R. Kinney Williams & Associates
Internet Banking News
February 26, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
CONVENTION - The week of March 6, 2006, I am attending the ICBA National Convention and Techworld in Las Vegas. Please stop by my booth #539 to learn more about Internet and network security testing. I look forward to meeting you.
R. Kinney Williams
FYI - Honeywell blames ex-employee in data leak - Payroll, other information on 19,000 workers was published on Web, company says - Honeywell International Inc. says a former employee has disclosed sensitive information relating to 19,000 of the company's U.S. employees.
http://www.computerworld.com/printthis/2006/0,4814,108434,00.html

FYI - Group Crafts Standards for Evaluating Outsourcers - Six large U.S. banks, an industry group and four major accounting firms joined forces in early 2004 to create standards for assessing the security practices of outsourcing vendors that work with financial services firms.
http://www.computerworld.com/printthis/2006/0,4814,108379,00.html

FYI - Brigham sent bank new moms' records - A world-renowned Hub hospital has been mistakenly faxing confidential patient information - including the results of tests for sexually transmitted diseases - to a Boston investment bank despite repeated attempts by the bank to stop it.
http://news.bostonherald.com/localRegional/view.bg?articleid=124753&format=text

FYI - Spyware cost firms $62B in 2005 - An alarming rise in the number of corporate data breaches, combined with a climbing sophistication of spyware threats and distribution methods, made 2005 the "biggest year yet for spyware," new research has claimed.
http://www.scmagazine.com/us/news/article/540680/?n=us

FYI - Feds, firms complete cyberterror drill - Key infrastructure leaders have completed a trial run to measure reactions to a simulated cyberattack, the U.S. Department of Homeland Security announced.
http://www.scmagazine.com/us/news/article/540857/?n=us

FYI - NIST Releases Revised Guide for Systems Security - The National Institute of Standards and Technology has released SP800-18, Guide for Developing Security Plans for Federal Information Systems.
http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf

FYI - Invasion of the Computer Snatchers - Hackers are hijacking thousands of PCs to spy on users, shake down online businesses, steal identities and send millions of pieces of spam. If you think your computer is safe, think again.
http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342_pf.html
WEB SITE COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an attacker to submit false physical characteristics, or to take advantage of system flaws to make the system erroneously report a match between the characteristic submitted and the one stored in the system. In the first situation, an attacker might submit to a thumbprint recognition system a copy of a valid user's thumbprint. The control against this attack involves ensuring a live thumb was used for the submission. That can be done by physically controlling the thumb reader, for instance having a guard at the reader to make sure no tampering or fake thumbs are used. In remote entry situations, logical liveness tests can be performed to verify that the submitted data is from a live subject.
Attacks that involve making the system falsely deny or accept a request take advantage of either the low degrees of freedom in the characteristic being tested, or improper system tuning. Degrees of freedom relate to measurable differences between biometric readings, with more degrees of freedom indicating a more unique biometric. Facial recognition systems, for instance, may have only nine degrees of freedom while other biometric systems have over one hundred. Similar faces may be used to fool the system into improperly authenticating an individual. Similar irises, however, are difficult to find, and it is even more difficult to use them to fool a system into improperly authenticating an individual.
Attacks against system tuning also exist. Any biometric system has rates at which it will falsely accept a reading and falsely reject a reading. The two rates are inseparable; for any given system improving one worsens the other. Systems that are tuned to maximize user convenience typically have low rates of false rejection and high rates of false acceptance. Those systems may be more open to successful attack.
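The tuning trade-off described above can be seen with a small simulation. The following is an added example, not code from the FFIEC booklet or from this newsletter: the match scores are constructed sample values, and the rule "accept when the score meets the threshold" is an assumption about how a generic matcher decides. Sliding the threshold shows that the false-accept and false-reject rates move in opposite directions, which is why a convenience-oriented tuning is the one more open to attack.

```python
# Added illustration of the false-accept / false-reject trade-off; it is not
# code from the FFIEC booklet or from this newsletter. The match scores are
# constructed sample values in [0, 1] (higher = closer match), and the rule
# "accept when score >= threshold" is an assumption about a generic matcher.

# Constructed scores for ten legitimate users presenting their own biometric.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.79, 0.76, 0.72, 0.69, 0.64, 0.58, 0.52]
# Constructed scores for ten impostors; the top two resemble a valid user
# closely enough to score above some genuine readings (a "similar face").
IMPOSTOR_SCORES = [0.61, 0.55, 0.49, 0.47, 0.42, 0.38, 0.33, 0.29, 0.24, 0.18]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (false_accept_rate, false_reject_rate) for one match threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)  # impostor let in
    false_rejects = sum(1 for s in genuine if s < threshold)    # real user turned away
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Tabulate (threshold, FAR, FRR) across candidate tunings, lowest first."""
    return [(t, *error_rates(t, genuine, impostor)) for t in sorted(thresholds)]


def tradeoff_is_monotonic(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """True if raising the threshold never raises FAR and never lowers FRR:
    the two rates cannot be improved independently by tuning alone."""
    rows = sweep(thresholds, genuine, impostor)
    return all(lo[1] >= hi[1] and lo[2] <= hi[2] for lo, hi in zip(rows, rows[1:]))


def equal_error_threshold(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """The candidate threshold at which FAR and FRR are closest (a balanced tuning)."""
    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)
    return min(sorted(thresholds), key=gap)


if __name__ == "__main__":
    candidates = [i / 100 for i in range(101)]
    # A convenience-oriented tuning (0.50) admits impostors; a strict one (0.70)
    # locks out real users. Neither rate drops without the other rising.
    for t in (0.50, 0.56, 0.62, 0.70):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("monotonic trade-off:", tradeoff_is_monotonic(candidates))
    print("equal-error threshold:", equal_error_threshold(candidates))
```

On these constructed scores a threshold of 0.50 accepts two of ten impostors while rejecting no legitimate user, and 0.70 rejects four of ten legitimate users while admitting no impostor; the balanced point lies near 0.56. With a low-degree-of-freedom biometric the two score populations overlap more, so no threshold gives both rates near zero, which is the booklet's point about similar faces.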
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
13. Determine if logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.
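One control an examiner can look for under this question is a tamper-evident log, where each retained entry carries the hash of the entry before it. The following is an added example, not code from the FFIEC booklet or from this newsletter; the event records and the starting value are constructed. It also shows the limit of the technique: deleting the newest entries leaves a chain that still verifies, so the latest hash must be anchored somewhere the log writer cannot alter.

```python
# Added illustration of one control for logs that must be "secured against
# unauthorized change and deletion": a hash-chained, tamper-evident audit log.
# It is not code from the FFIEC booklet or from this newsletter; the event
# records and the genesis value are constructed for the example.
import hashlib
import json

# Constructed security-event records of the kind an examiner expects to be retained.
SAMPLE_EVENTS = [
    {"ts": "2006-02-20T08:01:00Z", "user": "jsmith", "action": "login", "result": "ok"},
    {"ts": "2006-02-20T08:15:42Z", "user": "jsmith", "action": "wire_approve", "result": "ok"},
    {"ts": "2006-02-20T09:03:10Z", "user": "admin", "action": "acl_change", "result": "ok"},
    {"ts": "2006-02-20T09:04:55Z", "user": "admin", "action": "log_export", "result": "ok"},
]

# Constructed starting value; the first entry chains to this instead of a predecessor.
GENESIS = hashlib.sha256(b"constructed-genesis-value").hexdigest()


def _digest(record):
    """SHA-256 over canonical JSON so the same record always hashes identically."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def chain_entries(events, prev=GENESIS):
    """Wrap each event with a sequence number and the hash of the entry before it."""
    chained = []
    for seq, event in enumerate(events):
        record = {"seq": seq, "prev": prev, "event": dict(event)}
        record["hash"] = _digest(record)  # computed before the "hash" key is added
        chained.append(record)
        prev = record["hash"]
    return chained


def verify_chain(chained, prev=GENESIS):
    """Return (True, None) if every link holds, else (False, seq of the first bad entry).
    Catches edited entries, entries deleted or inserted in the middle, and reordering."""
    for expected_seq, record in enumerate(chained):
        body = {k: v for k, v in record.items() if k != "hash"}
        if (record.get("seq") != expected_seq
                or record.get("prev") != prev
                or _digest(body) != record.get("hash")):
            return False, expected_seq
        prev = record["hash"]
    return True, None


def tail_matches_anchor(chained, anchored_hash):
    """The chain alone cannot reveal that its newest entries were deleted, because a
    truncated chain still verifies. Record the latest hash somewhere the log writer
    cannot alter (a separate host, write-once media) and compare against it."""
    if not chained:
        return anchored_hash == GENESIS
    return chained[-1]["hash"] == anchored_hash


if __name__ == "__main__":
    log = chain_entries(SAMPLE_EVENTS)
    anchor = log[-1]["hash"]
    print("intact:", verify_chain(log))
    log[1]["event"]["user"] = "mallory"          # edit a retained entry
    print("after edit:", verify_chain(log))
    log = chain_entries(SAMPLE_EVENTS)[:-1]       # drop the newest entry
    print("after truncation:", verify_chain(log), "anchor ok:", tail_matches_anchor(log, anchor))
```

Hash chaining makes change and deletion detectable, not impossible; it complements, rather than replaces, the access restrictions and retention period the question asks about, and the anchored hash should be refreshed and stored off-host on a schedule that matches the retention requirement.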
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Other Matters
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
State Law
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
data security.
Next week we will start covering the examination objectives.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.