Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
April 1, 2007
Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Oops! Techie wipes out $38 billion fund - Keystroke mistake deletes data for Alaska's oil-funded account - Perhaps you know that sinking feeling when a single keystroke accidentally destroys hours of work. Now imagine wiping out a disk drive containing an account worth $38 billion.
http://www.msnbc.msn.com/id/17702021/from/ET/
FYI - NCUA - Proposed Regulation 12 CFR Parts 748 and 749 - Records Preservation Program - NCUA proposes to amend part 749 to address a federally-insured credit union's obligation to maintain a records preservation program. The proposed rule draws from existing guidance to clarify requirements for preserving vital records and to suggest important items for consideration in restoring vital member services.
www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/P-748.pdf
FYI - Air Travelers Alerted to Battery Hazard - Airline passengers were warned yesterday by U.S. transportation officials to be extra careful while transporting batteries for laptop computers, cellphones and other gadgets in the wake of fires aboard aircraft.
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/22/AR2007032201766.html
FYI - Data breaches: Blame sloppy companies, not hackers - Researchers say organizational mismanagement causes 60% of breaches - Electronic records in the United States are streaming out of companies at a rate of 6 million a month this year, up roughly 200,000 a month from last year, according to a University of Washington researcher.
http://www.networkworld.com/news/2007/031307-data-breach-companies.html
FYI - Microsoft Suffers Latest Blow As NIST Bans Windows Vista - Tech staffers at NIST, a part of the Department of Commerce charged with promulgating technology standards, are scheduled to meet next month to discuss their concerns about the new operating system. In a new setback to Microsoft's public sector business, the influential National Institute of Standards and Technology has banned the software maker's Windows Vista operating system from its internal computing networks, according to an agency document obtained by InformationWeek.
http://www.informationweek.com/news/showArticle.jhtml?articleID=198000229
FYI - FTC Launches Investigation Of T.J. Maxx Parent Company - The U.S. Federal Trade Commission Tuesday confirmed that it has launched an investigation of TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods, and other stores. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of a large data breach that allowed cyberintruders to steal customer data.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198000608
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070319/643815/
FYI - Lab not wiping sensitive data before discarding machines, DOE finds - Published on March 12, 2007 - The Lawrence Livermore National Laboratory in California may not be wiping sensitive information from excess computers it disposes of, according to a report released by the Energy Department's inspector general's office.
http://www.fcw.com/article97898-03-12-07-Web&printLayout
FYI - Six Ways To Stop Data Leaks - During the five months when Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he downloaded and accessed more than 15 times as many documents as the next most active user of the system. But he wasn't caught until after he left the company for a rival firm.
http://computerworld.com/action/article.do?command=printArticleBasic&articleId=285138
FYI - To fight ID theft, a call for banks to disclose all incidents - Congress is taking aim at the identity theft scourge as a major consumer protection problem. There is little consensus on whether financial institutions and law enforcement agencies are making headway in combating identity theft. But Congress is nonetheless taking aim at the crime as a major consumer protection problem.
http://msn-cnet.com.com/To+fight+ID+theft%2C+a+call+for+banks+to+disclose+all+incidents/2100-1029_3-6169320.html?tag=cd.top
FYI - FBI: Web fraud cost more than $200 million in 2006 - Male. Between 30 and 50 years old. Residing in California, Texas, Florida or New York. That's the most likely profile for a 2006 victim of web-based crime, according to a report from the FBI and the National White Collar Crime Center.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070321/645020/
MISSING COMPUTERS/DATA
FYI - CD with medical data of 75,000 is found - Missing CD containing confidential medical information on 75,000 Empire Blue Cross and Blue Shield members is recovered.
http://news.com.com/CD+with+medical+data+of+75%2C000+is+found/2100-1029_3-6167435.html?tag=cd.top
FYI - Laptop with city school employees' information stolen - Nearly 2,000 current and former employees of Springfield City Schools are being notified their personal information was on a stolen laptop belonging to the state auditor's office.
http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/03/16/sns031707laptop.html
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (9 of 12)

Organize a public relations program.
Whether a bank is a local, national, or global firm, negative publicity about a security compromise is a distinct possibility. To address potential reputation risks associated with a given incident, some banks have organized public relations programs and designated specific points of contact to oversee the program. A well-defined public relations program can provide a specific avenue for open communications with both the media and the institution's customers.
Recovery
Recovering from an incident essentially involves restoring systems to a known good state or returning processes and procedures to a functional state. Some banks have incorporated the following best practices related to the recovery process in their IRPs.

Determine whether configurations or processes should be changed.
If an institution is the subject of a security compromise, the goals in the recovery process are to eliminate the cause of the incident and ensure that the possibility of a repeat event is minimized. A key component of this process is determining whether system configurations or other processes should be changed. In the case of technical compromises, such as a successful network intrusion, the IRP can prompt management to update or modify system configurations to help prevent further incidents. Part of this process may include implementing an effective, ongoing patch management program, which can reduce exposure to identified technical vulnerabilities. In terms of non-technical compromises, the IRP can direct management to review operational procedures or processes and implement changes designed to prevent a repeat incident.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Operational Anomalies
Operational anomalies may be evidence of a broad number of issues, one of which is potential intrusion. Anomalies that act as intrusion-warning indicators fall into two categories: those apparent in system processing, and those apparent outside the system.

System processing anomalies are evident in system logs and system behavior. Good identification involves pre-establishing which system processing data streams will be monitored for anomalies, defining which anomalies constitute an indicator of an intrusion, and the frequency of the monitoring. For example, remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors. System behavior covers a broad range of issues, from CPU utilization to network traffic protocols, quantity and destinations. One example of a processing anomaly is CPU utilization approaching 100% when the scheduled jobs typically require much less. Anomalous behavior, however, may not signal an intrusion.

Outside the system, detection is typically based on system output, such as unusual Automated Clearing House transactions or bill payment transactions. Those unusual transactions may be flagged as a part of ordinary transaction reviews, or customers and other system users may report them. Customers and other users should be advised as to where and how to report anomalies. The anomalous output, however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot monitoring, and anomalous system behavior assists in the intrusion identification process. Any intrusion reporting should use out-of-band communications mechanisms to protect the alert from being intercepted or compromised by an intruder.
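As an added illustration of the two system-processing checks the booklet names (example code written for this newsletter summary, not from the FFIEC booklet): a daily review that flags remote-access log entries outside a pre-established business-hours window and CPU samples well above the baseline the scheduled jobs normally need. The log format, the 06:00-20:00 weekday window, the 35% baseline and the 25-point tolerance are all assumptions a bank would replace with values from its own monitoring plan, and the sample data is constructed.

```python
import re
from datetime import datetime

# Constructed sample remote-access log (not from the page): "date time user source result".
REMOTE_ACCESS_LOG = """\
2007-03-26 08:15:02 jsmith 203.0.113.10 LOGIN_OK
2007-03-26 17:48:11 mlee 203.0.113.22 LOGIN_OK
2007-03-27 02:37:45 jsmith 198.51.100.7 LOGIN_OK
2007-03-27 03:05:19 admin 198.51.100.7 LOGIN_FAIL
2007-03-27 09:02:00 mlee 203.0.113.22 LOGIN_OK
2007-03-31 10:00:00 mlee 203.0.113.22 LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def unusual_time_access(log_text, business_hours=(6, 20)):
    """Return (timestamp, user, source) for remote access at unusual times.

    business_hours is an assumed half-open hour range [start, end) in the log's
    local time; weekend access is also reported because staff remote access is
    assumed to be weekday-only. Flagged entries are candidates for review, not
    confirmed intrusions (the booklet notes anomalies may not signal one).
    """
    start, end = business_hours
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip so one bad record cannot stop the daily review
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        off_hours = not (start <= ts.hour < end)
        if off_hours or ts.weekday() >= 5:
            flagged.append((m.group(1), m.group(2), m.group(3)))
    return flagged


# Constructed CPU utilization samples (percent) from a nightly batch window whose
# scheduled jobs are assumed to need about 35% CPU.
CPU_SAMPLES = [31, 34, 36, 33, 97, 99, 98, 35]


def cpu_anomalies(samples, baseline_pct, tolerance_pct=25):
    """Return indexes of samples exceeding the baseline by more than tolerance_pct points."""
    return [i for i, v in enumerate(samples) if v - baseline_pct > tolerance_pct]
```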
IT SECURITY QUESTION:

INTRUSION DETECTION AND RESPONSE

12. Determine whether:
- Responsibilities and authorities of security personnel and system administrators for monitoring are established, and
- Tools used are reviewed and approved by appropriate management with appropriate conditions for use.

13. Determine if the responsibility and authority of system administrators is appropriate for handling notifications generated by monitoring systems.

14. Determine if users are trained to report unexpected network behavior that may indicate an intrusion, and that clear reporting lines exist.
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

SUBPART C - Exception to Opt Out Requirements for Service Providers and Joint Marketing

47. If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised notice requirements in §8, not apply because:
a. the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and
c. the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §14 or §15 in the ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.