R. Kinney Williams, Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
October 12, 2008
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Second hacker in TJX case pleads guilty - Scott, known as the wireless hacking expert, faces up to 22 years in prison, $1M fine - One of the major players in the massive hacking incidents at TJX Companies Inc., BJ Wholesale Clubs Inc. and other retailers pleaded guilty on Monday to identity theft and other felony charges in federal court in Boston.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115458&source=rss_topic17
FYI - New certification to stress software lifecycle safety - The movement to create secure software received a boost with the launch of a new certification from (ISC)2, a nonprofit leader in educating and certifying information security professionals. The certification, called the Certified Secure Software Lifecycle Professional (CSSLP), is designed to validate secure software development practices and build expertise to address the increasing number of application vulnerabilities.
http://www.scmagazineus.com/New-certification-to-stress-software-lifecycle-safety/article/118410/?DCMP=EMC-SCUS_Newswire
FYI - Network at Los Alamos vulnerable to attacks - Unclassified information on a network the Los Alamos National Laboratory operates is susceptible to unauthorized access because of major information security weaknesses, according to a Government Accountability Office report released on Friday.
http://www.nextgov.com/nextgov/ng_20080929_5288.php
http://www.gao.gov/new.items/d081180t.pdf
FYI - California laws will increase penalties for patient data snoopers - California Gov. Arnold Schwarzenegger on Tuesday signed two bills into law that will allow the state to impose harsher penalties on hospital workers who inappropriately access patient data.
http://www.scmagazineus.com/California-laws-will-increase-penalties-for-patient-data-snoopers/article/118618/?DCMP=EMC-SCUS_Newswire
FYI - Employees engage in risky computing - Data leaks - good intentions gone bad - Common employee behavior may result in data loss or leakage of a company's intellectual property, according to a study from Cisco.
http://www.scmagazineus.com/Study-Employees-engage-in-risky-computing/article/118606/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - NHS trust finds lost CDs holding 18,000 staff details - A London NHS hospital trust has found four discs, containing 18,000 staff details, that had been thought lost. The discs, which contained payroll details, went missing earlier this month.
http://news.zdnet.co.uk/security/0,1000000189,39494153,00.htm
FYI - Thieves accessed auction Web site 1.5 million times - Yahoo Japan Corp.'s auction Web site has been illegally accessed about 1.5 million times since May with codes and passwords stolen from members from an Internet protocol address in China. Access information was used without owner knowledge to sell items such as fake luxury-brand goods, and account holders were charged auction fees by the company for transactions they did not initiate.
http://www.yomiuri.co.jp/dy/national/20080927TDY02308.htm
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link, as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include:
1) due diligence with respect to third parties to which the financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Packet Filter Firewalls
Basic packet filtering was described in the router section and does not include stateful inspection. Packet filter firewalls evaluate the headers of each incoming and outgoing packet to ensure it has a valid internal address, originates from a permitted external address, connects to an authorized protocol or service, and contains valid basic header instructions. If the packet does not match the pre-defined policy for allowed traffic, the firewall drops the packet. Packet filters generally do not analyze the packet contents beyond the header information. Dynamic packet filtering incorporates stateful inspection primarily for performance benefits. Rather than re-examining every packet against the ruleset, the firewall checks each packet as it arrives to determine whether it is part of an existing connection. If it verifies that the packet belongs to an established connection, it forwards the packet without subjecting it to the firewall ruleset.
Weaknesses associated with packet filtering firewalls include the following:
- The system is unable to prevent attacks that employ application-specific vulnerabilities and functions because the packet filter cannot examine packet contents.
- Logging functionality is limited to the same information used to make access control decisions.
- Most do not support advanced user authentication schemes.
- Firewalls are generally vulnerable to attacks and exploitation that take advantage of problems in the TCP/IP specification.
- The firewalls are easy to misconfigure, which allows traffic to pass that should be blocked.
Packet filtering offers less security, but faster performance, than application-level firewalls. The former are appropriate in high-speed environments where logging and user authentication with network resources are not important. Packet filter firewalls are also commonly used in small office/home office (SOHO) systems and default operating system firewalls.
Institutions internally hosting Internet-accessible services should consider implementing additional firewall components that include application-level screening.
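The packet-filter behaviour described above, as an added example that is not part of the FFIEC booklet or this newsletter: a small Python model of a header-only filter, with the dynamic (stateful) variant that forwards packets on an established connection without consulting the ruleset. The network ranges, allowed services and sample packets are constructed for the example.

```python
import ipaddress

# Constructed policy for this example; not taken from the FFIEC booklet.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DENIED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443)}               # permitted (protocol, port)


class PacketFilter:
    """Header-only packet filter; stateful=True adds a connection table."""

    def __init__(self, stateful=False):
        self.stateful = stateful
        self.connections = set()  # 5-tuples of flows already admitted

    @staticmethod
    def _key(p):
        return (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])

    def _ruleset(self, p):
        """Stateless policy: only header fields are read, p['payload'] never is."""
        src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        if dst in INTERNAL_NET:                          # inbound packet
            if src in INTERNAL_NET:                      # internal address arriving from outside
                return "drop"
            if any(src in net for net in DENIED_EXTERNAL):
                return "drop"                            # not a permitted external address
            if (p["proto"], p["dport"]) not in ALLOWED_INBOUND:
                return "drop"                            # not an authorized service
            return "accept"
        if src in INTERNAL_NET:                          # outbound packet
            return "accept"
        return "drop"                                    # neither endpoint is ours

    def decide(self, p):
        # Dynamic filtering: a packet on an established flow skips the ruleset.
        if self.stateful and self._key(p) in self.connections:
            return "accept-established"
        verdict = self._ruleset(p)
        if verdict == "accept" and self.stateful:
            self.connections.add(self._key(p))
            # Record the reverse direction so the reply packets are forwarded too.
            self.connections.add((p["dst"], p["src"], p["proto"], p["dport"], p["sport"]))
        return verdict


def packet(src, dst, proto, sport, dport, payload=b""):
    # Constructed packet: header fields plus a payload the filter never inspects.
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "payload": payload}
```

Because the ruleset never reads the payload, two packets with identical headers and different contents receive identical verdicts, which is the first weakness listed above.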
IT SECURITY QUESTION:
C. HOST SECURITY
7. Determine whether access to utilities on the host is appropriately restricted and monitored.
INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.
Nonpublic Personal Information:
"Nonpublic personal information" generally is any information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a financial product or service from the institution;
2) results from a transaction between the consumer and the institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution's depositors would be nonpublic personal information even though the names and addresses might be published in local telephone directories, because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.
However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers where the mortgages are recorded in public records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about the customers on that list, without having to provide notice or opt out.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.