FYI - Risk Management of Wireless Networks - This advisory letter highlights risks associated with wireless networks and provides guidance for managing those risks. National banks can use this guidance to help in protecting company assets and confidential customer information, achieving service level requirements, maintaining safe and sound practices, and ensuring compliance with regulatory security expectations. www.occ.treas.gov/ftp/advisory/2003-10.txt
FYI - Slip-up exposes database to prying eyes - The database--frequently used by law enforcement, credit agencies and private investigators--was accessible through a simple search form on the Web and contained millions of names, social security numbers, phone records and public records such as residential histories, confirmed LocatePlus.com, which provides the database service.
Article: http://news.com.com/2100-1029-5118138.html?part=dht&tag=ntop
FYI - Feds get a 'D' in computer security - U.S. federal departments and agencies are showing some improvement in protecting their computer networks, but many--including the Department of Homeland Security--are failing, according to a government report.
Article: http://www.fcw.com/fcw/articles/2003/1208/web-grades-12-09-03.asp
Article: http://news.com.com/2100-7355_3-5118344.html?tag=nefd_top
FYI - FTC investigates PetCo.com security hole - Pet supply retailer PetCo disclosed this week that its security and privacy practices are the target of an investigation by the U.S. Federal Trade Commission (FTC), which is following up on an e-commerce security gaffe that left as many as 500,000 credit card numbers accessible from the Web earlier this year. http://www.securityfocus.com/news/7581
FYI - Half of small firms want to ditch Windows for Linux - One in four small companies are testing Linux, and half of them hope to use it as their core operating system in place of Windows, according to a survey by IBM. The companies surveyed believe the open-source operating system will not only save them money, but will be more secure, stable and flexible. http://www.silicon.com/software/os/0,39024651,39117247,00.htm
FYI - How do you manage IM and P2P in a business environment? - With the growth of Instant Messaging and peer-to-peer (P2P) technologies, businesses are increasingly facing security and management challenges. Simply denying service to employees is not the answer; IT departments need not fear P2P networks, but instead must embrace these channels as the future of person-to-person messaging. http://www.infosecnews.com/opinion/2003/12/10_03.htm
FYI - Virus clean up costs four times higher than predicted - It costs four times more to clean up after a virus than previously thought, according to a survey of large enterprise IT departments. http://www.silicon.com/software/security/print.htm?TYPE=story&AT=39117165-39024655t-40000024c
FYI - IT security pros confident of defenses - Despite a significant increase in reported security incidents over the past year, a survey released this week by two industry groups reveals a high level of confidence on the part of IT security professionals. http://www.computerworld.com/printthis/2003/0,4814,87800,00.html
FYI - Congress OKs antispam legislation - The U.S. Congress on Monday gave final approval to the first federal law regulating spam, which President Bush has indicated he will sign before the end of the year. http://zdnet.com.com/2100-1105_2-5116940.html
FYI - Viruses, Worms Will Worsen in 2004 - Improved hacker tools, next-generation attacks will cause problems, experts predict. http://www.pcworld.com/news/article/0,aid,113843,tk,dn121103X,00.asp
INTERNET COMPLIANCE - We begin this week reviewing the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques" issued in April 2003.
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking
relationships are exposed to several risks associated with the use
of this technology. The most significant risks are reputation
risk and compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial
institution or the linked third party is offering products and
services;
- customer dissatisfaction with the quality of products or
services obtained from a third party; and
- customer confusion as to whether certain regulatory
protections apply to third-party products or services.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
TCP/IP Packets
TCP/IP is a packet-based communications system. A packet consists
of a header and a data payload. A header is analogous to a mail
envelope, containing the information necessary for delivery of the
envelope, and the return address. The data payload is the content of
the envelope. The IP packet header contains the address of the
sender (source address) and the intended recipient (destination
address) and other information useful in handling the packet. Under
IP, the addresses are unique numbers known as IP addresses. Each
machine on an IP network is identified by a unique IP address. The
vast majority of IP addresses are publicly accessible. Some IP
addresses, however, are reserved for use in internal networks. Those
addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255,
and 192.168.0.0 - 192.168.255.255. Since those internal addresses are not
accessible from outside the internal network, a gateway device is
used to translate the external IP address to the internal address.
The device that translates external and internal IP addresses is
called a network address translation (NAT) device. Other IP packet
header fields include the protocol field (e.g., 1=ICMP, 6=TCP, 7=UDP),
flags that indicate whether routers are allowed to fragment the
packet, and other information.
If the IP packet indicates the protocol is TCP, a TCP header will
immediately follow the IP header. The TCP header contains the source
and destination ports, the sequence number, and other information.
The sequence number is used to order packets upon receipt and to
verify that all packets in the transmission were received.
Information in headers can be spoofed, or specially constructed to
contain misleading information. For instance, the source address can
be altered to reflect an IP address different from the true source
address, and the protocol field can indicate a different protocol
than actually carried. In the former case, an attacker can hide
their attacking IP, and cause the financial institution to believe
the attack came from a different IP and take action against that
erroneous IP. In the latter case, the attacker can craft an attack
to pass through a firewall and attack with an otherwise disallowed
protocol.
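The header layout and the source-address spoofing point above, worked through as an added example (this is not code from the FFIEC booklet or the newsletter): the block parses a constructed IPv4 header with Python's struct module, reads the source and destination addresses, the protocol number, the fragmentation flags, and, when the protocol is TCP, the ports and sequence number, then applies the ingress rule a perimeter device should enforce, namely that a packet arriving on the Internet-facing interface must never carry one of the reserved internal source ranges listed above. Protocol numbers follow the IANA registry, in which UDP is 17. The packet builders, sample addresses and the function names are constructed for this example.

```python
"""Parse IPv4 (and TCP) headers and apply an ingress anti-spoofing check.

Added example for the newsletter's TCP/IP packet discussion; not code
from the FFIEC booklet. All packets below are constructed in memory.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Protocol numbers as registered by IANA (UDP is 17).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Reserved internal ranges named in the text (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ParsedPacket:
    src: str
    dst: str
    protocol: int
    protocol_name: str
    dont_fragment: bool   # routers must not fragment this packet
    more_fragments: bool  # further fragments follow
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    seq: Optional[int] = None


def parse_ipv4(raw: bytes) -> ParsedPacket:
    """Decode the 20-byte fixed IPv4 header; decode the TCP header if protocol 6."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    pkt = ParsedPacket(
        src=str(ipaddress.IPv4Address(src)),
        dst=str(ipaddress.IPv4Address(dst)),
        protocol=proto,
        protocol_name=PROTO_NAMES.get(proto, "other"),
        dont_fragment=bool(flags_frag & 0x4000),   # DF bit
        more_fragments=bool(flags_frag & 0x2000),  # MF bit
    )
    if proto == 6:
        tcp = raw[ihl:ihl + 20]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        # source port, destination port, sequence number
        pkt.src_port, pkt.dst_port, pkt.seq = struct.unpack("!HHI", tcp[:8])
    return pkt


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def ingress_verdict(pkt: ParsedPacket) -> str:
    """Verdict for a packet seen on the Internet-facing interface.

    A private source address cannot legitimately arrive from outside, so it
    is treated as spoofed and dropped rather than acted upon.
    """
    if is_private(pkt.src):
        return "drop: private source address on external interface (likely spoofed)"
    return "accept"


# --- constructed sample packets (hypothetical addresses from documentation ranges) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"", df: bool = True) -> bytes:
    flags_frag = 0x4000 if df else 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_tcp(src_port: int, dst_port: int, seq: int) -> bytes:
    # data offset 5 words, SYN flag set, window 65535, checksum and urgent pointer 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


SAMPLES = {
    "legit_syn": build_ipv4("203.0.113.5", "198.51.100.10", 6, build_tcp(40000, 443, 12345)),
    "spoofed_private": build_ipv4("10.1.2.3", "198.51.100.10", 6, build_tcp(1025, 22, 1)),
    "icmp": build_ipv4("198.51.100.77", "198.51.100.10", 1),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        parsed = parse_ipv4(raw)
        print(f"{name}: {parsed} -> {ingress_verdict(parsed)}")
```

The same check generalizes to any address the perimeter should never see as a source from outside (the institution's own public ranges, loopback, unassigned space); extending PRIVATE_RANGES is all that is needed. Note that the protocol-field spoofing described in the text cannot be caught by header parsing alone, since the header only claims what follows it; a firewall has to inspect the payload against the claimed protocol.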
IT SECURITY QUESTION:
C. HOST SECURITY
3. Determine if adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information
about a consumer to a nonaffiliated third party, and the exceptions
under §§13-15 do not apply, does the institution provide the
consumer with a clear and conspicuous opt out notice that accurately
explains the right to opt out? [§7(a)(1)]
INTERNET AUDITING SERVICES - R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions. With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA). You will find information about VISTA at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.