®
R. Kinney Williams
Yennik, Inc.
|
Internet Banking
News
Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
institutions.
|
July 27, 2008
Does
Your Financial Institution need an affordable Internet security
audit?
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
to
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
http://www.internetbankingaudits.com/. |
FYI -
New Texas Law Limits Computer Repair To Licensed Private
Investigators - Institute for Justice Texas Chapter Opens in Austin
with Challenge to Statute - The Institute for Justice - the nation's
leading litigators for entrepreneurs who find their rights violated
by the government - opens its new Texas Chapter today by filing a
lawsuit against the Texas Private Security Board, a state agency, on
behalf of computer repair shops that are being told they need a
private investigator's license to continue solving their customers'
computer problems.
http://www.ij.org/first_amendment/tx_computer_repair/6_26_08pr.html
FYI -
Trio jailed in U. Hospital med records theft, but I.D. data thought
safe - Now that the billing records of 1.5 million University of
Utah Hospital patients have been recovered, police and U. officials
are downplaying the possibility that the information will ever be
used to commit identity fraud.
http://www.sltrib.com/news/ci_9765160
FYI -
Lawyer suspended for e-mail snooping - A Charleston lawyer has been
suspended from the State Bar for two years after he admitted
snooping in another law firm's e-mails because he suspected his wife
was having an affair with her client.
http://sundaygazettemail.com/News/200807020721
FYI -
ICANN downplays site hacks - Hackers compromised a pair of mirror
sites for the Internet Corporation of Assigned Names and Numbers (ICANN)
and redirected users to a page taunting the company and claiming "we
control the domains."
http://www.scmagazineus.com/ICANN-downplays-site-hacks/article/112139/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Hackers crack cash machine PIN codes to steal millions - Millions of
bank customers face a new threat to their money after it emerged
yesterday that hackers had cracked PIN codes used in cash machines.
http://business.timesonline.co.uk/tol/business/money/consumer_affairs/article4259009.ece
FYI -
Freedom Credit Union warns customers of data breach - Freedom Credit
Union is warning customers of a security breach whereby debit card
data was electronically captured by individuals who may have used it
in a counterfeit scheme.
http://www.masslive.com/news/index.ssf/2008/07/freedom_credit_union_warns_cus.html?category=Business+category=Chicopee+category=Crime+category=Franklin%20County+category=Northampton+category=Springfield
FYI -
NHS manager is suspended after losing computer - A senior hospital
manager has been suspended after a laptop containing the unencrypted
personal data of more than 20,000 patients was stolen, a health
trust admitted yesterday.
http://www.theherald.co.uk/news/news/display.var.2371758.0.NHS_manager_is_suspended_after_losing_computer.php
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and
Response Guidance for Web Site Spoofing Incidents (Part 2 of
5)
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of
Web-site spoofing:
* E-mail messages returned to bank mail servers that were not
originally sent by the bank. In some cases, these e-mails may
contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web
addresses indicating that the bank's Web site is being copied or
that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumer reporting spoofing
activity.
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring
services.
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
Return to
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We
continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
-
Single Sign - On
Several single sign - on protocols are in use. Those protocols allow
clients to authenticate themselves once to obtain access to a range
of services. An advantage of single sign - on systems is that
users do not have to remember or possess multiple authentication
mechanisms, potentially allowing for more complex authentication
methods and fewer user - created weaknesses. Disadvantages include
the broad system authorizations potentially tied to any given
successful authentication, the centralization of authenticators in
the single sign - on server, and potential weaknesses in the single
sign - on technologies.
When single sign - on systems allow access for a single login to
multiple instances of sensitive data or systems, financial
institutions should employ robust authentication techniques, such as
multi - factor, PKI, and biometric techniques. Financial
institutions should also employ additional controls to protect the
authentication server and detect attacks against the server and
server communications.
Return to the top of the
newsletter
INFORMATION SECURITY
QUESTION:
B. NETWORK
SECURITY
14. Determine whether appropriate filtering
occurs for spoofed addresses, both within the network and at
external connections, covering network ingress and egress.
Return to the top of
the newsletter
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt
out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)]) |
|
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at examiner@yennik.com if we
can be of assistance. |
|