R. Kinney Williams & Associates | Internet Banking News | November 26, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Cop's errant click posts personal info - There's a new reason to be concerned about an encounter with local police, whether you're a victim or a suspect. In Ohio last month, a police department accidentally published intimate details about every person officers encountered during a single day, including Social Security Numbers, driver's license numbers and more.
http://redtape.msnbc.com/2006/11/cops_errant_cli.html
FYI - November 14, 2006 - Former NCUA Employee Pleads Guilty to Illegal Access of a Government Computer - National Credit Union Administration Inspector General William A. DeSarno announced today that former NCUA employee Raymond Lindeman, Jr., of Coventry, Rhode Island, pleaded guilty yesterday to a charge of unauthorized access of a government computer in violation of federal law.
www.ncua.gov/news/press_releases/2006/MR06-1114.htm
FYI - Beware Social Security e-mail scam - 'Phishers' are trying to get personal information from e-mail recipients by threatening to suspend their Social Security accounts. If you get an e-mail announcing the cost-of-living increases scheduled for 2007 Social Security benefits and purporting to be from the Social Security Administration, don't answer it and don't click on any links in the e-mail.
http://money.cnn.com/2006/11/07/pf/Social_Security_email/index.htm?section=money_latest
FYI - Bank account data swiped in gas-station scam - Devices attached to pay-at-the-pump stations recorded info from hundreds of cards, police say. Hundreds of people had their bank account information compromised when they paid at outside pay pumps at three gas stations in Orange County and one in Torrance.
http://www.ocregister.com/ocregister/homepage/abox/article_1350521.php
FYI - 49 Million U.S. Adults Notified Of Data Breaches - An estimated 49 million U.S. adults have been told over the last three years that their personal information has been lost, stolen, or improperly disclosed, according to a research firm. Most of the notifications came from government agencies and financial institutions.
http://www.techweb.com/article/printableArticle.jhtml?articleID=193700752&site_section=700029
FYI - Cingular plans mobile banking service for 2007 - Cingular Wireless, the No. 1 U.S. cellular operator, said on Wednesday it is talking with banks about letting its customers manage their money by cell phone as part of a push to expand phone use beyond talking.
http://www.washingtonpost.com/wp-dyn/content/article/2006/11/15/AR2006111500097.html
MISSING COMPUTERS/DATA
FYI - FBI locates missing Hertz computer - Hertz Global Holdings, owners of the world's largest rental-car company, said the FBI found a computer containing the names and Social Security numbers of most of Hertz's U.S. workers at the home of a former employee.
http://www.sltrib.com/business/ci_4642128
FYI - LANL contractor information could be at risk - As many as 1,000 contract employees who work in Los Alamos have been warned that a compact disk containing their personal information could be missing.
http://www.freenewmexican.com/news/51948.html
WEB SITE COMPLIANCE - Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION
Source Code Review and Testing
Application and operating system source code can have numerous vulnerabilities due to programming errors or misconfiguration. Where possible, financial institutions should use software that has been subjected to independent security reviews of the source code, especially for Internet-facing systems. Software can contain erroneous or intentional code that introduces covert channels, backdoors, and other security risks into systems and applications. These hidden access points can often provide unauthorized access to systems or data that circumvents built-in access controls and logging. Source code reviews should be repeated after potentially significant changes are made.
IT SECURITY QUESTION:
G. APPLICATION SECURITY
2. Determine if user input is validated appropriately (e.g., character set, length, etc.).
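As an added illustration of this checkpoint (not part of the newsletter or the FFIEC booklet), the following Python applies an allow-list character-set pattern and a length bound to each field of a constructed transfer-form submission; the field names, rules and sample values are hypothetical.

```python
import re

# Constructed allow-list rules (hypothetical field names, not from the
# newsletter): one compiled character-set pattern and one maximum length per
# field, i.e. the two checks the examination question names.
FIELD_RULES = {
    "account_number": (re.compile(r"[0-9]{8,12}"), 12),
    "amount":         (re.compile(r"[0-9]{1,9}(\.[0-9]{2})?"), 12),
    "memo":           (re.compile(r"[A-Za-z0-9 .,'-]*"), 60),
}
OPTIONAL_FIELDS = {"memo"}

def validate_field(name, value):
    """Return None when value satisfies the field's rules, else a reason."""
    if name not in FIELD_RULES:
        return "unexpected field"   # only fields the form defines are accepted
    pattern, max_len = FIELD_RULES[name]
    if len(value) > max_len:        # cheap bound before any pattern work
        return "too long"
    # fullmatch, not match: with match() a '$' anchor still accepts a trailing
    # newline, so "12345678\n" would slip past a ^[0-9]{8,12}$ pattern.
    if pattern.fullmatch(value) is None:
        return "invalid characters"
    return None

def validate_form(form):
    """Validate a whole submission; return {field: reason} for failures only."""
    errors = {}
    for name, value in form.items():
        reason = validate_field(name, value)
        if reason is not None:
            errors[name] = reason
    for name in FIELD_RULES:        # required fields must be present
        if name not in form and name not in OPTIONAL_FIELDS:
            errors[name] = "missing"
    return errors

# Constructed sample submissions for the hypothetical transfer form.
GOOD = {"account_number": "123456789012", "amount": "250.00", "memo": "Rent, Nov"}
BAD = {
    "account_number": "12345678\n",  # trailing newline: rejected by fullmatch
    "amount": "250.00 USD",          # letters outside the numeric allow-list
    "memo": "x" * 61,                # over the length bound
    "is_admin": "true",              # field the form never defined
}

if __name__ == "__main__":
    print(validate_form(GOOD), validate_form(BAD))
```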
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
27. If each joint consumer may opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]
b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With Gramm-Leach-Bliley and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.