FYI - A common currency for online fraud - Fake checks have been the
stock in trade of online fraud artists for years. Now authorities are
noting a surge in schemes involving sophisticated counterfeiting of a
different form of payment: United States postal money orders.
http://news.com.com/A+common+currency+for+online+fraud/2100-1030_3-5684147.html?tag=nefd.top
FYI - Insecurities over Indian outsourcing - A case of bank fraud
involving an India-based outsourcer has rekindled a debate about using
overseas contractors for tasks involving sensitive data.
http://news.com.com/Insecurities+over+Indian+outsourcing/2100-7355_3-5685170.html?tag=cd.lede
FYI - IRS security flaws expose taxpayer data to snooping, GAO finds -
Security flaws in computer systems used by the Internal Revenue Service
expose millions of taxpayers to potential identity theft or illegal
police snooping, according to a congressional report released today.
http://www.computerworld.com/printthis/2005/0,4814,101166,00.html
FYI - Sovereign blames retailer in ID theft scam - Sovereign Bank is
trying to blame BJ's Wholesale Club Inc. in an identity theft scheme
that victimized hundreds of the bank's debit cardholders last year.
http://philadelphia.bizjournals.com/philadelphia/stories/2005/02/14/story4.html?t=printable
FYI - Carnegie Mellon reports computer breach - Carnegie Mellon
University is warning more than 5,000 students, employees and graduates
that their Social Security numbers and other personal information may
have been accessed during a breach of the school's computer network.
http://msnbc.msn.com/id/7590506/
FYI - Ameritrade warns 200,000 clients about potential data breach - A
computer backup tape containing account information of more than
200,000 Ameritrade Inc. clients was apparently lost or accidentally
destroyed while being shipped, prompting the online investment
brokerage to notify the clients of a potential breach.
http://www.computerworld.com/printthis/2005/0,4814,101217,00.html
FYI - Army of zombies invades China - China's rapid Internet growth has
brought with it a somewhat disturbing side effect: multiplying zombies
up to no good. Zombies, or Internet-connected computers infected by
worms or viruses and under the control of a hacker, are used to launch
denial-of-service (DoS) attacks, or to send spam or phishing e-mails.
An average of 157,000 new zombies are identified each day, and 20% of
these are in China, according to security company CipherTrust Inc.
http://www.computerworld.com/printthis/2005/0,4814,101231,00.html
FYI - SANS Releases Analysis of Log Management Industry - In
conjunction with Log Logic and other security log analysis vendors,
SANS offers a free analysis of the rapidly growing Log Analysis
industry.
https://www.sans.org/webcasts/20050426_analyst_report.pdf
WEB SITE COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the
Internet or on-line text. Thus, institutions should carefully review
their on-line advertisements in an effort to minimize compliance
risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business"
under HUD's rules prescribing lobby notices. Thus, institutions may
want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
applications.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the
FDIC "Security Risks Associated with the Internet."
System Architecture and Design
The Internet can facilitate
unchecked and/or undesired access to internal systems, unless
systems are appropriately designed and controlled. Unwelcome system
access could be achieved through IP spoofing techniques, where an
intruder may impersonate a local or internal system and be granted
access without a password. If access to the system is based only on
an IP address, any user could gain access by masquerading as a
legitimate, authorized user by "spoofing" the user's
address. Not only could any user of that system gain access to the
targeted system, but so could any system that it trusts.
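The weakness described above is an access decision that rests on nothing but the source address a packet claims. The following is an added example, not part of the FDIC text: an address-only check beside a hardened check that still filters by network but additionally requires proof that the sender holds a shared key, a fresh timestamp and a single-use nonce. The 10.0.5.0/24 "internal" range, the pre-shared key and the request contents are all constructed for the illustration.

```python
"""Address-only authorization vs. an authenticated, replay-resistant request.

Added example; the network range, key and requests below are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time
from typing import Iterable, Optional

# Hypothetical "internal" range that a naive system treats as trusted.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Hypothetical pre-shared key held only by the legitimate client and the server.
SHARED_KEY = b"example-psk-replace-in-real-deployments"


def ip_only_authz(src_ip: str, nets: Iterable = TRUSTED_NETS) -> bool:
    """Weak control: access is granted because the packet *claims* an internal source.
    A spoofed source address passes this check exactly as a genuine one does."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


def sign_request(key: bytes, ts: int, nonce: bytes, body: bytes) -> bytes:
    """tag = HMAC-SHA256(key, ts || nonce || body); unforgeable without the key."""
    msg = ts.to_bytes(8, "big") + nonce + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_request(key: bytes, body: bytes, now: Optional[int] = None):
    """What the legitimate client sends: timestamp, random nonce, body and tag."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_bytes(16)
    return ts, nonce, body, sign_request(key, ts, nonce, body)


class Verifier:
    """Hardened control: the network filter is kept as a coarse first layer,
    but access also requires a valid tag, a fresh timestamp and an unused nonce."""

    def __init__(self, key: bytes, window_s: int = 300):
        self.key = key
        self.window_s = window_s
        self.seen_nonces = set()

    def authorize(self, src_ip: str, ts: int, nonce: bytes, body: bytes,
                  tag: bytes, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if not ip_only_authz(src_ip):
            return False  # outside the permitted range
        if abs(now - ts) > self.window_s:
            return False  # stale (or far-future) request
        if nonce in self.seen_nonces:
            return False  # replay of a request already accepted
        if not hmac.compare_digest(sign_request(self.key, ts, nonce, body), tag):
            return False  # wrong key or altered body
        self.seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    v = Verifier(SHARED_KEY)
    # An intruder forging the internal address passes the weak check...
    print("ip-only, spoofed 10.0.5.77:", ip_only_authz("10.0.5.77"))
    # ...but cannot produce a valid tag without the key.
    ts, nonce, body, _ = make_request(SHARED_KEY, b"post rate change")
    forged = sign_request(b"attacker-guess", ts, nonce, body)
    print("hardened, spoofed + forged tag:", v.authorize("10.0.5.77", ts, nonce, body, forged))
```

The point for design review is the order of checks: the address filter limits exposure, but the decision to grant access must rest on something the impersonator cannot supply. The nonce set grows without bound here; a production verifier would expire nonces older than the freshness window.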
Improper access can also result from other technically permissible
activities that have not been properly restricted or secured. For
example, application layer protocols are the standard sets of rules
that determine how computers communicate across the Internet.
Numerous application layer protocols, each with different functions
and a wide array of data exchange capabilities, are utilized on the
Internet. The most familiar, Hypertext Transfer Protocol (HTTP),
facilitates the movement of text and images. But other types of
protocols, such as File Transfer Protocol (FTP), permit the
transfer, copying, and deleting of files between computers. The Telnet
protocol goes further and enables one computer to log in to another.
Protocols such as FTP and Telnet exemplify activities which may be
improper for a given system, even though the activities are within
the scope of the protocol architecture.
The open architecture of the Internet also makes it easy for attacks to
be launched against
systems from anywhere in the world. Systems can even be accessed and
then used to launch attacks against other systems. A typical attack
would be a denial of service attack, which is intended to bring down
a server, system, or application. This might be done by overwhelming
a system with so many requests that it shuts down. Or, an attack
could be as simple as accessing and altering a Web site, such as
changing advertised rates on certificates of deposit.
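An altered rates page is a content-integrity failure, and the routine control for it is a hash baseline of the web root that is re-checked on a schedule. The following is an added example, not code from the FDIC text: it builds the baseline, signs it with a key that is assumed to live on a separate monitoring host (so an intruder who can rewrite the site cannot also rewrite the baseline to match), and reports modified, added and removed files. The file names, page contents and key are constructed.

```python
"""Web-root integrity baseline with a keyed signature over the baseline itself.

Added example; paths, page contents and the key are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Set

# Hypothetical key held on the monitoring host, not on the web server.
BASELINE_KEY = b"example-baseline-key"


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_baseline(baseline: Dict[str, str], key: bytes = BASELINE_KEY) -> str:
    """HMAC over a canonical JSON encoding, so key order cannot change the tag."""
    canon = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_baseline(baseline: Dict[str, str], tag: str, key: bytes = BASELINE_KEY) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Three kinds of drift matter: changed content, planted files, deleted files."""
    return {
        "modified": {k for k in baseline if k in current and baseline[k] != current[k]},
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
    }


def check_site(root, baseline: Dict[str, str], tag: str, key: bytes = BASELINE_KEY):
    """Refuse to use a baseline whose signature does not verify, then diff the site."""
    if not verify_baseline(baseline, tag, key):
        raise ValueError("baseline failed signature check; its hashes cannot be trusted")
    return compare(baseline, build_baseline(root))


def demo():
    """Constructed scenario: baseline a two-page site, then deface it and re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "rates.html").write_text("12-month CD APY: 4.10%")
        baseline = build_baseline(root)
        tag = sign_baseline(baseline)

        # Intruder changes the advertised rate, plants a page and deletes one.
        (root / "rates.html").write_text("12-month CD APY: 9.99%")
        (root / "promo.html").write_text("<h1>Free money</h1>")
        (root / "index.html").unlink()
        report = check_site(root, baseline, tag)

        # Intruder also tries to "fix" the stored baseline to hide the change.
        doctored = dict(baseline)
        doctored["rates.html"] = build_baseline(root)["rates.html"]
        doctored_rejected = not verify_baseline(doctored, tag)
        return report, doctored_rejected


if __name__ == "__main__":
    print(demo())
```

Run the check from a host the web server cannot write to, and treat any `modified` entry on a page that carries rates, fees or disclosures as an incident rather than a curiosity.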
Security Scanning Products
A number of software programs exist which run automated security
scans against Web servers, firewalls, and internal networks. These
programs are generally very effective at identifying weaknesses that
may allow unauthorized system access or other attacks against the
system. Although these products are marketed as security tools to
system administrators and information systems personnel, they are
available to anyone and may be used with malicious intent. In some
cases, the products are freely available on the Internet.
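The two preceding sections fit together: an administrator uses a scanner to learn which services a system actually exposes, then compares that against what the system's role permits (FTP or Telnet listening on a public web server being the kind of "technically permissible but improper" case the text describes). The following is an added example, not code from the FDIC text: a minimal TCP connect scan, a role policy check, and a self-contained demonstration that stands up throwaway listeners on the loopback address so the scan has something to find. The role policies and port-to-service names are constructed.

```python
"""TCP connect scan plus a role-based allowed-service check.

Added example; role policies and the demo listeners are constructed.
"""
import socket
import threading
from typing import Dict, Iterable, Set

# Hypothetical policy: which TCP ports each system role may expose.
ROLE_ALLOWED_PORTS: Dict[str, Set[int]] = {
    "public-web": {80, 443},
    "internal-fileserver": {22, 445},
}

# Well-known services, including the two the FDIC text singles out.
WELL_KNOWN = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS", 445: "SMB"}


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """A port is reported open only if a full TCP handshake completes."""
    open_ports: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:  # refused, filtered or timed out
                continue
            open_ports.add(port)
    return open_ports


def flag_disallowed(open_ports: Iterable[int], role: str) -> Dict[int, str]:
    """Return open ports the role policy does not permit, labelled by service."""
    allowed = ROLE_ALLOWED_PORTS[role]
    return {p: WELL_KNOWN.get(p, "unknown") for p in sorted(open_ports) if p not in allowed}


def _accept_loop(srv: socket.socket) -> None:
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:  # listener closed; thread exits
            return


def start_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind a throwaway listener (port 0 = any free port) for the demonstration."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv


def demo_local_scan(role: str = "public-web") -> dict:
    """Start two listeners, scan them plus one closed port, apply the role policy."""
    listeners = [start_listener(), start_listener()]
    expected_open = {s.getsockname()[1] for s in listeners}
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # now nothing listens there
    try:
        found = tcp_connect_scan("127.0.0.1", expected_open | {closed_port})
    finally:
        for s in listeners:
            s.close()
    return {"expected_open": expected_open, "found_open": found,
            "closed_port": closed_port, "flagged": flag_disallowed(found, role)}


if __name__ == "__main__":
    print(demo_local_scan())
    print(flag_disallowed({80, 443, 21, 23}, "public-web"))
```

The same connect scan is what an outsider runs against the institution's address space; the difference is only who reads the result first. Scan your own systems on a schedule and reconcile every open port against a written policy for that system's role.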
IT SECURITY QUESTION:
Backup operations: (Part 1 of 2)
a. Is the network backed up? Rotation?
b. Is the core application backed up? Rotation?
c. Are backup tapes stored off premises? Distance?
d. Are backup tapes taken off premises after the backup is finished?
e. Are backup tapes kept in the computer room?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
applicable, the:
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]
VISTA penetration-vulnerability testing - Does your institution need
an affordable internal or external penetration-vulnerability test?
R. Kinney Williams & Associates provides the independence required by
the FFIEC IT Examination Manual. We are IT auditors and do not sell
hardware or software like many IT testing companies and consultants.
In addition, we have over 30 years experience auditing IT operations
for financial institutions, which includes 21 years examination
experience. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.