their annual reports. http://www.computerworld.com/printthis/2003/0,4814,86455,00.html

FYI - Check Clearing for the 21st Century Act - The Check Clearing for the 21st Century Act was signed into law on October 28, 2003, and will become effective on October 28, 2004. Check 21 is designed to foster innovation in the payments system and to enhance its efficiency by reducing some of the legal impediments to check truncation. www.federalreserve.gov/paymentsystems/truncation/default.htm

FYI - Citibank Customers Hit With E-Mail Scam - Fake e-mail, spoof site used to gain personal information. http://www.pcworld.com/news/article/0,aid,113118,tk,dn102703X,00.asp
INTERNET COMPLIANCE - "Member FDIC" Logo - When is it required?

The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds.

Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page. Subsidiary web pages that advertise deposits must contain the official advertising statement. Conversely, subsidiary web pages that relate to loans do not require the official advertising statement.

CLIENTS - For more information regarding the "Member FDIC" logo, please visit http://www.fdic.gov/regulations/resources/signage/index.html.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 2 of 2)

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset, or a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.
Client attacks are an area of vulnerability common to all authentication mechanisms. Passwords, for instance, can be captured by hardware- or software-based keystroke capture mechanisms. PKI private keys could be captured or reverse-engineered from their tokens. Protection against these attacks primarily consists of physically securing the client systems, and, if a shared secret is used, changing the secret on a frequency commensurate with risk. While physically securing the client system is possible within areas under the financial institution's control, client systems outside the institution may not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records the authentication as it is communicated between a client and the financial institution system, then later uses that recording to establish a new session with the system and masquerade as the true user. Protections against replay attacks include changing cryptographic keys for each session, using dynamic passwords, expiring sessions through the use of time stamps, expiring PKI certificates based on dates or number of uses, and implementing liveness tests for biometric systems.

Hijacking is an attacker's use of an authenticated user's session to communicate with system components. Controls against hijacking include encryption of the user's session and the use of encrypted cookies or other devices to authenticate each communication between the client and the server.
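The replay and hijacking controls above (time stamps, one-time values, and authenticating each communication) can be combined in a per-message authenticator. The following is an added illustration, not code from the FFIEC booklet; it assumes a constructed per-client shared HMAC key in place of a negotiated session key and a 30-second freshness window, and it shows why a bad MAC must not consume a nonce.

```python
import hashlib
import hmac
import secrets
# Constructed example, not the booklet's code: a per-client shared HMAC key stands in
# for the session key, and every message carries a time stamp plus a one-time nonce.
FRESHNESS_WINDOW = 30  # seconds a time stamp remains acceptable (assumed policy)

def message_mac(key: bytes, client_id: str, ts: int, nonce: str, body: bytes) -> str:
    """MAC over identity, time stamp, nonce and body, so none can be swapped out."""
    return hmac.new(key, f"{client_id}|{ts}|{nonce}|".encode() + body, hashlib.sha256).hexdigest()

def client_sign(key: bytes, client_id: str, body: bytes, now: int) -> dict:
    """Client side: one authenticated message with a fresh nonce (a dynamic password)."""
    nonce = secrets.token_hex(16)
    return {"client_id": client_id, "ts": now, "nonce": nonce, "body": body,
            "mac": message_mac(key, client_id, now, nonce, body)}

class ReplayGuard:
    """Server side: accepts each (client, nonce) once, and only inside the window."""
    def __init__(self, keys: dict, window: int = FRESHNESS_WINDOW):
        self.keys = keys      # client_id -> shared key
        self.window = window
        self.seen = {}        # (client_id, nonce) -> time after which it can be forgotten
    def verify(self, msg: dict, now: int) -> str:
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}  # purge old nonces
        key = self.keys.get(msg["client_id"])
        if key is None:
            return "unknown client"
        if abs(now - msg["ts"]) > self.window:
            return "stale timestamp"   # recording presented after the window closed
        expected = message_mac(key, msg["client_id"], msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad mac"           # tampered or forged; nonce is NOT recorded
        marker = (msg["client_id"], msg["nonce"])
        if marker in self.seen:
            return "replay"            # the same recording presented a second time
        self.seen[marker] = msg["ts"] + self.window
        return "ok"

def demo() -> list:
    key = secrets.token_bytes(32)
    guard = ReplayGuard({"acct-1001": key})
    msg = client_sign(key, "acct-1001", b"transfer 100 to 2002", now=1_000_000)
    results = [guard.verify(msg, now=1_000_005)]            # ok
    results.append(guard.verify(msg, now=1_000_010))        # replay
    results.append(guard.verify(dict(msg, body=b"transfer 900 to 2002"), now=1_000_010))  # bad mac
    late = client_sign(key, "acct-1001", b"balance", now=1_000_000)
    results.append(guard.verify(late, now=1_000_100))       # stale timestamp
    return results
```

The nonce cache only needs to hold entries for the length of the freshness window, because anything older is already rejected by the time-stamp check.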
IT SECURITY QUESTION:

B. NETWORK SECURITY

16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)
INTERNET AUDITING SERVICES - R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions. With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA). You will find information about VISTA at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.