REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- With Plan X, Pentagon seeks to spread U.S. military might to
cyberspace - The Pentagon is turning to the private sector,
universities and even computer-game companies as part of an
ambitious effort to develop technologies to improve its cyberwarfare
capabilities, launch effective attacks and withstand the likely
retaliation.
http://www.washingtonpost.com/world/national-security/with-plan-x-pentagon-seeks-to-spread-us-military-might-to-cyberspace/2012/05/30/gJQAEca71U_story.html
FYI
- Cyber Security Expert James R. Woodhill to Testify on Commercial
Account Cyber-Theft Before House Committee - Nationally recognized
cyber security expert and civic leader in the campaign against cyber
theft, James R. Woodhill will testify about the growing epidemic of
on-line financial transaction theft from prominent American
financial institutions.
http://www.marketwatch.com/story/cyber-security-expert-james-r-woodhill-to-testify-on-commercial-account-cyber-theft-before-house-committee-2012-05-31
FYI
- Backdoor in chip used by military: Blame software, not China - The
recent discovery by British researchers of an intentionally placed
backdoor in U.S. chips used in defense and industrial systems set
off a brief frenzy of finger-pointing toward China, with claims that
Chinese manufacturers were prepping the chips for a series of
Stuxnet-type attacks on U.S. systems.
http://gcn.com/articles/2012/05/30/china-not-behind-backdoor-in-military-chip.aspx
FYI
- No More Dot-Mil Accounts on Dating Sites - The Pentagon this month
plans to distribute a new policy on personal social media use that
tells troops to hide certain identifying information when
interacting online, Defense Department officials tell Nextgov.
http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/05/no-more-dot-mil-accounts-dating-sites/55930/?oref=ng-voicestop
FYI
- Google to 'warn' users on search in China - Google has fired a new
salvo in a censorship battle with Beijing by adding a feature that
warns users in China who enter search keywords that might produce
blocked results and suggests they try other terms.
http://articles.timesofindia.indiatimes.com/2012-06-01/internet/31958571_1_analysys-international-baidu-android
FYI
- New Jersey Assembly passes bill requiring deletion of copier data
- The New Jersey Assembly has passed a bill that would require the
deletion of all data from digital copiers and scanners.
http://www.infosecurity-magazine.com/view/26127/new-jersey-assembly-passes-bill-requiring-deletion-of-copier-data
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- A Massive Web of Fake Identities and Websites Controlled Flame
Malware - The attackers behind the complex Flame cyberespionage
toolkit, believed to be a state-sponsored operation, used an
extensive list of fake identities to register at least 86 domains,
which they used as part of their command-and-control center,
according to researchers at Russia-based antivirus firm Kaspersky
Lab.
http://www.wired.com/threatlevel/2012/06/flame-command-and-control/
FYI
- LinkedIn confirms that posted passwords are of its members - One
of the largest social networks on the web has confirmed that
passwords of its users have been stolen.
http://www.scmagazine.com/linkedin-confirms-that-posted-passwords-are-of-its-members/article/244575/?DCMP=EMC-SCUS_Newswire
FYI
- eHarmony may have suffered same fate as LinkedIn - Joining
LinkedIn, dating website eHarmony said Wednesday that it is
investigating the possible theft of its members' passwords.
http://www.scmagazine.com/eharmony-may-have-suffered-same-fate-as-linkedin/article/244612/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 3: Banks should ensure that appropriate measures
are in place to promote adequate segregation of duties within
e-banking systems, databases and applications.
Segregation of duties is a basic internal control measure
designed to reduce the risk of fraud in operational processes and
systems and ensure that transactions and company assets are properly
authorized, recorded and safeguarded. Segregation of duties is
critical to ensuring the accuracy and integrity of data and is used
to prevent the perpetration of fraud by an individual. If duties are
adequately separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties is established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to ensure
that no single employee/outsourced service provider could enter,
authorize and complete a transaction.
2) Segregation should be maintained between those initiating static
data (including web page content) and those responsible for
verifying its integrity.
3) E-banking systems should be tested to ensure that segregation of
duties cannot be bypassed.
4) Segregation should be maintained between those developing and
those administrating e-banking systems.
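Practice 1 above (no single employee or outsourced provider may enter, authorize and complete a transaction) is the kind of control that can be enforced in code rather than left to procedure. The following is an added illustration, not code from the Basel Committee paper or this newsletter: a minimal three-stage transaction flow with the stricter rule that each stage must be a different actor, plus the audit trail the paper says should be emphasized. Actor names and transaction ids are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class SegregationViolation(Exception):
    """One actor attempted more than one stage of the same transaction."""


@dataclass
class Transaction:
    tx_id: str
    amount: float
    entered_by: Optional[str] = None
    authorized_by: Optional[str] = None
    completed_by: Optional[str] = None
    # Audit trail of (stage, actor): the evidence an examiner would ask for.
    audit_trail: List[Tuple[str, str]] = field(default_factory=list)

    def enter(self, actor: str) -> None:
        if self.entered_by is not None:
            raise ValueError(f"{self.tx_id} already entered")
        self.entered_by = actor
        self.audit_trail.append(("enter", actor))

    def authorize(self, actor: str) -> None:
        if self.entered_by is None:
            raise ValueError(f"{self.tx_id} not yet entered")
        # The actor who keyed the transaction may not approve it.
        if actor == self.entered_by:
            raise SegregationViolation(f"{actor} entered and cannot authorize {self.tx_id}")
        self.authorized_by = actor
        self.audit_trail.append(("authorize", actor))

    def complete(self, actor: str) -> None:
        if self.authorized_by is None:
            raise ValueError(f"{self.tx_id} not yet authorized")
        # Release of funds needs a third actor, so fraud requires collusion.
        if actor in (self.entered_by, self.authorized_by):
            raise SegregationViolation(f"{actor} already acted on {self.tx_id}")
        self.completed_by = actor
        self.audit_trail.append(("complete", actor))


def process(tx_id: str, amount: float, entered: str, authorizer: str, completer: str):
    """Run the three-stage flow; returns the audit trail or raises SegregationViolation."""
    tx = Transaction(tx_id, amount)
    tx.enter(entered)
    tx.authorize(authorizer)
    tx.complete(completer)
    return tx.audit_trail
```

The same pattern applies to practice 2 (content author versus integrity verifier) by treating "publish" and "verify" as the two stages.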
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Honeypots
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy-to-compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
lower risk.
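The lower-risk design the booklet describes, a honeypot whose sole capability is to log connections, return bogus responses and signal the administrator, is small enough to show in full. The following is an added example, not code from the FFIEC booklet or this newsletter: a low-interaction TCP decoy that records every contact, answers with a canned banner, never interprets what the client sends, and calls an alert callback; port 0, the loopback address and the banner text are constructed values for a local demonstration.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy banner: the honeypot's only "capability" is this bogus reply.
BOGUS_BANNER = b"220 ftp.example.internal FTP server ready\r\n"


class Honeypot:
    def __init__(self, alert, host="127.0.0.1", port=0):
        self.alert = alert          # out-of-band signal to the administrator
        self.events = []            # audit trail of all contact with the decoy
        self.logged = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))  # port 0: pick a free port for the demo
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def stop(self):
        self.sock.close()           # accept() then raises OSError and the loop ends

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                conn.sendall(BOGUS_BANNER)
                try:
                    data = conn.recv(256)   # record, never interpret, client input
                except socket.timeout:
                    data = b""
            event = {"time": datetime.now(timezone.utc).isoformat(),
                     "src": peer[0], "sport": peer[1], "data": data[:64]}
            self.events.append(event)
            self.alert(event)       # any traffic to the decoy is a potential intrusion
            self.logged.set()

def demo():
    """Local self-test: one client connection; returns (banner, events, alerts)."""
    alerts = []
    hp = Honeypot(alerts.append)
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2.0) as c:
        banner = c.recv(128)
        c.sendall(b"USER anonymous\r\n")   # constructed client input
    hp.logged.wait(2.0)
    hp.stop()
    return banner, hp.events, alerts
```

In a real deployment the alert callback would forward the event off the honeypot host (syslog, SIEM, pager), since the booklet's point is that the signal must leave the system that may be compromised.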
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
applicable, the:
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]