FYI -
At its annual meeting in August, the American Bar Association spoke
strongly to the states on the inadvisability of requiring those who
perform computer forensics services to obtain a private
investigator's license.
http://ridethelightning.senseient.com/2008/08/aba-resoundingl.html
FYI -
Watchdog aims to compel data-breach confessions - The National
Consumer Council watchdog is calling on lawmakers to force
businesses to confess to data breaches. The National Consumer
Council (NCC) is petitioning the EU to draft legal powers to compel
businesses and banks to inform customers when they lose their
personal data.
http://news.zdnet.co.uk/security/0,1000000189,39483398,00.htm
FYI -
Chinese researchers use heartbeats against implant hacking - Wireless
software updates for medical implants are gradually replacing
incisions. Modern implants - from pacemakers to insulin pumps and
sensors for bodily functions - have reduced the number of
maintenance operations needed.
http://www.heise-online.co.uk/security/Chinese-resarchers-use-heartbeats-against-implant-hacking--/news/111463
FYI -
Unauthorized web servers connected to IRS network - The Internal
Revenue Service (IRS) has identified 1,811 unauthorized web servers
connected to the agency's network, according to a recent audit
report.
http://www.scmagazineus.com/Unauthorized-web-servers-connected-to-IRS-network/article/116335/?DCMP=EMC-SCUS_Newswire
http://www.ustreas.gov/tigta/auditreports/2008reports/200820159fr.pdf
FYI -
Comply with Red Flag rules - By Nov. 1, creditors must comply with
Federal Red Flag rules designed to combat identity fraud. Banks and
credit issuers will be impacted, as will those unaccustomed to
regulations.
http://www.scmagazineus.com/Comply-with-Red-Flag-rules/article/115771/?DCMP=EMC-SCUS_Newswire
FYI -
Feds finally put teeth into HIPAA enforcement - Three years after
the federal law's rules on securing health care data took effect,
HHS has issued its first 'corrective action plan.' And more may be
on the way. A data security audit that the U.S. Department of Health
and Human Services conducted at Piedmont Hospital in Atlanta last
year was widely viewed within the health care industry as a
harbinger of further actions by the federal government to enforce
HIPAA's security and privacy rules.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=325376&taxonomyId=17&pageNumber=1
FYI -
Removing admin rights to secure desktops - Improving desktop
security is a priority for nearly all hospitals. This is fueled by
an increased recognition of the threat unsecured desktops pose as
well as a need to meet HIPAA compliance regulations.
http://www.scmagazineus.com/Removing-admin-rights-to-secure-desktops/article/116475/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Strike threat by prison officers after data is lost - Prison
officers yesterday threatened strike action after it emerged that a
computer disc containing the personal details of 5,000 justice staff
had been lost by a government contractor. Staff fear their personal
security has been put at risk, and unions warned that some employees
may have to be relocated.
http://www.guardian.co.uk/society/2008/sep/08/prisonsandprobation.justice/print
FYI -
GS Caltex Leaked Personal Data of 11 Mln Customers - Two multimedia
discs containing the personal information of 11.1 million customers
of GS Caltex, one of the nation's largest oil refineries, were found
on the street, police said yesterday.
GS Caltex Data Leak Was Inside Job
http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090631088
http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090844298
FYI -
Social Security numbers exposed on Iowa land-records Web site -
County recorders group restricts access to documents, proposes data
redaction effort - In the latest example of a data privacy
controversy that has become increasingly familiar nationwide, it
came to light this week that a publicly accessible
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114172&source=rss_topic17
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 3 of 10)
A. RISK DISCUSSION
Reputation Risk
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.
Nature of Product or Service
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
store.
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
in nature.
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
financial institution.
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
seller.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and
hubs. The unique IP address is commonly used in routing. Since users
typically use text names instead of IP addresses for their
addressing, the user's software must obtain the numeric IP address
before sending the message. The IP addresses are obtained from the
Domain Name System (DNS), a distributed database of text names
(e.g., anybank.com) and their associated IP addresses. For example,
financial institution customers might enter the URL of the Web site
in their Web browser. The user's browser queries the domain name
server for the IP associated with anybank.com. Once the IP is
obtained, the message is sent. Although the example depicts an
external address, DNS can also function on internal addresses.
A router directs where data packets will go based on a table that
links the destination IP address with the IP address of the next
machine that should receive the packet. Packets are forwarded from
router to router in that manner until they arrive at their
destination. Since the router reads the packet header and uses a table for
routing, logic can be included that provides an initial means of
access control by filtering the IP address and port information
contained in the message header. Simply put, the router can refuse
to forward, or forward to a quarantine or other restricted area, any
packets that contain IP addresses or ports that the institution
deems undesirable. Security policies should define the filtering
required by the router, including the type of access permitted
between sensitive source and destination IP addresses. Network
administrators implement these policies by configuring an access
configuration table, which creates a filtering router or a basic
firewall.
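To make the "access configuration table" concrete, here is an added example (not from the FFIEC booklet) of a toy filtering router in Python that applies an ordered rule table to packet headers and either forwards, quarantines or drops them; all addresses, ports and rules are constructed for illustration.

```python
# Added example, not FFIEC material: a toy filtering router that applies an
# "access configuration table" to packet headers. Addresses, ports and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str               # network the header's source address must fall in
    dst: str               # network the header's destination address must fall in
    dport: Optional[int]   # destination port, None matches any port
    action: str            # "forward", "quarantine" or "drop"

# Constructed table, evaluated top-down with first match winning, so order matters:
# 10.10.0.0/16 is the institution's internal range, 10.10.5.20 a sensitive host,
# 10.10.9.0/24 the administrators' segment, 10.10.1.0/24 the public web tier.
ACCESS_TABLE = [
    Rule("10.10.9.0/24", "10.10.5.20/32", 22,   "forward"),     # admins may SSH to the sensitive host
    Rule("0.0.0.0/0",    "10.10.5.20/32", None, "drop"),        # everyone else is refused, any port
    Rule("0.0.0.0/0",    "10.10.0.0/16",  23,   "quarantine"),  # telnet to internal hosts is diverted for review
    Rule("10.10.0.0/16", "10.10.0.0/16",  None, "forward"),     # other internal-to-internal traffic passes
    Rule("0.0.0.0/0",    "10.10.1.0/24",  443,  "forward"),     # the public web tier accepts HTTPS from anywhere
]
DEFAULT_ACTION = "drop"   # anything the table does not explicitly address is refused

def rule_matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    """True when the header's source, destination and port all fall within the rule."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def decide(src: str, dst: str, dport: int) -> str:
    """Action for one packet header: the first matching rule, else the default."""
    for rule in ACCESS_TABLE:
        if rule_matches(rule, src, dst, dport):
            return rule.action
    return DEFAULT_ACTION

def filter_packets(headers: List[Tuple[str, str, int]]) -> List[Tuple[Tuple[str, str, int], str]]:
    """Apply the table to a batch of (src, dst, dport) headers."""
    return [(h, decide(*h)) for h in headers]

if __name__ == "__main__":
    # Constructed sample headers: (source address, destination address, destination port).
    sample = [
        ("10.10.9.7",    "10.10.5.20", 22),   # admin SSH to the sensitive host
        ("10.10.3.44",   "10.10.5.20", 22),   # non-admin internal host trying the same
        ("198.51.100.9", "10.10.1.15", 443),  # Internet client reaching the web tier
        ("198.51.100.9", "10.10.1.15", 23),   # telnet from the Internet
        ("198.51.100.9", "10.10.3.44", 445),  # nothing in the table covers this
    ]
    for header, action in filter_packets(sample):
        print(f"{header[0]:>14} -> {header[1]}:{header[2]:<4} {action}")
```

Swapping the first two rules would silently cut off administrators as well, which is why a filtering router's table must be reviewed as an ordered whole rather than rule by rule.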
A switch directs the path a message will take within the network.
Switching works faster than IP routing because the switch only looks
at the network address for each message and directs the message to
the appropriate computer. Unlike routers, switches do not support
packet filtering. Switches, however, are designed to send messages
only to the device for which they were intended. The security
benefits from that design can be defeated and traffic through a
switch can be sniffed.
IT SECURITY QUESTION:
C. HOST SECURITY
4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment.
INTERNET PRIVACY - This concludes our series listing the regulatory-privacy examination questions. Next week, we will begin our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice
in §8, and for service providers and joint marketers in §13, not
apply because the institution makes the disclosure:
a. with the consent or at the direction of the consumer;
[§15(a)(1)]
b. 1. to protect the confidentiality or security of records; [§15(a)(2)(i)]
2. to protect against or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]
3. for required institutional risk control or for resolving
consumer disputes or inquiries; [§15(a)(2)(iii)]
4. to persons holding a legal or beneficial interest relating
to the consumer; [§15(a)(2)(iv)] or
5. to persons acting in a fiduciary or representative capacity
on behalf of the consumer; [§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty funds or
agencies, agencies rating the institution, persons assessing
compliance, and the institution's attorneys, accountants, and
auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy Act, or
to law enforcement agencies; [§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA
or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]
f. in connection with a proposed or actual sale, merger,
transfer, or exchange of all or a portion of a business or operating
unit, if the disclosure of nonpublic personal information concerns
solely consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or
legal requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by Federal, state,
or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory
authorities having jurisdiction over the institution for
examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]
(Note: the regulation gives the following as an example of
the exception described in section a of this question: "A
consumer may specifically consent to [an institution's] disclosure
to a nonaffiliated insurance company of the fact that the consumer
has applied to [the institution] for a mortgage so that the
insurance company can offer homeowner's insurance to the
consumer.") |