Internet Banking News

August 13, 2006

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Banks face Web security deadline - Many aren't prepared for guidelines on authenticating online users - For some bank IT managers, last fall's release of federal guidelines for validating the identities of online users helped catalyze ongoing efforts to adopt so-called strong authentication measures. But a majority of U.S. banks appear unprepared to meet the Dec. 31 deadline by which they're supposed to comply with the guidelines, several analysts said this week. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002085

FYI - Navy Computers With Personal Data Stolen - Two laptop computers with personal information on about 31,000 Navy recruiters and their prospective recruits were stolen from Navy offices in New Jersey in June and July, the Navy disclosed. http://www.washingtonpost.com/wp-dyn/content/article/2006/06/26/AR2006062601103.html

FYI - Missing laptop with data on 540,000 N.Y. state workers found, The computer had been missing since May 9 - A laptop computer containing personal information on more than half a million New York state workers has been found after it disappeared May 9 from the offices of a third-party data management company. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002031

FYI - Armstrong: Stolen laptop had personal info on 12,000 workers - A laptop stolen from a payroll auditor contains personal information regarding about 12,000 current and former Armstrong World Industries Inc. employees. The laptop was stolen from a locked car belonging to a Deloitte & Touche LLP employee, Armstrong said. http://www.thestate.com/mld/thestate/business/15122637.htm

FYI - CIOs release updated guide to information sharing - The CIO Council has released a third version of its Federal Enterprise Architecture Security and Privacy Profile (FEA SPP), which helps agencies safeguard information they share with others. The 63-page document describes best practices for program executives to use in complying with security and privacy requirements. It also suggests ways to integrate those requirements into major information technology purchases. http://www.fcw.com/article95390-07-25-06-Web

FYI - Public, private sectors still far apart on protecting IT infrastructure - The Homeland Security Department and private industry continue to work separately, rather than closer together, on instituting measures to protect the nation's cyber and telecommunications infrastructure, and part of the disconnect can be attributed to DHS' failure to name an assistant secretary to take the lead on the issue. http://www.gcn.com/online/vol1_no1/41519-1.html?topic=security

FYI - Visa looks to bolster security with PCI classification changes - Visa U.S.A. Inc. has changed the way it classifies merchants under its Payment Card Industry (PCI) data security standards program, which will require about 1,000 merchants to meet more rigorous compliance-validation standards. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002011

FYI - U.S. Army requires trusted computing - The U.S. Army will open its second purchase period this year for small computers, requiring that all systems have specialized hardware designed to add strong data security to the system. Known as the Trusted Computing Platform, the hardware specification uses encryption and specialized memory to secure a computer's data, allowing only the application that created a file to access that data and allowing hard drive data to be locked to a specific computer, for example. http://www.securityfocus.com/brief/265

FYI - FFIEC Information Security Booklet - The Federal Financial Institutions Examination Council updated its Information Security Booklet for examiners and financial institutions to reflect changes in technology and mitigation strategies, as well as recent revisions to related supervisory guidance.
Press Release: www.federalreserve.gov/boarddocs/srletters/2006/sr0612.htm
Press Release: www.federalreserve.gov/boarddocs/SRLETTERS/2006/SR0612.htm
Press Release: www.ots.treas.gov/docs/7/776034.html
Press Release: www.fdic.gov/news/news/financial/2006/fil06071.html/

FYI - Sentry Insurance says customer data stolen - Personal information on 72 worker's compensation claimants was stolen from Sentry Insurance and later sold over the Internet, the company said. The data sold included names and Social Security numbers but not medical records, Sentry said. Data on an additional 112,198 claimants was also stolen but there is no evidence it was sold, the company said. http://www.mercurynews.com/mld/mercurynews/business/technology/15153907.htm

FYI - Security breach raises new doubt son CIS capability - An employee of U.S. Citizenship and Immigration Services distributed the personal and private employment information of thousands of her fellow workers last week, raising concerns that those responsible for granting visas and other immigration benefits could be exposed to outside influence. Top officials at CIS and the Department of Homeland Security, of which CIS is a part, spent last weekend and this week evaluating the extent of the security breach for the 8,700 employees of CIS. http://www.washingtontimes.com/national/20060727-120633-3965r.htm

FYI - Now a VA subcontractor's computer is missing - Three months after a laptop breach put the personal information of millions of active duty service people at risk, another computer containing the personal information of veterans has gone missing. The VA was notified last week that a subcontractor, Unisys Corporation, hired to assist in insurance collections for veterans' medical centers in Philadelphia and Pittsburgh, lost a desktop computer from its offices. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060809/576212/

