R. Kinney Williams & Associates
Internet Banking News
May 14, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - NCUA General Counsel Opinion 06-0332 - Components of Security Response Program.
www.ncua.gov/RegulationsOpinionsLaws/opinion_letters/2006/06-0332.pdf
FYI - Phishers Snare Victims With VoIP - A security firm reported discovering a phishing scheme in which the scammers used Internet telephony to copy a bank's automated voice system in order to steal customers' passwords, account numbers and other personal information.
http://news.yahoo.com/s/cmp/20060426/tc_cmp/186701001
FYI - Aetna says laptop with member data stolen - Health insurer Aetna said a laptop computer containing personal information on about 38,000 of its members was stolen from an employee's car.
http://news.com.com/2102-1029_3-6066078.html?tag=st.util.print
FYI - Banks should give back to open-source community - Major open-source vendors called for financial companies to contribute more code to the open-source community.
http://news.com.com/Banks+should+give+back+to+open-source+community/2100-7344_3-6065381.html?tag=cd.top
FYI - Firms slow to fix security flaws - It can take some firms a week to close loopholes - Hackers are getting a helping hand from firms taking too long to fix software vulnerabilities, research shows. A study carried out for security firm McAfee found that 19% of companies take more than a week to apply software patches to close vulnerabilities. A further 27% said it took two days to apply fixes for software loopholes.
http://news.bbc.co.uk/2/hi/technology/4907588.stm
FYI - Junked PCs another source of personal info - PC users hoping to sell or donate their used computers should be forewarned: There is likely personal information remaining on them.
http://www.scmagazine.com/us/news/article/554995/?n=us
FYI - Cyber blackmail increasing - Cyber blackmail is on the increase, a new report has found. "The Malware Evolution: January to March 2006" report by anti-virus firm Kaspersky Lab said criminal gangs have moved away from the "stealth use" of infected computers - stealing personal data or using computers as part of zombie networks - to direct blackmailing of victims.
http://www.scmagazine.com/us/news/article/555248/?n=us
FYI - Non-Windows attacks on the rise - Attacks against platforms other than Windows, particularly Linux, are growing quickly, according to a Kaspersky Lab report. The number of malicious programs affecting Linux jumped from 422 in 2004 to 863 in 2005, said the report, written by Konstantin Sapronov on the Viruslist.com website. Other Unix-based systems are also experiencing similar rises in attacks, although not to the level of Linux.
http://www.scmagazine.com/us/news/article/555255/?n=us
FYI - Aetna says laptop with member data stolen - Health insurer Aetna on Wednesday said a laptop computer containing personal information on about 38,000 of its members was stolen from an employee's car.
http://news.zdnet.com/2102-1009_22-6066078.html?tag=printthis
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 3 of 5)
PROCEDURES TO ADDRESS SPOOFING - Information Gathering
After a bank has determined that it is the target of a spoofing incident, it should collect available information about the attack to enable an appropriate response. The information that is collected will help the bank identify and shut down the fraudulent Web site, determine whether customer information has been obtained, and assist law enforcement authorities with any investigation. Below is a list of useful information that a bank can collect. In some cases, banks will require the assistance of information technology specialists or their service providers to obtain this information.
* The means by which the bank became aware that it was the target of a spoofing incident (e.g., report received through Web site, fax, telephone, etc.);
* Copies of any e-mails or documentation regarding other forms of communication (e.g., telephone calls, faxes, etc.) that were used to direct customers to the spoofed Web sites;
* Internet Protocol (IP) addresses for the spoofed Web sites along with identification of the companies associated with the IP addresses;
* Web-site addresses (uniform resource locators) and the registration of the associated domain names for the spoofed site; and
* The geographic locations of the IP address (city, state, and country).
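As an added example (not part of the OCC guidance), the Python below triages a constructed customer-reported phishing e-mail: it extracts the URLs, pulls the host from each, and labels the host as the bank's own domain, an IP literal, or a lookalike that embeds the bank's name, giving the list of hosts whose IP addresses, hosting companies and domain registrations the bank then collects. The domain anybank.com is the page's own placeholder; the report text and the other names are constructed.

```python
import re
from urllib.parse import urlsplit

# The institution's legitimate domains (anybank.com is the page's placeholder).
BANK_DOMAINS = {"anybank.com"}

# Matches http(s) URLs and bare www. hosts in free text.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")

# Constructed customer report, as a bank might receive it by e-mail.
REPORT = """From: "AnyBank Security" <alerts@anybank-verify.example>
Dear customer, your account was suspended. Verify it at
http://anybank.com.secure-login.example/verify?id=123 or at
http://192.0.2.44/anybank/login.php. Need help? See http://www.anybank.com/help.
"""


def extract_urls(text):
    """Distinct URLs in order of appearance, trailing punctuation stripped."""
    urls = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)")
        if url.lower().startswith("www."):
            url = "http://" + url
        if url not in urls:
            urls.append(url)
    return urls


def classify_host(host):
    """Label a host: legitimate, ip-literal, lookalike, or unrelated."""
    host = host.lower().rstrip(".")
    if host in BANK_DOMAINS or any(host.endswith("." + d) for d in BANK_DOMAINS):
        return "legitimate"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "ip-literal"
    if any(d.split(".")[0] in host for d in BANK_DOMAINS):
        return "lookalike"
    return "unrelated"


def triage(report):
    """(url, host, verdict) per URL; the non-legitimate hosts are the ones
    whose IPs, hosting companies and registrations the bank then records."""
    results = []
    for url in extract_urls(report):
        host = urlsplit(url).hostname
        if host:
            results.append((url, host, classify_host(host)))
    return results
```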
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and hubs. The unique IP address is commonly used in routing. Since users typically use text names instead of IP addresses for their addressing, the user's software must obtain the numeric IP address before sending the message. The IP addresses are obtained from the Domain Name System (DNS), a distributed database of text names (e.g., anybank.com) and their associated IP addresses. For example, financial institution customers might enter the URL of the Web site in their Web browser. The user's browser queries the domain name server for the IP associated with anybank.com. Once the IP is obtained, the message is sent. Although the example depicts an external address, DNS can also function on internal addresses.
A router directs where data packets will go based on a table that links the destination IP address with the IP address of the next machine that should receive the packet. Packets are forwarded from router to router in that manner until they arrive at their destination. Since the router reads the packet header and uses a table for routing, logic can be included that provides an initial means of access control by filtering the IP address and port information contained in the message header. Simply put, the router can refuse to forward, or forward to a quarantine or other restricted area, any packets that contain IP addresses or ports that the institution deems undesirable. Security policies should define the filtering required by the router, including the type of access permitted between sensitive source and destination IP addresses. Network administrators implement these policies by configuring an access configuration table, which creates a filtering router or a basic firewall.
A switch directs the path a message will take within the network. Switching works faster than IP routing because the switch only looks at the network address for each message and directs the message to the appropriate computer. Unlike routers, switches do not support packet filtering. Switches, however, are designed to send messages only to the device for which they were intended. The security benefits from that design can be defeated and traffic through a switch can be sniffed.
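As an added illustration (not from the FFIEC booklet), the Python below models the two tables the passage describes: a forwarding table consulted by longest-prefix match to pick the next hop, and an access configuration table evaluated top to bottom with a default of deny, so a packet whose header carries an address or port the institution deems undesirable is refused or diverted to a quarantine hop before it is forwarded. All prefixes, ports, hops and rules are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Forwarding table: (destination prefix, next-hop address). The longest
# matching prefix wins; 0.0.0.0/0 is the default route. Addresses constructed.
ROUTES = [
    (ip_network("0.0.0.0/0"), "203.0.113.1"),
    (ip_network("10.0.0.0/8"), "10.0.0.1"),
    (ip_network("10.20.0.0/16"), "10.20.0.1"),
]

# Access configuration table, checked top to bottom; the first matching rule
# decides. Columns: action, source prefix, destination prefix, destination
# port (None = any). A packet matching no rule is denied (default deny).
ACL = [
    ("permit", "0.0.0.0/0", "10.20.5.10/32", 443),     # public HTTPS server
    ("quarantine", "0.0.0.0/0", "10.20.5.10/32", 23),  # telnet probes diverted
    ("permit", "10.0.0.0/8", "10.0.0.0/8", None),      # internal to internal
]
QUARANTINE_HOP = "10.99.0.1"  # restricted segment for diverted traffic


def next_hop(dst):
    """Longest-prefix match over ROUTES; None means no route (drop)."""
    addr, best = ip_address(dst), None
    for net, hop in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def filter_packet(src, dst, dport):
    """Apply the ACL to the IP address and port fields of a packet header."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, port in ACL:
        if (s in ip_network(src_net) and d in ip_network(dst_net)
                and port in (None, dport)):
            return action
    return "deny"


def route_packet(src, dst, dport):
    """Filter first, then forward. Returns (action, next hop or None)."""
    action = filter_packet(src, dst, dport)
    if action == "permit":
        return "permit", next_hop(dst)
    if action == "quarantine":
        return "quarantine", QUARANTINE_HOP
    return "deny", None
```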
IT SECURITY QUESTION:
C. HOST SECURITY
4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party.
a. Compare the data shared and with whom the data were shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and annual notices, as well as any simplified notice that the institution may use. Note that the institution may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of Section 14 and 15 exceptions. Determine whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of information (§6).
2) Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written customer records where available, determine if the institution has adequate procedures in place to provide notices to customers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the customer agrees; or as a necessary step of a transaction) (§9) and accessibility of or ability to retain the notice (§9(e)).
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.