Internet Banking News

March 18, 2007

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - The following Audit and Evaluation Reports were recently posted to the Federal Deposit Insurance Corporation's (FDIC) Office of Inspector General (OIG) Web site:
1) Information Technology Examination Coverage of Financial Institutions' Oversight of Technology Service Providers. http://www.fdicig.gov/reports07/07-005.pdf
2) Interagency Agreement With the General Services Administration for the Infrastructure Services Contract. http://www.fdicig.gov/reports07/07-004-redact.pdf
3) The FDIC's Compliance with Section 522 of the Consolidated Appropriations Act, 2005. http://www.fdicig.gov/reports07/07-003.pdf
4) The Division of Supervision and Consumer Protection's Information Technology-Risk Management Program. http://www.fdicig.gov/reports07/07-002.pdf
5) FDIC's Supervision of Financial Institutions' OFAC Compliance Programs. http://www.fdicig.gov/reports07/07-001.pdf

FYI - Laptop Security, Part One: Preventing Laptop Theft: http://www.securityfocus.com/infocus/1186
Laptop Security, Part Two: Protecting Information on a Stolen Laptop. http://www.securityfocus.com/infocus/1187

FYI - Scanners makes depositing checks more simple - It used to be that if a small bank wanted to grow, it had to acquire another bank or open new branches. Now, a little black box may help small banks compete with larger banks, analysts say. http://www.contracostatimes.com/mld/cctimes/business/16836685.htm

FYI - Texas counties illegally posting Social Security numbers online, AG says - County, district clerks are pushing for legislation to make the practice legal. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012221&source=rss_topic17

FYI - Phishing Sites Explode on the Web - Online criminals are thriving even in the face of new automated defenses. http://www.pcworld.com/article/id,129288/article.html?tk=nl_wbxnws

MISSING COMPUTERS/DATA

FYI - Hack Attack Forces Texas A&M To Change 96,000 Passwords - Students, faculty, and staff are required to change their passwords after a hacker tried to break into files containing encrypted passwords to university accounts.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=197700420
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070305/636752/

FYI - Tokyo University of Science has lost personal information on about 8,800 students and graduates, including their names, addresses and scores, university officials said. http://mdn.mainichi-msn.co.jp/national/news/20070301p2a00m0na026000c.html

FYI - Laptop Computers Stolen From Hospital Parking Lot - Thieves have swiped laptop computers from a hospital parking lot in the Hill Country. The two computers are missing from Burnet. But it's the information on them that's important. http://www.kxan.com/Global/story.asp?S=6100779&nav=0s3d

FYI - Hackers swipe seed company's customers' data - The Web site of Johnny's Selected Seeds has been hacked by an intruder, resulting in the theft of thousands of private records and credit card numbers, a company official said. Bruce Harrington, the company's director of sales and marketing, said 11,500 credit card accounts were stolen electronically in February. http://kennebecjournal.mainetoday.com/news/local/3676190.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (7 of 12)

Define what constitutes an incident.

An initial step in the development of a response program is to define what constitutes an incident. This step is important as it sharpens the organization's focus and delineates the types of events that would trigger the use of the IRP. Moreover, identifying potential security incidents can also make the possible threats seem more tangible, and thus better enable organizations to design specific incident-handling procedures for each identified threat.

Detection

The ability to detect that an incident is occurring or has occurred is an important component of the incident response process. This is considerably more important with respect to technical threats, since these can be more difficult to identify without the proper technical solutions in place. If an institution is not positioned to quickly identify incidents, the overall effectiveness of the IRP may be affected. Following are two detection-related best practices included in some institutions' IRPs.

Identify indicators of unauthorized system access.

Most banks implement some form of technical solution, such as an intrusion detection system or a firewall, to assist in the identification of unauthorized system access. Activity reports from these and other technical solutions (such as network and application security reports) serve as inputs for the monitoring process and for the IRP in general. Identifying potential indicators of unauthorized system access within these activity or security reports can assist in the detection process.

Involve legal counsel.

Because many states have enacted laws governing notification requirements for customer information security compromises, institutions have found it prudent to involve the institution's legal counsel when a compromise of customer information has been detected. Legal guidance may also be warranted in properly documenting and handling the incident.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 4 of 4)

Some host-based IDS units address the difficulty of performing intrusion detection on encrypted traffic. Those units position their sensors between the decryption of the IP packet and the execution of any commands by the host. This host-based intrusion detection method is particularly appropriate for Internet banking servers and other servers that communicate over an encrypted channel. LKMs, however, can defeat these host-based IDS units.

Host-based intrusion detection systems are recommended by the NIST for all mission-critical systems, even those that should not allow external access.

The heuristic, or behavior, method creates a statistical profile of normal activity on the host or network. Boundaries for activity are established based on that profile. When current activity exceeds the boundaries, an alert is generated. Weaknesses in this system involve the ability of the system to accurately model activity, the relationship between valid activity in the period being modeled and valid activity in future periods, and the potential for malicious activity to take place while the modeling is performed. This method is best employed in environments with predictable, stable activity.

Both signature-based and heuristic detection methods result in false positives (alerts where no attack exists), and false negatives (no alert when an attack does take place). While false negatives are obviously a concern, false positives can also hinder detection. When security personnel are overwhelmed with the number of false positives, they may look at the IDS reports with less vigor, allowing real attacks to be reported by the IDS but not researched or acted upon. Additionally, they may tune the IDS to reduce the number of false positives, which may increase the number of false negatives. Risk-based testing is necessary to ensure the detection capability is adequate.

Return to the top of the newsletter

IT SECURITY QUESTION: INTRUSION DETECTION AND RESPONSE

8. Determine whether an incident response team:

! Contains appropriate membership,
! Is available at all times,
! Has appropriate training to investigate and report findings,
! Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate), and
! Has appropriate authority and timely access to decision makers for actions that require higher approvals.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

45. If the institution receives information from a nonaffiliated financial institution other than under an exception in §14 or §15, does the institution refrain from disclosing the information except:

a. to the affiliates of the financial institution from which it received the information; [§11(b)(1)(i)]

b. to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)] and

c. to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [§11(b)(1)(iii)]