FYI - Soaraway security
spending keeps breaches in check - The average spending by companies
on information security defences has tripled over the last six
years, resulting in the overall cost to UK business of reported
security breaches dropping by a third.
http://www.theregister.co.uk/2008/04/22/infosec_security_survey/print.html
FYI - Hack into Obama
campaign site exploited a coding flaw - A simple flaw in the coding
of Senator Barack Obama's website led to a hacking switcheroo of
presidential proportions just days before the important Pennsylvania
primary.
http://www.cbc.ca/cp/technology/080424/z042415A.html
FYI - Vendors must take
some responsibility - Apps new target for attacks - While companies
may go to great lengths to ensure their IT environments are secure,
technology vendors need to do more to make sure their hardware and
software is up to scratch, according to security experts.
http://software.silicon.com/security/0,39024888,39201852,00.htm?r=1
FYI - Should the pen
test be done internally or by a third party? If you're subject to
the Payment Card Industry Data Security Standard (PCI DSS), then the
costs associated with third-party pen tests could easily become a
hard pill to swallow since the PCI DSS requires pen tests to be
conducted annually.
http://www.darkreading.com/document.asp?doc_id=152115&WT.svl=news1_1
FYI - Securing Wi-Fi
must be priority - As the use of Wi-Fi by businesses becomes more
pervasive, IT departments must rethink their security strategy,
according to a panel at the Interop conference in Las Vegas.
http://www.scmagazineus.com/From-Interop-Securing-Wi-Fi-must-be-priority/article/109558/?DCMP=EMC-SCUS_Newswire
FYI - Access by health
care personnel is main security concern - User access is the number
one IT security concern among healthcare workers, according to a
study.
http://www.scmagazineus.com/Access-by-health-care-personnel-is-main-security-concern/article/109539/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers Breach
System At UMass - Hackers breached the computer system used by UMass
Amherst's Health Services, potentially gaining access to thousands
of medical records.
http://www.cbs3springfield.com/news/local/18021744.html
FYI - UConn bookstore
sells drive holding personal data - Used 500GB Seagate drive from
serviced PC mistakenly sold as new for $200 - University of
Connecticut police are investigating how a hard drive containing
personal documents and photos from about 10 students, faculty and
nonuniversity individuals was accidentally sold last week by the
school's bookstore to a student on campus.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080162
FYI - 30,000 bank
customers affected by data theft - The number of Bank of Ireland
customers affected by the theft of laptops last year has risen to
over 30,000.
http://www.rte.ie/news/2008/0428/boi.html
FYI - After Web
defacement, university warns of data breach - Two weeks after
discovering that its Web site had been used by hackers to flog fancy
wedding rings, Southern Connecticut State University is notifying
11,000 current and former students that their Social Security
numbers may have been compromised.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080380&source=rss_topic17
FYI - SHA Personal
Information Exposed Accidentally - Sensitive personal information
concerning 1,800 State Highway Administration employees, including
names and Social Security numbers, was compromised last week.
http://www.wbaltv.com/news/15998781/detail.html
FYI - Police Investigate
Identity Theft At Canton WiseBuys - Canton police are investigating
the theft of thousands of dollars from local bank accounts in what
is being described as a major identity theft ring. The trouble all
started when someone apparently hacked into the Canton WiseBuys
store computer system during a changeover.
http://www.wwnytv.net/index.php/2008/04/24/feedback-police-investigate-identity-theft-of-canton-wisebuys-customers/
http://www.watertowndailytimes.com/article/20080425/NEWS05/133127784
FYI - Another college
exposure, now in Colorado - The University of Colorado at Boulder
said that a computer belonging to the Division of Continuing
Education and Professional Studies was compromised, leaving people
open to potential identity theft. The computer had personal data,
including names, Social Security numbers, addresses and grades of as
many as 9,500 people.
http://www.scmagazineus.com/Another-college-exposure-now-in-Colorado/article/109502/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue the series on the FDIC Supervisory Insights article on
Incident Response Programs. (4 of 12)
Reaction Procedures
Assessing security incidents and identifying the unauthorized access
to or misuse of customer information essentially involve organizing
and developing a documented risk assessment process for determining
the nature and scope of the security event. The goal is to
efficiently determine the scope and magnitude of the security
incident and identify whether customer information has been
compromised.
Containing and controlling the security incident involves preventing
any further access to or misuse of customer information or customer
information systems. As there are a variety of potential threats to
customer information, organizations should anticipate the ones that
are more likely to occur and develop response and containment
procedures commensurate with the likelihood of and the potential
damage from such threats. An institution's information security risk
assessment can be useful in identifying some of these potential
threats. The containment procedures developed should focus on
responding to and minimizing potential damage from the threats
identified. Not every incident can be anticipated, but institutions
should at least develop containment procedures for reasonably
foreseeable incidents.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
include
1) Selecting authentication mechanisms
based on the risk associated with the particular application or
services;
2) Considering whether multi-factor authentication is
appropriate for each application, taking into account that
multi-factor authentication is increasingly necessary for many forms
of electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators
(e.g., passwords, PINs, digital certificates, and biometric
templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi-factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
IT SECURITY QUESTION:
B. NETWORK SECURITY
3. Evaluate controls over the management of
remote equipment.
4. Determine if effective procedures and practices are in place to
secure network services, utilities, and diagnostic ports, consistent
with the overall risk assessment.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
30. Does the institution allow the
consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically? [§7(g)(1)]