R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 15, 2009

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI -
Energy Efficiency of the FDIC's Virginia Square Facility and Information Technology Data Center - As outlined in our engagement letter, our objective was to evaluate the Corporation's efforts to conserve energy in its operations of the Virginia Square facility, including the Student Residence Center and Information Technology (IT) data center, and identify opportunities to further conserve energy and/or reduce utility costs. http://www.fdicig.gov/reports08/08-005EV.pdf

FYI -
Independent Evaluation of the FDIC's Information Security Program-2008 - Audit Results - In general, with respect to the information technology systems and common controls reviewed, KPMG found that the related program and operational controls demonstrated effectiveness while management and technical controls warranted management attention. http://www.fdicig.gov/reports08/08-020.pdf

FYI -
Banks, credit unions scramble in wake of Heartland breach - Several have begun reporting fraud associated with exposed cards - In the first real indication of the scope of the recently disclosed data breach at Heartland Payment Systems Inc., banks and credit unions from Washington to Maine have begun to reissue thousands of credit and debit cards over the past few days. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126879&intsrc=hm_list

FYI -
Cybercrime cost firms $1 trillion globally - Data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage last year, according to a new study from McAfee.  http://news.cnet.com/8301-1009_3-10152246-83.html

FYI -
Educators see secure coding training challenges, improvements - College-level courses designed to train aspiring application developers in the latest secure coding practices are generally hard to find, but professors that run two of the most prestigious security training programs in the United States say course offerings are improving and students are lining up to take them. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346086,00.html# 

FYI -
GAO - Further Actions Needed to Address Risks to Bank Secrecy Act Data.
http://gcn.com/Articles/2009/02/02/FinCEN-020209.aspx 
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-09-195
Highlights - http://www.gao.gov/highlights/d09195high.pdf

FYI -
GAO - Federal Information System Controls Audit Manual (FISCAM). http://www.gao.gov/cgi-bin/getrpt?GAO-09-232G

FYI -
Stimulus bill includes protection for digital health care records - A portion of the $818 billion stimulus bill that was passed this week by the U.S. House calls for computerizing all health records in five years, but the legislation also contains stringent privacy and security controls to protect this online data. http://www.scmagazineus.com/Stimulus-bill-includes-protection-for-digital-health-care-records/article/126694/?DCMP=EMC-SCUS_Newswire

FYI -
U.S. Veteran Affairs Department settles data breach case - The U.S. Department of Veterans Affairs (VA) has settled a class-action lawsuit resulting from a massive data breach that left 26.5 million active duty troops and veterans open to the risk of identity theft. http://www.scmagazineus.com/US-Veteran-Affairs-Department-settles-data-breach-case/article/126518/?DCMP=EMC-SCUS_Newswire

FYI -
Three hospital worm infection dubbed 'substantive failure' - A worm attack that forced three London hospitals to shut down their computer networks late last year was entirely avoidable and represented a major failing by the organizations' IT staff, according to an independent review of the incident. http://www.theregister.co.uk/2009/02/02/nhs_worm_infection_aftermath/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Austin road sign warns motorists of zombies - An Austin road sign meant to warn motorists about road conditions instead read: "The end is near! Caution! Zombies ahead!" http://www.dallasnews.com/sharedcontent/dws/news/localnews/transportation/stories/013009dnmetzombies.1595f453.html

FYI -
Hackers get into government jobs site - The database that stores users' information for the federal government's jobs Web site, USAJobs, has been hacked. Some account data, including user IDs, passwords, e-mail addresses, names and phone numbers was taken, according to an alert posted on the site. http://fcw.com/Articles/2009/02/02/Government-jobs-site-is-hacked.aspx

FYI -
Techwatch weathers DDoS extortion attack - Techwatch is back online following a sustained denial of service attack that left the digital TV news site unavailable for two days earlier this week. The botnet-powered assault was accompanied by blackmail demands posted on the site's forum through compromised zombie machines. These threatening messages claimed the site was being carpetbombed with spurious traffic generated through a 9,000 strong botnet of compromised machines. http://www.theregister.co.uk/2009/01/30/techwatch_ddos/


WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)

Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers, would supplement electronic disclosures with paper disclosures.


 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.  


ENCRYPTION KEY MANAGEMENT

Since security is primarily based on the encryption keys, effective key management is crucial. Effective key management systems are based on an agreed set of standards, procedures, and secure methods that address

! Generating keys for different cryptographic systems and different applications;
! Generating and obtaining public keys;
! Distributing keys to intended users, including how keys should be activated when received;
! Storing keys, including how authorized users obtain access to keys;
! Changing or updating keys including rules on when keys should be changed and how this will be done;
! Dealing with compromised keys;
! Revoking keys and specifying how keys should be withdrawn or deactivated;
! Recovering keys that are lost or corrupted as part of business continuity management;
! Archiving keys;
! Destroying keys;
! Logging and auditing of key management-related activities; and
! Instituting defined activation and deactivation dates, limiting the usage period of keys.

Secure key management systems are characterized by the following precautions.

! Key management is fully automated (e.g. personnel do not have the opportunity to expose a key or influence the key creation).
! No key ever appears unencrypted.
! Keys are randomly chosen from the entire key space, preferably by hardware.
! Key-encrypting keys are separate from data keys. No data ever appears in clear text that was encrypted using a key-encrypting key. (A key-encrypting key is used to encrypt other keys, securing them from disclosure.)
! All patterns in clear text are disguised before encrypting.
! Keys with a long life are sparsely used. The more a key is used, the greater the opportunity for an attacker to discover the key.
! Keys are changed frequently. The cost of changing keys rises linearly while the cost of attacking the keys rises exponentially. Therefore, all other factors being equal, changing keys increases the effective key length of an algorithm.
! Keys that are transmitted are sent securely to well-authenticated parties.
! Key generating equipment is physically and logically secure from construction through receipt, installation, operation, and removal from service.
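As an added illustration of the precautions above (example code written for this newsletter, not from the FFIEC booklet or from Yennik): a small envelope-encryption scheme in Go in which data keys are drawn from the OS random source, are stored only wrapped under a separate key-encrypting key, and can be re-wrapped when the key-encrypting key is changed without re-encrypting the data. It assumes the key-encrypting key itself is held outside this code, ideally in an HSM.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// RandomKey draws 256 bits from the OS CSPRNG: the whole key space, never a human choice.
func RandomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no entropy source: refuse to continue with a weak key
	}
	return k
}
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not a runtime condition
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}
// Seal returns nonce||ciphertext||tag under AES-256-GCM; Open verifies the tag and reverses it.
func Seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := RandomKey()[:g.NonceSize()] // fresh random nonce for every message
	return g.Seal(nonce, nonce, pt, nil)
}
func Open(key, ct []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// Envelope keeps the data-encrypting key (DEK) only wrapped under a separate key-encrypting
// key (KEK) held elsewhere (assumed: an HSM); the DEK appears in clear only transiently in memory.
type Envelope struct{ WrappedDEK []byte }
func NewEnvelope(kek []byte) *Envelope                 { return &Envelope{Seal(kek, RandomKey())} }
func (e *Envelope) Unwrap(kek []byte) ([]byte, error)  { return Open(kek, e.WrappedDEK) } // one use
// Rewrap rotates the KEK by re-encrypting just the 32-byte DEK; bulk ciphertext is untouched.
func (e *Envelope) Rewrap(oldKEK, newKEK []byte) error {
	dek, err := e.Unwrap(oldKEK)
	if err == nil {
		e.WrappedDEK = Seal(newKEK, dek)
	}
	return err
}
```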



IT SECURITY QUESTION:

E. PHYSICAL SECURITY

4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance. Consider the use of halon gas, computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 3 of 3)

C. Opt Out Right 

1)  Review the financial institution's opt out notices. An opt out notice may be combined with the institution's privacy notices. Regardless, determine whether the opt out notices:

a.  Are clear and conspicuous (§§3(b) and 7(a)(1));

b.  Accurately explain the right to opt out (§7(a)(1));

c.  Include and adequately describe the three required items of information (the institution's policy regarding disclosure of nonpublic personal information, the consumer's opt out right, and the means to opt out) (§7(a)(1)); and

d.  Describe how the institution treats joint consumers (customers and those who are not customers), as applicable (§7(d)).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written records where available, determine if the institution has adequate procedures in place to provide the opt out notice and comply with opt out directions of consumers (customers and those who are not customers), as appropriate. Assess the following:

a.  Timeliness of delivery (§10(a)(1));

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9).

c.  Reasonableness of the opportunity to opt out (the time allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii), 10(a)(3)); and

d.  Adequacy of procedures to implement and track the status of a consumer's (customers and those who are not customers) opt out direction, including those of former customers (§7(e), (f), (g)).

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated