REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Community Bank Technology Conference -
If you have nothing on your plate, plan to attend the Independent
Community Bankers of America’s Community Bank Technology Conference,
September 12-14, 2012 in Las Vegas. I will be speaking Thursday on
auditing community banks. For more information please visit
http://www.icba.org/events/eventdetail.cfm?EventID=199421.
FYI
- California Starts Up a Privacy Enforcement Unit - Watch out,
Silicon Valley, there’s a new startup in town and it’s gunning for
you. California Attorney General Kamala Harris announced Thursday
she’s created a unit intended to actually enforce federal and state
privacy laws.
http://www.wired.com/threatlevel/2012/07/california-privacy-unit/
FYI
- Justice Department Sues Telecom for Challenging National Security
Letter - Last year, when a telecommunications company received an
ultra-secret demand letter from the FBI seeking information about a
customer or customers, the telecom took an extraordinary step — it
challenged the underlying authority of the FBI’s National Security
Letter, as well as the legitimacy of the gag order that came with
it.
http://www.wired.com/threatlevel/2012/07/doj-sues-telecom-over-nsl/
FYI
- Government reach for secure electric grid exceeds its grasp -
Government efforts to ensure the cybersecurity of the nation’s
increasingly networked electric grid are hampered by a cumbersome
regulatory process and a lack of enforcement, government and
industry witnesses told a Senate panel.
http://gcn.com/articles/2012/07/17/goverment-hampered-making-electric-grid-secure.aspx
FYI
- Russian Parliament's upper house approves Internet 'censorship' bill
- Russia's government will gain the power to blacklist websites
without a court's consent - The upper house of the Russian
Parliament passed a bill on Wednesday that the nation's IT industry
believes has high potential to lead to Internet censorship.
http://www.computerworld.com/s/article/9229359/Russian_Parliament_39_s_upper_house_approves_Internet_39_censorship_39_bill?taxonomyId=17
FYI
- GCHQ ‘3 times more likely’ to lose cyber security skills than
private sector - The UK's communications spying centre can't compete
with high salaries offered by industry - GCHQ's difficulty in
retaining the IT skills needed to respond to the cyber security
threat is a real and growing concern, according to a report from the
UK's Intelligence and Security Committee (ISC), a group of senior
parliamentarians appointed by the Prime Minister.
http://www.cso.com.au/article/430984/gchq_3_times_more_likely_lose_cyber_security_skills_than_private_sector/#closeme
FYI
- GAO - Information Technology: DHS Needs to Further Define and
Implement Its New Governance Process.
http://www.gao.gov/products/GAO-12-818
FYI
- Security pros must evolve their defensive strategy - Security
professionals must update and address their defensive strategies to
be proactive against cyber threats, a researcher said Wednesday.
http://www.scmagazine.com/black-hat-security-pros-must-evolve-their-defensive-strategy/article/251914/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Fear of drone GPS hacking raised by Congress as FAA deadline looms
- After pushing FAA to allow UAVs, Congress now has second thoughts
on safety. In a House Homeland Security oversight subcommittee
hearing late this week, members of Congress raised concerns over the
potential security risks posed by jamming and electronic hijacking
of unmanned aerial systems, and the potential use of drones by
terrorists.
http://arstechnica.com/tech-policy/2012/07/fear-of-drone-gps-hacking-raised-by-congress-as-faa-deadline-looms/
FYI
- Hackers loot German gaming site Gamigo of 8m passwords - More than
eight million passwords have been stolen from German gaming website
Gamigo and published online more than four months after hackers
broke into the network.
http://www.scmagazine.com/hackers-loot-german-gaming-site-gamigo-of-8m-passwords/article/251497/?DCMP=EMC-SCUS_Newswire
FYI
- Laptop containing health data stolen from Boston hospital - Beth
Israel Deaconess Medical Center (BIDMC) in Boston is warning
thousands of patients that their personal health information was
contained on a laptop that was stolen.
http://www.scmagazine.com/laptop-containing-health-data-stolen-from-boston-hospital/article/251463/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 10: Banks should have effective capacity,
business continuity and contingency planning processes to help
ensure the availability of e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 X 7) have also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
services.
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
regularly tested.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY TESTING
Information security is an integrated process that reduces
information security risks to acceptable levels. The entire process,
including testing, is driven by an assessment of risks. The greater
the risk, the greater the need for the assurance and validation
provided by effective information security testing.
In general, risk increases with system accessibility and the
sensitivity of data and processes. For example, a high-risk system
is one that is remotely accessible and allows direct access to
funds, fund transfer mechanisms, or sensitive customer data.
Information-only Web sites that are not connected to any internal
institution system or transaction-capable service are lower-risk
systems. Information systems that exhibit high risks should be
subject to more frequent and rigorous testing than low-risk systems.
Because tests only measure the security posture at a point in time,
frequent testing provides increased assurance that the processes
that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete controls,
such as password strength. Others address only technical
configuration, or may consist of audits against standards. Some
tests are overt studies to locate vulnerabilities. Other tests can
be designed to mimic the actions of attackers. In many situations,
management may decide to perform a range of tests to give a complete
picture of the effectiveness of the institution's security
processes. Management is responsible for selecting and designing
tests so that the test results, in total, support conclusions about
whether the security control objectives are being met.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
27. If each joint consumer may
opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint
consumers; [§7(d)(3)]
b. the joint consumers to notify the institution in a single
response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself,
and/or for another joint consumer? [§7(d)(5)]