R. Kinney Williams & Associates | Internet Banking News | July 16, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Stolen VA laptop recovered; data appears untouched - Taken last month, it contained data on millions of military personnel and vets - A missing laptop and hard disk containing personal data on over 26.5 million veterans has been recovered, Department of Veterans Affairs Secretary Jim Nicholson announced.
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=hardware&articleId=9001518&taxonomyId=12

FYI - U.S. vulnerable to 'cyber Katrina' - Shortfalls could spell major Internet disruption - The United States is poorly prepared for a "cyber Katrina," with no coordinated plan for restoring and recovering the Internet after a major disruption, according to a new Business Roundtable report, released yesterday.
http://www.gcn.com/online/vol1_no1/41172-1.html

FYI - GAO pulls archived personal data from Web - The Government Accountability Office has pulled from its Web site personal information on certain government employees after discovering that the archived data had been inadvertently posted online.
http://www.gcn.com/online/vol1_no1/41171-1.html

FYI - Credit card company to pay $11 million to settle probe - A Georgia-based credit card company has agreed to pay $11 million in restitution to New Yorkers to settle a New York state investigation into its practices.
http://famulus.msnbc.com/famulusgen/ap07-02-144035.asp?t=apcom&vts=7220061607

FYI - Nebraska child support network hacked - A hacker hijacked a server on Nebraska's child support payment computer system, gaining access to the personal information of more than 300,000 individuals and employers who pay and receive child support, state Treasurer Ron Ross said.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060705/567253/

FYI - Hacker Invades FBI Computers - Gains Access To Passwords Of 38,000 Employees, Including Director - A U.S. government consultant used software programs found on the Internet to break into the FBI's computer system, where he gained access to the passwords of 38,000 employees, including that of FBI Director Robert Mueller, the Washington Post reports.
http://www.cbsnews.com/stories/2006/07/06/national/main1779905.shtml?source=RSS&attr=SciTech_1779905

FYI - Western University of Illinois Hacked - A security breach in the University of Illinois networks has put more than 180,000 persons at risk. The hackers had access to Social Security numbers, credit card account numbers and other sensitive and confidential information that was hosted on the student service servers.
http://news.softpedia.com/news/Western-University-of-Illinois-Hacked-28847.shtml

FYI - Standard Bank accounts hacked - "Some money" was taken from Standard Bank clients when fraudsters hacked the bank's accounts, group spokesman Ross Linstrom said.
http://www.citizen.co.za/index/article.aspx?pDesc=19487,1,22

FYI - Security Breaches Afflict Most Enterprises, Governments - In the past year, 84 percent of enterprises, as well as state and local governments, reported some type of security breach, according to a new survey released by Computer Associates International. The survey also found that security breaches have increased 17 percent in the last three years.
http://www.eweek.com/article2/0%2C1895%2C1986066%2C00.asp
WEB SITE COMPLIANCE - We continue our series on the FFIEC Authentication in an Internet Banking Environment. (Part 8 of 13)
Authentication Techniques, Processes, and Methodologies

Material provided in the following sections is for informational purposes only. The selection and use of any technique should be based upon the assessed risk associated with a particular electronic banking product or service.

Shared Secrets

Shared secrets (something a person knows) are information elements that are known or shared by both the customer and the authenticating entity. Passwords and PINs are the best known shared secret techniques, but some new and different types are now being used as well. Some additional examples are:

• Questions or queries that require specific customer knowledge to answer, e.g., the exact amount of the customer's monthly mortgage payment.
• Customer-selected images that must be identified or selected from a pool of images.

The customer's selection of a shared secret normally occurs during the initial enrollment process or via an offline ancillary process. Passwords or PIN values can be chosen, questions can be chosen and responses provided, and images may be uploaded or selected.

The security of shared secret processes can be enhanced with the requirement for periodic change. Shared secrets that never change are described as "static" and the risk of compromise increases over time. The use of multiple shared secrets also provides increased security because more than one secret must be known to authenticate. Shared secrets can also be used to authenticate the institution's Web site to the customer.
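As an added illustration (not part of the FFIEC guidance or this newsletter), the following Python sketch enforces the customer-side points above: secrets are stored only as salted hashes, every enrolled secret must be presented to authenticate, and any secret older than an assumed 90-day rotation period is reported as static. The customer id, answers and dates are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ROTATION_PERIOD = timedelta(days=90)  # assumed policy: older than this is "static"

def _normalize(kind, value):
    """Canonicalize question answers so '$1,234.56' and '1234.56' match."""
    if kind == "question":
        return value.strip().lower().replace("$", "").replace(",", "")
    return value

def _hash(value, salt):
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

class SharedSecretStore:
    def __init__(self):
        self._records = {}  # customer -> {kind: (salt, digest, last_changed)}

    def enroll(self, customer, kind, value, when):
        """Enrollment: keep only a salted hash plus the date the secret was set."""
        salt = os.urandom(16)
        self._records.setdefault(customer, {})[kind] = (
            salt, _hash(_normalize(kind, value), salt), when)

    def verify(self, customer, answers, now):
        """Every enrolled secret must be supplied and match.
        Returns (ok, kinds_overdue_for_change)."""
        record = self._records.get(customer, {})
        if not record or set(answers) != set(record):
            return False, []
        ok = True
        for kind, (salt, digest, _) in record.items():
            supplied = _hash(_normalize(kind, answers[kind]), salt)
            # keep checking every secret so timing does not reveal which one failed
            ok &= hmac.compare_digest(supplied, digest)
        static = [kind for kind, (_, _, changed) in record.items()
                  if now - changed > ROTATION_PERIOD]
        return ok, static

SAMPLE_NOW = datetime(2006, 7, 16)  # constructed "current" date for the demo

def demo_store():
    """Constructed enrollment: a password set in January, a question in July."""
    store = SharedSecretStore()
    store.enroll("cust-001", "password", "correct horse battery", datetime(2006, 1, 1))
    store.enroll("cust-001", "question", "$1,234.56", datetime(2006, 7, 1))
    return store
```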
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 1 of 2)
Financial institutions must control access to system software within the various network clients and servers as well as stand-alone systems. System software includes the operating system and system utilities. The computer operating system manages all of the other applications running on the computer. Common operating systems include IBM OS/400 and AIX, LINUX, various versions of Microsoft Windows, and Sun Solaris. Security administrators and IT auditors need to understand the common vulnerabilities and appropriate mitigation strategies for their operating systems. Application programs and data files interface through the operating system.

System utilities are programs that perform repetitive functions such as creating, deleting, changing, or copying files. System utilities also could include numerous types of system management software that can supplement operating system functionality by supporting common system tasks such as security, system monitoring, or transaction processing.
System software can provide high-level access to data and data processing. Unauthorized access could result in significant financial and operational losses. Financial institutions must restrict privileged access to sensitive operating systems. While many operating systems have integrated access control software, third-party security software is available for most operating systems. In the case of many mainframe systems, these programs are essential to ensure effective access control and can often integrate the security management of both the operating system and the applications. Network security software can allow institutions to improve the effectiveness of the administration and security policy compliance for a large number of servers often spanning multiple operating system environments. The critical aspects for access control software, whether included in the operating system or additional security software, are that management has the capability to:

• Restrict access to sensitive or critical system resources or processes and have the capability, depending on the sensitivity, to extend protection at the program, file, record, or field level;
• Log user or program access to sensitive system resources including files, programs, processes, or operating system parameters; and
• Filter logs for potential security events and provide adequate reporting and alerting capabilities.
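An added example, not from the FFIEC booklet or this newsletter: a small Python filter that implements the third capability, reading access-log lines for sensitive system resources and raising alerts on repeated denials, on changes by unprivileged accounts, and on lines it cannot parse. The log format, the sensitive-path list and the privileged-account list are constructed for the example and would be site-specific in practice.

```python
import re
from collections import Counter

# Constructed policy: paths that count as sensitive system resources and
# the accounts allowed to change them (a real policy is site-specific).
SENSITIVE_PREFIXES = ("/etc/", "/usr/sbin/", "/var/db/accounts/")
PRIVILEGED_USERS = {"root", "secadmin"}
DENIED_THRESHOLD = 3  # denials by one user before an alert is raised

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+) result=(?P<result>\S+)")

def parse_line(line):
    """Parse one constructed-format audit line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def filter_events(lines):
    """Return (alerts, kept): alerts is a list of (kind, detail) tuples and
    kept is the audit trail of events touching sensitive resources."""
    alerts, kept = [], []
    denied_by_user = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("unparseable-log-line", line.strip()))  # gaps in logging matter too
            continue
        if not ev["resource"].startswith(SENSITIVE_PREFIXES):
            continue  # ordinary file: logged elsewhere, not a security event here
        kept.append(ev)
        if ev["result"] == "denied":
            denied_by_user[ev["user"]] += 1
            if denied_by_user[ev["user"]] == DENIED_THRESHOLD:
                alerts.append(("repeated-denials", ev["user"]))
        elif ev["action"] in ("write", "exec") and ev["user"] not in PRIVILEGED_USERS:
            alerts.append(("unprivileged-change",
                           f'{ev["user"]} {ev["action"]} {ev["resource"]}'))
    return alerts, kept

# Constructed sample audit lines (not real system output).
SAMPLE_LOG = """\
2006-07-16T08:01:12 host=core01 user=jsmith action=read resource=/etc/passwd result=success
2006-07-16T08:02:30 host=core01 user=jsmith action=write resource=/etc/shadow result=denied
2006-07-16T08:02:41 host=core01 user=jsmith action=write resource=/etc/sudoers result=denied
2006-07-16T08:02:55 host=core01 user=jsmith action=write resource=/etc/group result=denied
2006-07-16T08:03:05 host=core01 user=batch action=exec resource=/usr/sbin/useradd result=success
2006-07-16T08:04:44 host=core01 user=jsmith action=read resource=/home/jsmith/notes.txt result=success
garbage line that does not match the audit format
""".splitlines()
```

Calling `filter_events(SAMPLE_LOG)` on the constructed lines yields three alerts (repeated denials by jsmith, an unprivileged exec of useradd by batch, and the unparseable line) and keeps five sensitive-resource events.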
IT SECURITY QUESTION:

C. HOST SECURITY

14. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

6. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With Gramm-Leach-Bliley and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.