FYI -
Latest FDIC Findings on Identity Theft Suggest Need
for New Safeguards for Internet Banking - "User names" and passwords
should be supported in Internet banking transactions with new and
better ways of identifying real customers from fraud artists trying
to "highjack" bank accounts, according to an update on identity
theft from the Federal Deposit Insurance Corporation.
www.fdic.gov/news/news/press/2005/pr5805.html
FYI - OCC - Threats from
Fraudulent Bank Web Sites - "Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents"
http://www.occ.treas.gov/ftp/bulletin/2005-24.txt
FYI - Insider attack now
biggest threat to banks - Insider attacks have become the biggest
threat to financial networks, according to a new study. The 2005
Global Security Survey, published by Deloitte Touche Tohmatsu, found
that 35 percent of senior security officers from the world's top 100
financial institutions confirmed they had encountered attacks to
their organization's infrastructure from within. This figure is up
from 14 percent last year.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=f3fc0b1c-7e23-4b7d-8106-57f9437fad65&newsType=Latest%20News&s=n
FYI - Secure those
outsourcing relationships - Companies need to take a hard look
before they leap into outsourcing agreements, Pershing's IT security
director said Thursday. When reviewing a potential business partner,
do not just accept a company's word about what they do for their
customers - do an in-person site review, Warren Axelrod said in a
keynote at the CSO Interchange in Chicago.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=fcde3419-ce43-462e-b712-2ee524533618&newsType=Latest%20News&s=n
FYI - Reducing Risk
Associated With Contractors - Contractors and other users with
privileged access to federal information pose a range of risks -
operational, strategic, and legal - that must be managed
effectively.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5625
FYI - Weaknesses in
Wireless LAN Session Containment - While reviewing distributed WLAN
intrusion detection systems, SANS Institute wireless security
researcher Joshua Wright noticed some problems with "how they
attempt to contain a client and prevent it from connecting to a
rogue or protected wireless network."
http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf
FYI - Improving Controls
Over Wireless Networks - They increase flexibility and ease network
installation, but wireless networks also present significant
security challenges - and federal agencies have a lot of room for
improvement.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5629
WEB SITE COMPLIANCE - "Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the
FDIC "Security Risks Associated with the Internet."
Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each
packet has headers which contain information for delivery, such as
where the packet is from, where it is going, and what application it
contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
rule configuration.
There are different types of firewalls that provide various levels
of security. For instance, packet filters, sometimes implemented as
screening routers, permit or deny access based solely on the stated
source and/or destination IP address and the application (e.g.,
FTP). However, addresses and applications can be easily falsified,
allowing attackers to enter systems. Other types of firewalls, such
as circuit-level gateways and application gateways, actually have
separate interfaces with the internal and external (Internet)
networks, meaning no direct connection is established between the
two networks. A relay program copies all data from one interface to
another, in each direction. An even stronger firewall, a stateful
inspection gateway, not only examines data packets for IP addresses,
applications, and specific commands, but also provides security
logging and alarm capabilities, in addition to historical
comparisons with previous transmissions for deviations from normal
context.
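To make the distinction between a screening-router packet filter and a stateful inspection gateway concrete, here is an added illustration (not part of the FDIC text, and not any vendor's product): a first-match, default-deny packet filter that judges each packet on its headers alone, and a stateful wrapper that also keeps a session table so that reply traffic is admitted only for connections it has already seen, while an out-of-context segment is refused even when a stateless rule would have let it through. The addresses, interface names and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN (no ACK): the start of a new connection

INSIDE = ip_network("10.0.0.0/8")   # constructed internal address range
ANY = ip_network("0.0.0.0/0")

# Stateless rules, first match wins: (action, iface, src net, dst net, proto, dport)
RULES = [
    ("deny",  "outside", INSIDE, ANY, None, None),  # inside address arriving from outside is spoofed
    ("allow", "outside", ANY, ip_network("10.0.0.5/32"), "tcp", 443),  # public web server
    ("allow", "inside",  INSIDE, ANY, None, None),  # anything outbound from the inside network
]

def packet_filter(pkt, rules=RULES):
    """Screening-router style: decide from header fields alone, default deny."""
    for action, iface, src, dst, proto, dport in rules:
        if (pkt.iface == iface and ip_address(pkt.src) in src
                and ip_address(pkt.dst) in dst
                and proto in (None, pkt.proto) and dport in (None, pkt.dport)):
            return action
    return "deny"

class StatefulGateway:
    """Adds a session table: traffic is admitted when it belongs to a session the
    filter already allowed; a TCP segment with no session and no SYN is out of context."""
    def __init__(self):
        self.sessions = set()   # (src, sport, dst, dport) of the packet that opened it

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reply in self.sessions:
            return "allow"          # part of an established session, either direction
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"           # mid-stream segment without a handshake we saw
        if packet_filter(pkt) == "allow":
            self.sessions.add(key)  # new session permitted by the static rules
            return "allow"
        return "deny"
```

A stateless filter would have to leave every high port open inbound to let replies back in; the session table is what lets the stateful gateway admit the reply while still refusing the stray segment.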
Implementation
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All
information into and out of the institution should pass through the
firewall. The firewall should also be able to change IP addresses to
the firewall IP address, so no inside addresses are passed to the
outside. The possibility always exists that security might be
circumvented, so there must be procedures in place to detect attacks
or system intrusions. Careful consideration should also be given to
any data that is stored or placed on the server, especially
sensitive or critically important data.
IT SECURITY QUESTION:
Workstations: (Part 2 of 2)
f. Are modems used for Internet connection?
g. Will workstation timeout with no activity?
h. Are screen savers used?
i. Are screen savers password protected?
j. Is a current copy of an anti-virus program installed on the
workstations?
k. Are workstations turned off after business hours?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
30. Does the institution allow the
consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically? [§7(g)(1)]
VISTA - Does {custom4} need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on VISTA to verify their IT security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports; the testing takes a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.