R. Kinney Williams & Associates | Internet Banking News | December 10, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - U.S. warns of possible al-Qaida financial cyberattack - The U.S. government warned American private financial services on Thursday of an al-Qaida call for a cyberattack against online stock trading and banking Web sites beginning on Friday, a source said. The source, a person familiar with the warning, said the Islamic militant group aimed to penetrate and destroy the databases of the U.S. financial sites. The Department of Homeland Security confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
http://news.com.com/2102-1028_3-6139878.html?tag=st.util.print

FYI - New Rules Make Firms Track E-Mails, IMs - U.S. companies will need to keep track of all the e-mails, instant messages and other electronic documents generated by their employees thanks to new federal rules that go into effect Friday, legal experts say. The rules, approved by the Supreme Court in April, require companies and other entities involved in federal litigation to produce "electronically stored information" as part of the discovery process, when evidence is shared by both sides before a trial.
http://apnews.myway.com/article/20061201/D8LNRQB80.html

FYI - Federal Rules May Not Fully Secure Online Banking Sites - IT execs say banks and credit unions need more than strong authentication - Financial institutions that truly want to bolster their online security need to look beyond the federal guidelines on end-user authentication that go into effect Jan. 1, IT managers and analysts said last week.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=274881&taxonomyId=17&intsrc=kc_top

FYI - Banks face growing threat of identity theft from insiders - Banks are pouring money into building formidable defenses against computer hackers, but are only just waking up to what may be a bigger threat: the physical theft of client information by people in the office.
http://news.com.com/2102-1029_3-6137940.html?tag=st.util.print

FYI - Community America Says At Least 12 Customers Affected - Several people who went online Friday to do some banking wound up victims of a scam, officials said. Community America Credit Union confirmed to KMBC that a hacker managed to redirect people from the company's Web site to a phony site.
http://www.thekansascitychannel.com/news/10408223/detail.html

FYI - Phishing attacks now using phone calls - And consumers thought they were safe by not clicking on links in unsolicited e-mails. Now comes a new batch of phishing scams that rely on an old tool, the phone, to trick people into giving away their personal information. Vishing has emerged as a new threat with the rise of Voice over Internet Protocol, technology that allows cheap and anonymous Internet calls.
http://www.usatoday.com/money/industries/technology/2006-11-26-phishing-usat_x.htm?csp=34

FYI - Linkin Park, national security mash-up - A woman is accused of using a computer at a national laboratory to hack into a cell phone company's Web site to get a number for Chester Bennington, lead singer of the rock group Linkin Park.
http://www.mercurynews.com/mld/mercurynews/entertainment/16098934.htm
MISSING COMPUTERS/DATA
FYI - Met Police in laptop theft security flap - Three laptops, containing the payroll and pension details of more than 15,000 Met Police officers, have been nicked from the offices of LogicaCMG, the outsourcing firm that handles the payments.
http://www.theregister.co.uk/2006/11/22/met_police_laptop_theft/print.html

FYI - Stolen laptop has science centre's membership list - Ontario Science Centre officials are urging its members to remain confident that their personal information is safe after a laptop was recently stolen from the popular city attraction.
http://www.towncrieronline.ca/main/main.php?rootcatid=8&direction=printstory&storyid=5847&rootsubcatid=#rootsubcatid

FYI - Women alerted to ID theft risk - Stolen computers had health data - More than 7,500 Hoosier women are at risk of identity theft after two computers containing protected health information collected for the state were stolen earlier this month.
http://www.courierpress.com/news/2006/nov/25/women-alerted-to-id-theft-risk/
WEB SITE COMPLIANCE - Advertisements

Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Hardening Systems
Many financial institutions use commercial off-the-shelf (COTS) software for operating systems and applications. COTS systems generally provide more functions than are required for the specific purposes for which they are employed. For example, a default installation of a server operating system may install mail, Web, and file-sharing services on a system whose sole function is a DNS server. Unnecessary software and services represent a potential security weakness. Their presence increases the potential number of discovered and undiscovered vulnerabilities present in the system. Additionally, system administrators may not install patches or monitor the unused software and services to the same degree as operational software and services. Protection against those risks begins when the systems are constructed and software is installed, through a process that is referred to as hardening a system.
When deploying off-the-shelf software, management should harden the resulting system. Hardening includes the following actions:

- Determining the purpose of the system and minimum software and hardware requirements;
- Documenting the minimum hardware, software and services to be included on the system;
- Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure;
- Installing necessary patches;
- Installing the most secure and up-to-date versions of applications;
- Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user;
- Configuring security settings as appropriate, enabling allowed activity, and disallowing other activity;
- Enabling logging;
- Creating cryptographic hashes of key files;
- Archiving the configuration and checksums in secure storage prior to system deployment;
- Testing the system to ensure a secure configuration;
- Using secure replication procedures for additional, identically configured systems, making configuration changes on a case-by-case basis;
- Changing all default passwords; and
- Testing the resulting systems.
After deployment, the COTS systems may need updating with current security patches. Additionally, the systems should be periodically audited to ensure that the software present on the systems is authorized and properly configured.
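The following is an added example, not code from the FFIEC booklet or the newsletter, showing how the hardening steps "creating cryptographic hashes of key files", "archiving the configuration and checksums in secure storage" and the post-deployment audit fit together for the DNS-only host used as an illustration above. It builds a SHA-256 baseline of key files, archives it as JSON, then detects modified, missing and unexpected files and any service not on the documented minimum list; the file names, service names and drift are constructed samples.

```python
# Added example, not from the FFIEC booklet or the newsletter. File names and
# service names below are constructed samples for a DNS-only host.
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Hash every regular file under root; keys are root-relative paths."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def audit_files(root, baseline):
    """Compare the live tree against the archived baseline checksums."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def unauthorized_services(documented, observed):
    """Services present on the host but absent from the documented minimum."""
    return sorted(set(observed) - set(documented))

def demo():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "named.conf"), "w") as f:  # constructed key file
        f.write("options { recursion no; };\n")
    archived = json.dumps(build_baseline(root), sort_keys=True)  # archive in secure storage
    with open(os.path.join(root, "etc", "named.conf"), "a") as f:  # simulate post-deployment drift
        f.write("// undocumented change\n")
    with open(os.path.join(root, "etc", "httpd.conf"), "w") as f:  # unexpected web server config
        f.write("Listen 80\n")
    report = audit_files(root, json.loads(archived))
    extra = unauthorized_services(["named", "sshd"], ["named", "sshd", "httpd", "smbd"])
    return report, extra
```

In practice the archived JSON should live off-host in secure storage and the audit should be run from a trusted copy, since a baseline stored on the hardened system itself can be altered along with the files it protects.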
IT SECURITY QUESTION: G. APPLICATION SECURITY

4. Determine if access to sensitive information and processes requires appropriate authentication and verification of authorized use before access is granted.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

30. Does the institution allow the consumer to opt out at any time? [§7(f)]

31. Does the institution continue to honor the consumer's opt out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? [§7(g)(1)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.