Internet Banking News

May 18, 2008

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Travel group warns: Corporate data at risk from laptop searches at border - The Association of Corporate Travel Executives (ACTE) is warning its members to limit the amount of proprietary business information they carry on laptops and other electronic devices because of fears that government agents can seize that data at U.S. border crossings. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9081358&source=rss_topic17

FYI - HSBC calls in police over alleged £70m fraud attempt - Police are investigating an alleged €90m (£70m) attempted fraud by a London-based member of staff at HSBC, Britain's biggest bank. A man has been charged over the alleged scam, which was discovered last week at HSBC's securities services division, which settles trades for clients. http://www.independent.co.uk/news/business/news/hsbc-calls-in-police-over-alleged-16370m-fraud-attempt-819796.html

FYI - Rogue trader Kerviel gets new job - Jérôme Kerviel, the French rogue trader accused of causing €4.9bn (£3.8bn) losses at the bank Société Générale, has got a new job as a computer expert. http://www.guardian.co.uk/business/2008/apr/25/kerviel.job?gusrc=rss&feed=networkfront

FYI - A virtual war on terror - The bad guys are at it again and with increasing ferocity, attacking anything and everything. So far, Chinese hackers have been constantly waging an all-out warfare against the government and defence networks of western countries, the US in particular. http://www.financialexpress.com/news/A-virtual-war-on-terror/305242/

FYI - Virginia Tries to Ensure Students' Safety in Cyberspace - State-Mandated Classes on Internet Take Shape - Alan Portillo didn't think much, if at all, about his online vulnerability. Then the 15-year-old heard technology teacher Wendy Maitland list three pieces of information an online predator would need to find him. http://www.washingtonpost.com/wp-dyn/content/article/2008/05/02/AR2008050203831_pf.html

FYI - CERIAS ranked as nation's top information security program - A private company that measures faculty productivity has ranked Purdue's Center for Education and Research in Information Assurance and Technology the top program in information security among universities in the nation. http://news.uns.purdue.edu/x/2008a/080502SpaffordRanking.html

FYI - Massive hacker server discovered - Security researchers recently found a server being used to harvest private information consisting of stolen data from 40 international businesses, as well as health-related information on patients worldwide. http://www.scmagazineus.com/Massive-hacker-server-discovered/article/109847/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Tax staff disciplined for snooping - 600 staff disciplined for accessing personal or sensitive data - Treasury Minister Jane Kennedy has revealed that more than 600 staff at HM Revenue and Customs (HMRC) have been disciplined for accessing personal or sensitive data. http://www.financialdirector.co.uk/accountancyage/news/2215656/tax-staff-disciplined-snooping

FYI - Cyber crime: PGI head's email hacked - After Panjab University's former vice-chancellor K N Pathak became a victim of email hacking, PGI director and Padmashree K K Talwar has been similarly targeted by cyber criminals. http://timesofindia.indiatimes.com/India/Cyber_crime_PGI_heads_email_hacked/rssarticleshow/3006104.cms

FYI - Hospitals in Hong Kong lose data on 3,000 patients in thefts - Data on more than 3,000 patients in Hong Kong public hospitals has been lost through the theft of computer memory sticks, officials said. http://www.monstersandcritics.com/news/health/news/article_1403455.php/Hospitals_in_Hong_Kong_lose_data_on_3000_patients_in_thefts

FYI - 6,000 UCSF patients' data got put online - Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/01/MNKE10DRGN.DTL&tsp=1

FYI - Hundreds of Laptops Missing at State Department, Audit Finds - Hundreds of employee laptops are unaccounted for at the U.S. Department of State, which conducts delicate, often secret, diplomatic relations with foreign countries, an internal audit has found. As many as 400 of the unaccounted for laptops belong to the department's Anti-Terrorism Assistance Program, according to officials familiar with the findings. http://www.cqpolitics.com/wmspage.cfm?docID=hsnews-000002716318&cpage=1

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (5 of 12)

Notification Procedures

An institution should notify its primary Federal regulator as soon as it becomes aware of the unauthorized access to or misuse of sensitive customer information or customer information systems. Notifying the regulatory agency will help it determine the potential for broader ramifications of the incident, especially if the incident involves a service provider, as well as assess the effectiveness of the institution's IRP.

Institutions should develop procedures for notifying law enforcement agencies and filing SARs in accordance with their primary Federal regulator's requirements. Law enforcement agencies may serve as an additional resource in handling and documenting the incident. Institutions should also establish procedures for filing SARs in a timely manner because regulations impose relatively quick filing deadlines. The SAR form itself may serve as a resource in the reporting process, as it contains specific instructions and thresholds for when to file a report. The SAR form instructions also clarify what constitutes a "computer intrusion" for filing purposes. Defining procedures for notifying law enforcement agencies and filing SARs can streamline these notification and reporting requirements.

Institutions should also address customer notification procedures in their IRP. When an institution becomes aware of an incident involving unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that such information has been or will be misused. If the institution determines that sensitive customer information has been misused or that misuse of such information is reasonably possible, it should notify the affected customer(s) as soon as possible. Developing standardized procedures for notifying customers will assist in making timely and thorough notification. As a resource in developing these procedures, institutions should reference the April 2005 interpretive guidance, which specifically addresses when customer notification is necessary, the recommended content of the notification, and the acceptable forms of notification.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

AUTHENTICATION - Shared Secret Systems (Part 1 of 2)

Shared secret systems uniquely identify the user by matching knowledge on the system to knowledge that only the system and user are expected to share. Examples are passwords, pass phrases, or current transaction knowledge. A password is one string of characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string of words or characters (e.g., "My car is a shepherd") that the system may shorten to a smaller password by means of an algorithm. Current transaction knowledge could be the account balance on the last statement mailed to the user/customer. The strength of shared secret systems is related to the lack of disclosure of and about the secret, the difficulty in guessing or discovering the secret, and the length of time that the secret exists before it is changed.

A strong shared secret system only involves the user and the system in the generation of the shared secret. In the case of passwords and pass phrases, the user should select them without any assistance from any other user, such as the help desk. One exception is in the creation of new accounts, where a temporary shared secret could be given to the user for the first login, after which the system prompts the user to create a different password. Controls should prevent any user from re - using shared secrets that may have been compromised or were recently used by them.

Passwords are the most common authentication mechanism. Passwords are generally made difficult to guess when they are composed from a large character set, contain a large number of characters, and are frequently changed. However, since hard - to - guess passwords may be difficult to remember, users may take actions that weaken security, such as writing the passwords down. Any password system must balance the password strength with the user's ability to maintain the password as a shared secret. When the balancing produces a password that is not sufficiently strong for the application, a different authentication mechanism should be considered. Pass phrases are one alternative to consider. Due to their length, pass phrases are generally more resistant to attack than passwords. The length, character set, and time before enforced change are important controls for pass phrases as well as passwords.

Shared secret strength is typically assured through the use of automated tools that enforce the password selection policy. Authentication systems should force changes to shared secrets on a schedule commensurate with risk.

Passwords can also be dynamic. Dynamic passwords typically use seeds, or starting points, and algorithms to calculate a new - shared secret for each access. Because each password is used for only one access, dynamic passwords can provide significantly more authentication strength than static passwords. In most cases, dynamic passwords are implemented through tokens. A token is a physical device, such as an ATM card, smart card, or other device that contains information used in the authentication process.

Return to the top of the newsletter

INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

5. Determine whether external servers are appropriately isolated through placement in DMZs, with supporting servers on DMZs separate from external networks, public servers, and internal networks.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

32. When a customer relationship ends, does the institution continue to apply the customer's opt out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [§7(g)(2)]