FYI - 2 Md. Men Arrested In Theft of VA Laptop - Montgomery County police charged two men yesterday with felonies in the May 3 theft of computer equipment from the home of a Department of Veterans Affairs analyst, a case that blossomed into the largest data breach in federal government history. http://www.washingtonpost.com/wp-dyn/content/article/2006/08/06/AR2006080600345_pf.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our series on the FFIEC Authentication in an Internet Banking Environment. (Part 12 of 13)

Internet Protocol Address (IPA) Location and Geo-Location

One technique to filter an online transaction is to know who is assigned to the requesting Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned either by an Internet Service Provider or as part of the user's network. If all users were issued a unique IPA that was constantly maintained on an official register, authentication by IPA would simply be a matter of collecting IPAs and cross-referencing them to their owners. However, IPAs are not owned, may change frequently, and in some cases can be "spoofed." Additionally, there is no single source for associating an IPA with its current owner, and in some cases matching the two may be impossible.

Some vendors have begun offering software products that identify several data elements, including location, anonymous proxies, domain name, and other identifying attributes referred to as "IP Intelligence." The software analyzes this information in a real-time environment and checks it against multiple data sources and profiles to prevent unauthorized access. If the user's IPA and the profiled characteristics of past sessions match information stored for identification purposes, the user is authenticated. In some instances the software will detect out-of-character details of the access attempt and quickly conclude that the user should not be authenticated.

Geo-location technology is another technique to limit Internet users by determining where they are or, conversely, where they are not. Geo-location software inspects and analyzes the small bits of time required for Internet communications to move through the network. These electronic travel times are converted into cyberspace distances. After these cyberspace distances have been determined for a user, they are compared with cyberspace distances for known locations. If the comparison is considered reasonable, the user's location can be authenticated. If the distance is considered unreasonable or for some reason is not calculable, the user will not be authenticated.

IPA verification or geo-location may prove beneficial as one factor in a multifactor authentication strategy. However, since geo-location software currently produces usable results only for land-based or wired communications, it may not be suitable for some wireless networks that can also access the Internet such as cellular/digital telephones.

Mutual Authentication

Mutual authentication is a process whereby customer identity is authenticated and the target Web site is authenticated to the customer. Currently, most financial institutions do not authenticate their Web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed Web sites during the collection stage of an attack. The spoofed sites are so well constructed that casual users cannot tell they are not legitimate. Financial institutions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer.

Techniques for authenticating a Web site are varied. The use of digital certificates coupled with encrypted communications (e.g. Secure Socket Layer, or SSL) is one; the use of shared secrets such as digital images is another. Digital certificate authentication is generally considered one of the stronger authentication technologies, and mutual authentication provides a defense against phishing and similar attacks.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - REMOTE ACCESS

Many financial institutions use modems, remote - access servers (RAS), and VPNs to provide remote access into their systems or to allow remote access out of their systems. Remote access can support mobile users through wireless, Internet, or dial-in capabilities. In some cases, modem access is required periodically by vendors to make emergency program fixes or to support a system.

Remote access to a financial institution's systems provides an attacker with the opportunity to remotely attack the systems either individually or in groups. Accordingly, management should establish policies restricting remote access and be aware of all remote access devices attached to their systems. These devices should be strictly controlled. Good controls for remote access include the following actions:

! Disallow remote access by policy and practice unless a compelling business justification exists.
! Disable remote access at the operating system level if a business need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by default, to enable modems only for specific, authorized external requests, and disable the modem immediately when the requested purpose is completed.
! Configure modems not to answer inbound calls, if modems are for outbound use only.
! Use automated callback features so the modems only call one number (although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses a different prefix than internal numbers and does not respond to incoming calls.
! Log and monitor the date, time, user, user location, duration, and purpose for all remote access.
! Require a two-factor authentication process for all remote access (e.g., PIN-based token card with a one-time random password generator).
! Implement controls consistent with the sensitivity of remote use (e.g., remote system administration requires strict controls and oversight including encrypting the authentication and log-in process).
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet access, to provide a consistent authentication process, and to subject the inbound and outbound network traffic to firewalls.

Return to the top of the newsletter

IT SECURITY QUESTION:

D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices. Such plans should encompass the potential loss of customer data and authentication devices.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

10) Does the institution list the following categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects:

a) information from the consumer;

b) information about the consumer's transactions with the institution or its affiliates;

c) information about the consumer's transactions with nonaffiliated third parties; and

d) information from a consumer reporting agency? [�6(c)(2)]

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.