REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- C.I.A. Employees Face New Inquiry Amid Clashes on Detention
Program - The Central Intelligence Agency’s attempt to keep secret
the details of a defunct detention and interrogation program has
escalated a battle between the agency and members of Congress and
led to an investigation by the C.I.A.’s internal watchdog into the
conduct of agency employees.
http://www.nytimes.com/2014/03/05/us/new-inquiry-into-cia-employees-amid-clashes-over-interrogation-program.html?hp&_r=0
FYI
- Two factor authentication for online banking - Eight or nine years
ago, I was asking about banks that support two factor
authentication. At that time I found eTrade bank and Charles Schwab
and not much more.
http://www.sans.edu/research/security-laboratory/article/2factor-banks
FYI
- Russia and Ukraine in cyber 'stand-off' - As diplomatic efforts
are stepped up to ease tensions in Ukraine, security experts have
warned that Kiev and Moscow are locked in a cyber stand-off.
http://www.bbc.com/news/technology-26447200
FYI
- Duo arrested two hours after planting card skimmer - Two Romanian
nationals planted a card skimmer at a bank ATM in Brooklyn, New York
and were arrested two hours later.
http://www.scmagazine.com/duo-arrested-two-hours-after-planting-card-skimmer/article/337259/
FYI
- NIST Guide Aims to Ease Access Control - New Special Publication
Explains Attribute-Based Approach - Advice on how to encourage
information sharing while preserving control over access to data is
provided in a new special publication from the National Institute of
Standards and Technology.
http://www.govinfosecurity.com/nist-guide-aims-to-ease-access-control-a-6612
FYI
- Australian telcom fined less than $10k for privacy violations - An
Australian telecommunications and media company was fined $9,161.18
(AU$10,200) for violating privacy laws as a result of a data breach
affecting 15,775 of its customers.
http://www.scmagazine.com/australian-telcom-fined-less-than-10k-for-privacy-violations/article/337763/
FYI
- Health care orgs see modest decline in incidence, cost of data
breaches - An annual study revealed that data breaches at health
care organizations are, on average, less costly and occurring less
frequently than in the previous year.
http://www.scmagazine.com/study-health-care-orgs-see-modest-decline-in-incidence-cost-of-data-breaches/article/337968/
FYI
- Atlanta chain banned from using software to spy via rental
computers - An Atlanta-based retailer has officially settled Federal
Trade Commission (FTC) charges related to monitoring software
installed in rental computers.
http://www.scmagazine.com/atlanta-chain-banned-from-using-software-to-spy-via-rental-computers/article/338002/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Thieves Jam Up Smucker’s, Card Processor - Jam and jelly maker
Smucker’s last week shuttered its online store, notifying visitors
that the site was being retooled because of a security breach that
jeopardized customers’ credit card data.
http://krebsonsecurity.com/2014/03/thieves-jam-up-smuckers-card-processor/
FYI
- Computers stolen, health data compromised for 168K in L.A. -
Sutherland Healthcare Solutions (SHS), a billing and collections
services provider for Los Angeles County, is notifying more than
168,000 clients of the Los Angeles County Department of Health
Services that their personal information may be at risk after SHS
offices were broken into and computers containing personal
information were stolen.
http://www.scmagazine.com/computers-stolen-health-data-compromised-for-168k-in-la/article/337360/
FYI
- Johns Hopkins University web server breached; up to 1,300 affected
- As many as 1,300 current and former Johns Hopkins University
biomedical engineering students' personal information was posted
online by an attacker claiming to be affiliated with hacktivist
collective Anonymous.
http://www.scmagazine.com/johns-hopkins-university-web-server-breached-up-to-1300-affected/article/337274/
FYI
- Experian co. gave ID theft service access to 200 million records -
Court records in a major identity theft case have revealed the
extent of a mishap impacting major credit bureau Experian.
http://www.scmagazine.com/experian-co-gave-id-theft-service-access-to-200-million-records/article/337616/
FYI
- Iowa DHS data breach dates back to 2008, more than 2,000 impacted -
Information on more than 2,000 individuals – including Social
Security numbers – leaked outside a secure network because, since
2008, two employees with the Iowa Department of Human Services (DHS)
used personal online accounts and storage devices to maintain the
data, which goes against department policy.
http://www.scmagazine.com/iowa-dhs-data-breach-dates-back-2008-more-than-2000-impacted/article/337493/
FYI
- Justin Bieber's Twitter account hacked - An unknown attacker
gained access to Justin Bieber's Twitter account this past weekend
and remained in control for about 15 minutes.
http://www.scmagazine.com/justin-biebers-twitter-account-hacked/article/337597/
FYI
- More than 162,000 WordPress sites used in DDoS attack - Under the
right conditions, any WordPress site can be used to launch a
denial-of-service (DoS) attack.
http://www.scmagazine.com/more-than-162000-wordpress-sites-used-in-ddos-attack/article/337797/
FYI
- Attacker exploits flaw, nabs info on 50,000 Statista customers -
Online statistics portal Statista discovered a vulnerability in its
administrative system that allowed an attacker to steal personal
information on an estimated 50,000 customers.
http://www.scmagazine.com/attacker-exploits-flaw-nabs-info-on-50000-statista-customers/article/337758/
FYI
- Nearly 5,000 impacted after Ohio manufacturer stores info on
insecure server - Ohio-based manufacturer The Timken Company stored
the personal information - including Social Security numbers - of
nearly 5,000 current and former associates, as well as past
applicants, on an insecure server; while the data sat there, one
unauthorized party accessed the file containing it.
http://www.scmagazine.com/nearly-5000-impacted-after-ohio-manufacturer-stores-info-on-insecure-server/article/337866/
FYI
- Unencrypted desktops stolen from Calif. medical center, 10k
impacted - Nearly 10,000 patients of University of California San
Francisco (UCSF) Family Medicine Center at Lakeshore may have
personal information at risk after unencrypted desktop computers
containing their data were stolen.
http://www.scmagazine.com/unencrypted-desktops-stolen-from-calif-medical-center-10k-impacted/article/338093/
WEB SITE COMPLIANCE - We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior management should be
aware of information security issues and be involved in developing
an appropriate information security program. A comprehensive
information security policy should outline a proactive and ongoing
program incorporating three components:
1) Prevention
2) Detection
3) Response
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
systems.
Detection measures involve analyzing available information to
determine if an information system has been compromised, misused, or
accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
being monitored.
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
reporting requirements.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Stateful Inspection Firewalls
Stateful inspection firewalls are packet filters that monitor the
state of the TCP connection. Each TCP session starts with an
initial handshake communicated through TCP flags in the header
information. When a connection is established the firewall adds the
connection information to a table. The firewall can then compare
future packets to the connection or state table. This essentially
verifies that inbound traffic is in response to requests initiated
from inside the firewall.
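To make the state table concrete, the following is an added example written for this entry (it is not code from the FFIEC booklet): a small Python simulation of a stateful inspection firewall. It assumes an internal range of 10.0.0.0/8, records sessions opened from inside by their 4-tuple, and admits inbound packets only when they match a recorded session; all addresses, ports and flag sets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal address range protected by the firewall (constructed).
INSIDE = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set in the header, e.g. {"SYN"}, {"SYN", "ACK"}

class StatefulFirewall:
    """Keeps a state table of TCP sessions initiated from inside and admits
    inbound packets only when they belong to a session in that table."""

    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        if ipaddress.ip_address(pkt.src) in INSIDE:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                # Initial handshake from inside: record the new session.
                self.table.add(key)
                return "ALLOW"
            if key in self.table:
                if pkt.flags & {"FIN", "RST"}:
                    self.table.discard(key)  # simplified teardown on FIN/RST
                return "ALLOW"
            return "DROP"  # packet for a session the table never saw
        # Packet from outside: reverse the tuple and look for the session.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            if "RST" in pkt.flags:
                self.table.discard(key)
            return "ALLOW"
        return "DROP"  # unsolicited inbound traffic, e.g. a port probe

def run_trace(packets):
    """Filter a packet sequence through a fresh firewall; return decisions."""
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]
```

A probe aimed at an internal host, or a reply on a port the table has not seen, is dropped even though the same packet would pass a stateless filter that only looks at ports.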
Proxy Server Firewalls
Proxy servers act as an intermediary between internal and external
IP addresses and block direct access to the internal network.
Essentially, they rewrite packet headers to substitute the IP of the
proxy server for the IP of the internal machine and forward packets
to and from the internal and external machines. Due to that limited
capability, proxy servers are commonly employed behind other
firewall devices. The primary firewall receives all traffic,
determines which application is being targeted, and hands off the
traffic to the appropriate proxy server. Common proxy servers are
the domain name server (DNS), Web server (HTTP), and mail (SMTP)
server. Proxy servers frequently cache requests and responses,
providing potential performance benefits. Additionally, proxy
servers provide another layer of access control by segregating the
flow of Internet traffic to support additional authentication and
logging capability, as well as content filtering. Web and e-mail
proxy servers, for example, are capable of filtering for potential
malicious code and application-specific commands.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
40. Does the institution provide at least one initial, annual,
and revised notice, as applicable, to joint consumers? [§9(g)]