R. Kinney Williams
Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
October 19, 2008
Does Your Financial Institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - ISACA EUROPEAN NETWORK SECURITY CONFERENCE - I hope you have registered for the conference in Amsterdam, The Netherlands on November 10-12. If not, go to www.isaca.org/nsc for more information.
FYI - Identity theft victim wins right to sue county clerk over posting of personal data - Ohio appeals court reverses dismissal of lawsuit claiming that posting of speeding-ticket image violated privacy laws - An Ohio woman whose identity was allegedly stolen after an image of a speeding ticket containing her personal information was posted on a county government Web site can sue the county official responsible for putting such records online, a state appeals court in Cincinnati ruled last week.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115900&source=rss_topic17
FYI - MI6 camera for auction on Ebay - A 28-year old deliveryman living in Hertfordshire, UK, bought a used Nikon Coolpix camera on Ebay for about $31 because he was about to go on vacation.
http://blogs.computerworld.com/mi6_camera_for_auction_on_ebay
FYI - Hotel network security lacking - Most U.S. hotels are vulnerable to malicious attacks and are "ill prepared" to protect their guests from internet security problems, claims a study published by Cornell University.
http://www.scmagazineus.com/Study-Hotel-network-security-lacking/article/118819/?DCMP=EMC-SCUS_Newswire
FYI - Security strategies require diversity - Since organizations face unique security risks, an efficient and effective information security program cannot be achieved through a one-size-fits-all approach, concludes a follow-up report from the Verizon Business Risk Team.
http://www.scmagazineus.com/Study-Security-strategies-require-diversity/article/118680/?DCMP=EMC-SCUS_Newswire
FYI - Grand jury indicts two Europeans over denial-of-service attacks in 2003 - DDOS indictments come four years after two U.S. residents were charged in same attacks - A federal grand jury in Los Angeles has indicted two European men for allegedly orchestrating distributed denial-of-service (DDOS) attacks against a pair of U.S.-based Web sites in 2003.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116204&source=rss_topic17
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Louisiana Blue Cross confirms data breach - Blue Cross & Blue Shield of Louisiana compromised the personal data of about 1,700 brokers via an e-mail last week, exposing information such as Social Security numbers, phone numbers and addresses, according to a Blue Cross spokesman.
http://www.businessinsurance.com/cgi-bin/news.pl?id=14084
FYI - T-Mobile lost control of data on 17M customers in '06 incident - It was silent about the data loss for more than two years - This story has been changed since it was originally posted. After receiving further information from T-Mobile, it clarifies that the company did not lose a disk, although a disk containing company data was found.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116338&source=rss_topic17
FYI - Irish HSE hit by laptop theft - A laptop containing the details of thousands of HSE staff has been stolen in Dublin. The theft took place on September 17th at the Carnegie Centre in Dublin's Lord Edward Street; however, staff were not informed until 13 days after the incident.
http://www.scmagazineuk.com/Irish-HSE-hit-by-laptop-theft/article/118714/
FYI - Data breach at Virgin prompts encryption order - 3,000 details lost on CD - Virgin Media has been ordered to encrypt all portable media that is used to move data after it lost the details of 3,000 would-be customers.
http://www.silicon.com/research/specialreports/fulldisclosure/0,3800014102,39296160,00.htm?r=1
FYI - Stolen McCain party laptop had minimal data safeguards - A laptop containing GOP "strategic information" that was stolen from a regional party headquarters in Kansas City last week lacked any security safeguards beyond basic password protection, a party spokeswoman said Monday.
http://www.scmagazineus.com/Stolen-McCain-party-laptop-had-minimal-data-safeguards/article/119080/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Agreements
If a financial institution receives compensation from a third party as the result of a weblink to the third-party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or services;
2) patent or trademark holders for infringement by the third party; and
3) persons alleging the unauthorized release or compromise of their confidential information, as a result of the third-party's conduct.
The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.
In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations. For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Stateful Inspection Firewalls
Stateful inspection firewalls are packet filters that monitor the state of the TCP connection. Each TCP session starts with an initial handshake communicated through TCP flags in the header information. When a connection is established, the firewall adds the connection information to a table. The firewall can then compare future packets to the connection or state table. This essentially verifies that inbound traffic is in response to requests initiated from inside the firewall.
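The state-table behaviour described above, as an added Python example that is not code from the FFIEC booklet or from this newsletter: a toy packet filter that follows a TCP session through the three-way handshake and admits inbound packets only when they belong to a session an inside host opened. The 10.0.0.0/8 inside range, the addresses and the packet trace are constructed for this example.

```python
"""Toy stateful-inspection packet filter (added example, not FFIEC code).

Packets are small records carrying the fields a state table keys on:
source/destination address and port plus the TCP flags. Addresses in
10.0.0.0/8 are treated as 'inside the firewall' (an assumption made here).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # assumed internal address range (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE


@dataclass
class StatefulFirewall:
    # state table: (inside_ip, inside_port, outside_ip, outside_port) -> state
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _key(self, p: Packet) -> tuple:
        # Normalise so both directions of one session share one table entry.
        if is_inside(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def _allow(self, p: Packet, why: str) -> bool:
        self.log.append(f"ALLOW {p.src}:{p.sport}->{p.dst}:{p.dport} ({why})")
        return True

    def _deny(self, p: Packet, why: str) -> bool:
        self.log.append(f"DROP  {p.src}:{p.sport}->{p.dst}:{p.dport} ({why})")
        return False

    def filter(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        key = self._key(p)
        state = self.table.get(key)
        outbound = is_inside(p.src)

        if state is None:
            # Only an inside host may open a session; anything else is unsolicited.
            if outbound and p.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return self._allow(p, "new outbound session")
            return self._deny(p, "no matching state")
        if state == "SYN_SENT" and not outbound and p.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"
            return self._allow(p, "handshake reply")
        if state == "SYN_RECEIVED" and outbound and p.flags == {"ACK"}:
            self.table[key] = "ESTABLISHED"
            return self._allow(p, "handshake complete")
        if state in ("ESTABLISHED", "CLOSING"):
            if "RST" in p.flags:
                self.table.pop(key)
                return self._allow(p, "reset")
            if "FIN" in p.flags:
                # First FIN moves the session to CLOSING, the second removes it.
                if state == "ESTABLISHED":
                    self.table[key] = "CLOSING"
                else:
                    self.table.pop(key)
                return self._allow(p, "session closing")
            return self._allow(p, "established session")
        return self._deny(p, f"flags {sorted(p.flags)} unexpected in state {state}")


def run_demo() -> list:
    """Constructed trace: one legitimate HTTPS session plus two unsolicited packets."""
    fw = StatefulFirewall()
    inside, outside, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    trace = [
        Packet(inside, 40000, outside, 443, frozenset({"SYN"})),         # allowed
        Packet(outside, 443, inside, 40000, frozenset({"SYN", "ACK"})),  # allowed
        Packet(inside, 40000, outside, 443, frozenset({"ACK"})),         # allowed
        Packet(outside, 443, inside, 40000, frozenset({"ACK"})),         # allowed: reply data
        Packet(stranger, 5555, inside, 22, frozenset({"SYN"})),          # dropped: no state
        Packet(outside, 443, inside, 40001, frozenset({"ACK"})),         # dropped: wrong port
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    fw_result = run_demo()
    print(fw_result)  # [True, True, True, True, False, False]
```

The trace exercises the two checks a reviewer of firewall rules cares about: an inbound SYN from an unknown host is dropped because no table entry exists, and an inbound ACK aimed at a port the inside host never used is dropped for the same reason even though it comes from a host the firewall is otherwise talking to.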
Proxy Server Firewalls
Proxy servers act as an intermediary between internal and external IP addresses and block direct access to the internal network. Essentially, they rewrite packet headers to substitute the IP of the proxy server for the IP of the internal machine and forward packets to and from the internal and external machines. Due to that limited capability, proxy servers are commonly employed behind other firewall devices. The primary firewall receives all traffic, determines which application is being targeted, and hands off the traffic to the appropriate proxy server. Common proxy servers are the domain name server (DNS), Web server (HTTP), and mail (SMTP) server. Proxy servers frequently cache requests and responses, providing potential performance benefits. Additionally, proxy servers provide another layer of access control by segregating the flow of Internet traffic to support additional authentication and logging capability, as well as content filtering. Web and e-mail proxy servers, for example, are capable of filtering for potential malicious code and application-specific commands.
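The header rewriting and application-specific filtering the paragraph describes, as an added Python example that is not code from the FFIEC booklet or from this newsletter: a toy mail (SMTP) proxy that substitutes its own address for the internal sender, maps replies back to the internal host, and relays only an allow-list of SMTP commands, logging what it blocks. The proxy address 192.0.2.1, the port range starting at 50000 and the command allow-list are assumptions of this example.

```python
"""Toy application-layer (SMTP) proxy (added example, not FFIEC code).

Models the booklet's description: outbound traffic leaves with the proxy's
address in place of the internal machine's, replies are mapped back through
a port lease table, and application-specific commands are filtered.
"""
from dataclasses import dataclass

PROXY_IP = "192.0.2.1"  # assumed address of the proxy (constructed)
# Application-specific filtering: the commands this proxy will relay (assumed allow-list).
ALLOWED_SMTP = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


@dataclass
class Message:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class SmtpProxy:
    def __init__(self, first_port: int = 50000):
        self._next_port = first_port
        self.outbound_map = {}  # (internal_ip, internal_port) -> proxy port
        self.inbound_map = {}   # proxy port -> (internal_ip, internal_port)
        self.log = []

    def _lease_port(self, internal: tuple) -> int:
        """Give each internal (ip, port) pair its own port on the proxy."""
        port = self.outbound_map.get(internal)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.outbound_map[internal] = port
            self.inbound_map[port] = internal
        return port

    def outbound(self, m: Message):
        """Internal -> external: filter the command, then rewrite the source header.

        Returns the rewritten message, or None if the proxy refuses to relay it.
        Simplification: every line is treated as a command; a real SMTP proxy
        tracks the DATA phase so message bodies are not parsed as commands.
        """
        words = m.payload.split()
        verb = words[0].rstrip(":").upper() if words else ""
        if verb not in ALLOWED_SMTP:
            self.log.append(f"BLOCK {m.src}:{m.sport} command {verb or '<empty>'}")
            return None
        port = self._lease_port((m.src, m.sport))
        self.log.append(f"RELAY {m.src}:{m.sport} as {PROXY_IP}:{port} -> {m.dst}:{m.dport}")
        return Message(PROXY_IP, port, m.dst, m.dport, m.payload)

    def inbound(self, m: Message):
        """External -> internal: accept only replies to a port the proxy leased.

        Returns the message with the internal address restored, or None.
        """
        internal = self.inbound_map.get(m.dport)
        if m.dst != PROXY_IP or internal is None:
            self.log.append(f"DROP unsolicited {m.src}:{m.sport} -> {m.dst}:{m.dport}")
            return None
        ip, port = internal
        return Message(m.src, m.sport, ip, port, m.payload)


def run_demo() -> dict:
    """Constructed exchange: one relayed command, its reply, one blocked command,
    and one unsolicited inbound message."""
    proxy = SmtpProxy()
    internal, mail_host = "10.0.0.20", "203.0.113.25"
    out = proxy.outbound(Message(internal, 34000, mail_host, 25, "EHLO bank.example"))
    back = proxy.inbound(Message(mail_host, 25, PROXY_IP, out.sport, "250 mail.example"))
    blocked = proxy.outbound(Message(internal, 34000, mail_host, 25, "VRFY root"))
    stray = proxy.inbound(Message(mail_host, 25, PROXY_IP, 50001, "220 hello"))
    return {"out": out, "back": back, "blocked": blocked, "stray": stray, "log": proxy.log}


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

Two things the trace makes visible: the outside mail host only ever sees 192.0.2.1, never 10.0.0.20, and the proxy's log records both the blocked command and the unsolicited inbound message, which is the "additional logging capability" the booklet refers to.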
IT SECURITY QUESTION:
C. HOST SECURITY
8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up.
INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.
Opt Out Right and Exceptions:
The Right
Consumers must be given the right to "opt out" of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party, unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer's transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right. For example, it would be reasonable if the financial institution allows 30 days from the date of mailing a notice or 30 days after customer acknowledgement of an electronic notice for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number, again depending on the circumstances surrounding the consumer's transaction. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.