FYI - Voice Over Internet Protocol - Summary: The FDIC is providing guidance to financial institutions on the security risks associated with voice over Internet protocol. VoIP refers to the delivery of traditional telephone voice communications over the Internet.
www.fdic.gov/news/news/financial/2005/fil6905.html

FYI - Write down your passwords, increase security - Security buffs have urged employees to write down their passwords in hopes that people will not use the same weak phrase repeatedly, thereby increasing security.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=703d56de-2e70-4e5f-9186-c5ca73830c1e&newsType=Latest%20News&s=n
FYI - $91,000 stolen in Japanese spyware heist - Nearly 10 million Yen ($91,000) has been stolen from Japanese bank accounts due to a 'Spyware bug'.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=121dfb3d-39c6-4341-84e3-91275baf2805&newsType=Latest%20News&s=n
FYI - Hackers target flaws in backup software - Flawed backup software has emerged as the latest target for hackers looking for corporate secrets, according to a survey released Monday.
http://money.cnn.com/2005/07/25/technology/hackers.reut/

FYI - GAO: Critical infrastructure needs more cybersecurity protections - The Homeland Security Department is failing to adequately protect the nation's critical infrastructure and the information technology that supports it, the Government Accountability Office told the Senate today.
http://www.fcw.com/article89620-07-19-05-Web

FYI - Break-in costs ChoicePoint millions - Data broker ChoicePoint took a $6 million charge in its second quarter to cover costs related to the leak of information on about 145,000 Americans.
http://news.com.com/2102-7350_3-5797213.html?tag=st.util.print

FYI - Government Uses Color Laser Printer Technology to Track Documents - Practice embeds hidden, traceable data in every page printed. Next time you make a printout from your color laser printer, shine an LED flashlight beam on it and examine it closely with a magnifying glass. You might be able to see the small, scattered yellow dots printed there that could be used to trace the document back to you.
http://www.pcworld.com/news/article/0,aid,118664,00.asp

FYI - GAO - Financial Market Organizations Have Taken Steps to Protect against Electronic Attacks, but Could Take Additional Actions.
http://www.gao.gov/cgi-bin/getrpt?GAO-05-679R
WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY - This concludes the series from the FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in December 1997, the issues still are relevant. Starting next week, we will begin covering the OCC Bulletin about Infrastructure Threats and Intrusion Risks dated May 15, 2000.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of
maintaining system performance and security is ongoing. Products are
frequently issued which contain security flaws or other bugs, and
then security patches and version upgrades are issued to correct the
deficiencies. The most important action in this regard is to keep
current on the latest software releases and security patches. This
information is generally available from product developers and
vendors. Also important is an understanding of the products and
their security flaws, and how they may affect system performance.
For example, if there is a time delay before a patch will be
available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist,
such as the Computer Emergency Response Team Coordination Center
(CERT/CC) at the Software Engineering Institute of Carnegie Mellon
University, Pittsburgh, Pennsylvania. The CERT/CC, among other
activities, issues advisories on security flaws in software
products, and provides this information to the general public
through subscription e-mail, Internet newsgroups (Usenet), and
their Web site at www.cert.org.
Many other resources are freely available on the Internet.
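The letter's advice, stay current on patches and fall back on mitigating controls while a fix is pending, is easy to state but easy to get wrong in practice, most often by comparing version strings lexically ("2.9" sorts after "2.10" as text). The following Python script is an added example and is not part of the FDIC letter or this newsletter; every product name, installed version, advisory identifier and mitigation below is constructed for illustration. It compares an inventory of installed versions against advisories numerically and sorts each finding into "patched", "upgrade", or "mitigate" (no fix published yet).

```python
"""Patch-currency triage (added example, not from the FDIC letter).

An advisory is assumed to affect every version earlier than its fixed_in
value; an advisory with fixed_in=None has no fix yet, so the installed
product needs a mitigating control until one ships.
"""
import re

# Constructed sample data: none of these products or advisory ids are real.
ADVISORIES = [
    {"id": "ADV-0001", "product": "webserver", "fixed_in": "2.10",
     "mitigation": "restrict the admin interface to the management VLAN"},
    {"id": "ADV-0002", "product": "mailgw", "fixed_in": None,
     "mitigation": "disable the affected relay feature"},
    {"id": "ADV-0003", "product": "dbclient", "fixed_in": "1.4.2",
     "mitigation": "n/a"},
    {"id": "ADV-0004", "product": "ftpd", "fixed_in": "0.9",
     "mitigation": "n/a"},  # not installed below, so it should not be reported
]
INSTALLED = {"webserver": "2.9", "mailgw": "3.1", "dbclient": "1.4.2"}


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_at_least(installed, fixed):
    """True if installed >= fixed, padding shorter tuples with zeros (1.4 == 1.4.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(installed, advisories):
    """Map each applicable advisory id to 'patched', 'upgrade' or 'mitigate'."""
    findings = {}
    for adv in advisories:
        version = installed.get(adv["product"])
        if version is None:
            continue  # product not deployed here; advisory does not apply
        if adv["fixed_in"] is None:
            findings[adv["id"]] = "mitigate"
        elif version_at_least(version, adv["fixed_in"]):
            findings[adv["id"]] = "patched"
        else:
            findings[adv["id"]] = "upgrade"
    return findings


def report(installed, advisories):
    """Human-readable lines, with the mitigation shown only where it is needed."""
    lines = []
    status = triage(installed, advisories)
    for adv in advisories:
        if adv["id"] not in status:
            continue
        line = f'{adv["id"]} {adv["product"]} {installed[adv["product"]]}: {status[adv["id"]]}'
        if status[adv["id"]] == "mitigate":
            line += f' (until a patch ships: {adv["mitigation"]})'
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(INSTALLED, ADVISORIES):
        print(line)
```

Run against a real inventory, this is the list an operator reviews each week: "upgrade" entries go to change control, and "mitigate" entries are the ones the letter has in mind when it says a mitigating control may be needed until the patch is issued.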
Active Content Languages
Active content languages have been the subject of a number of recent
security discussions within the technology industry. While it is not
their only application, these languages allow computer programs to
be attached to Web pages. As such, more appealing and interactive
Web pages can be created, but this function may also allow
unauthorized programs to be automatically downloaded to a user's
computer. To date, few incidents have been reported of harm caused
by such programs; however, active content programs could be
malicious, designed to access or damage data or insert a
virus.
Security problems may also arise from implementation details, such as how the languages and the programs written in them interact with other software, such as Web browsers. Typically, users can disable the
acceptance of such programs on their Web browser. Or, users can
configure their browser so they may choose which programs to accept
and which to deny. It is important for users to understand how these
languages function and the risks involved, so that they make
educated decisions regarding their use. Security alerts concerning
active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
VI. Viruses
Because potentially malicious programs can be downloaded directly
onto a system from the Internet, virus protection measures beyond
the traditional boot scanning techniques may be necessary to
properly protect servers, systems, and workstations. Additional
protection might include anti-virus products that remain resident,
providing for scanning during downloads or the execution of any
program. It is also important to ensure that all system users are
educated in the risks posed to systems by viruses and other
malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.
IT SECURITY QUESTION: Core application user access controls (Part 2 of 2)
h. Is the user locked out after three unsuccessful attempts to enter
the correct password?
i. How long is the user locked out after entering an incorrect
password?
j. Automatic timeout if left unattended? If so, how long?
k. Automatic lockout by time of day and day of week?
l. Is user access restricted by workstation?
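Questions h through l describe a set of controls that a core application should enforce together: a failed-attempt counter with lockout, a lockout duration, an idle timeout, a permitted time-of-day and day-of-week window, and a per-user workstation restriction. The following Python class is an added example, not code from the newsletter or from any core application vendor, showing how those five checks fit together in one login path. Every user name, password, workstation name, threshold and time window in it is constructed for illustration; a real system would store password hashes rather than the plaintext used here.

```python
"""Core application access controls h-l (added example, constructed data).

Checks, in order: existing lockout, permitted day/hour window, permitted
workstation, then the password. Failed attempts are only counted once the
other checks pass, so an attacker probing outside hours or from a wrong
workstation cannot lock out a legitimate user.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 3                    # question h: lock after three bad passwords
LOCKOUT_DURATION = timedelta(minutes=30)   # question i: how long the lock lasts
IDLE_TIMEOUT = timedelta(minutes=15)       # question j: unattended session limit
ALLOWED_DAYS = {0, 1, 2, 3, 4}             # question k: Monday(0) to Friday(4)
ALLOWED_HOURS = range(7, 19)               # question k: 07:00 up to 19:00
# question l: constructed mapping of user -> workstations that user may log in from
WORKSTATIONS = {"teller01": {"BR1-WS-01", "BR1-WS-02"}, "ops02": {"OPS-WS-07"}}
# Constructed credentials; plaintext only so the example is self-contained.
PASSWORDS = {"teller01": "correct horse", "ops02": "battery staple"}


@dataclass
class Account:
    user: str
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None   # None means no live session


class AccessControl:
    def __init__(self):
        self.accounts = {u: Account(u) for u in PASSWORDS}

    def login(self, user, password, workstation, now):
        """Return 'ok' or a 'denied: ...' reason. `now` is passed in for testability."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied: unknown user"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "denied: account locked"
            acct.locked_until = None          # lock expired (question i)
            acct.failed_attempts = 0
        if now.weekday() not in ALLOWED_DAYS or now.hour not in ALLOWED_HOURS:
            return "denied: outside permitted hours"      # question k
        if workstation not in WORKSTATIONS.get(user, set()):
            return "denied: workstation not permitted"    # question l
        if not hmac.compare_digest(password, PASSWORDS[user]):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:  # question h
                acct.locked_until = now + LOCKOUT_DURATION
                return "denied: account locked"
            return "denied: bad password"
        acct.failed_attempts = 0
        acct.last_activity = now
        return "ok"

    def touch(self, user, now):
        """Record session activity (question j).

        Returns True if the session is still live; False if there was no session
        or it sat idle longer than IDLE_TIMEOUT, in which case it is ended.
        """
        acct = self.accounts[user]
        if acct.last_activity is None:
            return False
        if now - acct.last_activity > IDLE_TIMEOUT:
            acct.last_activity = None
            return False
        acct.last_activity = now
        return True
```

The ordering matters for an examiner's purposes: the lockout check runs before the password check so a locked account cannot be probed, and the lock expiry is what gives question i its answer (30 minutes in this constructed policy), while `touch` is what the application would call on each request to answer question j.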
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]
VISTA - Does {custom4} need an affordable Internet security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning; testing focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.