FYI - Banks should shape
up on security - Banks must improve security practices or risk
losing some customers, IT services company EDS said.
http://news.com.com/2102-1029_3-5875906.html?tag=st.util.print
FYI - Cons, not vandals,
now write viruses - Computer hackers seeking financial gain rather
than thrills or notoriety are increasingly flooding the Internet
with malicious software code, according to a semi-annual report from
security company Symantec.
http://news.com.com/2102-7349_3-5872501.html?tag=st.util.print
FYI - More spyware used
in identity theft - Spyware is increasingly being used by criminals
to sniff out user passwords and log keystrokes, according to new
research.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=62f3a7eb-1e23-4a6a-8a52-dac269c033cc&newsType=Latest%20News&s=n
FYI - Users play fast
and loose with corporate PCs - Users are more likely to engage in
risky internet behaviour at work because they reckon their IT
department will protect them against viruses, worms, spyware, spam,
phishing, and other security threats. That's according to a recent
online survey of 1,200 corporate end users in the US, Germany, and
Japan conducted by net security firm Trend Micro.
http://www.theregister.co.uk/2005/09/13/unsafe_computing_survey/print.html
FYI - Navy: Don't access
personal e-mail at work - Navy employees can no longer access
personal e-mail accounts, including Yahoo Mail and Microsoft
Hotmail, from the service's networks without approval. That is one
of six rules in the Navy's new acceptable use of information
technology policy issued in July.
Press release:
http://www.fcw.com/article90710-09-09-05-Web&RSS=yes
Policy:
http://www.fcw.com/fcwdownload/pdf/effectiveuse.pdf
FYI - Symantec Internet
Security Threat Report Identifies Shift Toward Focused Attacks on
Desktops - Symantec Corp. released its eighth volume of the Internet
Security Threat Report, one of the most comprehensive sources of
Internet threat data in the world. The semiannual report, covering
the six-month period from January 1 to June 30, 2005, identified new
methods of using malicious code for financial gain with increasing
frequency to target desktops rather than enterprise perimeters.
http://smallbiz.symantec.com/press/2005/n050919a.html
FYI - Key clicks betray
passwords, typed text - Eavesdroppers armed with a shotgun
microphone or a small recording device could make off with a
computer user's sensitive documents and data, three university
researchers said in a paper released this week.
http://www.securityfocus.com/news/11318
FYI - Credit bureaus to
adopt data protection standard - The top three U.S. credit reporting
companies said on Thursday they would adopt a single, shared
encryption standard to better protect the huge amounts of sensitive
electronic data they receive every day from banks, retailers and
credit-card companies.
http://news.com.com/2102-1029_3-5877870.html?tag=st.util.print
FYI - Beyond Vulnerability Scans - Security Considerations for Auditors -
Poorly conducted penetration tests and ethical attacks may not fully
identify security vulnerabilities in IT systems, leaving
organizations exposed to external threats.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5651
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Schemes
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
costly litigation.
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
messages:
• A financial institution's Web page should never be accessed
from a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a bookmark that directs the Web browser to the financial
institution's Web site.
• A financial institution should not be sending e-mail
messages that request confidential information, such as account
numbers, passwords, or PINs. Financial institution customers should
be reminded to report any such requests to the institution.
• Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the site certificate shown in the
properties of a secure Web page.
To explain the red flags and risks of phishing and identity theft,
financial institutions can refer customers to or use resources
distributed by the Federal Trade Commission (FTC), including the
following FTC brochures:
• "How Not to Get Hooked by the 'Phishing' Scam," published in
July 2003, which is available at:
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
• "ID Theft: When Bad Things Happen to Your Good Name,"
published in September 2002, which is available at:
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system, to
identify and measure threats to the system and the data it contains
and transmits, and to estimate the likelihood that a threat will
take action against the system or data.
System characterization articulates the understanding of the system,
including the boundaries of the system being assessed, the system's
hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer nonpublic personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm or inconvenience to customers).
They should consider the potential effect and likelihood for failure
within the control environment due to non-malicious or malicious
events. They should also be coordinated with business continuity
planning to include attacks performed when those plans are
implemented. Non-malicious scenarios typically involve accidents
related to inadequate access controls and natural disasters.
Malicious scenarios, either general or specific, typically involve a
motivated attacker (i.e., threat) exploiting a vulnerability to gain
access to an asset to create an outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
identity theft.
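The ranking, cross-referencing and scenario analysis described above can be carried through on a small inventory. The following is an added worked example written for this newsletter, not text or code from the FFIEC booklet; the asset names, sensitivity ranks, likelihood values and controls are constructed, and the likelihood-times-sensitivity scoring is one common convention, not one the booklet mandates.

```python
"""Worked example of the 'analyze information' step: rank assets by
sensitivity, enumerate threat scenarios, cross-reference vulnerabilities to
current controls, and score the residual risk of each scenario.

Added illustration for this newsletter section, not FFIEC text or code.
The asset names, scores and controls below are constructed."""
from dataclasses import dataclass

# Sensitivity ranking of data/system components (higher = more sensitive).
# GLBA nonpublic personal information (NPI) is ranked at the top.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "customer_npi": 4}


@dataclass
class Asset:
    name: str
    classification: str
    vulnerabilities: set      # vulnerability identifiers present on the asset


@dataclass
class Control:
    name: str
    mitigates: set            # vulnerability identifiers this control addresses


@dataclass
class ThreatScenario:
    description: str
    asset: Asset
    exploits: str             # the vulnerability the scenario relies on
    likelihood: int           # 1 (rare) .. 5 (expected)
    malicious: bool = True    # False for accidents and natural disasters


def unmitigated(asset: Asset, controls: list) -> set:
    """Cross-reference the asset's vulnerabilities against current controls and
    return the ones no control covers: the control areas to improve."""
    covered = set().union(*(c.mitigates for c in controls))
    return asset.vulnerabilities - covered


def score(scenario: ThreatScenario, controls: list) -> int:
    """Residual risk = likelihood x impact, with impact taken as the asset's
    sensitivity rank. A scenario whose vulnerability is already mitigated by a
    current control scores 0, which limits the analysis to what matters."""
    if scenario.exploits not in unmitigated(scenario.asset, controls):
        return 0
    return scenario.likelihood * SENSITIVITY[scenario.asset.classification]


def prioritize(scenarios: list, controls: list) -> list:
    """Return (score, description) pairs, highest residual risk first."""
    ranked = [(score(s, controls), s.description) for s in scenarios]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed sample inventory -------------------------------------------------
CUSTOMER_DB = Asset("customer database", "customer_npi",
                    {"unpatched_web_app", "weak_db_password", "no_backup"})
BROCHURE_SITE = Asset("public brochure site", "public", {"unpatched_web_app"})
CONTROLS = [
    Control("monthly patching", {"unpatched_web_app"}),
    Control("offsite backups", {"no_backup"}),
]
SCENARIOS = [
    ThreatScenario("script kiddie exploits web app to dump customer data",
                   CUSTOMER_DB, "unpatched_web_app", likelihood=4),
    ThreatScenario("attacker guesses weak DB password", CUSTOMER_DB,
                   "weak_db_password", likelihood=3),
    ThreatScenario("flood destroys data center", CUSTOMER_DB,
                   "no_backup", likelihood=1, malicious=False),
    ThreatScenario("defacement of brochure site", BROCHURE_SITE,
                   "unpatched_web_app", likelihood=4),
]

if __name__ == "__main__":
    for risk, desc in prioritize(SCENARIOS, CONTROLS):
        print(f"{risk:2d}  {desc}")
    print("controls to improve:", sorted(unmitigated(CUSTOMER_DB, CONTROLS)))
```

Run stand-alone it lists the weak database password scenario first, because it is the only vulnerability on the NPI-bearing asset that no current control covers; re-scoring with an empty control list shows how much the existing patching and backup controls are already buying.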
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
3. Evaluate the effectiveness of password and shared secret
administration for employees and customers considering the
complexity of the processing environment and type of information
accessed. Consider:
• Confidentiality of passwords and shared secrets (whether only
known to the employee/customer);
• Maintenance of confidentiality through reset procedures;
• The frequency of required changes (for applications, the user
should make any changes from the initial password issued on
enrollment without any other user's intervention);
• Password composition in terms of length and type of characters
(new or changed passwords should result in a password whose strength
and reuse agrees with the security policy);
• The strength of shared secret authentication mechanisms;
• Restrictions on duplicate shared secrets among users (no such
restriction should exist: rejecting a new password because another user
already holds it would disclose that user's secret); and
• The extent of authorized access (e.g., privileged access, single
sign-on systems).
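The checks behind these examination points (composition, a forced change from the enrollment password, and reuse against the user's own history) are easier to evaluate with a concrete implementation in hand. The block below is an added illustration written for this newsletter, not FFIEC text or an institution's actual code; the minimum length, character-class count and history depth are assumed policy values, and the PBKDF2 storage scheme is one reasonable choice rather than anything the question prescribes.

```python
"""Password and shared-secret administration checks: composition, change
from the enrollment password, reuse against the user's own history, and
hashed-only storage. Added illustration for this newsletter, not FFIEC text;
the policy values are assumed examples, not regulatory requirements."""
import hashlib
import hmac
import os
import secrets
import string

# Assumed policy values (a real institution takes these from its security policy).
MIN_LENGTH = 12
REQUIRED_CLASSES = 3        # out of: lower, upper, digit, punctuation
HISTORY_DEPTH = 10          # previous passwords that may not be reused
PBKDF2_ROUNDS = 200_000


def character_classes(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(any(ch in cls for ch in pw) for cls in classes)


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def matches(pw: str, stored: tuple) -> bool:
    """Constant-time comparison of pw against a stored (salt, digest)."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


def issue_enrollment_password(length: int = 16) -> str:
    """Random initial secret issued on enrollment; the user must change it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


class UserRecord:
    """One employee's or customer's credential state (hashes only)."""

    def __init__(self, initial_password: str):
        self.initial = hash_password(initial_password)   # issued at enrollment
        self.current = self.initial
        self.history = []                                 # most recent last

    def change_password(self, new_pw: str) -> list:
        """Return the list of policy violations; apply the change only if empty.
        The user performs this change alone: no administrator sees new_pw."""
        problems = []
        if len(new_pw) < MIN_LENGTH:
            problems.append("too short")
        if character_classes(new_pw) < REQUIRED_CLASSES:
            problems.append("insufficient character classes")
        if matches(new_pw, self.initial):
            problems.append("still the enrollment password")
        elif matches(new_pw, self.current) or any(
                matches(new_pw, old) for old in self.history[-HISTORY_DEPTH:]):
            problems.append("reused from history")
        # Deliberately no check against OTHER users' passwords: a "someone
        # already uses this" rejection would disclose that user's secret.
        if not problems:
            self.history.append(self.current)
            self.current = hash_password(new_pw)
        return problems


if __name__ == "__main__":
    temp = issue_enrollment_password()
    user = UserRecord(temp)
    print("keeping enrollment password:", user.change_password(temp))
    print("weak choice:", user.change_password("abc"))
    print("acceptable:", user.change_password("Str0ng-Enough-Pw"))
    print("reuse:", user.change_password("Str0ng-Enough-Pw"))
```

Because only salted hashes are held, a reset procedure can issue a fresh enrollment password without anyone learning the old one, and confidentiality of the secret stays with the user, which is the first bullet of the question above.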
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out? [§10(c)]
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive
opt out.)
VISTA - Does Your Financial Institution need an affordable Internet
security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to verify their IT security
settings and to meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond simple port
scanning; testing focuses on a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney
Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.