FYI - ID theft ring hits 50 banks, security firm says - A major identity theft ring has been discovered that affects up to 50 banks, according to Sunbelt Software, the security company that says it uncovered the operation.
http://news.com.com/2102-7349_3-5823591.html?tag=st.util.print
FYI - Precious Cargo - As recent lapses have shown, sending critical backup data to a storage facility isn't as simple as placing a package on a truck. Here are four points to consider when you're securing the chain of custody for your backup data.
http://www.csoonline.com/read/080105/cargo.html
FYI - DNS servers - an Internet Achilles' heel - Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.
http://news.com.com/2102-7349_3-5816061.html?tag=st.util.print
FYI - Security Breach Possibly Exposes Students' IDs - The University of North Texas server storing the electronic university housing records of about 34,000 current, former and prospective students was accessed by a computer hacker.
https://www.securityid.unt.edu/
FYI - CU seeking help to evaluate hacked system - The University of Colorado will hire a computer-security company to audit its technology safeguards after hackers broke into the system three times in two weeks.
http://www.denverpost.com/portlet/article/html/fragments/print_article.jsp?article=2909173
FYI - German bank launches new system to combat phishing - Postbank customers will be given code numbers, in addition to PINs, that are required for each specific transaction.
http://www.infoworld.com/article/05/08/08/HNgermanbank_1.html
FYI - The rise of the digital thugs - Early last year, the corporate stalker made his move. He sent more than a dozen menacing e-mail messages to Daniel I. Videtto, the president of MicroPatent, a patent and trademarking firm, threatening to derail its operations unless he was paid $17 million.
http://news.com.com/2102-1029_3-5822417.html?tag=st.util.print
FYI - New York law requires notification after data breaches - New York Governor George Pataki signed a bill that requires businesses and state government agencies to notify consumers if sensitive data is nabbed in a security breach.
http://news.com.com/2102-7348_3-5827712.html?tag=st.util.print
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 1 of 5)
BACKGROUND
Web-site spoofing is a method of creating fraudulent Web sites that
look similar, if not identical, to an actual site, such as that of a
bank. Customers are typically directed to these spoofed Web sites
through phishing schemes or pharming techniques. Once at the
spoofed Web site, the customers are enticed to enter information
such as their Internet banking username and password, credit card
information, or other information that could enable a criminal to
use the customers' accounts to commit fraud or steal the customers'
identities. Spoofing exposes a bank to strategic, operational, and
reputational risks; jeopardizes the privacy of bank customers; and
exposes banks and their customers to the risk of financial fraud.
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of Web-site spoofing by implementing
the identification and response procedures discussed in this
bulletin. A bank also can help minimize the impact of a spoofing
incident by assigning certain bank employees responsibility for
responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet activities
are outsourced, the bank can address spoofing risks by ensuring that
its contracts with its technology service providers stipulate
appropriate procedures for detecting and reporting spoofing
incidents, and that the service provider's process for responding to
such incidents is integrated with the bank's own internal
procedures.
Banks can improve the effectiveness of their response procedures by
establishing contacts with the Federal Bureau of Investigation (FBI)
and local law enforcement authorities in advance of any spoofing
incident. These contacts should involve the appropriate departments
and officials responsible for investigating computer security
incidents. Effective procedures should also include appropriate
time frames to seek law enforcement involvement, taking note of the
nature and type of information and resources that may be available
to the bank, as well as the ability of law enforcement authorities
to act rapidly to protect the bank and its customers.
Additionally, banks can use customer education programs to mitigate
some of the risks associated with spoofing attacks. Education
efforts can include statement stuffers and Web-site alerts
explaining various Internet-related scams, including the use of
fraudulent e-mails and Web-sites in phishing attacks. In addition,
because the attacks can exploit vulnerabilities in Web browsers
and/or operating systems, banks should consider reminding their
customers of the importance of safe computing practices.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants.
Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.
There is no charge for the e-newsletter.
SECURITY PROCESS
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
employees.
OVERVIEW
The security process is the method an organization uses to implement
and achieve its security objectives. The process is designed to
identify, measure, manage and control the risks to system and data
availability, integrity, and confidentiality, and ensure
accountability for system actions. The process includes five areas
that serve as the framework for this booklet:
1) Information Security Risk Assessment - A process to identify threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.
2) Information Security Strategy - A plan to mitigate risk that integrates technology, policies, procedures and training. The plan should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain assurance that risks are appropriately assessed and mitigated. These testing methodologies should verify that significant controls are effective and performing as intended.
5) Monitoring and Updating - The process of continuously gathering and analyzing information regarding new threats and vulnerabilities, actual attacks on the institution or others, combined with the effectiveness of the existing security controls. This information is used to update the risk assessment, strategy, and controls. Monitoring and updating makes the process continuous instead of a one-time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's
defensive posture. All of these variables change constantly.
Therefore, an institution's management of the risks requires an
ongoing process.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration
2. Determine if the user registration and enrollment process
• Uniquely identifies the user,
• Verifies the need to use the system according to appropriate
policy,
• Enforces a unique user ID,
• Assigns and records the proper security attributes (e.g.,
authorization),
• Enforces the assignment or selection of an authenticator that
agrees with the security policy,
• Securely distributes any initial shared secret authenticator or
token, and
• Obtains acknowledgement from the user of acceptance of the terms
of use.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
37. For annual notices only, if the institution does not
employ one of the methods described in question 36, does the
institution employ one of the following reasonable means of
delivering the notice such as:
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
or
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer
request? [§9(c)(2)]
VISTA - Does your financial institution need an affordable Internet security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports; the testing focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.