R. Kinney Williams & Associates
Internet Banking News
July 23, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Phishers try to best banks' authentication - Some 35 Web sites have been set up to use a new attack that gets around token-based authentication systems - Over the past few weeks, approximately 35 phishing Web sites have been set up that use the new attack. They attempt to trick users into divulging the temporary passwords created by the security token devices used by banks such as Citigroup Inc., said Rich Miller, an analyst with Internet research company Netcraft Ltd.
http://www.infoworld.com/article/06/07/14/HNbankphishers_1.html

FYI - VA info security chief says he had impossible task - The chief information security officer for the Veterans Affairs Department, who resigned Thursday and was subsequently placed on paid administrative leave for his final two weeks of employment, said Friday that he had been prevented from fixing the department's information security weaknesses.
http://www.govexec.com/story_page.cfm?articleid=34461&printerfriendlyVers=1&
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=41230

FYI - Hackers steal thousands from internet bank accounts - Hackers have penetrated internet banking facilities and gained access to the accounts of clients of three major banks, the Cape Times reported.
http://www.mg.co.za/articlePage.aspx?articleid=276144&area=/breaking_news/breaking_news__national/

FYI - Identity Thieves Hit NIH Credit Union - Scheme Is Latest in Spate of Breaches Affecting Millions - The National Institutes of Health's federal credit union has notified some customers that their personal information has been compromised by an identity theft scheme, officials said.
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/28/AR2006062801936_pf.html

FYI - Customer data abuse rife among UK companies - Nearly half of UK companies could be breaching the Data Protection Act (DPA) through the misuse of customer data, according to research published on Monday. The study involved 100 UK IT directors, and found 44 per cent use genuine customer data when developing and testing applications. This is a breach of the second principle of the DPA, which states data should not be used for purposes other than that for which it was collected.
http://management.silicon.com/government/0,39024852,39160080,00.htm

FYI - Visa, MasterCard to unveil new security rules - The updated PCI standard will cover Web apps, third-party controls - Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001637

FYI - Consultant pleads guilty to FBI curiosity hacks - A technology consultant agreed to plead guilty to four charges of exceeding authorized access after he used common hacking tools to breach the security of FBI systems during his stint upgrading the agency's computers.
http://www.securityfocus.com/brief/244

FYI - Personal data exposed on Navy Web site - The Naval Safety Center (NSC) said July 7 it had discovered that personal information on more than 100,000 Navy and Marine Corps aviators and aircrew was accessible on its public Web site and has since removed the information from the site.
http://www.fcw.com/article95202-07-08-06-Web

FYI - Open source phone system open to DoS attack - Hackers could launch DoS attacks against telephone systems, new research has revealed.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060719/570049/

FYI - FBI: Cybercrime losses down last year - The financial losses related to cybercrime are going down, and the number of businesses willing to report these crimes is going up, according to a new survey co-sponsored by the FBI.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060717/569885/
WEB SITE COMPLIANCE - We continue our series on the FFIEC Authentication in an Internet Banking Environment. (Part 9 of 13)
Tokens

Tokens are physical devices (something the person has) and may be part of a multifactor authentication scheme. Three types of tokens are discussed here: the USB token device, the smart card, and the password-generating token.

USB Token Device

The USB token device is typically the size of a house key. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer. Once the USB token is recognized, the customer is prompted to enter his or her password (the second authenticating factor) in order to gain access to the computer system.

USB tokens are one-piece, injection-molded devices. USB tokens are hard to duplicate and are tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials. The device has the ability to store digital certificates that can be used in a public key infrastructure (PKI) environment.

The USB token is generally considered to be user-friendly. Its small size makes it easy for the user to carry and, as noted above, it plugs into an existing USB port; thus the need for additional hardware is eliminated.

Smart Card

A smart card is the size of a credit card and contains a microprocessor that enables it to store and process data. Inclusion of the microprocessor enables software developers to use more robust authentication schemes. To be used, a smart card must be inserted into a compatible reader attached to the customer's computer. If the smart card is recognized as valid (first factor), the customer is prompted to enter his or her password (second factor) to complete the authentication process.

Smart cards are hard to duplicate and are tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials. Smart cards are easy to carry and easy to use. Their primary disadvantage as a consumer authentication device is that they require the installation of a hardware reader and associated software drivers on the consumer's home computer.
Password-Generating Token

A password-generating token produces a unique pass-code, also known as a one-time password (OTP), each time it is used. The token ensures that the same OTP is not used consecutively. The OTP is displayed on a small screen on the token. The customer first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The customer is authenticated if (1) the regular password matches and (2) the OTP generated by the token matches the OTP that the authentication server computes for the same time step. A new OTP is typically generated every 60 seconds (in some systems, every 30 seconds). This very brief period is the life span of that password. OTP tokens generally last 4 to 5 years before they need to be replaced.

Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty of a cyber thief capturing and using OTPs gained from keyboard logging.
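The two-step check the paragraph above describes (regular password first, then a time-synchronized OTP that may not be accepted twice), as an added example that is not part of the FFIEC guidance or of any vendor's token. It uses the public HMAC-based TOTP construction (RFC 4226/6238) in place of whatever proprietary algorithm a given bank's token runs; the 30-second step, the one-step clock-skew window, the shared secret and the user record are all constructed for the example.

```python
"""Server-side verification of password + time-synchronized OTP.

Added example; not FFIEC or vendor code.  HMAC-SHA1 TOTP (RFC 4226/6238)
stands in for the token's proprietary generator.  Secret, step length and
the user record below are constructed for the example.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # token rolls to a new OTP every 30 s (60 s on some tokens)
DIGITS = 6          # length of the OTP shown on the token's screen
SKEW_STEPS = 1      # accept one step either side to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """OTP the token displays during the time step containing Unix time `at`."""
    return hotp(secret, at // step)


class OtpAuthenticator:
    """Checks factor (1), the regular password, then factor (2), the OTP.

    The server stores the same secret the token was personalized with and
    recomputes the OTP for the current time step, so nothing is 'looked up'.
    """

    def __init__(self, users):
        # users: {username: {"password": str, "secret": bytes}}
        # (a real deployment stores a password hash, not the password)
        self._users = users
        # highest time step already accepted per user: a step is never
        # accepted twice, which is what "not used consecutively" requires
        self._last_step = {}

    def authenticate(self, username, password, otp, now=None):
        now = int(time.time()) if now is None else now
        rec = self._users.get(username)
        if rec is None:
            return False
        # (1) regular password must match (constant-time compare)
        if not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return False
        # (2) OTP must equal the server's value for the current step or a
        #     neighbouring one, and that step must not already be consumed
        current = now // STEP_SECONDS
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self._last_step.get(username, -1):
                continue  # replay of a consumed (or older) step
            if hmac.compare_digest(hotp(rec["secret"], step).encode(), otp.encode()):
                self._last_step[username] = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret, used here only as a constructed example value
    auth = OtpAuthenticator({"alice": {"password": "hunter2",
                                       "secret": b"12345678901234567890"}})
    code = totp(b"12345678901234567890", 59)            # what the token shows
    print(auth.authenticate("alice", "hunter2", code, now=59))   # True
    print(auth.authenticate("alice", "hunter2", code, now=59))   # False: replay
```

The replay check and the short step length are what defeat an OTP harvested by a keystroke logger and used later. They do not help when the OTP is relayed while it is still live, which is exactly what the phishing sites in the Netcraft item earlier in this issue do: the victim types the current OTP into the phishing page and the attacker submits it to the bank within the same 30- or 60-second window.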
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access controls include the following actions:

- Ensure system administrators and security professionals have adequate expertise to securely configure and manage the operating system.
- Ensure effective authentication methods are used to restrict system access to both users and applications.
- Activate and utilize operating system security and logging capabilities and supplement with additional security software where supported by the risk assessment process.
- Restrict operating system access to specific terminals in physically secure and monitored locations.
- Lock or remove external drives from system consoles or terminals residing outside physically secure locations.
- Restrict and log access to system utilities, especially those with data-altering capabilities.
- Restrict access to operating system parameters.
- Prohibit remote access to sensitive operating system functions, where feasible, and at a minimum require strong authentication and encrypted sessions before allowing remote support.
- Limit the number of employees with access to sensitive operating systems and grant only the minimum level of access required to perform routine responsibilities.
- Segregate operating system access, where possible, to limit full or root-level access to the system.
- Monitor operating system access by user, terminal, date, and time of access.
- Update operating systems with security patches using appropriate change control mechanisms.
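Several of the controls above (access only from specific terminals, no remote root access, few root-level users, monitoring by user, terminal, date and time) reduce to one review of the operating system's own access log against a written policy. The script below is an added example of that review, not text or code from the FFIEC booklet. The log lines are constructed in Linux auth.log format (login, sshd and sudo messages); the approved consoles, approved administrators, jump host and working hours are assumptions standing in for an institution's own policy.

```python
"""Review root-level OS access against a terminal/user/time policy.

Added example, not from the FFIEC booklet.  SAMPLE_LOG is constructed in
Linux auth.log format; the policy sets below are assumed values.
"""
import re
from datetime import datetime

# Assumed policy (stand-ins for the institution's own lists)
ROOT_USERS = {"root"}                  # identities with full/root-level access
APPROVED_ADMINS = {"alice", "bob"}     # the few staff allowed root-level commands
APPROVED_CONSOLES = {"tty1", "tty2"}   # consoles inside the secured, monitored room
APPROVED_ADMIN_HOSTS = {"10.10.0.5"}   # the one jump host allowed for remote support
WORK_HOURS = range(7, 20)              # 07:00 to 19:59

# Constructed sample log (syslog timestamps carry no year; 2006 is assumed)
SAMPLE_LOG = """\
Jul 21 09:14:02 core01 login[1201]: ROOT LOGIN ON tty1
Jul 21 09:30:17 core01 sshd[1310]: Accepted publickey for alice from 10.10.0.5 port 50122 ssh2
Jul 21 09:31:05 core01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/fdisk -l
Jul 21 22:47:51 core01 sshd[2210]: Accepted password for root from 203.0.113.9 port 4022 ssh2
Jul 21 23:02:13 core01 login[2250]: ROOT LOGIN ON tty6
Jul 22 03:15:44 core01 sudo:    carol : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/dd if=/dev/sda of=/tmp/disk.img
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+)")
LOGIN_RE = re.compile(r"login\[\d+\]: ROOT LOGIN ON (?P<tty>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) .* USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)")


def parse_events(text, year=2006):
    """Turn each auth.log line into (when, user, terminal, kind).

    kind is "console", "ssh", or "sudo:<target user>:<command>".
    """
    events = []
    for line in text.splitlines():
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        if m := SSHD_RE.search(line):
            events.append((when, m["user"], m["host"], "ssh"))
        elif m := LOGIN_RE.search(line):
            events.append((when, "root", m["tty"], "console"))
        elif m := SUDO_RE.search(line):
            events.append((when, m["user"], m["tty"], f"sudo:{m['target']}:{m['cmd']}"))
    return events


def review_access(events):
    """Apply the policy; one finding per root-level event that breaks it.

    Each finding is (timestamp, user, terminal, reasons).  Non-root events
    are left alone: the controls above are about full/root-level access.
    """
    findings = []
    for when, user, term, kind in events:
        root_level = user in ROOT_USERS or kind.startswith("sudo:root:")
        if not root_level:
            continue
        reasons = []
        if kind == "console" and term not in APPROVED_CONSOLES:
            reasons.append("console not in secured location")
        if kind == "ssh" and term not in APPROVED_ADMIN_HOSTS:
            reasons.append("remote root login from unapproved host")
        if kind.startswith("sudo:") and user not in APPROVED_ADMINS:
            reasons.append("root-level command by non-approved user")
        if when.hour not in WORK_HOURS:
            reasons.append("outside approved hours")
        if reasons:
            findings.append((when.isoformat(sep=" "), user, term, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for when, user, term, reasons in review_access(parse_events(SAMPLE_LOG)):
        print(f"{when}  {user:<6} {term:<12} {'; '.join(reasons)}")
```

Run as-is it reports three events: the remote root login from an Internet address at night, the root console login on an unapproved terminal, and a root-level dd by a user who is not on the administrator list. The daytime root login on tty1 and alice's fdisk via sudo pass, which is the point of keeping the allowed set small and explicit rather than alerting on every root action.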
IT SECURITY QUESTION: D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

1. Determine whether new workstations are prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

8) Do the initial, annual, and revised privacy notices include each of the following, as applicable: (Part 1 of 2)

a) the categories of nonpublic personal information that the institution collects; [§6(a)(1)]

b) the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]

c) the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]

d) the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.