Internet Banking News

February 25, 2007

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - The Internet Banking News is emailed to you every weekend. If you do not receive by Monday, please check your spam filter settings. If this was not the reason, please email R. Kinney Williams at examiner@yenni.com. We will do our best to figure out the problem.

FYI - Daylight Savings Time Change: Risk Management Guidance - Banks may be exposed to a variety of risks from the upcoming change in the schedule for Daylight Savings Time.
OCC - www.occ.treas.gov/ftp/bulletin/2007-9.html
FDIC - http://www.fdic.gov/news/news/financial/2007/fil07017.html

FYI - Internet DOS attacks spur exchange between government, private sector - Tuesday's denial-of-service attacks against three of the Internet's root DNS servers did not rise to the level of a major cyberincident, but it did highlight the government's efforts to coordinate responses with private-sector infrastructure providers. http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=43105

FYI - Pa. coroner charged with giving reporters 911 center password - A county coroner was charged Monday with illegally giving newspaper reporters a password to access the emergency 911 system's confidential Web site and conspiring with the reporters to commit computer crime. http://www.phillyburbs.com/pb-dyn/news/103-02052007-1294444.html

FYI - Another good reason to stop using telnet - There is a major zero day bug announced in solaris 10 and 11 with the telnet and login combination. It has been verified. In my opinion NOBODY be should running telnet open to the internet. Versions of Solaris 9 and lower do not appear to have this vulnerability. http://isc2.sans.org/diary.html?storyid=2220

FYI - Mobile Attacks Jumped Fivefold in 2006, Study Says - The number of security attacks reported by mobile phone operators in 2006 jumped fivefold over the year before, a McAfee study reports. http://www.pcworld.com/article/id,128952-c,privacysecurity/article.html

FYI - Bank of America to Launch Mobile Banking - Online customers can soon move money, pay bills by cell phones and smart phones. http://www.pcworld.com/article/129030-1/article.html?tk=nl_dnxnws

MISSING COMPUTERS/DATA

FYI - Lost Computer Tapes Had Details on 135,000 Workers, Patients - Personal data on about 135,000 Johns Hopkins employees and patients were lost last month, the university announced yesterday, when a contractor did not return backup computer tapes from the hospital and the university payroll. http://www.washingtonpost.com/wp-dyn/content/article/2007/02/07/AR2007020701004_pf.html

FYI - Social Security numbers found on UNL Web site - A University of Nebraska-Lincoln employee accidentally posted the Social Security numbers of 72 students, professors and staff members on the university's public Web site, where they remained for more than two years before UNL officials caught the gaffe Tuesday. http://www.omaha.com/index.php?u_page=1000&u_sid=2326625

FYI - Burglary leads to ID theft concerns - More than 500 people whose personal information was stolen from a Bay Street apartment where a state tax auditor lives have been notified they may be susceptible to identity theft. http://poststar.com/articles/2007/02/06/news/doc45c8abf57b7ae609243186.txt

FYI - Thieves stole four computer hard drives containing financial, personnel and research files from the office of the International Monetary Fund in the Azerbaijani capital, police and a fund official said Tuesday. The theft happened sometime Monday morning at the fund's Baku offices, located in the Finance Ministry's main administrative building, a worker at the fund told The Associated Press. http://www.abcmoney.co.uk/news/06200718804.htm

FYI - FBI Loses 3 To 4 Laptops Every Month - Some of the recently lost or stolen computers contained 'sensitive' information, but the extent of the damage from the losses is unknown. Three to four laptops are lost or stolen from the FBI every month, according to a report issued this month from the Justice Department's Inspector General. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=197005446

FYI - VA loses sensitive information on 1.3 million doctors - The hard drive that went missing from a Birmingham, Ala., Veterans Affairs Department facility last month contained highly sensitive information on nearly all U.S. physicians and medical data for about 535,000 VA patients, agency officials announced over the weekend. http://www.govexec.com/story_page.cfm?articleid=36113&dcn=todaysnews

FYI - Hacker gets state credit card info - Web site breach affects thousands of Hoosiers, businesses - State technology officials sent letters Friday to 5,600 people and businesses informing them that a hacker obtained thousands of credit card numbers from the state Web site. http://www.fortwayne.com/mld/journalgazette/16667910.htm

