FYI - This week, I am attending
the Information Security and Risk Management Conference sponsored by
the Information Systems Audit and Control Association (ISACA) being
held at Caesars Palace in Las Vegas. I look forward to meeting
any of you who will also be in attendance.
FYI -
DuPont sues Chinese scientist for trade-secret theft - Hong Meng
accused of stealing data on thin-screen tech to help rivals - For
the second time in less than three years, a research scientist at
DuPont has been accused of misappropriating trade secrets from the
company and attempting to use them to build competing products in
China.
http://www.computerworld.com/s/article/9137780/DuPont_sues_Chinese_scientist_for_trade_secret_theft?source=rss_security
FYI -
ISPs asked to cut off malware-infected PCs - Voluntary code of
conduct puts onus on service providers. The Internet Industry
Association (IIA) has drafted a new code of conduct that suggests
Internet Service Providers (ISPs) contact, and in some cases
disconnect, customers that have malware-infected computers.
http://www.securecomputing.net.au/News/155673,isps-asked-to-cut-off-malwareinfected-pcs.aspx
FYI -
Bill to bolster California breach law awaits governor - A new Senate
bill in California, which seeks to complement the state's
trailblazing SB-1386 data breach disclosure bill, is ready for Gov.
Arnold Schwarzenegger's signature.
http://www.scmagazineus.com/Bill-to-bolster-California-breach-law-awaits-governor/article/148734/
FYI -
911 center official guilty of official misconduct - The former
director of a 911 emergency dispatch center in Kane County has
pleaded guilty to charges that he used a criminal background search
database illegally.
http://www.suntimes.com/news/24-7/1764493,illegal-background-checks-sentence-091109.article
http://www.chicagotribune.com/news/chi-ap-il-911misconduct,0,320856.story
FYI -
TJX ringleader pleads guilty - One of the leaders of an
international ring of credit card thieves on Friday pleaded guilty
to multiple federal charges, including conspiracy, computer fraud,
access device fraud and identity theft.
http://www.scmagazineus.com/TJX-ringleader-pleads-guilty/article/148891/?DCMP=EMC-SCUS_Newswire
FYI -
SANS finds pros overlooking dangers of client, web apps - Most
organizations are stuck in the past, focusing disproportionately on
patching operating systems rather than on the client-side and web
applications that pose the greatest risk, according to a report
released by the SANS Institute.
http://www.scmagazineus.com/SANS-finds-pros-overlooking-dangers-of-client-web-apps/article/148998/?DCMP=EMC-SCUS_Newswire
FYI -
New York Times inadvertently sold ad space to hackers - Attackers
posing as an advertiser for an internet phone company switched
their tactics over the weekend and began pushing rogue anti-virus
programs to readers of The New York Times website, the newspaper
revealed.
http://www.scmagazineus.com/New-York-Times-inadvertently-sold-ad-space-to-hackers/article/148990/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Intelligence Analyst Charged With Hacking Top Secret, Anti-Terror
Program - An analyst at a Defense Department spy satellite agency
faces federal hacking charges after allegedly poking around in a
top-secret system used in a classified terrorism investigation
involving the FBI and the U.S. Army.
http://www.wired.com/threatlevel/2009/09/montgomery/
FYI -
Hackers breach Warrick Co. bank accounts - Cyber
thieves have recently hacked their way into dozens of online bank
accounts in Warrick County.
http://www.14wfie.com/Global/story.asp?S=11116573
http://tristatehomepage.com/content/fulltext/?cid=94971
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Banking Supervision.
Principle 5: Banks should ensure that appropriate measures are in
place to protect the data integrity of e-banking transactions,
records and information.
Data integrity refers to the assurance that information that is
in transit or in storage is not altered without authorization.
Failure to maintain the data integrity of transactions, records and
information can expose banks to financial losses as well as to
substantial legal and reputational risk.
The inherent nature of straight-through processes for e-banking may
make programming errors or fraudulent activities more difficult to
detect at an early stage. Therefore, it is important that banks
implement straight-through processing in a manner that ensures
safety and soundness and data integrity.
As e-banking is transacted over public networks, transactions are
exposed to the added threat of data corruption, fraud and tampering
with records. Accordingly, banks should ensure that appropriate
measures are in place to ascertain the accuracy, completeness and
reliability of e-banking transactions, records and information that
is either transmitted over the Internet, resident on internal bank
databases, or transmitted/stored by third-party service providers on
behalf of the bank. Common practices used to maintain data integrity
within an e-banking environment include the following:
1) E-banking transactions should be conducted in a manner that makes
them highly resistant to tampering throughout the entire process.
2) E-banking records should be stored, accessed and modified in a
manner that makes them highly resistant to tampering.
3) E-banking transaction and record-keeping processes should be
designed in such a manner as to make it virtually impossible to
circumvent detection of unauthorized changes.
4) Adequate change control policies, including monitoring and testing
procedures, should be in place to protect against any e-banking
system changes that may erroneously or unintentionally compromise
controls or data reliability.
5) Any tampering with e-banking transactions or records should be
detected by transaction processing, monitoring and record keeping
functions.
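Practices 2, 3 and 5 above amount to one engineering requirement: a
record store in which any alteration, deletion or reordering of a
transaction record is detectable after the fact. The example below is
an added illustration written for this newsletter, not code from the
Basel Committee paper or from any bank. It keeps transaction records
in a keyed hash chain: each entry carries an HMAC over the
transaction, its sequence number and the previous entry's tag. A plain
hash chain is not enough, because anyone who can write the store can
simply recompute the hashes; the HMAC key (a constructed placeholder
here, held in an HSM or KMS in practice) is what an attacker with
database access does not have. The sample transactions are
constructed.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In production this lives in an HSM/KMS and is never
# readable by the application that writes the ledger.
LEDGER_KEY = b"demo-ledger-key-not-for-production"
GENESIS = "0" * 64  # "previous tag" for the first entry


def canonical(fields: dict) -> bytes:
    """Deterministic JSON so the same record always yields the same tag."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_entry(key: bytes, seq: int, prev_tag: str, txn: dict) -> dict:
    """Tag covers the transaction, its position and the previous tag, so edits,
    deletions and reorderings all break the chain."""
    body = {"seq": seq, "prev": prev_tag, "txn": txn}
    body["tag"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


def append(ledger: list, key: bytes, txn: dict) -> dict:
    prev = ledger[-1]["tag"] if ledger else GENESIS
    entry = make_entry(key, len(ledger), prev, txn)
    ledger.append(entry)
    return entry


def verify(ledger: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, index) of the
    first entry whose tag, sequence number or back-link does not check out."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {"seq": entry["seq"], "prev": entry["prev"], "txn": entry["txn"]}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, i
        prev = entry["tag"]
    return True, None


def demo() -> dict:
    """Build a small ledger, then try the tampering a monitoring function must catch."""
    ledger = []
    for txn in [  # constructed sample transactions
        {"from": "ACC-1001", "to": "ACC-2002", "amount": "150.00", "ccy": "USD"},
        {"from": "ACC-1001", "to": "ACC-3003", "amount": "42.10", "ccy": "USD"},
        {"from": "ACC-2002", "to": "ACC-1001", "amount": "9.99", "ccy": "USD"},
    ]:
        append(ledger, LEDGER_KEY, txn)
    results = {"intact": verify(ledger, LEDGER_KEY)}

    t = copy.deepcopy(ledger)            # 1. silently change an amount
    t[1]["txn"]["amount"] = "9000.00"
    results["amount_changed"] = verify(t, LEDGER_KEY)

    t = copy.deepcopy(ledger)            # 2. delete a record from the middle
    del t[1]
    results["entry_deleted"] = verify(t, LEDGER_KEY)

    t = []                               # 3. rebuild the whole chain without the key
    for e in ledger:
        append(t, b"attacker-guess", e["txn"])
    results["forged_chain"] = verify(t, LEDGER_KEY)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")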
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY TESTING
Information security is an integrated process that reduces
information security risks to acceptable levels. The entire process,
including testing, is driven by an assessment of risks. The greater
the risk, the greater the need for the assurance and validation
provided by effective information security testing.
In general, risk increases with system accessibility and the
sensitivity of data and processes. For example, a high-risk system
is one that is remotely accessible and allows direct access to
funds, fund transfer mechanisms, or sensitive customer data.
Information-only Web sites that are not connected to any internal
institution system or transaction-capable service are lower-risk
systems. Information systems that exhibit high risks should be
subject to more frequent and rigorous testing than low-risk systems.
Because tests only measure the security posture at a point in time,
frequent testing provides increased assurance that the processes
that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete controls,
such as password strength. Others address only technical
configuration, or may consist of audits against standards. Some
tests are overt studies to locate vulnerabilities. Other tests can
be designed to mimic the actions of attackers. In many situations,
management may decide to perform a range of tests to give a complete
picture of the effectiveness of the institution's security
processes. Management is responsible for selecting and designing
tests so that the test results, in total, support conclusions about
whether the security control objectives are being met.
IT SECURITY
QUESTION:
ENCRYPTION
3. Determine if cryptographic key controls are adequate.
! Identify where cryptographic keys are stored.
! Review security where keys are stored and when they are used
(e.g., in a hardware module).
! Review cryptographic key distribution mechanisms to secure
the keys against unauthorized disclosure, theft, and diversion.
! Verify that two persons are required for a cryptographic key
to be used, where appropriate.
! Review audit and security reports that review the adequacy
of cryptographic key controls.
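The fourth item, two-person control over key use, is often met by
handing custodians shares of a key rather than the key itself. The
example below is added here to show what an examiner is looking for;
it is not code from the FFIEC booklet or from any vendor. It uses
Shamir's threshold secret sharing over the prime field GF(2^521 - 1)
(a field choice assumed for the example, large enough to hold a
256-bit key as one element): a 2-of-3 split means any two custodians
can reconstitute the key, one cannot, and a single share is
information-theoretically consistent with every possible key. The
demo also shows a fingerprint check, because a corrupted or swapped
share yields a wrong key silently rather than an error. The key is
generated in the example and stands in for material that would live
in a hardware module.

```python
import hashlib
import secrets

# Mersenne prime 2**521 - 1 (assumed field for this example): every 256-bit key
# is a valid element, so no key value needs special handling.
P = 2**521 - 1


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x over GF(P) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, threshold: int, share_count: int):
    """Split key into share_count points on a random polynomial of degree
    threshold-1 whose constant term is the key. Any threshold points recover it."""
    secret = int.from_bytes(key, "big")
    if not 1 < threshold <= share_count or secret >= P:
        raise ValueError("bad threshold or key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_key(shares, threshold: int, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0. Refusing fewer than threshold shares is
    the dual-control check itself: the key never exists in memory otherwise."""
    if len(shares) < threshold:
        raise PermissionError(f"{threshold} custodians required, {len(shares)} present")
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share presented")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    if secret >= 256 ** key_len:
        raise ValueError("reconstructed value does not fit the key length: wrong shares?")
    return secret.to_bytes(key_len, "big")


def single_share_fits(share, candidate_key: bytes) -> bool:
    """In a 2-of-n scheme one share (x, y) fits ANY candidate secret s, since the
    slope a1 = (y - s) / x always exists. That is why one custodian learns nothing."""
    x, y = share
    s = int.from_bytes(candidate_key, "big")
    a1 = (y - s) * pow(x, -1, P) % P
    return _eval_poly([s, a1], x) == y


def key_fingerprint(key: bytes) -> str:
    """Stored beside the shares so a reconstituted key can be checked before use."""
    return hashlib.sha256(key).hexdigest()


def demo() -> dict:
    key = secrets.token_bytes(32)      # stands in for a key held in an HSM
    shares = split_key(key, threshold=2, share_count=3)  # three custodians, any two unlock
    fp = key_fingerprint(key)
    results = {"two_custodians": recover_key([shares[0], shares[2]], 2, 32) == key}
    try:
        recover_key([shares[1]], 2, 32)
        results["one_custodian_refused"] = False
    except PermissionError:
        results["one_custodian_refused"] = True
    # Even bypassing the check, a lone share is consistent with every key.
    results["lone_share_uninformative"] = all(
        single_share_fits(shares[1], c) for c in (key, bytes(32), secrets.token_bytes(32)))
    # A corrupted share gives a wrong key with no error; the fingerprint catches it.
    bad = (shares[1][0], (shares[1][1] + 1) % P)
    try:
        results["corrupted_share_detected"] = key_fingerprint(
            recover_key([shares[0], bad], 2, 32)) != fp
    except ValueError:
        results["corrupted_share_detected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} -> {outcome}")
```

When reviewing a real deployment, the things to confirm are the ones
the demo makes visible: the reconstruction step runs inside the
hardware module or a single controlled process, the custodians never
see each other's shares, and the recovered key is checked against a
stored fingerprint before it is used.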
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
27. If each joint consumer may
opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint
consumers; [§7(d)(3)]
b. the joint consumers to notify the institution in a single
response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself,
and/or for another joint consumer? [§7(d)(5)]