FYI -
Houston Computer Administrator Sentenced to Two Years in Prison for
Hacking Former Employer's Computer Network - The former director of
information technology for a non-profit organ and tissue donation
center was sentenced today to two years in prison for hacking into
her former employer's computer network.
http://houston.fbi.gov/dojpressrel/pressrel09/ho071509.htm
FYI -
High spam response powers junk mail economy - Lunkhead junk mail
buyers come clean - Almost a third of consumers admit responding to
messages that might be spam emails. Some acted out of curiosity or
by mistake but a puzzling 96 from a sample of 800 (12 per cent) said
they clicked because they were interested in the product or service
advertised in junk mail messages.
http://www.theregister.co.uk/2009/07/16/spam_response_survey/
FYI -
Cops swoop on e-crime gangs after banks pool intelligence - Early
success for new task force - Two London-based cybercrime gangs have
been busted, following an agreement by banks and credit card
companies to share intelligence on network attacks and malware.
http://www.theregister.co.uk/2009/07/08/williams_acpo/
FYI -
Companies offer to pay breach fines - Two credit-card payment
processors are offering to cover merchants' fines and penalties in
the event of a data breach.
http://www.scmagazineus.com/Companies-offer-to-pay-breach-fines/article/140350/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Intellectual property belonging to Twitter exposed in hack - Twitter
on Thursday revealed that a hacker who figured out the personal
email password of a company employee was able to steal a number of
sensitive internal documents.
http://www.scmagazineus.com/Intellectual-property-belonging-to-Twitter-exposed-in-hack/article/140157/
FYI -
Irish ISP downed by DDoS - Eircom drop blamed on hack - Ireland's
largest internet service provider Eircom is blaming hackers for its
second bout of recent downtime.
http://www.theregister.co.uk/2009/07/14/eirocm_downtime_again/
FYI -
Irish ISP Eircom hit by multiple attacks that restrict service for
users - The Irish ISP is experiencing an unprecedented volume of
traffic that officials believe is multiple DNS poisoning attacks.
http://www.scmagazineuk.com/Irish-ISP-Eircom-hit-by-multiple-attacks-that-restrict-service-for-users/article/140243/
FYI -
Webcams, printers, gizmos - the untold net threats - Ghost in the
machine - Forget mis-configured Apache servers and
vulnerability-laden Adobe applications. The biggest security threats
to business and home networks may be the avalanche of webcams,
printers, and other devices that ship with embedded web interfaces
that can easily be turned against their masters.
http://www.theregister.co.uk/2009/07/16/buggy_web_interface_peril/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 2 of 2)
Finally, the Board and senior management should ensure that
its risk management processes for its e-banking activities are
integrated into the bank's overall risk management approach. The
bank's existing risk management policies and processes should be
evaluated to ensure that they are robust enough to cover the new
risks posed by current or planned e-banking activities. Additional
risk management oversight steps that the Board and senior management
should consider taking include:
1) Clearly establishing the banking organization's risk appetite in
relation to e-banking.
2) Establishing key delegations and reporting mechanisms, including
the necessary escalation procedures for incidents that impact the
bank's safety, soundness or reputation (e.g. network penetration,
employee security infractions and any serious misuse of computer
facilities).
3) Addressing any unique risk factors associated with ensuring the
security, integrity and availability of e-banking products and
services, and requiring that third parties to whom the bank has
outsourced key systems or applications take similar measures.
4) Ensuring that appropriate due diligence and risk analysis are
performed before the bank conducts cross-border e-banking
activities.
The Internet greatly facilitates a bank's ability to distribute
products and services over virtually unlimited geographic territory,
including across national borders. Such cross-border e-banking
activity, particularly if conducted without any existing licensed
physical presence in the "host country," potentially
subjects banks to increased legal, regulatory and country risk due
to the substantial differences that may exist between jurisdictions
with respect to bank licensing, supervision and customer protection
requirements. Because of the need to avoid inadvertent
non-compliance with a foreign country's laws or regulations, as well
as to manage relevant country risk factors, banks contemplating
cross-border e-banking operations need to fully explore these risks
before undertaking such operations and effectively manage them.
Depending on the scope and complexity of e-banking activities, the
scope and structure of risk management programs will vary across
banking organizations. Resources required to oversee e-banking
services should be commensurate with the transactional functionality
and criticality of systems, the vulnerability of networks and the
sensitivity of information being transmitted.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. Loadable kernel modules (LKMs), however, can defeat these
host-based IDS units.
Host-based intrusion detection systems are recommended by the NIST
for all mission-critical systems, even those that should not allow
external access.
The heuristic, or behavior, method creates a statistical profile of
normal activity on the host or network. Boundaries for activity are
established based on that profile. When current activity exceeds the
boundaries, an alert is generated. Weaknesses in this system involve
the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in false
positives (alerts where no attack exists), and false negatives (no
alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
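The heuristic method described above, with its two stated weaknesses (malicious activity during the modeling period, and tuning that trades false positives for false negatives), as an added Python example that is not from the FFIEC booklet or this newsletter; the failed-login counts per interval are constructed sample data.

```python
"""Behavior-based (heuristic) IDS: profile normal activity, alert on excess."""
import statistics

def build_profile(training_counts):
    """Statistical profile of 'normal' activity: mean and population stddev."""
    return statistics.fmean(training_counts), statistics.pstdev(training_counts)

def detect(profile, observed_counts, k):
    """Alert on every interval whose count exceeds the boundary mean + k*stddev.
    k is the tuning knob security staff turn to suppress false positives."""
    mean, stdev = profile
    boundary = mean + k * stdev
    return [i for i, count in enumerate(observed_counts) if count > boundary]

def classify(alerts, attack_intervals):
    """Sort the outcome into the booklet's categories."""
    alerts, attacks = set(alerts), set(attack_intervals)
    return {"true_positive": sorted(alerts & attacks),
            "false_positive": sorted(alerts - attacks),
            "false_negative": sorted(attacks - alerts)}

# Constructed data: failed logins per 5-minute interval on a banking server.
CLEAN_TRAINING = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3]
# Same window, but password guessing was already under way while the
# profile was being built, so the "normal" baseline absorbs the attack.
POISONED_TRAINING = CLEAN_TRAINING[:8] + [40, 45, 38, 42]
# Monitoring window: index 3 is a loud guessing burst, index 6 a benign
# month-end spike of forgotten passwords, index 7 a low-and-slow run.
OBSERVED = [3, 2, 4, 30, 2, 3, 9, 8]
ATTACK_INTERVALS = [3, 7]

def run_scenarios():
    """Return the three outcomes the passage warns about, keyed by scenario."""
    clean, poisoned = build_profile(CLEAN_TRAINING), build_profile(POISONED_TRAINING)
    return {
        # tight boundary: catches both attacks, but also the benign spike
        "clean_k3": classify(detect(clean, OBSERVED, 3), ATTACK_INTERVALS),
        # loosened to silence the false positive: the slow attack now slips by
        "clean_k7": classify(detect(clean, OBSERVED, 7), ATTACK_INTERVALS),
        # baseline modeled during an attack: nothing looks abnormal any more
        "poisoned_k3": classify(detect(poisoned, OBSERVED, 3), ATTACK_INTERVALS),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```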
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
8. Determine whether an incident response team:
- Contains appropriate membership,
- Is available at all times,
- Has appropriate training to investigate and report findings,
- Has access to back-up data and systems, an inventory of all
approved hardware and software, and monitored access to systems (as
appropriate), and
- Has appropriate authority and timely access to decision
makers for actions that require higher approvals.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the
short-form initial notice with a reasonable means of obtaining the
longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to
request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the
institution's office, having copies available to provide immediately
by hand-delivery? [§6(d)(4)(ii)]