FYI - Personal Identity Data Exposure Incident - On January 5, 2007, Radford University (RU) staff discovered a computer virus on University owned computers. This virus has caused a potential security breach involving personal information on a server located in the Waldron College of Health and Human Services. We view this matter with the highest degree of concern and immediately removed this server from the network while adopting efforts to prevent a recurrence of the experience. During the intervening days we have been conducting an investigation to determine who might be affected. http://wchs-web.asp.radford.edu/security/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (4 of 12)

Reaction Procedures

Assessing security incidents and identifying the unauthorized access to or misuse of customer information essentially involve organizing and developing a documented risk assessment process for determining the nature and scope of the security event. The goal is to efficiently determine the scope and magnitude of the security incident and identify whether customer information has been compromised.

Containing and controlling the security incident involves preventing any further access to or misuse of customer information or customer information systems. As there are a variety of potential threats to customer information, organizations should anticipate the ones that are more likely to occur and develop response and containment procedures commensurate with the likelihood of and the potential damage from such threats. An institution's information security risk assessment can be useful in identifying some of these potential threats. The containment procedures developed should focus on responding to and minimizing potential damage from the threats identified. Not every incident can be anticipated, but institutions should at least develop containment procedures for reasonably foreseeable incidents.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 1 of 4)

Automated intrusion detection systems (IDS) use one of two methodologies, signature and heuristics. An IDS can target either network traffic or a host. The signature-based methodology is generally used on network traffic. An IDS that uses a signature-based methodology reads network packets and compares the content of the packets against signatures, or unique characteristics, of known attacks and known anomalous network traffic. When a match is recognized between current readings and a signature, the IDS generates an alert.

A general weakness in the signature-based detection method is that a signature must exist for an alert to be generated. Attacks that generate different signatures from what the institution includes in its IDS will not be detected. This problem can be particularly acute if the institution does not continually update its signatures to reflect lessons learned from attacks on itself and others, as well as developments in attack tool technologies. It can also pose problems when the signatures only address known attacks, rather than both known attacks and anomalous traffic. Another general weakness is in the capacity of the IDS to read traffic. If the IDS falls behind in reading network traffic, traffic may be allowed to bypass the IDS. That traffic may contain attacks that would otherwise cause the IDS to issue an alert.

Proper placement of network IDS is a strategic decision determined by the information the institution is trying to obtain. Placement outside the firewall will deliver IDS alarms related to all attacks, even those that are blocked by the firewall. With this information, an institution can develop a picture of potential adversaries and their expertise based on the probes they issue against the network.

Because the placement is meant to gain intelligence on attackers rather than to alert on attacks, tuning generally makes the IDS less sensitive than if it is placed inside the firewall. An IDS outside the firewall will generally alert on the greatest number of unsuccessful attacks. IDS monitoring behind the firewall is meant to detect and alert on hostile intrusions. Multiple IDS units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the IDS is to sensitive data, the more important the tuning, monitoring, and response to IDS alerts. The National Institute of Standards and Technology (NIST) recommends network intrusion detection systems "at any location where network traffic from external entities is allowed to enter controlled or private networks."

Return to the top of the newsletter

IT SECURITY QUESTION: INTRUSION DETECTION AND RESPONSE

2. Determine if the IDSs identified as necessary in the risk assessment process are properly installed and configured.

3. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant.

! Identify personnel responsible for defining and setting firewall rulesets and routing controls.
! Review procedures for updating and changing rulesets and routing controls.
! Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

42. Does the institution provide the consumer with a reasonable opportunity to opt out such as by:

a. mailing the notices required by §10 and allowing the consumer to respond by toll-free telephone number, return mail, or other reasonable means (see question 22) within 30 days from the date mailed; [§10(a)(3)(i)]

b. where the consumer opens an on-line account with the institution and agrees to receive the notices required by §10 electronically, allowing the consumer to opt out by any reasonable means (see question 22) within 30 days from consumer acknowledgement of receipt of the notice in conjunction with opening the account; [§10(a)(3)(ii)] or

c. for isolated transactions, providing the notices required by §10 at the time of the transaction and requesting that the consumer decide, as a necessary part of the transaction, whether to opt out before the completion of the transaction? [§10(a)(3)(iii)]