FYI - One of our readers sent us this useful link regarding the
recent pandemic outbreaks.
http://www.sans.edu/resources/leadershiplab/pandemic_watch2009.php
FYI -
Texas PI Licensing Amendment - Yesterday on the GCFA mailing list,
Rob Lee forwarded a message about a Texas House Bill that would
amend the language in the Private Investigator Licensing statute
that will affect computer forensic examiners. Some discussion ensued
on the list as the language of the statute is not completely clear
to mere mortals more comfortable converting hex values in master
boot records than they are reading the law.
http://sansforensics.wordpress.com/2009/04/14/texas-pi-licensing-amendment/
FYI -
Obama appoints federal CTO, industry applauds choice - Aneesh
Chopra, Virginia's secretary of technology, will serve as the CTO,
Obama announced Saturday morning at his weekly address, according to
a White House news release.
http://www.scmagazineus.com/Obama-appoints-federal-CTO-industry-applauds-choice/article/130917/?DCMP=EMC-SCUS_Newswire
FYI -
HHS releases guidance on securing electronic health data - To expand
the use of electronic health records (EHRs), the Health and Human
Services Department (HHS) has issued guidance on technologies and
methods to protect personal electronic health care data.
http://fcw.com/Articles/2009/04/20/HHS-releases-guidance-on-securing-electronic-health-data.aspx
FYI -
NSA oversteps relaxed wiretapping laws - A recent investigation into
the National Security Agency's electronic eavesdropping activities
has found that the federal agency exceeded its authority to wiretap
Americans, the New York Times reported this week.
http://www.securityfocus.com/brief/949
FYI -
2009 National Collegiate Cyber Defense Competition Champion Crowned
- Baker College of Flint, Michigan successfully defended its title
as National Collegiate Cyber Defense Champion by winning the 4th
National Collegiate Cyber Defense Competition (NCCDC), held April
17-19 at the Hilton San Antonio Airport Hotel in San Antonio, TX.
The top three finalists were Baker College, Northeastern University,
and Texas A&M University.
http://sev.prnewswire.com/high-tech-security/20090420/DC0144520042009-1.html
FYI -
How the recession is affecting IT spending - Despite the financial
crisis, companies are still putting forth money for IT security
efforts while overall IT spending is less of a priority, according
to a new survey conducted by strategy and business advisory firm
MetroSITE Group, and Pacific Crest Securities, a technology
investment bank.
http://www.scmagazineus.com/How-the-recession-is-affecting-IT-spending/article/130950/?DCMP=EMC-SCUS_Newswire
FYI -
Intel finds stolen laptops can be costly - A laptop's value is more
than meets the eye. Intel says stolen laptops cost corporate owners
more than $100,000 in some cases, in a study announced Wednesday.
http://news.cnet.com/8301-13924_3-10225626-64.html
FYI -
Device identification in online banking is privacy threat, expert
says - A widely used technology to authenticate users when they log
in for online banking may help reduce fraud, but it does so at the
expense of consumer privacy, a civil liberties attorney said during
a panel at the RSA security conference.
http://msn-cnet.com.com/8301-1009_3-10226742-83.html?tag=mncol
FYI -
Forget Computers, Phone Crime Is Worrying Banks - Computer fraud may
be a big problem for banks today, but the telephone is becoming a
critical tool for fraudsters, bank executives say.
http://www.pcworld.com/article/163741/article.html?tk=nl_dnxnws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Organized crime focuses on the big score - Information-services
provider Verizon Business released its annual data breach report on
Wednesday, documenting at least 90 confirmed data breaches
compromising 285 million records.
http://www.securityfocus.com/brief/947
FYI -
Chinese National Arrested For Source Code Theft - The information
was taken from a New Jersey company that develops, implements, and
supports software for environmental applications. A Chinese citizen
on a work visa in the United States was arrested by the FBI last
week for allegedly revealing proprietary software code owned by his
unidentified U.S. employer to a Chinese government agency.
http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=216500695&subS
FYI -
ICO rules against British Council - Disc loss doh! - The Information
Commissioner's Office (ICO) has found the British Council in breach
of the Data Protection Act after the loss of an unencrypted computer
disc.
http://www.theregister.co.uk/2009/04/20/british_council_data_loss/
FYI -
MySpace insider data breach - While the usual cause of a data breach
at a social-networking site is down to an outsider hacking into the
database, last week's breach at MySpace was attributed to an
employee who gathered the names, social security numbers and other
personal information on a number of his co-workers.
http://www.siliconrepublic.com/news/article/12780/digital-life/myspace-insider-data-breach-leads-to-hq-shutdown
WEB SITE COMPLIANCE -
Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER
EQUIPMENT ACQUISITION AND MAINTENANCE
System Patches
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
- Obtain the patch from a known, trusted source;
- Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
- Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
- Back up production systems prior to applying the patch;
- Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
- Test the resulting system for known vulnerabilities;
- Update the master configurations used to build new systems;
- Create and document an audit trail of all changes; and
- Seek additional expertise as necessary to maintain a secure
computing environment.
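The hash-verification, key-file checksum and audit-trail steps above, worked through as an added example (not from the FFIEC booklet); the file names, the constructed patch payload and the JSON-lines audit format are assumptions:

```python
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    # Stream in chunks so a large patch need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_patch(patch_path, published_sha256):
    # Compare against the hash the vendor publishes over a separate channel.
    return hmac.compare_digest(sha256_file(patch_path), published_sha256.lower())

def snapshot(paths):
    # Checksums of key files, taken before and again after the patch.
    return {str(p): sha256_file(p) for p in paths}

def changed_files(before, after):
    # Files whose checksum moved: what the patch actually touched.
    return sorted(p for p in before if before[p] != after.get(p))

def record_audit(log_path, **fields):
    # One JSON line per change keeps the trail simple to review and diff.
    entry = {"ts": datetime.now(timezone.utc).isoformat(), **fields}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def demo():
    # Constructed scenario (hypothetical names): a patch rewrites one of two key files.
    d = Path(tempfile.mkdtemp())
    patch, audit = d / "fix.bin", d / "patch-audit.jsonl"
    patch.write_bytes(b"constructed patch payload")
    published = hashlib.sha256(b"constructed patch payload").hexdigest()
    key_files = [d / "libauth.so", d / "login.conf"]
    for p in key_files:
        p.write_bytes(b"original " + p.name.encode())
    before = snapshot(key_files)
    key_files[0].write_bytes(b"patched libauth.so")  # stands in for applying it
    after = snapshot(key_files)
    entry = record_audit(audit, patch=patch.name, changed=changed_files(before, after))
    return {"patch_ok": verify_patch(patch, published), "changed": entry["changed"],
            "tampered_ok": verify_patch(patch, "0" * 64),  # wrong hash: reject
            "audit_lines": len(audit.read_text().splitlines())}
```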
IT SECURITY QUESTION:
APPLICATION SECURITY
5. Determine whether re-establishment of any session after
interruption requires normal user identification, authentication, and
authorization.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is
permitted, does the institution provide notice after establishing a
customer relationship within a reasonable time? [§4(e)]