Internet Banking News

August 19, 2007

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Number Of Hackers Attacking Banks Jumps 81% - Hackers no longer need to be technical wizards to set up an operation to steal people's banking information and then rob their accounts. The number of hackers attacking banks worldwide jumped 81% from last year, according to figures released at the BlackHat security conference Thursday. Researchers from SecureWorks also reported that hackers going after the company's credit-union clients increased by 62% from last year. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201202629

FYI - GAO recommends changes to FISMA reporting - Published on July 30, 2007 Agency computer systems are vulnerable because many lack basic controls, and one of the best ways to improve information technology security is to improve the metrics for how departments measure how these basic controls are implemented. That was the conclusion of the Government Accountability Office, which on Friday issued a tell-tale report identifying widespread IT security weaknesses across the government. http://www.fcw.com/article103357-07-30-07-Web&printLayout

FYI - VoIP vulnerabilities unveiled at Black Hat - VoIP phone systems, relying on so-called "soft phone" software, may have thousands of potential vulnerabilities, researchers at Sipera Systems said at the annual Black Hat conference this week in Las Vegas. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070806/729707/

FYI - Black Hat attendees pick mobile threats as the next hot security topic - Mobile threats were considered the next major security issue by IT professionals who attended the Black Hat conference in Las Vegas this week, according to a survey released today by Symantec. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070806/729703/

FYI - Viruses, Spyware, Phishing Cost U.S. Consumers $7 Billion Over Two Years - The survey, based on a national sample of 2,000 U.S. households with Internet access, suggests that consumers face a 25% chance of being victimized online. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201203030

MISSING COMPUTERS/DATA

FYI - Russian phishers loot $500K in two-year hacking spree - A pair of Russian hackers looted more than $500,000 from Turkish bank accounts during the course of a Trojan-powered two year hacking spree. http://www.theregister.co.uk/2007/08/02/turkish_trojan/print.html

FYI - VeriSign worker exits after laptop security breach - VeriSign has warned workers of the theft of a laptop that contained their personal information. The laptop was stolen from a car parked in the garage of a California worker sometime on the night of 12 July. http://www.theregister.co.uk/2007/08/06/verisign_laptop_theft/print.html

FYI - Stolen health computer stored 20,000 names - Police and the office of the information and privacy commissioner are investigating a theft of four Capital Health computers - one containing 20,000 patient names, health card numbers, addresses and reason for admittance to hospital. But the risk of a hacker cracking the passwords is very low, said Capital Health spokesman Steve Buick. http://www.edmontonsun.com/News/Alberta/2007/08/03/pf-4390118.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 2 of 10)

A. RISK DISCUSSION

Introduction

Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Risk Mitigation Components - Wireless Internet Devices

For wireless customer access, the financial institution should institute policies and standards requiring that information and transactions be encrypted throughout the link between the customer and the institution. Financial institutions should carefully consider the impact of implementing technologies requiring that a third party have control over unencrypted customer information and transactions.

As wireless application technologies evolve, new security and control weaknesses will likely be identified in the wireless software and security protocols. Financial institutions should actively monitor security alert organizations for notices related to their wireless application services. They should also consider informing customers when wireless Internet devices that require the use of communications protocols deemed insecure will no longer be supported by the institution.

The financial institution should consider having regular independent security testing performed on its wireless customer access application. Specific testing goals would include the verification of appropriate security settings, the effectiveness of the wireless application security implementation and conformity to the institution's stated standards. The security testing should be performed by an organization that is technically qualified to perform wireless testing and demonstrates appropriate ethical behavior.

Return to the top of the newsletter

IT SECURITY QUESTION: Physical access to main computers:

a. Are the servers located in a secure location in the building?
b. Is access to the computer room restricted?
c. Is the computer room locked all the time?
d. Is there a 24 hours camera surveillance in computer room?
e. Is the computer room free of clutter?
f. Is there a fire extinguisher?
g. Are fire extinguishers regularly inspected?
h. Is there a smoke or heat detector?
i. Is there a "power down" switch?
j. Is there a "visitors log"?

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 2 of 3)

B. Use the information gathered from step A to work through the "Privacy Notice and Opt Out Decision Tree." Identify which module(s) of procedures is (are) applicable.

C. Use the information gathered from step A to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (Attachments B & C). Identify which module is applicable.

D. Determine the adequacy of the financial institution's internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:

1) Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;

2) Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;

3) Frequency and effectiveness of monitoring procedures;

4) Adequacy and regularity of the institution's training program;

5) Suitability of the compliance audit program for ensuring that:

     a) the procedures address all regulatory provisions as applicable;
     b) the work is accurate and comprehensive with respect to the institution's information sharing practices;
     c) the frequency is appropriate;
     d) conclusions are appropriately reached and presented to responsible parties;
     e) steps are taken to correct deficiencies and to follow-up on previously identified deficiencies; and

6) Knowledge level of management and personnel.