R. Kinney Williams & Associates
Internet Banking News
October 22, 2006
Does your financial institution need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure their IT security
settings, as well as to meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports and focuses on a hacker's perspective, which will
help you identify real-world weaknesses. For more information, give
Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI - Data attack
targets Commerce Department - A Commerce Department bureau was the
target of an attempt to gain access to employees' user accounts on
its computer network, according to media reports. The attack, which
was discovered in July and came to public attention this week,
specifically focused on the Department's Bureau of Industry and
Security (BIS), which is responsible for such areas as export
control and treaty compliance.
http://news.com.com/2102-7349_3-6123601.html?tag=st.util.print
FYI - No End in Sight:
Data Breach Tally Approaches 100 Million - The total number of
records containing sensitive personal information involved in
security breaches over the past two years now stands at 93,754,333,
according to the Privacy Rights Clearinghouse. The updated tally
includes thousands of instances of data exposure in the past month
alone.
http://www.technewsworld.com/story/53222.html
FYI - DHS laptops still
vulnerable, IG finds - Laptop computers used by the Homeland
Security Department's Office of the Inspector General (OIG) are
still susceptible to cyberattacks despite several recent steps taken
to harden security, a report has found.
http://www.fcw.com/article96332-10-04-06-Web
FYI - CMS' IT controls
need strengthening - A review of the effectiveness of information
security controls used by the Center for Medicare and Medicaid
Services found 47 weaknesses in its communication networks -
electronic access and other system controls - according to the
Government Accountability Office.
http://www.gcn.com/online/vol1_no1/42213-1.html?topic=security
FYI - USB memory sticks
pose new dangers - Some new drives can be used to automatically run
malware - The ability to use tiny USB memory sticks to download and
walk away with relatively large amounts of data has already made the
ubiquitous devices a potent security threat in corporate
environments. Now, the emergence of USB flash drives that can store
and automatically run applications straight off the device could
soon make the drives even more of a security headache.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003592
STOLEN COMPUTERS
FYI - Washington Airport
Reports Worker Information Missing - The Port of Seattle announced
today that six computer disks, containing personal information for
6,939 people who work for employers at Seattle-Tacoma International
Airport, are missing. "We have no reason to believe that the
information has been misused by anyone," said Mark Reis, managing
director at Sea-Tac. "However, we do not know at this time whether
the disks were misplaced, or were removed from Port property."
http://www.govtech.net/magazine/channel_story.php/101387
FYI - U.S. Marine base
probes missing laptop - A laptop computer loaded with personal
information on 2,400 residents of the Camp Pendleton Marine Corps
base has been lost. The computer was reported missing Tuesday by
Lincoln B.P. Management Inc., which helps manage base housing.
http://news.yahoo.com/s/ap/20061007/ap_on_hi_te/missing_laptop
FYI - FAA data in
Oberlin computer lost - Drives had names, Social Security numbers -
The names and Social Security numbers of at least 400 air traffic
controllers are missing from a computer at the Cleveland Air Route
Traffic Control Center in Oberlin, a union official says.
http://www.cleveland.com/news/plaindealer/index.ssf?/base/lorain/1160124449197870.xml&coll=2&thispage=1
FYI -
OTS Appoints Wayne Leiss As Chief Information Officer
- Office of Thrift Supervision Director John M. Reich announced the
selection of Wayne G. Leiss as the agency's Chief Information
Officer.
www.ots.treas.gov/docs/7/776048.html
WEB SITE COMPLIANCE -
We
continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website
content is dynamic, and third parties may change the presentation or
content of a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
MALICIOUS CODE
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e-mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
IT SECURITY
QUESTION:
F. PERSONNEL SECURITY
3. Determine if the institution requires personnel with
authority to access customer information and confidential
institution information to sign and abide by confidentiality
agreements.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
20. Does the opt out notice
state:
a. that the institution discloses or reserves the right to disclose
nonpublic personal information about the consumer to a nonaffiliated
third party; [§7(a)(1)(i)]
b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)]
and
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley Act and the regulators' IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
please visit
http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at examiner@yennik.com if we
can be of assistance.