Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
March 25, 2007
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - VA to control, restrict use of mobile storage devices - In the next month, the Veterans Affairs Department will let employees plug into its network only those mobile storage devices issued by the CIO's office.
http://www.gcn.com/online/vol1_no1/43266-1.html?topic=security
Microsoft - HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
FYI - Some Companies Lose Data Six Times a Year - TJX's massive data loss is just the tip of the iceberg. Almost seven out of 10 companies (68 percent) are losing sensitive data or having it stolen out from under them six times a year, according to new research from the IT Policy Compliance Group. An additional 20 percent are losing sensitive data a whopping 22 times or more per year.
http://www.eweek.com/article2/0%2C1895%2C2101683%2C00.asp
FYI - Hanging on the telephone - Vulnerable Irish businesses are falling victim to a rising spate of telecoms fraud that is costing them €75m a year and growing at a rate of 15pc annually. The thorny subject of telecoms fraud on Irish businesses is one that is not highlighted enough in this country, admits detective inspector Paul Gillen.
http://www.siliconrepublic.com/news/news.nv?storyid=single7916
FYI - SEC halts trading of 35 stocks for pump-and-dump scams - The Securities and Exchange Commission (SEC) today halted trading on shares of 35 companies believed to be involved in recent pump-and-dump spam campaigns.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070312/642688/
http://www.scmagazine.com/us/news/article/643126/sec-3-million-latvian-bank-frozen-part-hacking-pump-and-dump-trial/
MISSING COMPUTERS/DATA
FYI - Outsourcer to pay over laptop theft - IT services firm Serco has apologised and agreed to pay costs after one of its laptops, containing sensitive data on more than 16,000 Worcestershire council staff, was stolen.
http://www.techworld.com/security/news/index.cfm?newsID=8204&pagtype=all
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (8 of 12)
Containment
During the containment phase, the institution should generally implement its predefined procedures for responding to the specific incident (note that containment procedures are a required minimum component). Additional containment-related procedures some banks have successfully incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the incident response team, banks may want to consider developing procedures for notifying these individuals when the situation warrants. Providing the appropriate executive staff and senior department managers with information about how containment actions will affect business operations or systems, and including these individuals in the decision-making process, can help minimize undesirable business disruptions. Institutions that have experienced incidents have generally found that the management escalation process (and resultant communication flow) was not only beneficial during the containment phase, but also proved valuable during the later phases of the incident response process.
Document details, conversations, and actions.
Retaining documentation is an important component of the incident response process. Documentation can come in a variety of forms, including technical reports generated, actions taken, costs incurred, notifications provided, and conversations held. This information may be useful to external consultants and law enforcement for investigative and legal purposes, as well as to senior management for filing potential insurance claims and for preparing an executive summary of the events for the board of directors or shareholders. In addition, documentation can assist management in responding to questions from its primary Federal regulator. It may be helpful during the incident response process to centralize this documentation for organizational purposes.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Honeypots
A honeypot is a network device that the institution uses to attract attackers to a harmless and monitored area of the network. Honeypots have three key advantages over network and host IDS systems. Since the honeypot's only function is to be attacked, any network traffic to or from the honeypot potentially signals an intrusion. Monitoring that traffic is simpler than monitoring all traffic passing a network IDS. Honeypots also collect very little data, and all of that data is highly relevant. Network IDS systems gather vast amounts of traffic which must be analyzed, sometimes manually, to generate a complete picture of an attack. Finally, unlike IDS, a honeypot does not pass packets without inspection when under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless they are attacked. Consequently, organizations that use honeypots for detection usually make the honeypot look attractive to an attacker. Attractiveness may be in the name of the device, its apparent capabilities, or in its connectivity. Since honeypots are ineffective unless they are attacked, they are typically used to supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without triggering an alarm, then becoming staging grounds for attacks on other devices. The level of risk is dependent on the degree of monitoring, capabilities of the honeypot, and its connectivity. For instance, a honeypot that is not rigorously monitored, that has excellent connectivity to the rest of the institution's network, and that has varied and easy-to-compromise services presents a high risk to the confidentiality, integrity, and availability of the institution's systems and data. On the other hand, a honeypot that is rigorously monitored and whose sole capability is to log connections and issue bogus responses to the attacker, while signaling outside the system to the administrator, demonstrates much lower risk.
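The low-risk design the booklet describes (log the connection, send a bogus response, signal the administrator out of band) in working form, as an added example that is not from the FFIEC booklet or this newsletter. The port (2222), the banner text, and the alert() stand-in for off-box notification are assumptions; the honeypot never acts on what it receives, and keeping the log off the device preserves the evidence if the honeypot itself is compromised.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: looks like a real service, but nothing behind it.
BOGUS_BANNER = b"SSH-2.0-OpenSSH_5.1\r\n"
LISTEN_PORT = 2222  # assumption; place the device on a segregated segment


def handle_probe(peer, data, now=None):
    """Turn one connection into an alert record.

    The device has no legitimate users, so any contact at all is an alert,
    not a statistic. Only the first 64 bytes are kept, as evidence; the
    input is never parsed or executed.
    """
    now = now or datetime.now(timezone.utc)
    return {
        "time": now.isoformat(),
        "src": f"{peer[0]}:{peer[1]}",
        "first_bytes": data[:64].decode("ascii", "replace"),
        "severity": "high",
    }


def alert(record):
    # Stand-in for the out-of-band signal (remote syslog, SIEM, pager).
    # Real deployments send this to a separate, hardened log host.
    print("HONEYPOT ALERT", record)


def _session(conn, peer):
    with conn:
        conn.settimeout(5)
        try:
            conn.sendall(BOGUS_BANNER)  # bogus response, like a real server
            data = conn.recv(1024)  # record what the prober sends back
        except (socket.timeout, OSError):
            data = b""
        alert(handle_probe(peer, data))


def serve(host="0.0.0.0", port=LISTEN_PORT):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:  # one thread per probe; each one only logs and replies
        conn, peer = srv.accept()
        threading.Thread(target=_session, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    serve()
```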
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
9. Evaluate the selection of systems to monitor and objectives for monitoring.
10. Determine whether the data and data streams to monitor are established and consistent with the risk assessment.
11. Determine whether users are appropriately notified regarding security monitoring.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
46. Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to market the institution's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; [§12(b)(1)] or
b. to a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? [§12(b)(2)]
(Note: an "account number or similar form of access number or access code" does not include numbers in encrypted form, so long as the institution does not provide the recipient with a means of decryption. [§12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. [§12(c)(2)])
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.