R. Kinney Williams & Associates
Internet Banking News
September 3, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning: it takes a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Beware Of WiFi Bandits Known As 'Evil Twins' - You can't walk by a coffee shop these days without seeing a crowd of people inside surfing the net on their laptops. Public WiFi connections have made it a breeze to jump online from almost anywhere, but that convenience doesn't come without risk. The problem is the WiFi connection you choose could be a fraud, known as an evil twin. "An evil twin is someone pretending to be an official looking WiFi hotspot in order to steal your information," said Jonathan Singer, a computer security expert with the Yankee Group.
http://cbs4boston.com/specialreports/local_story_227155439.html
FYI - Small drives cause big problems - Small USB drives with large capacities are causing security worries for both companies and consumers. That is one of the conclusions of a survey released. Universal Serial Bus (USB) drives, sometimes called thumb drives or flash drives, are major security concerns as more are lost or stolen, says security firm Vontu, which sponsored the survey.
http://www.usatoday.com/tech/news/computersecurity/2006-08-15-thumbdrives-stolen_x.htm
FYI - Authentication in an Internet Banking Environment - The Federal Financial Institutions Examination Council has published the attached frequently asked questions to assist financial institutions and their technology service providers in conforming with the FFIEC guidance entitled Authentication in an Internet Banking Environment.
www.fdic.gov/news/news/financial/2006/fil06077.html
FYI - BoI customers fall victim to phishing scam - Bank of Ireland customers have been hit by a new phishing scam, which has already cost some of its customers more than €110,000.
http://www.theregister.co.uk/2006/08/17/boi_phishing_attack/print.html
FYI - Data theft may hurt workers - Chevron may have pocketed record profits of $4.35 billion in the most recent quarter, but that wasn't enough to protect the names and Social Security numbers of potentially tens of thousands of employees.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/08/16/BUG1EKJ14T1.DTL
FYI - Laptops' data costly to protect - Thieves after hardware inflicting a pricey penalty. After Matrix Capital Bank had portable computers stolen, it spent over $50,000 to monitor security and reassure customers.
http://www.denverpost.com/business/ci_4187189
FYI - 78% Merchants don't know... and institutions don't care about PCI DSS - 22% of the major retailers (approximately 290 in the United States) are PCI DSS compliant, and 78% are on track to being compliant. This figure, as appropriately highlighted and restated several times on other news sites, is ignorant of the mid-tier merchants and the service providers.
http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/
FYI - FBI Investigating Theft of 10 Hospital Computers - In the latest episode of stolen computers and compromised personal records, Hospital Corporation of America reported on Aug. 18 that 10 computers had been stolen from one of the health care provider's regional offices. The computers "held thousands of files listing unpaid bills from Medicare and Medicaid patients" who had treatment at hospitals managed by the company in eight states, HCA said in a statement on its Web site.
http://www.eweek.com/article2/0%2C1895%2C2006225%2C00.asp
FYI - Federal student aid site exposes borrowers' data - The U.S. Department of Education has disabled the online payment feature for its Federal Student Aid site, following a security breach that could affect up to 21,000 borrowers.
http://news.com.com/2102-1029_3-6109405.html?tag=st.util.print
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 2 of 10)

A. RISK DISCUSSION

Introduction

Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 1 of 2)

Hardware and software located in a user department are often less secure than that located in a computer room. Distributed hardware and software environments (e.g., local area networks or LANs) that offer a full range of applications for small financial institutions as well as larger organizations are commonly housed throughout the organization, without special environmental controls or raised flooring. In such situations, physical security precautions are often less sophisticated than those found in large data centers, and overall building security becomes more important. Internal control procedures are necessary for all hardware and software deployed in distributed, and less secure, environments. The level of security surrounding any IS hardware and software should depend on the sensitivity of the data that can be accessed, the significance of applications processed, the cost of the equipment, and the availability of backup equipment.

Because of their portability and location in distributed environments, PCs often are prime targets for theft and misuse. The location of PCs and the sensitivity of the data and systems they access determine the extent of physical security required. For PCs in unrestricted areas such as a branch lobby, a counter or divider may provide the only barrier to public access. In these cases, institutions should consider securing PCs to workstations, locking or removing disk drives, and using screensaver passwords or automatic timeouts. Employees also should have only the access to PCs and data they need to perform their job. The sensitivity of the data processed or accessed by the computer usually dictates the level of control required. The effectiveness of security measures depends on employee awareness and enforcement of these controls.

An advantage of PCs is that they can operate in an office environment, providing flexible and informal operations. However, as with larger systems, PCs are sensitive to environmental factors such as smoke, dust, heat, humidity, food particles, and liquids. Because they are not usually located within a secure area, policies should be adapted to provide protection from ordinary contaminants.

Other environmental problems to guard against include electrical power surges and static electricity. The electrical power supply in an office environment is sufficient for a PC's requirements. However, periodic fluctuations in power (surges) can cause equipment damage or loss of data. PCs in environments that generate static electricity are susceptible to static electrical discharges that can cause damage to PC components or memory.
IT SECURITY QUESTION:

D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

7. Determine whether systems are protected against malicious software such as Trojan horses, viruses, and worms.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.