FYI -
GAO - FDIC Sustains Progress but Needs to Improve Configuration
Management of Key Financial Systems.
Release -
http://www.gao.gov/cgi-bin/getrpt?GAO-08-564
Highlights -
http://www.gao.gov/highlights/d08564high.pdf
FYI -
Lawmakers See Cyber Threats to Electrical Grid - The U.S. electrical
grid remains vulnerable to cyber attacks that could cripple the
economy, and the organization responsible for regulating electrical
suppliers doesn't appear to be serious about fixing the problems,
some U.S. lawmakers said.
http://www.pcworld.com/businesscenter/article/146153/lawmakers_see_cyber_threats_to_electrical_grid.html
FYI -
LendingTree sued over data breach - At least two lawsuits have been
filed against LendingTree in response to a data breach that occurred
between October 2006 and early 2008. The breach reportedly was
caused by former employees who shared passwords with mortgage
lenders, providing access to loan and personal information of
customers.
http://www.scmagazineus.com/LendingTree-sued-over-data-breach/article/110434/?DCMP=EMC-SCUS_Newswire
FYI -
Most Retailer Breaches Are Not Disclosed - While nearly half of U.S.
retailers have been hit with some kind of information security
attack, only a small percentage of them have actually reported
breaches to their customers, research company Gartner reports.
http://www.pcworld.com/businesscenter/article/146278/most_retailer_breaches_are_not_disclosed_gartner_says.html
FYI -
Bank customers file lawsuit over security breach - Several customers
of Peoples United Bank of Bridgeport have filed a lawsuit over the
loss of data tapes containing their personal information by the Bank
of New York Mellon Corp.
http://www.fayobserver.com/article_ap?id=123206
FYI -
State officials try to determine scope of bank breach - Connecticut
Gov. M. Jodi Rell announced on Friday that she is directing the
state consumer protection commissioner to issue another two
subpoenas in connection to the lost Bank of New York Mellon backup
tape, which contained the unencrypted personal information of an
estimated 4.5 million customers.
http://www.scmagazineus.com/State-officials-try-to-determine-scope-of-bank-breach/article/110536/?DCMP=EMC-SCUS_Newswire
FYI -
TJX staffer sacked after talking about security problems - A
low-level TJX employee has lost his job for speaking in public about
information security problems he uncovered while working for the
company.
http://computerworld.co.nz/news.nsf/scrt/3A2C5453A05F8C31CC257454006CE111
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Bank of N.Y. works with Conn. on security breach - Connecticut
Attorney General Richard Blumenthal asked the Bank of New York
Mellon Wednesday to explain how it lost computer tapes containing
the information of more than 4 million customers.
http://www.courant.com/news/local/statewire/hc-22090830.apds.m0506.bc-ct--secumay22,0,7089226.story
http://www.scmagazineus.com/Bank-of-New-York-Mellon-loses-data-on-45-million/article/110469/?DCMP=EMC-SCUS_Newswire
http://www.theday.com/re.aspx?re=1a830cf7-5c18-476e-84b5-0d8b0162ff00
FYI -
OKC buyer finds sensitive information on server - The Oklahoma
Corporation Commission is removing hard drives from all surplus
computer equipment after a server containing the names and Social
Security numbers of thousands of residents was sold at an auction
recently.
http://www.tulsaworld.com/news/article.aspx?articleID=20080521_12_OKLAH32253
FYI -
BoI laptops had other banks' details - Four laptops stolen from Bank
of Ireland contained details of accounts held by 1,500 customers at
other banks, including AIB, Ulster Bank and National Irish Bank.
http://www.thepost.ie/ezineSBP/story.asp?storyid=33180
FYI -
UF warns patients of security breach - University of Florida
officials will be notifying about 1,900 patients of a UF plastic
surgeon that their private health information might have been
breached after the information was managed and disposed of
improperly.
http://www.bizjournals.com/jacksonville/stories/2008/05/19/daily9.html
http://www.theledger.com/article/20080525/NEWS/805250381/0/FRONTPAGE
WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory
Insights article on Incident Response Programs. (8 of 12)
Containment
During the containment phase, the institution should
generally implement its predefined procedures for responding
to the specific incident (note that containment procedures
are a required minimum component). Additional
containment-related procedures some banks have successfully
incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the
incident response team, banks may want to consider
developing procedures for notifying these individuals when
the situation warrants. Providing the appropriate executive
staff and senior department managers with information about
how containment actions will affect business operations or
systems and including these individuals in the
decision-making process can help minimize undesirable
business disruptions. Institutions that have experienced
incidents have generally found that the management
escalation process (and resultant communication flow) was
not only beneficial during the containment phase, but also
proved valuable during the later phases of the incident
response process.
Document details, conversations, and actions.
Retaining documentation is an important component
of the incident response process. Documentation can come in
a variety of forms, including technical reports generated,
actions taken, costs incurred, notifications provided, and
conversations held. This information may be useful to
external consultants and law enforcement for investigative
and legal purposes, as well as to senior management for
filing potential insurance claims and for preparing an
executive summary of the events for the board of directors
or shareholders. In addition, documentation can assist
management in responding to questions from its primary
Federal regulator. It may be helpful during the incident
response process to centralize this documentation for
organizational purposes.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi-factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non-token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure and
biometrics.
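As an added illustration of the two controls described above (this is
example code written for this newsletter, not text or code from the
FFIEC booklet), the following Python sketch shows a server-side
verifier that pairs the token's one-time code with a PIN known only to
the user and the server, and honours a revocation list so that a token
reported lost stops unlocking anything. The HOTP/TOTP arithmetic follows
RFC 4226 and RFC 6238; the TokenServer class, its method names, the
token id "tok-001", the user "alice" and the PIN "4821" are assumptions
constructed for the demo.

```python
"""Added example: OTP token verifier with PIN pairing and revocation.
The TokenServer design below is an assumption for illustration."""
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, at_time // step, digits)


class TokenServer:
    """Assumed design: the server keeps each token's seed, a salted PIN hash,
    a revoked flag and the last time-step counter it accepted."""

    def __init__(self, step: int = 30, drift_steps: int = 1):
        self.step = step                # TOTP time step in seconds
        self.drift_steps = drift_steps  # tolerated clock skew, in steps either side
        self._tokens = {}

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, token_id: str, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._tokens[token_id] = {
            "user": user, "secret": secret, "salt": salt,
            "pin": self._pin_hash(pin, salt), "revoked": False, "last_counter": -1,
        }

    def report_lost(self, token_id: str) -> None:
        """Prompt reporting and cancellation: the token can no longer grant access."""
        self._tokens[token_id]["revoked"] = True

    def authenticate(self, token_id: str, user: str, pin: str, code: str, now=None):
        now = int(time.time()) if now is None else now
        rec = self._tokens.get(token_id)
        if rec is None or rec["user"] != user:
            return False, "unknown token or wrong user"
        if rec["revoked"]:
            return False, "token revoked"
        # Something you know: compare the PIN hash in constant time.
        if not hmac.compare_digest(self._pin_hash(pin, rec["salt"]), rec["pin"]):
            return False, "bad pin"
        # Something you have: accept the code for the current step or one step either side,
        # but never for a step at or before the last one already accepted (replay).
        current = now // self.step
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter < 0 or counter <= rec["last_counter"]:
                continue
            if hmac.compare_digest(hotp(rec["secret"], counter).encode(), code.encode()):
                rec["last_counter"] = counter
                return True, "ok"
        return False, "bad or replayed code"


def demo() -> dict:
    """Walk through the cases the booklet describes; returns outcome per case."""
    server = TokenServer()
    seed = b"12345678901234567890"   # RFC 4226 reference seed, used as constructed input
    server.issue("tok-001", "alice", seed, "4821")
    t = 59                           # RFC 6238 reference time; TOTP code is 287082
    good = totp(seed, t)
    results = {
        "token+pin": server.authenticate("tok-001", "alice", "4821", good, now=t)[0],
        "replay": server.authenticate("tok-001", "alice", "4821", good, now=t)[0],
        # a stolen token alone: valid code for the next step, but no PIN
        "stolen_no_pin": server.authenticate("tok-001", "alice", "0000", totp(seed, t + 30), now=t + 30)[0],
    }
    server.report_lost("tok-001")
    results["after_revocation"] = server.authenticate(
        "tok-001", "alice", "4821", totp(seed, t + 60), now=t + 60)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The demo returns True only for the case where the correct PIN and an
unused, in-window token code are presented together; the same code
replayed, a valid code without the PIN, and any code after the token is
reported lost all fail. A production verifier would return one generic
failure message rather than the distinct reasons shown here, and would
tune the drift window to the token population's real clock behaviour.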
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
8. Determine that, where appropriate, authenticated devices are
limited in their ability to access system resources and to initiate
transactions.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the question
each week, you will help ensure compliance with the privacy
regulations.
35. Does the institution deliver the privacy and opt out notices,
including the short-form notice, so that the consumer can reasonably
be expected to receive actual notice in writing or, if the consumer
agrees, electronically? [§9(a)]