R. Kinney Williams & Associates

Internet Banking News

June 5, 2005



FYI - MCI says laptop, employee data was stolen - A laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI was stolen last month. http://news.com.com/2102-1029_3-5716534.html?tag=st.util.print

FYI - E-mail retention a must after Morgan Stanley case - The $1.45 billion judgment against Morgan Stanley for deceiving billionaire Ronald Perelman over a business deal has a lesson all companies should learn--keeping e-mails is now a must, experts say. http://news.com.com/2102-1036_3-5715554.html?tag=st.util.print

FYI - Banks Notify Customers of Data Theft - More than 100,000 customers of Wachovia Corp. and Bank of America Corp. have been notified that their financial records may have been stolen by bank employees and sold to collection agencies.
http://sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/05/23/financial/f102607D66.DTL&type=business
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,101903,00.html

FYI - More arrests promised in bank data theft - At least two more bank employees will probably be arrested in the coming weeks over a scheme to steal data about customers at four major U.S. banks, a New Jersey police detective said on Monday. http://news.com.com/2102-7348_3-5716710.html?tag=st.util.print

FYI - Hacker and sidekick Sidekick hack trick exposed - Social engineering rather than technical wizardry was responsible for the leak of Paris Hilton's address book onto the internet. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=1f137662-ca40-4bfe-bb0b-21462e50ac98&newsType=Latest%20News&s=n

FYI - GAO - Internet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage Security Risks.
Highlights - http://www.gao.gov/highlights/d05471high.pdf
GAO report - http://www.gao.gov/cgi-bin/getrpt?GAO-05-471

FYI - Insider revenge often behind cyberattacks - Former employees still had access to systems after leaving - Companies hoping to mitigate their exposure to insider attacks need to ensure they have good password, account and configuration management practices, as well as the right processes in place for disabling network access when employees are terminated. http://www.computerworld.com/securitytopics/security/story/0,10801,101900,00.html



WEB SITE COMPLIANCE -
Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers.  The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means.  The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s).  The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous."  Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected.  A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.



INFORMATION TECHNOLOGY SECURITY
We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES


Symmetric and Asymmetric Key Systems 


There are two types of cryptographic key systems, symmetric and asymmetric.  With a  symmetric key system (also known as secret key or private key systems), all parties have the same key.  The keys can be used to encrypt and decrypt messages, and must be kept secret or the security is compromised.  For the parties to get the same key, there has to be a way to securely distribute the key to each party.  While this can be done, the security controls necessary make this system impractical for widespread and commercial use on an open network like the Internet.  Asymmetric key systems can solve this problem. 

In an asymmetric key system (also known as a public key system), two keys are used. One key is kept secret, and therefore is referred to as the "private key."  The other key is made widely available to anyone who wants it, and is referred to as the "public key."  The private and public keys are mathematically related so that information encrypted with the private key can only be decrypted by the corresponding public key.  Similarly, information encrypted with the public key can only be decrypted by the corresponding private key. The private key, regardless of the key system utilized, is typically specific to a party or computer system.  Therefore, the sender of a message can be authenticated as the private key holder by anyone decrypting the message with a public key.  Importantly, it is mathematically impossible for the holder of any public key to use it to figure out what the private key is.  The keys can be stored either on a computer or on a physically separate medium such as a smart card.


Regardless of the key system utilized, physical controls must exist to protect the confidentiality and access to the key(s).  In addition, the key itself must be strong enough for the intended application.  The appropriate encryption key may vary depending on how sensitive the transmitted or stored data is, with stronger keys utilized for highly confidential or sensitive data.  Stronger encryption may also be necessary to protect data that is in an open environment, such as on a Web server, for long time periods.  Because the strength of the key is determined by its length, the longer the key, the harder it is for high-speed computers to break the code.
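As an added example (not code from the FDIC paper or this newsletter), the Go program below uses only Go's standard library to show both systems side by side: AES-256-GCM with one secret key that both parties must already share, then an RSA key pair where anyone holding the public key can encrypt but only the private-key holder can decrypt, and where a signature made with the private key is checked with the public key to authenticate the sender. The 2048-bit floor in generateKeyPair is an assumed policy value for illustration, and the shared key and message in main are constructed sample inputs.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Symmetric system: one secret key shared by every party. Whoever holds it can
// both encrypt and decrypt, so it must be distributed and stored securely.
// AES-256-GCM is used here; the random nonce is prepended to the ciphertext.
func symmetricSeal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// symmetricOpen decrypts with the same shared key. A wrong key or a modified
// ciphertext makes GCM's authentication-tag check fail, so nothing is returned.
func symmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Asymmetric system: a key pair. Key strength grows with key length, so the
// generator enforces a minimum (2048 bits is an assumed example policy floor).
func generateKeyPair(bits int) (*rsa.PrivateKey, error) {
	if bits < 2048 {
		return nil, fmt.Errorf("key length %d below policy minimum of 2048 bits", bits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// Anyone with the public key can encrypt; only the private-key holder can decrypt.
func asymmetricEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func asymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// The reverse direction authenticates the sender: a signature can only be made
// with the private key, and anyone holding the public key can check it.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

func verifySignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// Constructed sample inputs for a stand-alone run; never use a fixed key like this in practice.
	shared := []byte("0123456789abcdef0123456789abcdef")
	msg := []byte("transfer $500 to account 1234")
	sealed, _ := symmetricSeal(shared, msg)
	opened, err := symmetricOpen(shared, sealed)
	fmt.Printf("symmetric round trip: %q err=%v\n", opened, err)
	priv, err := generateKeyPair(2048)
	if err != nil {
		panic(err)
	}
	ct, _ := asymmetricEncrypt(&priv.PublicKey, msg)
	pt, err := asymmetricDecrypt(priv, ct)
	fmt.Printf("asymmetric round trip: %q err=%v\n", pt, err)
	sig, _ := signMessage(priv, msg)
	fmt.Println("signature verifies:", verifySignature(&priv.PublicKey, msg, sig))
	fmt.Println("altered message verifies:", verifySignature(&priv.PublicKey, []byte("transfer $5000 to account 1234"), sig))
}
```

The GCM mode was chosen over plain AES because it authenticates the ciphertext as well as encrypting it, which is what makes a wrong key or a tampered message detectable on the receiving side; the RSA signature plays the same role across parties who share no secret at all.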



IT SECURITY QUESTION: Disaster recovery planning:

a. Is there a written disaster recovery plan?
b. Has the disaster recovery plan been tested within the past year?
c. Does the bank have a backup site?
d. Is a current copy of the disaster recovery plan kept off-site with the backup tapes?
e. Do appropriate personnel have a current copy of the disaster recovery plan at their residence?


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:

a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]

b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]

c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution's web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or

d. a toll-free telephone number? [§7(a)(2)(ii)(D)]

(Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])


VISTA - Does {custom4} need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports; the testing focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated