FYI -
The brochure for the Information Security and
Risk Management Conference being held 28-30 September 2009 in
Las Vegas, Nevada came out this week. This is a great conference that I highly recommend.
For more information and to register, please go to
http://www.isaca.org/isrmc.
FYI -
Pentagon signs off on Cyber Command - The U.S. Secretary of Defense
ordered the military to create a unified command to act as the
nation's central hub for cyber capabilities and commanded the
Pentagon to develop a policy framework for cyberspace operations.
http://www.securityfocus.com/brief/978
FYI -
UK cyber security strategy launched - The UK is to create a central
Office of Cyber Security (OCS) to deal with the rising level of
online attacks. The new office will run within the Cabinet Office,
and will liaise with industry as well as providing strategic
oversight.
http://www.scmagazineuk.com/UK-cyber-security-strategy-launched/article/139033/
FYI -
PCI Security Council seeks industry comments on current standards -
Feedback will be considered for next version of PCI, executive says -
The group that administers the Payment Card Industry Data Security
Standard (PCI DSS) wants feedback about how the current version of
the standard, released last October, is working.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9134859
FYI -
TJX settles over breach with 41 states for $9.75 million - In a move
to close the door on the largest reported retail data breach in
history, TJX announced Tuesday that it has settled with 41 states
who were probing the discount merchant's data security practices.
http://www.scmagazineus.com/TJX-settles-over-breach-with-41-states-for-975-million/article/138930/
FYI -
GAO - Federal Information Security Issues.
http://www.gao.gov/new.items/d09817r.pdf
FYI -
ATM vendor gets security talk pulled from conferences - Last year it
was smartcards and this year it's ATMs. It's almost security
conference season in Las Vegas and with one month to go, a
presentation has been pulled from Black Hat and Defcon.
http://news.cnet.com/8301-1009_3-10277284-83.html
FYI -
Final settlement reached in CVS HIPAA violation suit - CVS Caremark
must implement an information security program and obtain
assessments of its effectiveness every other year for 20 years to
settle federal charges that its employees threw out personal
information about patients into garbage bins.
http://www.scmagazineus.com/Final-settlement-reached-in-CVS-HIPAA-violation-suit/article/139077/?DCMP=EMC-SCUS_Newswire
FYI -
Titsup airport express lane biz may pawn flyer data - If the feds
Clear it - Defunct American airport security lane service Clear said
on Friday it may sell its sensitive customer data to a similar
provider if it's authorized to do so by the US government.
http://www.theregister.co.uk/2009/06/27/clear_may_sell_data_to_similar_provider/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Defense-contract discs sold in African market for $40 - Northrop
Grumman and Pentagon data dumped - Dumped hard drives with US
defense data have turned up for open sale in a West African market.
A team of Canadian journalism students bought a hard drive
containing information on multi-million dollar contracts between
military contractor Northrop Grumman and the Pentagon for just $40
in a market near Accra, Ghana.
http://www.theregister.co.uk/2009/06/25/e-waste/
FYI -
Abrupt closure of airport fast-lane program sparks concern over
customer data - Financial woes push Verified Identity Pass to cease
Clear program - A company that collected detailed personal
information including biometric data on 260,000 individuals as part
of a registered air traveler program it operated has abruptly gone
out of business, leaving many customers wondering about the safety
and privacy of their personal data.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9134739&taxonomyId=17&intsrc=kc_top
FYI -
Valuable computer swiped from Cornell - Machine has personal data of
45,000 people - Ithaca police are investigating the theft of a
Cornell University computer which the university said contained a
large amount of personal data - including files with names and
Social Security numbers of about 45,000 staff members, former staff
members, students and dependents.
http://www.theithacajournal.com/article/20090624/NEWS01/906240359/1126/Valuable+computer+swiped+from+Cornell
FYI -
FTP login credentials at major corporations breached - A trojan has
reportedly been uncovered that is harvesting FTP login data of major
corporations, including the Bank of America, BBC, Amazon, Cisco,
Monster.com, Symantec and McAfee.
http://www.scmagazineus.com/FTP-login-credentials-at-major-corporations-breached/article/139178/?DCMP=EMC-SCUS_Newswire
FYI -
Web Filtering Company Reports Cyber Attack To FBI - The U.S.-based
company that claims its programming code was unlawfully included in
China's Green Dam software reports being targeted by a cyber attack.
Solid Oak Software, the Santa Barbara, Calif.-based maker of Web
filtering software called CYBERsitter, on Friday contacted the FBI
to investigate a cyber attack on the company that appears to have
come from China.
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=218101882
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. These principles are not weighted by order of preference or
importance, if only because such a weighting might change over time;
it is preferable to remain neutral and avoid such prioritization.
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for
outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking
transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems, databases
and applications.
8. Data integrity of e-banking transactions, records, and
information.
9. Establishment of clear audit trails for e-banking
transactions.
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to
14):
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to ensure
availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be covered over the next few weeks,
as they relate to e-banking and the underlying risk management
principles that banks should consider in order to address these
issues.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies, signature and heuristics. An IDS can target either
network traffic or a host. The signature-based methodology is
generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is that a
signature must exist for an alert to be generated. Attacks that
generate different signatures from what the institution includes in
its IDS will not be detected. This problem can be particularly acute
if the institution does not continually update its signatures to
reflect lessons learned from attacks on itself and others, as well
as developments in attack tool technologies. It can also pose
problems when the signatures only address known attacks, rather than
both known attacks and anomalous traffic. Another general weakness
is in the capacity of the IDS to read traffic. If the IDS falls
behind in reading network traffic, traffic may be allowed to bypass
the IDS. That traffic may contain attacks that would otherwise cause
the IDS to issue an alert.
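The signature-matching mechanism and the two weaknesses just described, as an added worked example (not from the FFIEC booklet or this newsletter): a minimal signature-based sensor run over constructed sample packets. The signatures, addresses and payloads are all hypothetical; the example shows a plain match alerting, an encoded variant slipping past until the signature set is updated, and an attacking packet bypassing inspection when the sensor's capacity is exceeded.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source address (constructed documentation addresses below)
    payload: bytes  # application-layer content the sensor inspects

# Constructed signature set: name -> pattern matched against packet content.
# A real IDS rule set is far larger; this illustrates the mechanism only.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./"),
}

def match_signatures(pkt, signatures=SIGNATURES):
    """Names of signatures whose pattern occurs in the packet payload."""
    return [name for name, pat in signatures.items() if pat.search(pkt.payload)]

def run_ids(packets, capacity, signatures=SIGNATURES):
    """Inspect up to `capacity` packets; any beyond that bypass the sensor unread.
    Returns (alerts, bypassed), alerts being a list of (src, signature name)."""
    alerts, bypassed = [], []
    for i, pkt in enumerate(packets):
        if i >= capacity:          # sensor fell behind: traffic bypasses the IDS
            bypassed.append(pkt)
            continue
        alerts.extend((pkt.src, name) for name in match_signatures(pkt, signatures))
    return alerts, bypassed

# Constructed sample traffic (RFC 5737 documentation addresses, no real hosts).
TRAFFIC = [
    Packet("198.51.100.9", b"GET /index.html HTTP/1.0"),                 # benign
    Packet("203.0.113.7", b"GET /%2e%2e/%2e%2e/private/data HTTP/1.0"),  # encoded variant
    Packet("203.0.113.5", b"GET /../../private/data HTTP/1.0"),          # plain traversal
]

def demo():
    # Enough capacity: the plain traversal alerts; the encoded variant does not.
    full_alerts, _ = run_ids(TRAFFIC, capacity=len(TRAFFIC))
    # Sensor falls behind: the attacking packet is never read, so nothing alerts.
    limited_alerts, bypassed = run_ids(TRAFFIC, capacity=2)
    # Updating the signature set (lessons learned) closes the encoding gap.
    updated = dict(SIGNATURES)
    updated["dir-traversal-enc"] = re.compile(rb"%2e%2e/", re.IGNORECASE)
    updated_alerts, _ = run_ids(TRAFFIC, capacity=len(TRAFFIC), signatures=updated)
    return full_alerts, limited_alerts, len(bypassed), updated_alerts

if __name__ == "__main__":
    print(demo())
```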
Proper placement of network IDS is a strategic decision determined
by the information the institution is trying to obtain. Placement
outside the firewall will deliver IDS alarms related to all attacks,
even those that are blocked by the firewall. With this information,
an institution can develop a picture of potential adversaries and
their expertise based on the probes they issue against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
2. Determine if the IDSs identified as necessary in the risk
assessment process are properly installed and configured.
3. Determine whether an appropriate firewall ruleset and routing
controls are in place and updated as needs warrant.
! Identify personnel responsible for defining and setting
firewall rulesets and routing controls.
! Review procedures for updating and changing rulesets and
routing controls.
! Determine that appropriate filtering occurs for spoofed
addresses, both within the network and at external connections,
covering network entry and exit.
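One way to make the last bullet concrete, as an added example (not from the FFIEC material): an anti-spoofing check for the external connection, applied at both network entry and exit. The address ranges and sample packets are constructed; RFC 5737 documentation ranges stand in for the institution's own networks and for the Internet.

```python
import ipaddress

# Constructed topology: these ranges play the institution's internal networks;
# 203.0.113.0/24 plays the role of external (Internet) hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Sources that can never legitimately arrive over an external connection.
NEVER_EXTERNAL = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def in_any(addr, nets):
    return any(addr in net for net in nets)

def is_spoofed(direction, src):
    """Anti-spoofing rule for one packet at the perimeter.
    'entry': arriving from outside, so an internal or non-routable source is forged.
    'exit' : leaving the network, so a source that is not ours is forged (egress filtering).
    """
    ip = ipaddress.ip_address(src)
    if direction == "entry":
        return in_any(ip, INTERNAL_NETS) or in_any(ip, NEVER_EXTERNAL)
    if direction == "exit":
        return not in_any(ip, INTERNAL_NETS)
    raise ValueError(f"unknown direction {direction!r}")

def apply_filter(packets):
    """packets: (direction, src) pairs. Returns (allowed, dropped) lists."""
    allowed, dropped = [], []
    for direction, src in packets:
        (dropped if is_spoofed(direction, src) else allowed).append((direction, src))
    return allowed, dropped

# Constructed sample packets as seen at the external connection.
SAMPLE = [
    ("entry", "203.0.113.10"),   # ordinary inbound traffic
    ("entry", "192.0.2.40"),     # claims to be one of our hosts: spoofed
    ("entry", "10.1.2.3"),       # private address arriving from outside: spoofed
    ("exit", "198.51.100.7"),    # our host talking out: fine
    ("exit", "203.0.113.99"),    # outbound with a foreign source: spoofed
]

if __name__ == "__main__":
    ok, bad = apply_filter(SAMPLE)
    print("allowed:", ok)
    print("dropped:", bad)
```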
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
14. Does the institution describe the following about its policies
and practices with respect to protecting the confidentiality and
security of nonpublic personal information:
a. who is authorized to have access to the information; and
[§6(c)(6)(i)]
b. whether security practices and policies are in place to ensure
the confidentiality of the information in accordance with the
institution's policy? [§6(c)(6)(ii)]
(Note: the institution is not required to describe technical
information about the safeguards used in this respect.)