R. Kinney Williams & Associates

Internet Banking News

October 8, 2006

CONTENTS: Internet Compliance, Information Systems Security, IT Security Question, Internet Privacy, Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - State CIO, CISO Speak About National Survey - The National Association of State Chief Information Officers (NASCIO) has released the findings of a summer survey of state Chief Information Security Officers (CISOs). According to NASCIO, results of the survey -- A Current View of State CISO: A National Survey Assessment -- "indicate that the state CISO position has become highly prevalent and is evolving into a state IT security policy and strategy leader." http://www.govtech.net/news/news.php?id=101109

FYI - New Jersey Lawyers File Identity Theft Class Action Against Bank of America - The New Jersey law firms of Pellettieri, Rabstein & Altman and Lynch Keefe Bartels filed a complaint against Bank of America today in New Jersey Superior Court, Law Division, Mercer County, on behalf of Trenton resident Cindy Jones. The attorneys announced their intention to seek class action status so that they can also represent other identity theft victims against financial services giant Bank of America, seeking damages resulting from the theft of tens of thousands of customer information files. http://www.pralaw.com/ourfirm/news.asp?article=55

FYI - ATM Maker Readies Anti-Hack Patch - The maker of a popular line of automated teller machines is planning a software upgrade that forces operators to change a default administrative pass code, after a surveillance tape showed a high-tech thief successfully hacking one of its ATMs in a Virginia gas station. http://www.wired.com/news/technology/0,71832-0.html?tw=wn_technology_9

FYI - Keep an eye on employee IM use - Safe instant messenger (IM) use in the workplace depends on enforcing company regulations and monitoring new threats, a major security firm recommended this week. While 60 percent of companies monitor and secure email, nine out of ten organizations lack any security structure for IM, according to researchers from Symantec. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060925/594105/

FYI - Survey shows 40 percent of organizations experienced a breach last year - A survey conducted today at Interop New York 2006 found that 40 percent of those polled worked for organizations that experienced at least one security breach within the past 12 months. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060925/593727/

FYI - Banks rated for ID theft - Looking for a bank that protects well against identity theft? Bank of America, JP Morgan Chase and Washington Mutual rate highest for consumer ID theft protection, according to a new report. http://news.com.com/Banks+rated+for+ID+theft/2100-1029-6119424.html?part=dht&tag=nl.e703

FYI - Erlanger employees' names, identification lost - Thousands of Erlanger hospital employees' names and personal identifying information stored electronically disappeared from a locked office on Sept. 15, and employees are hearing about the loss in letters sent to their homes this weekend, hospital officials said. According to the letters, sent Friday afternoon to about 4,150 current and former employees thought to be affected and about 2,050 current employees who were not, the names and accompanying personal information were stored on a USB storage device, also known as a "jump drive." http://www.tfponline.com/absolutenm/templates/breaking.aspx?articleid=5100&zoneid=41

FYI - Many U.S. Workers Favor E-Mail Monitoring, Research Shows - Despite the implied surrender of personal privacy, most workers at U.S.-based companies believe that their employers should be allowed to monitor electronic communications to help protect against misuse of sensitive data. http://www.eweek.com/article2/0,1759,2018143,00.asp

STOLEN COMPUTERS

FYI - Personal Information Stolen From DePaul Hospital - Your NewsChannel 3 has learned that someone has stolen two computers from the Radiation Therapy department at DePaul Medical Center in Norfolk. This affects a little more than 100 patients of the Radiation Therapy department. http://www.wtkr.com/global/story.asp?S=5423927&nav=ZolHbyvj

FYI - Commerce reports loss of more than 1,100 laptops over 5 years - An agencywide review at the Commerce Department turned up more than a thousand missing or stolen laptops over the last five years, with hundreds containing the personal information of American citizens. In response to a congressional request and public inquiries, Commerce found that of 30,000-plus laptops inventoried across the department's 15 organizations since 2001, 1,137 had been lost or stolen. Of these, 249 contained personally identifiable information, with varying levels of security ranging from simple passwords to full encryption. http://www.govexec.com/story_page.cfm?articleid=35081&printerfriendlyVers=1&

FYI - Thousands of GE Employees Could be at Risk of ID Theft - There is news that thousands of current and former GE employees could be at risk for identity theft. A company employee's laptop computer was recently stolen from his locked hotel room while he was traveling on business. http://www.wten.com/Global/story.asp?S=5452721&nav=6uyN

FYI - Computers with patient data stolen from Nagasaki hospital - Six notebook computers with data on about 9,000 patients have been stolen from Nagasaki University Hospital of Medicine and Dentistry in Nagasaki, a university official said. The data contained names, gender, dates of birth, and diagnoses of people who visited the hospital's hematology division since the early 1990s, the official said. http://www.yomiuri.co.jp/dy/national/20060924TDY02007.htm

FYI - KRA computers stolen - Burglars entered the heavily guarded Kenya Revenue Authority (KRA) offices at Times Tower and stole computers containing crucial information. The computers were taken from the 14th floor, which houses the income tax section. http://www.eastandard.net/print/news.php?articleid=1143958667

FYI - Missing Computers At CU-Boulder Contained I.D. Information, Investigation Is Underway - The Leeds School of Business at the University of Colorado at Boulder has issued letters to a number of students whose names and other information were stored on two computers that were found to be missing during the school's move to temporary quarters last May. http://www.colorado.edu/news/releases/2006/308.html

FYI - Purdue Notifies Students of Potential Security Breach - Purdue University is notifying more than 2,400 people that were students in 2000 that a computer containing their personal information may have been accessed remotely by unauthorized people. http://www.insideindianabusiness.com/newsitem.asp?ID=19775&print=1

FYI - Berry taking measures to protect students after consultant misplaces data - Berry College President Dr. Stephen R. Briggs informed the campus community of a potential security breach this morning. http://news.mywebpal.com/partners/680/public/news748399.html


Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 7 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships

Agreements

If a financial institution receives compensation from a third party as the result of a weblink to the third-party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:

1)  dissatisfied purchasers of third-party products or services;

2)  patent or trademark holders for infringement by the third party; and

3)  persons alleging the unauthorized release or compromise of their confidential information, as a result of the third-party's conduct.

The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.

In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.

Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations.  For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.


ENCRYPTION TYPES

Three types of encryption exist: the cryptographic hash, symmetric encryption, and asymmetric encryption.

A cryptographic hash reduces a variable-length input to a fixed-length output. The fixed-length output is a unique cryptographic representation of the input. Hashes are used to verify file and message integrity. For instance, if hashes are obtained from key operating system binaries when the system is first installed, the hashes can be compared to subsequently obtained hashes to determine if any binaries were changed. Hashes are also used to protect passwords from disclosure. A hash, by definition, is a one-way encryption. An attacker who obtains the password hash cannot run the hash through an algorithm to decrypt the password. However, the attacker can perform a dictionary attack, feeding all possible password combinations through the algorithm and looking for matching hashes, thereby deducing the password. To protect against that attack, "salt," or additional bits, are added to the password before encryption. The addition of the bits means the attacker must increase the dictionary to include all possible additional bits, thereby increasing the difficulty of the attack.

Symmetric encryption is the use of the same key and algorithm by the creator and reader of a file or message. The creator uses the key and algorithm to encrypt, and the reader uses both to decrypt. Symmetric encryption relies on the secrecy of the key. If the key is captured by an attacker either when it is exchanged between the communicating parties, or while one of the parties uses or stores the key, the attacker can use the key and the algorithm to decrypt messages, or to masquerade as a message creator.

Asymmetric encryption lessens the risk of key exposure by using two mathematically related keys, the private key and the public key. When one key is used to encrypt, only the other key can decrypt. Therefore, only one key (the private key) must be kept secret. The key that is exchanged (the public key) poses no risk if it becomes known. For instance, if individual A has a private key and publishes the public key, individual B can obtain the public key, encrypt a message to individual A, and send it. As long as individual A keeps his private key secure from discovery, only individual A will be able to decrypt the message.
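An added example, not from the FFIEC booklet or this newsletter, showing the two hash uses described above with Python's standard library: a baseline of file hashes taken at install time and checked later for changes, and a salted password hash that a precomputed table of unsalted hashes cannot match. It uses PBKDF2-HMAC-SHA256 as the salted, iterated hash (a modern choice the booklet does not name); the file paths, file contents and word list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample "binaries" (in practice: bytes read from the real files).
INSTALL_TIME_FILES = {
    "/usr/bin/login": b"login binary, version at install (constructed)",
    "/usr/bin/sshd": b"sshd binary, version at install (constructed)",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Record a hash of each key binary when the system is first installed."""
    return {path: sha256_hex(content) for path, content in files.items()}

def changed_files(baseline, current_files):
    """Recompute hashes later and report every path whose hash no longer matches."""
    return sorted(path for path, old in baseline.items()
                  if sha256_hex(current_files.get(path, b"")) != old)

def precomputed_table(wordlist):
    """Unsalted hashes of a word list: the precomputed 'dictionary' the text describes."""
    return {sha256_hex(word.encode()): word for word in wordlist}

def lookup(table, stored_hex):
    """Match a stored password hash against the table; None means no entry matches."""
    return table.get(stored_hex)

def hash_password(password, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); returns (salt, hex digest)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()

def verify_password(password, salt, stored_hex):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored_hex)

if __name__ == "__main__":
    baseline = build_baseline(INSTALL_TIME_FILES)
    tampered = {**INSTALL_TIME_FILES, "/usr/bin/sshd": b"sshd binary, modified (constructed)"}
    print("changed since install:", changed_files(baseline, tampered))
    table = precomputed_table(["password", "letmein", "qwerty"])
    print("unsalted hash found in table:", lookup(table, sha256_hex(b"letmein")))
    salt, stored = hash_password("letmein")
    print("salted:", lookup(table, stored), "verify:", verify_password("letmein", salt, stored))
```

With a salt, the same word list would have to be hashed again for every distinct salt value, which is the cost increase the booklet refers to.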

Return to the top of the newsletter

IT SECURITY QUESTION:

F. PERSONNEL SECURITY

1. Determine if the institution performs appropriate background checks on its personnel, during the hiring process and thereafter, according to the employee's authority over the institution's systems and information.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:

a. categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose;  [§6(e)(1)] and

b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [§6(e)(2)]

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated