You can rely on the Review to help you
prepare for your IT examination. Designed
especially for IT management, The Weekly IT Security Review
provides an analysis of IT security issues covered in the FFIEC IT
Examination Handbook, which will help in preparing for your IT
examination. For more information and to subscribe visit
http://www.yennik.com/it-review/.
FYI -
Pennsylvania fires CISO over RSA talk - Terminated for disclosing
security incident at Department of Transportation, source says -
Pennsylvania's chief information security officer, Robert Maley, has
been fired, apparently for talking publicly at the RSA security
conference last week about a recent incident involving the
Commonwealth's online driving exam scheduling system.
http://www.computerworld.com/s/article/9169098/Pennsylvania_fires_CISO_over_RSA_talk
FYI -
TJX Hacking Conspirator Gets 4 Years - Humza Zaman, a co-conspirator
in the hack of TJX and other companies, was sentenced Thursday in
Boston to 46 months in prison and fined $75,000 for his role in the
conspiracy. The sentence matches what prosecutors were seeking.
http://www.wired.com/threatlevel/2010/03/tjx-conspirator-sentenced-to-46-month/
FYI -
LifeLock to pay $12M to settle FTC, states' complaint - LifeLock, an
Arizona company promising customers protection from identity theft,
has agreed to pay $12 million to settle charges that the company
overstated its benefits and used "scare tactics" to gain
subscribers.
http://www.computerworld.com/s/article/9168098/Update_LifeLock_to_pay_12M_to_settle_FTC_states_complaint?taxonomyId=17
FYI -
Web fraud losses more than double in 2009, says report - Losses
related to cybercrime more than doubled from 2008 to last year,
according to a report from the Internet Crime Complaint Center.
http://www.scmagazineus.com/web-fraud-losses-more-than-double-in-2009-says-report/article/165824/?DCMP=EMC-SCUS_Newswire
FYI -
A new state data breach regulation - After a few delays, what has
been termed the nation's strictest state data security regulation is
set to go into effect on March 1 in Massachusetts. The legislation,
201 CMR 17.00, details a number of requirements that all companies,
no matter where they are based, must follow to safeguard the paper
or electronic records in their possession of any Massachusetts
resident.
http://www.scmagazineus.com/solid-state-a-new-state-data-breach-regulation/article/164042/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Data theft incident broader than first thought - HSBC said on
Thursday that about 15,000 accounts of its Swiss private banking
unit were compromised after an employee allegedly stole data, some
of which ended up in the hands of French tax authorities.
http://www.computerworld.com/s/article/9169218/HSBC_Data_theft_incident_broader_than_first_thought?taxonomyId=17
FYI -
Former TSA Worker Charged With Hacking - The Department of Justice
indictment alleges that a former TSA employee tampered with servers
containing data from the Terrorist Screening Database. The
Department of Justice has charged a Colorado man and former
Transportation Security Administration (TSA) employee with trying to
inject malicious code into TSA databases.
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=223500107
FYI -
Citibank exposes 600,000 customers' Social Security numbers - In
late January, Citibank mailed year-end tax statements to 600,000
Citi customers via the U.S. Postal Service that included the
customers' Social Security numbers ... on the outside of the
envelope.
http://newsblogs.chicagotribune.com/the-problem-solver/2010/03/citibank-exposes-600000-customers-social-security-numbers.html
FYI -
'Cavalier' GCHQ online spy centre loses 35 laptops - The UK's
electronic spy centre was today lambasted by MPs for having a
"cavalier" attitude to data security. The centre is responsible for
tracking the electronic communications of terrorists.
http://www.computerworlduk.com/management/government-law/public-sector/news/index.cfm?RSS&NewsId=19344
FYI -
Man accused of disabling 100 cars over Internet - Texan fired from
dealership remotely set off car horns at old workplace - A man fired
from a Texas auto dealership used an Internet service to remotely
disable ignitions and set off car horns of more than 100 vehicles
sold at his old workplace, police said.
http://www.msnbc.msn.com/id/35919648/ns/technology_and_science-security/
WEB SITE COMPLIANCE -
We conclude the series on FDIC Supervisory Insights regarding Incident Response Programs. (12 of 12)
What the Future Holds
In addition to meeting regulatory requirements and addressing
applicable industry best practices, several characteristics tend to
differentiate banks. The most successful banks will find a way to
integrate incident response planning into normal operations and
business processes. Assimilation efforts may include expanding
security awareness and training initiatives to reinforce incident
response actions, revising business continuity plans to incorporate
security incident responses, and implementing additional security
monitoring systems and procedures to provide timely incident
notification. Ultimately, the adequacy of a bank's IRP reflects on
the condition of the information security program along with
management's willingness and ability to manage information
technology risks. In essence, incident response planning is a
management process, the comprehensiveness and success of which
provide insight into the quality and attentiveness of management. In
this respect, the condition of a bank's IRP, and the results of
examiner review of the incident response planning process, fit well
within the objectives of the information technology examination as
described in the Information Technology-Risk Management Program.
An IRP is a critical component of a well-formed and effective
information security program and has the potential to provide
tangible value and benefit to a bank. Similar to the importance of a
business continuity planning program as it relates to the threat of
natural and man-made disasters, sound IRPs will be necessary to
combat new and existing data security threats facing the banking
community. Given the high value placed on the confidential customer
information held within the financial services industry, coupled
with the publicized success of known compromises, one can reasonably
assume that criminals will continue to probe an organization's
defenses in search of weak points. The need for response programs is
real and has been recognized as such by not only state and Federal
regulatory agencies (through passage of a variety of legal
requirements), but by the banking industry itself. The challenges
each bank faces are to develop a reasonable IRP providing
protections for the bank and the consumer and to
incorporate the IRP into a comprehensive, enterprise-wide
information security program. The most successful banks will exceed
regulatory requirements to leverage the IRP for business advantages
and, in turn, improved protection for the banking industry as a
whole.
INFORMATION TECHNOLOGY SECURITY -
We continue the series
from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
System Architecture and Design
Measures to address access control and system security start with
the appropriate system architecture. Ideally, if an Internet
connection is to be provided from within the institution, or a Web
site established, the connection should be entirely separate from
the core processing system. If the Web site is placed on its own
server, there is no direct connection to the internal computer
system. However, appropriate firewall technology may be necessary to
protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other servers
provides an added measure of protection, because requests could be
segregated and routed to a particular server (such as a financial
information server or a public information server). However, some
systems may be considered so critical that they should be completely
isolated from all other systems or networks. Security can also
be enhanced by sending electronic transmissions from external
sources to a machine that is not connected to the main operating
system.
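The segmented design described above, as an added illustration that is not code from the FDIC guidance or from this newsletter: a small zone-based packet-filter model with first-match rules and an implicit default deny, covering an Internet-facing public information server and financial information server on their own segments, a core processing system with no direct path from outside, and a hand-off machine that is not connected to the core. The zone names, addresses (documentation and private ranges), port numbers and the "relay" host are constructed assumptions. Beyond the passage itself, it also shows why rule order matters in a first-match filter and includes a static audit that reports which sources an allow rule actually admits into a protected zone.

```python
"""Zone-based packet-filter model for a segmented Web / core architecture.

Added example: every zone, address, port and rule below is a constructed
assumption for illustration, not configuration from the FDIC or the newsletter.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"
    note: str = ""

    def matches(self, src_zone: str, dst_zone: str, dst_port: int) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (self.dst_port is None or self.dst_port == dst_port))


# Constructed host-to-zone map. A real filter keys on prefixes; labels keep
# the example readable. 203.0.113.0/24 is a documentation range.
ZONES = {
    "203.0.113.7": "internet",
    "10.1.0.10": "dmz-public",      # public information Web server
    "10.2.0.10": "dmz-financial",   # financial information server
    "10.3.0.10": "relay",           # hand-off machine, not connected to core
    "10.9.0.5": "core",             # core processing system
}

DEFAULT = ("deny", "implicit default deny")

# First-match policy. Explicit denies that isolate the core come first so a
# later, broader allow can never open a path by accident.
POLICY: List[Rule] = [
    Rule("internet", "core", None, "deny", "no direct path from the Internet to core"),
    Rule("dmz-public", "core", None, "deny", "public Web server cannot reach core"),
    Rule("dmz-financial", "core", None, "deny", "financial server cannot reach core"),
    # The screening router segregates requests by destination server.
    Rule("internet", "dmz-public", 443, "allow", "public information server"),
    Rule("internet", "dmz-financial", 443, "allow", "financial information server"),
    # External input lands on a machine that is not on the core system.
    Rule("dmz-financial", "relay", 5000, "allow", "hand-off to isolated relay (assumed port)"),
]


def zone_of(ip: str) -> str:
    return ZONES.get(ip, "unknown")


def evaluate(src_ip: str, dst_ip: str, dst_port: int,
             policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, note) for a flow under first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.matches(src, dst, dst_port):
            return rule.action, rule.note
    return DEFAULT


def reachable_sources(dst_zone: str,
                      policy: List[Rule] = POLICY) -> Set[Tuple[str, Optional[int]]]:
    """Static audit: (src_zone, port) pairs that some allow rule admits into
    dst_zone, ignoring allows shadowed by an earlier deny covering the same flow."""
    admitted: Set[Tuple[str, Optional[int]]] = set()
    for i, rule in enumerate(policy):
        if rule.action != "allow" or rule.dst_zone != dst_zone:
            continue
        shadowed = any(
            earlier.action == "deny"
            and earlier.src_zone == rule.src_zone
            and earlier.dst_zone == rule.dst_zone
            and (earlier.dst_port is None or earlier.dst_port == rule.dst_port)
            for earlier in policy[:i]
        )
        if not shadowed:
            admitted.add((rule.src_zone, rule.dst_port))
    return admitted


if __name__ == "__main__":
    # Constructed sample flows: customer to each tier, tier to core, tier to relay.
    samples = [
        ("203.0.113.7", "10.1.0.10", 443),
        ("203.0.113.7", "10.2.0.10", 443),
        ("203.0.113.7", "10.1.0.10", 22),
        ("203.0.113.7", "10.9.0.5", 443),
        ("10.2.0.10", "10.9.0.5", 5000),
        ("10.2.0.10", "10.3.0.10", 5000),
    ]
    for src, dst, port in samples:
        action, note = evaluate(src, dst, port)
        print(f"{zone_of(src):>14} -> {zone_of(dst):<14}:{port:<5} {action:<5} ({note})")
    print("sources admitted into core:", reachable_sources("core") or "none")
```

The audit function is the part worth keeping around: run it against the protected zone after every rule change, and a non-empty result means an allow rule has opened a path that the ordering was supposed to close.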
INTERNET PRIVACY -
We continue our review of the
issues in the "Privacy of Consumer Financial Information" published
by the financial regulatory agencies.
The Exceptions
Exceptions to the opt-out right are detailed in sections 13, 14,
and 15 of the regulations. Financial institutions need not comply
with opt-out requirements if they limit disclosure of nonpublic
personal information:
1) To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or those
offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by contract
prohibits the third party from disclosing or using the information
for other than the specified purposes. In a contract for a joint
marketing agreement, the contract must provide that the parties to
the agreement are jointly offering, sponsoring, or endorsing a
financial product or service. However, if the service or function is
covered by the exceptions in section 14 or 15 (discussed below), the
financial institution does not have to comply with the additional
disclosure and confidentiality requirements of section 13.
Disclosure under this exception could include the outsourcing of
marketing to an advertising company. (Section 13)
2) As necessary to effect, administer, or enforce a
transaction that a consumer requests or authorizes, or under certain
other circumstances relating to existing relationships with
customers. Disclosures under this exception could be in connection
with the audit of credit information, administration of a rewards
program, or to provide an account statement. (Section 14)
3) For specified other disclosures that a financial
institution normally makes, such as to protect against or prevent
actual or potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable legal
requirements, such as the disclosure of information to regulators.
(Section 15)