December 29, 2002

THANK YOU - Because of your help, more than 2,100 subscribers read our e-newsletters each week. Further, our web sites had over 1,600,000 hits during 2002. Our web site audit and vulnerability-penetration testing clients are located in 35 states. Your comments and suggestions are always welcome. Please let us know how we can serve your Internet security needs. Thank you, R. Kinney Williams, President, R. Kinney Williams & Associates.
FYI - Non-work-related Web surfing activity is behind an explosion in virus-driven network security disasters, according to a recent Australian survey.
ZDNet Article - http://www.zdnet.com.au/newstech/hr/story/0,2000024989,20270733,00.htm
Australian survey - http://www.websense.com/company/news/research/Australian_Web@Work_Survey_2002.doc
US Report - http://www.websense.com/company/news/research/webatwork2002.pdf
European Report - http://www.websense.com/company/news/research/Internet_Misuse_Survey_2002.pdf
FYI - e-Commerce Guide for Credit Unions - The guide offers information to assist credit unions engaging in, or considering, e-Commerce activities (electronic delivery of financial services via the Internet). Credit unions can use this information as a guide to aid in the planning, contracting, delivery, and support of e-Commerce activities. www.ncua.gov/Ref/letters/02-CU-17.htm
FYI - Terrorists on the Net? Who Cares? - To all those Chicken Littles clucking frantically about the imminent threat of a terrorist attack on U.S. computer networks, a new report says: Knock it off. Online attacks are merely "weapons of mass annoyance," no more harmful than the routine power failures, airplane delays and dropped phone calls that take place every day. http://www.wired.com/news/infostructure/0,1377,56935,00.html
FYI - Ex-IT worker charged with sabotage - A former system administrator for UBS PaineWebber appeared in a New Jersey federal court Tuesday on charges of sabotaging two-thirds of the company's computer systems in an attempt to crash its stock price. http://news.com.com/2100-1001-978386.html
FYI - Bank Secrecy Act/Anti-Money Laundering - This bulletin transmits a notice of designation of Nauru and Ukraine as Primary Money Laundering Concerns. www.occ.treas.gov/ftp/bulletin/2002-47.txt
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.
Additionally, the regulations clarify that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but is similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization
via a home banking system. To satisfy the regulatory requirements,
the institution must have some means to identify the consumer (such
as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or
other visual display that enables the consumer to read the
communication from the institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, the timing of a consumer's report of an
unauthorized transaction, loss, or theft of an access device determines
the consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

Host- Versus Network-Based Vulnerability Assessment Tools

As with intrusion detection systems, which are discussed later in this
appendix, there are generally two types of vulnerability assessment
tools: host-based and network-based.
Another category is sometimes used for products that assess
vulnerabilities of specific applications (application-based) on a
host. A host is
generally a single computer or workstation that can be connected to
a computer network. Host-based
tools assess the vulnerabilities of specific hosts.
They usually reside on servers, but can be placed on specific
desktop computers, routers, or even firewalls.
Network-based vulnerability assessment tools generally reside on the
network, specifically analyzing the network to determine if it is
vulnerable to known attacks. Both host- and network-based products offer valuable
features, and the risk assessment process should help an institution
determine which is best for its needs.
Information systems personnel should understand the types of
tools available, how they operate, where they are located, and the
output generated from the tools.
Host-based vulnerability assessment tools are effective at
identifying security risks that result from internal misuse or
hackers using a compromised system.
They can detect holes that would allow access to a system
such as unauthorized modems, easily guessed passwords, and unchanged
vendor default passwords. The
tools can detect system vulnerabilities such as poor virus
protection capabilities; identify hosts that are configured
improperly; and provide basic information such as user log-on hours,
password/account expiration settings, and users with dial-in access.
The tools may also provide a periodic check to confirm that
various security policies are being followed.
For instance, they can check user permissions to access files
and directories, and identify files and directories without
ownership.
Network-based vulnerability assessment tools are more effective than
host-based at detecting network attacks such as denial of service
and Internet Protocol (IP) spoofing.
Network tools can detect unauthorized systems on a network or
insecure connections to business partners.
Running a host-based scan does not consume network overhead,
but can consume processing time and available storage on the host.
Conversely, frequently running a network-based scan as part
of daily operations increases network traffic during the scan.
This may cause inadvertent network problems such as router
crashes.
FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail you a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
Servicing Transactions
48. If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice
in §8, and for service providers and joint marketing in §13, not
apply because the information is disclosed as necessary to effect,
administer, or enforce a transaction that the consumer requests or
authorizes, or in connection with:
a. servicing or processing a financial product or service
requested or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the
institution or with another entity as part of a private label credit
card program or other credit extension on behalf of the entity; or [§14(a)(2)]
c. a proposed or actual securitization, secondary market sale
(including sale of servicing rights) or other similar transaction
related to a transaction of the consumer? [§14(a)(3)]
IN CLOSING - We hope you have a prosperous New Year.