FYI - Wanted: Chief Espionage Officer - Corporate America
faces a new kind of cracker. Information-technology managers and
chief technology officers - the people charged with safeguarding
corporate networks - are engaging in acts of digital espionage. In
the past two years, a half-dozen cases have hit the courts, charging
that technology executives have broken into the computer systems of
a rival.
http://www.baselinemag.com/article2/0,1397,1744061,00.asp
FYI - S. Korean Law Would Hold Banks Liable for Cyber
Attacks - Starting from 2006, financial institutions will be held
responsible for any damage consumers may suffer at the hands of
hackers or from malfunctioning computer systems while engaging in
financial transactions on the Internet.
http://english.chosun.com/w21data/html/news/200412/200412300030.html
FYI - Online Privacy News - Spyware, Computer Worms Plague
Internet - Spyware, computer worms and phishing were among the top
Internet threats of 2004 as the perpetrators grew smarter and more
sophisticated, driven more than ever by economic gains. And while
technology to combat such threats has improved, experts concede
that's not enough to address what's bound to emerge in the coming year.
http://www.computer-security-news.com/artman/publish/printer_plague-4998.shtml
FYI - No warrant needed to search your work PC - Police do
not need a search warrant to examine an employee's computer for
incriminating files, a Washington state appeals court has ruled.
http://news.com.com/Court+No+warrant+needed+to+search+your+work+PC/2100-1030_3-5513266.html?tag=cd.top
FYI - The Legal Realities of Computer Logs - Business and
technology leaders have historically been aware of issues related to
information assurance, such as privacy and the reliability of
information property within corporate computer networks.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5569
FYI - FFIEC Information Technology Examination Handbook - The
Federal Financial Institutions Examination Council completed its
update of the 1996 FFIEC Information Systems Examination Handbook
earlier this year with the release of the last two of twelve
booklets that now comprise the new FFIEC Information Technology
Examination Handbook.
www.federalreserve.gov/boarddocs/SRLETTERS/2004/sr0420.htm
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against
E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes. Enhancements may include:
- Incorporating notification procedures to alert customers of known e-mail and Internet-related fraudulent schemes and to caution them against responding;
- Establishing a process to notify Internet service providers, domain name-issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that may be used to facilitate phishing or other e-mail and Internet-related fraudulent schemes;
- Increasing suspicious activity monitoring and employing additional identity verification controls;
- Offering customers assistance when fraud is detected in connection with customer accounts;
- Notifying the proper authorities when e-mail and Internet-related fraudulent schemes are detected, including promptly notifying their FDIC Regional Office and the appropriate law enforcement agencies; and
- Filing a Suspicious Activity Report when incidents of e-mail and Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should
be considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
- Improving authentication methods and procedures to protect against the risk of user ID and password theft from customers through e-mail and other frauds;
- Reviewing and, if necessary, enhancing practices for protecting confidential customer data;
- Maintaining current Web site certificates and describing how customers can authenticate the financial institution's Web pages by checking the properties on a secure Web page;
- Monitoring accounts individually or in aggregate for unusual account activity such as address or phone number changes, a large or high volume of transfers, and unusual customer service requests;
- Monitoring for fraudulent Web sites using variations of the financial institution's name;
- Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious e-mail messages; and
- Training customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.
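As an added illustration of the account-monitoring item above (example code written for this edit, not part of the FDIC guidance or the newsletter), the following Python flags accounts where an address or phone change is followed within a short window by an unusual number or total of transfers. The log format, field names, account numbers and thresholds are constructed assumptions, not an institution's real data.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample event log (not from the newsletter); one event per line.
SAMPLE_LOG = """\
ts,account,event,amount
2004-12-01T09:00:00,1001,login,0
2004-12-01T09:05:00,1001,transfer,250
2004-12-02T10:00:00,2002,login,0
2004-12-02T10:01:00,2002,phone_change,0
2004-12-02T10:03:00,2002,transfer,4900
2004-12-02T10:06:00,2002,transfer,4800
2004-12-02T10:09:00,2002,transfer,4700
2004-12-03T11:00:00,3003,address_change,0
2004-12-10T11:00:00,3003,transfer,100
"""

CONTACT_CHANGES = {"address_change", "phone_change"}

def parse_events(text):
    """Parse the CSV log into dicts sorted by timestamp."""
    events = [{"ts": datetime.fromisoformat(r["ts"]), "account": r["account"],
               "event": r["event"], "amount": float(r["amount"])}
              for r in csv.DictReader(StringIO(text))]
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_accounts(events, window=timedelta(hours=48),
                             max_transfers=2, max_total=10000.0):
    """Flag an account when an address or phone change is followed, within
    `window`, by more than `max_transfers` transfers or by transfers whose
    total exceeds `max_total` (thresholds are illustrative assumptions)."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    alerts = {}
    for acct, evs in by_account.items():
        for i, e in enumerate(evs):
            if e["event"] not in CONTACT_CHANGES:
                continue
            later = [x for x in evs[i + 1:]
                     if x["event"] == "transfer" and x["ts"] - e["ts"] <= window]
            total = sum(x["amount"] for x in later)
            if len(later) > max_transfers or total > max_total:
                alerts[acct] = {"trigger": e["event"], "transfers": len(later),
                                "total": total}
                break  # one alert per account is enough for review
    return alerts

if __name__ == "__main__":
    for acct, info in find_suspicious_accounts(parse_events(SAMPLE_LOG)).items():
        print(f"account {acct}: {info['trigger']} followed by "
              f"{info['transfers']} transfers totalling {info['total']:.2f}")
```

On the sample log only account 2002 is flagged; account 3003 changed its address but its single transfer falls outside the window, which is the kind of benign case the window is meant to exclude.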
Conclusion
E-mail and Internet-related fraudulent schemes present a
substantial risk to financial institutions and their customers.
Financial institutions should consider developing programs to
educate customers about e-mail and Internet-related fraudulent
schemes and how to avoid them, consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes, and implement appropriate information security controls to
help mitigate the risks associated with e-mail and Internet-related
fraudulent schemes.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(FYI - This is the type of independent diagnostic testing that the
VISTA penetration study covers. Please refer to
http://www.internetbankingaudits.com/ for information.)
Independent diagnostic tests include penetration tests, audits, and
assessments. Independence provides credibility to the test results.
To be considered independent, testing personnel should not be
responsible for the design, installation, maintenance, or operation
of the tested system, nor for the policies and procedures that
guide its operation. The reports generated from the tests should be
prepared by individuals who also are independent of the design,
installation, maintenance, and operation of the tested system.
Penetration tests, audits, and assessments can
use the same set of tools in their methodologies. The nature
of the tests, however, is decidedly different. Additionally, the
definitions of penetration test and assessment, in particular, are
not universally held and have changed over time.
Penetration Tests. A penetration test subjects a system to
real-world attacks selected and conducted by the testing
personnel. The benefit of a penetration test is to identify the
extent to which a system can be compromised before the attack is
identified and assess the response mechanism’s effectiveness.
Penetration tests generally are not a comprehensive test of the
system’s security and should be combined with other independent
diagnostic tests to validate the effectiveness of the security
process.
Audits. Auditing compares current practices against a set of
standards. Industry groups or institution management may create
those standards. Institution management is responsible for
demonstrating that the standards they adopt are appropriate for
their institution.
Assessments. An assessment is a study to locate security
vulnerabilities and identify corrective actions. An assessment
differs from an audit by not having a set of standards to test
against. It differs from a penetration test by providing the tester
with full access to the systems being tested. Assessments may be
focused on the security process or the information system. They may
also focus on different aspects of the information system, such as
one or more hosts or networks.
IT SECURITY QUESTION: ENCRYPTION
6. Determine whether appropriate provisions are made for the recovery
of data should a key be unusable.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who
obtain a new financial product or service, an initial privacy notice
that covers the customer's new financial product or service, if the
most recent notice provided to the customer was not accurate with
respect to the new financial product or service? [§4(d)(1)]
IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and
examiners recommend a security test of your Internet connection.
The Vulnerability Internet Security Test Audit (VISTA) is an
independent external penetration study of {custom4}'s network
connection to the Internet that meets the regulatory requirements.
We are trained information systems auditors who only work with
financial institutions. As auditors, we provide an independent
review of the vulnerability test results and an audit letter to
your Board of Directors certifying the test results. For more
information, visit http://www.internetbankingaudits.com/ or email
Kinney Williams at examiner@yennik.com.