R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 31, 2008

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

ISACA NETWORK SECURITY CONFERENCE - I hope you have registered for the conference in Las Vegas on September 8-10.  If not, go to www.isaca.org/nsc for more information.  I look forward to seeing you there.

FYI - Thousands of web servers hit by SQL attack - Internet security firm Secure Computing has issued a warning of an SQL injection attack that appears to have infected several thousand web servers, including government and financial services sites. http://www.scmagazineus.com/Thousands-of-web-servers-hit-by-SQL-attack/article/115386/?DCMP=EMC-SCUS_Newswire

FYI - Clipboards hijacked by furtive code - Security firms are warning about a web link that is surreptitiously stored in a user's clipboard. It has been found in Adobe Flash-based advertisements on otherwise legitimate websites and has attacked clipboards on both Windows and Macs. http://www.scmagazineus.com/Clipboards-hijacked-by-furtive-code/article/115503/?DCMP=EMC-SCUS_Newswire

FYI - Details in upcoming PCI DSS released - New changes in the Payment Card Industry Data Security Standard (PCI DSS) version 1.2 have been disclosed prior to its release in October. According to a summary of the changes released by the PCI Security Standards Council (PCI), the modifications include clarifications and explanations of requirements to adhere to the guidelines of the council. http://www.scmagazineus.com/Details-in-upcoming-PCI-DSS-released/article/115590/?DCMP=EMC-SCUS_Newswire

FYI - New laws require data encryption - Iowa has passed a data breach law that requires companies to encrypt customer details. It joins more than 40 other states that require encryption and notification of customers should information be compromised. http://www.scmagazineus.com/New-laws-require-data-encryption/article/115552/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Colchester Hospital sacks manager over lost laptop - Colchester University Hospital has sacked one of its managers over the theft of his work laptop, which contained unencrypted patient records. http://www.theregister.co.uk/2008/08/12/hospital_manager_lost_laptop_dismissal/print.html

FYI - Ireland investigating fake credit card reader scam - If you've used a credit card reader in Ireland recently you may want to call your credit card company and monitor your account. http://news.cnet.com/8301-1009_3-10020313-83.html?tag=nefd.top

FYI - Feds seek to nab credit card thieves in La., Miss. - A ring of cyberthieves has stolen tens of thousands of credit card numbers from Louisiana and Mississippi restaurants this year, leading to over $1 million in losses for the banks that issued them. http://www.forbes.com/feeds/ap/2008/08/18/ap5334017.html

FYI - Wuesthoff Web site security breached - Hackers penetrated Wuesthoff Health System's pre-registration Web site earlier this week, gaining access to personal information on 500 patients, including names, addresses and Social Security numbers. http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20080815/BUSINESS/808150326/1006/NEWS01


WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)

Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes. Enhancements may include:

!  Incorporating notification procedures to alert customers of known e-mail and Internet-related fraudulent schemes and to caution them against responding;
!  Establishing a process to notify Internet service providers, domain name-issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that may be used to facilitate phishing or other e-mail and Internet-related fraudulent schemes;
!  Increasing suspicious activity monitoring and employing additional identity verification controls;
!  Offering customers assistance when fraud is detected in connection with customer accounts;
!  Notifying the proper authorities when e-mail and Internet-related fraudulent schemes are detected, including promptly notifying their FDIC Regional Office and the appropriate law enforcement agencies; and
!  Filing a Suspicious Activity Report when incidents of e-mail and Internet-related fraudulent schemes are suspected.

Steps Financial Institutions Can Take to Mitigate Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and Internet-related fraudulent schemes, financial institutions should implement appropriate information security controls as described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet."  Specific actions that should be considered to prevent and deter e-mail and Internet-related fraudulent schemes include:

!  Improving authentication methods and procedures to protect against the risk of user ID and password theft from customers through e-mail and other frauds;
!  Reviewing and, if necessary, enhancing practices for protecting confidential customer data;
!  Maintaining current Web site certificates and describing how customers can authenticate the financial institution's Web pages by checking the properties on a secure Web page;
!  Monitoring accounts individually or in aggregate for unusual account activity such as address or phone number changes, a large or high volume of transfers, and unusual customer service requests;
!  Monitoring for fraudulent Web sites using variations of the financial institution's name;
!  Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious e-mail messages; and
!  Training customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.
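The account-monitoring item above (address or phone number changes, a large or high volume of transfers) can be turned into concrete detection logic that runs over an account's event history. The Python below is an added example, not part of the FDIC guidance or of this newsletter; the event layout, the seven-day lookback after a contact-detail change, the three-transfers-in-24-hours burst rule and the 10,000 volume threshold are assumptions chosen for illustration, and the events are constructed sample data rather than real customer records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account events (not real customer data):
# (account_id, ISO timestamp, event_type, amount). Amount is 0 for non-monetary events.
SAMPLE_EVENTS = [
    ("ACC-1001", "2008-08-20T09:15:00", "address_change", 0),
    ("ACC-1001", "2008-08-20T09:20:00", "phone_change", 0),
    ("ACC-1001", "2008-08-21T10:00:00", "transfer", 4800),
    ("ACC-1001", "2008-08-21T10:05:00", "transfer", 4900),
    ("ACC-1001", "2008-08-21T10:09:00", "transfer", 4700),
    ("ACC-2002", "2008-08-19T14:00:00", "transfer", 150),
    ("ACC-2002", "2008-08-25T08:30:00", "transfer", 200),
    ("ACC-3003", "2008-08-22T11:00:00", "address_change", 0),
    ("ACC-3003", "2008-09-15T11:00:00", "transfer", 300),
]

CONTACT_CHANGES = {"address_change", "phone_change"}


def _group_by_account(events):
    """Group events per account and sort each account's events by time."""
    grouped = defaultdict(list)
    for account, ts, kind, amount in events:
        grouped[account].append((datetime.fromisoformat(ts), kind, amount))
    for evs in grouped.values():
        evs.sort(key=lambda e: e[0])
    return grouped


def flag_unusual_activity(events, lookback_days=7, burst_count=3,
                          burst_window_hours=24, volume_threshold=10000):
    """Return a list of alerts, one per (account, rule) that fires.

    Thresholds are illustrative assumptions, not FDIC/FFIEC figures.
      transfer_after_contact_change: a transfer within `lookback_days` of an
          address or phone change on the same account.
      high_transfer_count: at least `burst_count` transfers within any
          `burst_window_hours` window.
      high_transfer_volume: transfers within any `burst_window_hours` window
          summing to `volume_threshold` or more.
    """
    alerts = []
    lookback = timedelta(days=lookback_days)
    window = timedelta(hours=burst_window_hours)

    for account, evs in sorted(_group_by_account(events).items()):
        changes = [(t, k) for t, k, _ in evs if k in CONTACT_CHANGES]
        transfers = [(t, a) for t, k, a in evs if k == "transfer"]

        # Rule 1: money moves shortly after the contact details were changed,
        # the pattern of an account takeover that follows a phished credential.
        for t, amount in transfers:
            recent = sorted({k for ct, k in changes if timedelta(0) <= t - ct <= lookback})
            if recent:
                alerts.append({"account": account, "rule": "transfer_after_contact_change",
                               "detail": f"transfer of {amount} on {t:%Y-%m-%d} follows {', '.join(recent)}"})
                break

        # Rules 2 and 3: a sliding window over the account's transfers, each
        # rule reported at most once per account.
        count_fired = volume_fired = False
        for start, _ in transfers:
            in_window = [a for t, a in transfers if start <= t <= start + window]
            if not count_fired and len(in_window) >= burst_count:
                count_fired = True
                alerts.append({"account": account, "rule": "high_transfer_count",
                               "detail": f"{len(in_window)} transfers within {burst_window_hours}h of {start:%Y-%m-%d %H:%M}"})
            if not volume_fired and sum(in_window) >= volume_threshold:
                volume_fired = True
                alerts.append({"account": account, "rule": "high_transfer_volume",
                               "detail": f"{sum(in_window)} moved within {burst_window_hours}h of {start:%Y-%m-%d %H:%M}"})
    return alerts


def rules_fired(alerts, account):
    """Set of rule names that fired for one account (convenience for review)."""
    return {a["rule"] for a in alerts if a["account"] == account}


if __name__ == "__main__":
    for alert in flag_unusual_activity(SAMPLE_EVENTS):
        print(f"{alert['account']:9} {alert['rule']:30} {alert['detail']}")
```

On the constructed data, ACC-1001 trips all three rules (two contact changes followed by three transfers totalling 14,400 within ten minutes), while ACC-3003's transfer arrives 24 days after its address change and stays quiet. The rules are deliberately per-account; the "in aggregate" monitoring the guidance also asks for would add a second pass that compares each account's window totals against the institution-wide baseline.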

Conclusion

E-mail and Internet-related fraudulent schemes present a substantial risk to financial institutions and their customers. Financial institutions should consider developing programs to educate customers about e-mail and Internet-related fraudulent schemes and how to avoid them, consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes, and implement appropriate information security controls to help mitigate the risks associated with e-mail and Internet-related fraudulent schemes.

 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 2 of 3)

Other common protocols in a TCP/IP network include the following types.

! Address resolution protocol (ARP) - Obtains the hardware address of connected devices and matches that address with the IP address for that device. The hardware address is the Ethernet card's address, technically referred to as the "media access control" (MAC) address. Ethernet systems route messages by the MAC address, requiring a router to obtain both the IP address and the MAC address of connected devices. Reverse ARP (RARP) also exists as a protocol.

! Internet control message protocol (ICMP) - Used to send messages about network health between devices, provides alternate routing information if trouble is detected, and helps to identify problems with routing.

! File transfer protocol (FTP) - Used to browse directories and transfer files. Although access can be authenticated or anonymous, FTP does not support encrypted authentication. Conducting FTP within encrypted channels, such as a Virtual Private Network (VPN), secure shell (SSH) or secure sockets layer (SSL) sessions can improve security.

! Trivial file transfer protocol (TFTP) - A file transfer protocol with no file-browsing ability and no support for authentication.

! Simple mail transfer protocol (SMTP) - Commonly used in e-mail systems to send mail.

! Post office protocol (POP) - Commonly used to receive e-mail.

! Hypertext transport protocol (HTTP) - Used for Web browsing.

! Secure shell (SSH) - Encrypts communications sessions, typically used for remote administration of servers.

! Secure sockets layer (SSL) - Typically used to encrypt Web browsing sessions, sometimes used to secure e-mail transfers and FTP sessions.



IT SECURITY QUESTION:

C. HOST SECURITY

1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, and that configuration takes advantage of available object, device, and file access controls.
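The protocol list in the Information Security Booklet section above and the host-hardening question here meet in one practical check: list what a host is actually listening on, compare that with the services the risk assessment approved, and flag approved services that run in cleartext (FTP, TFTP, SMTP, POP and HTTP in the list above) for removal or for wrapping in a VPN, SSH or SSL session. The Python below is an added example, not code from the FFIEC booklet or from Yennik; the listener inventory is constructed in the layout of Linux "ss -tuln" output rather than captured from a real host, and the allowlist and the port-to-protocol table are assumptions chosen for illustration.

```python
import re

# Protocols from the booklet list with their well-known ports (IANA assignments)
# and whether the protocol itself encrypts the session. Assumed table for this example.
KNOWN_SERVICES = {
    ("tcp", 21): ("FTP", False),
    ("udp", 69): ("TFTP", False),
    ("tcp", 25): ("SMTP", False),
    ("tcp", 110): ("POP3", False),
    ("tcp", 80): ("HTTP", False),
    ("tcp", 22): ("SSH", True),
    ("tcp", 443): ("HTTPS (HTTP over SSL/TLS)", True),
}

# Constructed listener inventory in the layout of `ss -tuln` output on Linux;
# not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:69        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128             [::]:80           [::]:*
tcp   LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*
"""

# Assumed allowlist from the institution's risk assessment: the services this
# host is supposed to offer. Anything else is "unnecessary" in the booklet's sense.
SAMPLE_ALLOWLIST = {("tcp", 22), ("tcp", 443)}

# One ss line: protocol, state, recv-q, send-q, then "address:port" of the local socket.
LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(ss_output):
    """Return a list of (proto, local_address, port) parsed from ss-style output."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["proto"], m["addr"], int(m["port"])))
    return listeners


def review_host(ss_output, allowlist):
    """Compare listening services against the allowlist and classify each one.

    Each finding carries an issue code:
      "unapproved": the listener is not in the risk-assessment allowlist, so the
                    booklet's hardening step is to remove or disable it.
      "cleartext":  the listener is approved but the protocol does not encrypt,
                    so it should run inside a VPN/SSH/SSL channel or be replaced.
    An empty list means only approved, session-encrypting services are offered.
    """
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        name, encrypted = KNOWN_SERVICES.get(
            (proto, port), (f"unknown service on {proto}/{port}", False))
        exposure = "local only" if addr in ("127.0.0.1", "[::1]") else "network"
        if (proto, port) not in allowlist:
            findings.append({"service": name, "port": f"{proto}/{port}",
                             "issue": "unapproved", "exposure": exposure})
        elif not encrypted:
            findings.append({"service": name, "port": f"{proto}/{port}",
                             "issue": "cleartext", "exposure": exposure})
    return findings


if __name__ == "__main__":
    for f in review_host(SAMPLE_SS_OUTPUT, SAMPLE_ALLOWLIST):
        print(f"{f['port']:9} {f['issue']:10} {f['exposure']:10} {f['service']}")
```

With the sample allowlist the review reports TFTP, FTP, HTTP and the unknown listener on 8080 as unapproved, and notes that the last one is bound to loopback only. Adding ("tcp", 80) to the allowlist changes the HTTP finding from "unapproved" to "cleartext", which is the booklet's second question: is an approved service carried over an encrypted channel? An unknown port is treated as not encrypted, so it still surfaces if someone approves it without identifying it.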



INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

SUBPART C - Exception to Opt Out Requirements for Service Providers and Joint Marketing

47.  If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised notice requirements in §8, not apply because:

a.  the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]

b.  the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and

c.  the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §14 or §15 in the ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated