R. Kinney Williams & Associates - Internet Banking News - April 9, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
Banks Hit With New Spoofing Attacks - Attackers made changes to
legitimate Web sites, making the scams much harder to detect. -
Three Florida banks have had their Web sites compromised by hackers
in an attack that security experts are calling the first of its
type.
http://www.pcworld.com/news/article/0,aid,125263,tk,dn033006X,00.asp
FYI -
Controlling the Assault of Non-Solicited Pornography
and Marketing Act of 2003 - This bulletin transmits Examination
Procedures, including a Worksheet, to test financial institutions
for compliance with regulations implementing the CAN-SPAM Act of
2003.
Press Release:
www.occ.treas.gov/ftp/bulletin/2006-14.txt
Attachment:
www.occ.treas.gov/ftp/bulletin/2006-14a.pdf
Attachment:
www.occ.treas.gov/ftp/bulletin/2006-14b.pdf
FYI -
The Federal Reserve Board on Monday launched a new kids web
page designed to educate middle school students about the Board of
Governors of the Federal Reserve System. The new web page is
designed in a user-friendly, question-and-answer format to ensure
easy navigation and the ability to learn basic information about the
Fed.
www.federalreserve.gov/boarddocs/press/other/2006/20060327/default.htm
(R. Kinney - you may wish to link this site
off your web site.)
FYI -
Energy Department lost computer equipment - At least 18 pieces of
"computer processing equipment," including at least one laptop, are
missing from the Energy Department's Office of Intelligence (IN),
and department officials do not know whether any of it was used for
or contained classified information, according to a new report from DOE's inspector general.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40184
FYI -
N.Y. attorney general sues Gratis, alleges privacy breach - The info
sale may be the largest-ever deliberate violation of confidentiality
agreements - New York State Attorney General Eliot Spitzer is suing
Web site operator Gratis Internet Inc. for allegedly violating
consumer confidentiality agreements by selling the personal
information of millions of people to e-mail marketers, according to
a statement issued by Spitzer's office.
http://www.computerworld.com/printthis/2006/0,4814,109822,00.html
FYI -
Trojan horses steal bank details, passwords - Two Trojan horses with
distinctive traits have been flagged by security researchers: one
that hijacks one-time-use passwords, and another that hides behind a
rootkit.
http://news.com.com/2102-7349_3-6053849.html?tag=st.util.print
http://www.computerworld.com/printthis/2006/0,4814,109803,00.html
FYI -
Offshore outsourcing cited in Florida data leak - State employees
are being warned that their personal data may have been compromised
- Florida state employees are being warned that their personal
information may have been compromised after work on the state's
People First payroll and human resources system was improperly
subcontracted to a company in India.
http://www.computerworld.com/printthis/2006/0,4814,109938,00.html
FYI -
VSC laptop theft creates security concerns - Thousands of Vermont
State Colleges students, faculty and staff learned this week that a
VSC laptop computer stolen from a car parked in Montreal on Feb. 28
could have given thieves access to their personal financial
information, including Social Security numbers and payroll data.
http://www.timesargus.com/apps/pbcs.dll/article?AID=/20060324/NEWS/603240363/1002
FYI -
U.K. firms suffer from the enemy within - Staff misuse of the
internet is the second largest cause of reported security incidents
for large U.K. companies. According to the latest preliminary
results published today from the 2006 Department of Trade and
Industry's biennial Information Security Breaches Survey, 90 percent
of all British companies said protecting their reputation was one of
the most important drivers for information security.
http://www.scmagazine.com/us/news/article/549811/?n=us
FYI -
Payment processor fears credit card crooks - A major online payment
provider said Monday that its processing service had been used in an
attempt to charge money to stolen credit and debit cards.
http://news.com.com/2102-7349_3-6057305.html?tag=st.util.print
FYI -
Consumer data security bill passes out of House committee - A House committee this week unanimously approved a data security law that would establish federal standards for protecting personal information and would supersede state laws.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40284
WEB SITE COMPLIANCE - We continue our series on the FFIEC "Authentication in an Internet Banking Environment."
Monitoring and Reporting
Monitoring systems can determine if unauthorized access to computer
systems and customer accounts has occurred. A sound authentication
system should include audit features that can assist in the
detection of fraud, money laundering, compromised passwords, or
other unauthorized activities. The activation and maintenance of
audit logs can help institutions to identify unauthorized
activities, detect intrusions, reconstruct events, and promote
employee and user accountability. In addition, financial
institutions should report suspicious activities to appropriate
regulatory and law enforcement agencies as required by the Bank
Secrecy Act.
Financial institutions should rely on multiple layers of control to
prevent fraud and safeguard customer information. Much of this
control is not based directly upon authentication. For example, a
financial institution can analyze the activities of its customers to
identify suspicious patterns. Financial institutions also can rely
on other control methods, such as establishing transaction dollar
limits that require manual intervention to exceed a preset limit.
Adequate reporting mechanisms are needed to promptly inform security
administrators when users are no longer authorized to access a
particular system and to permit the timely removal or suspension of
user account access. Furthermore, if critical systems or processes
are outsourced to third parties, management should ensure that the
appropriate logging and monitoring procedures are in place and that
suspected unauthorized activities are communicated to the
institution in a timely manner. An independent party (e.g., internal
or external auditor) should review activity reports documenting the
security administrators' actions to provide the necessary checks and
balances for managing system security.
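The monitoring controls described above, as an added example that is not part of the FFIEC guidance: a Python check that reconciles an access audit log against the list of users whose authorization has ended, flagging logins that should no longer have been possible (the account was not removed or suspended in time) and successful logins that follow a burst of failures (a compromised-password indicator). The log format, user names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit log: "timestamp user system result" (not a real product's format)
AUDIT_LOG = """\
2006-04-03T08:02:11 jdoe core-banking LOGIN_OK
2006-04-03T09:15:40 asmith wire-transfer LOGIN_OK
2006-04-04T17:30:00 asmith wire-transfer LOGIN_OK
2006-04-05T07:58:03 jdoe core-banking LOGIN_OK
2006-04-05T22:41:19 bwong core-banking LOGIN_FAIL
2006-04-05T22:41:52 bwong core-banking LOGIN_FAIL
2006-04-05T22:42:30 bwong core-banking LOGIN_OK
"""

# Constructed: users whose authorization ended, and when (e.g. from HR or vendor offboarding)
DEAUTHORIZED = {
    "asmith": datetime(2006, 4, 4, 12, 0, 0),  # employee left at noon on 4 April
    "bwong": datetime(2006, 4, 1, 0, 0, 0),    # contractor engagement ended
}

def parse_log(text):
    """Return (timestamp, user, system, result) tuples in log order."""
    events = []
    for line in text.splitlines():
        ts, user, system, result = line.split()
        events.append((datetime.fromisoformat(ts), user, system, result))
    return events

def logins_after_deauthorization(events, deauthorized):
    """Successful logins after the user's authorization ended: the account
    was not removed or suspended in time."""
    return [(user, system, ts.isoformat())
            for ts, user, system, result in events
            if result == "LOGIN_OK" and user in deauthorized and ts > deauthorized[user]]

def success_after_failures(events, min_failures=2, window=timedelta(minutes=5)):
    """Successful logins preceded by at least `min_failures` failed attempts
    on the same account within `window`: a password-guessing indicator."""
    flagged = []
    for i, (ts, user, system, result) in enumerate(events):
        if result != "LOGIN_OK":
            continue
        recent_fails = [e for e in events[:i]
                        if e[1] == user and e[3] == "LOGIN_FAIL" and ts - e[0] <= window]
        if len(recent_fails) >= min_failures:
            flagged.append((user, system, ts.isoformat(), len(recent_fails)))
    return flagged
```

Both functions return findings a security administrator would act on, and the resulting report is the kind of activity record an independent reviewer can later check.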
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
attack networks.
The primary TCP/IP protocols are the Internet protocol (IP) and the
transmission control protocol (TCP). IP is used to route messages
between devices on a network, and operates at the Internet layer.
TCP operates at the host-to-host layer, and provides a
connection-oriented, full-duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP) is also
used at the host-to-host layer. Unlike TCP, UDP is not connection-oriented,
which makes it faster and a better protocol for supporting
broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often do not effectively
filter it. To provide additional safeguards, it is often blocked
entirely from inbound traffic or additional controls are added to
verify and authenticate inbound UDP packets as coming from a trusted
host.
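The UDP filtering problem described above, as an added example that is not from the FFIEC booklet or any firewall product: because UDP has no handshake to track, a filter must keep its own short-lived "pseudo-connection" state, accepting an inbound datagram only when it answers a recent outbound one or comes from a trusted host to an explicitly allowed port. The addresses, ports and the 30-second reply window are constructed values.

```python
from dataclasses import dataclass

UDP_REPLY_WINDOW = 30.0  # seconds an outbound UDP flow stays "open" (assumed value)

@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    inbound: bool   # True if arriving from the Internet side
    ts: float       # arrival time in seconds

class UdpFilter:
    """Inbound UDP is dropped unless it answers a recent outbound datagram
    (pseudo-state, since UDP has no connection to track) or comes from a
    trusted host to an explicitly allowed port."""
    def __init__(self, trusted_hosts, allowed_ports):
        self.trusted_hosts = set(trusted_hosts)
        self.allowed_ports = set(allowed_ports)
        self.flows = {}  # (inside_ip, inside_port, remote_ip, remote_port) -> last seen

    def decide(self, pkt):
        # expire pseudo-connections that have not seen traffic recently
        self.flows = {k: t for k, t in self.flows.items() if pkt.ts - t <= UDP_REPLY_WINDOW}
        if not pkt.inbound:
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "ACCEPT"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse tuple of an outbound flow
        if key in self.flows:
            self.flows[key] = pkt.ts  # refresh the flow's timer
            return "ACCEPT"
        if pkt.src in self.trusted_hosts and pkt.dport in self.allowed_ports:
            return "ACCEPT"
        return "DROP"

def run_demo():
    """Constructed traffic: a DNS query and its reply, an unsolicited probe,
    a datagram from a trusted NTP server, and a 'reply' that arrives too late."""
    fw = UdpFilter(trusted_hosts={"192.0.2.123"}, allowed_ports={123})
    traffic = [
        Packet("10.0.0.5", 40001, "192.0.2.53", 53, False, 0.0),   # DNS query out
        Packet("192.0.2.53", 53, "10.0.0.5", 40001, True, 0.2),    # DNS reply: matches flow
        Packet("198.51.100.7", 5555, "10.0.0.5", 161, True, 1.0),  # unsolicited SNMP probe
        Packet("192.0.2.123", 123, "10.0.0.5", 123, True, 2.0),    # trusted NTP host
        Packet("192.0.2.53", 53, "10.0.0.5", 40001, True, 45.0),   # stale reply: flow expired
    ]
    return [fw.decide(p) for p in traffic]
```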
IT SECURITY QUESTION: B. NETWORK SECURITY
19. Evaluate the appropriateness of techniques that prevent the spread of malicious code across the network.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
8(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a));
b. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and
c. For customers only, review the timeliness of delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.