FYI -
Heartland Data Breach: Visa Sets Deadline for Issuers to File Fraud
Claims - Heartland, RBS WorldPay Removed from Visa's Compliant
Service Providers List - Heartland Payment Systems (HPY) has been
removed from Visa's list of compliant service providers, and banking
institutions affected by the Heartland data breach have until May 19
to file their fraud claims with Visa.
http://www.bankinfosecurity.com/articles.php?art_id=1277
FYI -
As Jurors Turn to Web, Mistrials Are Popping Up - Last week, a juror
in a big federal drug trial in Florida admitted to the judge that he
had been doing research on the case on the Internet, directly
violating the judge's instructions and centuries of legal rules. But
when the judge questioned the rest of the jury, he got an even
bigger shock.
http://www.nytimes.com/2009/03/18/us/18juries.html
FYI -
FBI agent in NY accused of tipping off informant - An FBI agent in
New York has been accused of keeping in touch with an informant
after their professional relationship ended and then claiming that
he "squashed" a drug trafficking investigation involving the source,
according to a criminal complaint.
http://www.google.com/hostednews/ap/article/ALeqM5gc2zWZ8mIjB2SlSWzJaYdx4Hp1xgD970OSGG0
FYI -
Obama CIO Vivek Kundra allowed back to work - FBI confirms that
Kundra is no longer under investigation - Kundra is now back in
charge of planning the national IT infrastructure, and the FBI has
arrested two suspects from the District of Columbia's Office of the
Chief Technology Officer.
http://www.vnunet.com/vnunet/news/2238688/obama-cio-allowed-back-work
FYI -
IT contractor indicted over oil company computer intrusion - An IT
contractor has been indicted on charges that he disrupted a computer
system used, among other purposes, to notify an energy company if its
oil properties are leaking.
http://www.scmagazineus.com/IT-contractor-indicted-over-oil-company-computer-intrusion/article/129104/?DCMP=EMC-SCUS_Newswire
FYI -
Virtumundo, now a worm, spreading via USB stick - A long-standing
trojan that serves as a malware-distribution service has found a new
way to infect computers: via a USB stick or other removable device.
http://www.scmagazineus.com/Virtumundo-now-a-worm-spreading-via-USB-stick/article/129102/?DCMP=EMC-SCUS_Newswire
FYI -
Most Organizations Hit by Cybercrime - A report released by Symantec
gauges the far reaching impact of cybercrime and finds most
organizations have dealt with a cyber attack of some kind in the
last two years.
http://www.networkworld.com/news/2009/032309-study-most-organizations-hit-by.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Cybercrime server exposed through Google cache - A reported 22,000
card records have been exposed through cached copies of data stored
on a defunct cybercrime server.
http://www.theregister.co.uk/2009/03/23/cache_exposes_cybercrime_data/
FYI -
'Cyberinvaders' crack into Sen. Bill Nelson's staff PCs -- twice -
Cyberinvaders, as a peeved Sen. Bill Nelson, D-Fla. called them
today, continue cracking into U.S. government systems with impunity.
http://lastwatchdog.com/lawmaker-hacked-cyber-invasions/
WEB SITE COMPLIANCE - "Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Development and Support
Development and support activities should ensure that new software
and software changes do not compromise security. Financial
institutions should have an effective application and system change
control process for developing, implementing, and testing changes to
internally developed software and purchased software. Weak change
control procedures can corrupt applications and introduce new
security vulnerabilities. Change control considerations relating to
security include the following:
- Restricting changes to authorized users,
- Reviewing the impact changes will have on security controls,
- Identifying all system components that are impacted by the changes,
- Ensuring the application or system owner has authorized changes in
advance,
- Maintaining strict version control of all software updates, and
- Maintaining an audit trail of all changes.
Changes to operating systems may degrade the efficiency and
effectiveness of applications that rely on the operating system for
interfaces to the network, other applications, or data. Generally,
management should implement an operating system change control
process similar to the change control process used for application
changes. In addition, management should review application systems
following operating system changes to protect against a potential
compromise of security or operational integrity.
When creating and maintaining software, separate software libraries
should be used to assist in enforcing access controls and
segregation of duties. Typically, separate libraries exist for
development, test, and production.
IT SECURITY QUESTION:
G. APPLICATION SECURITY
1. Determine if operational software storage, program source, object
libraries and load modules are appropriately secured against
unauthorized access.
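The booklet's point about separate development, test and production libraries, and the examination question above about securing source, object libraries and load modules, both come down to a check an examiner or administrator can actually run. The following Python script is an added example written for this newsletter; it is not from the FFIEC booklet or any institution's tooling. It assumes a hypothetical policy of maximum permission bits per library (development may be group-writable, test and production may not, and nothing may be world-writable or carry setuid/setgid), builds a constructed sample tree in a temporary directory with three deliberate production violations, and reports every entry that exceeds its library's policy or is a symbolic link escaping the library (a link into the development tree is a way around production access controls).

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical policy (an assumption for this example): the most permissive
# mode bits allowed on entries in each library. Development may be shared
# with a group, test and production may be written only by the owning
# account, and nothing may be world-writable or carry setuid/setgid.
LIBRARY_POLICY = {
    "development": 0o775,
    "test": 0o755,
    "production": 0o755,
}


def audit_library(root, max_mode):
    """Walk one library and return a list of (relative_path, problem) pairs.

    problem is the octal mode string when permission bits exceed max_mode,
    or "symlink-escape" when a link points outside the library, which would
    let whoever can write the link target change what the library serves.
    """
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            st = entry.lstat()
            rel = str(entry.relative_to(root))
            if stat.S_ISLNK(st.st_mode):
                target = entry.resolve()
                if root not in target.parents:
                    findings.append((rel, "symlink-escape"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~max_mode:
                findings.append((rel, oct(mode)))
    return findings


def audit_libraries(base):
    """Apply LIBRARY_POLICY to each library directory under base."""
    base = Path(base)
    return {lib: audit_library(base / lib, max_mode)
            for lib, max_mode in LIBRARY_POLICY.items()}


def build_sample_tree(base):
    """Create a constructed sample layout (not taken from any real system)
    with three deliberate policy violations in the production library."""
    base = Path(base)
    layout = {
        "development/app.c": 0o664,      # group-writable source: allowed in dev
        "test/app.o": 0o644,
        "production/app": 0o755,
        "production/config.ini": 0o666,  # world-writable: finding
        "production/helper": 0o4755,     # setuid load module: finding
    }
    for rel, mode in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        os.chmod(path.parent, 0o755)
        path.write_text("constructed sample content\n")
        os.chmod(path, mode)
    # A "load module" that is really a link into the development tree, so a
    # developer could alter production without touching the production library.
    os.symlink(base / "development" / "app.c", base / "production" / "app.link")
    return base


def run_demo():
    """Build the sample tree in a temporary directory, audit it, and return
    the report so it can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_libraries(tmp)


if __name__ == "__main__":
    for lib, findings in run_demo().items():
        print(f"{lib}: {findings or 'clean'}")
```

Against a real installation, point audit_libraries at the directory holding the three libraries and replace the mode policy with the institution's own. Mode bits are only the first check: the script does not verify ownership or group membership, so the segregation of duties the booklet describes (developers cannot write to test or production) still has to be confirmed against the accounts and groups that own each library.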
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous
notice that accurately reflects its privacy policies and practices
to all customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1)]
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])