FYI -
Many More Government Records Compromised in 2009 than Year Ago,
Report Claims - If you're bummed about the data in your department
that just got breached, you have some cold comfort. Although the
combined number of reported data breaches in the government and the
military has dropped in 2009 compared to last year, many more
records were compromised in those breaches, according to recent
figures compiled by a California nonprofit.
http://www.govtech.com/gt/articles/734214
FYI -
DHS completes draft of plan on how to respond to a national
cyberattack - The Homeland Security Department, working with other
federal agencies, has completed a draft of how governments and
businesses should respond to a widespread cyberattack, establishing
their roles and responsibilities.
http://www.nextgov.com/nextgov/ng_20091203_2020.php?oref=topnews
FYI -
Man loses fight against firm that suffered data breach - Harm? What
harm? A Missouri man has lost his legal battle against an online
prescription processor that suffered a security breach that exposed
highly sensitive subscriber information.
http://www.theregister.co.uk/2009/12/03/data_breach_plaintiff_loses/
FYI -
Microsoft To Kill Windows XP SP2 Support - Software maker eyes
cutoff date for support for XP, as well as for Windows 2000.
Microsoft is reminding customers that the end date for support for
Windows XP Service Pack 2, as well as some other versions of the
Windows operating system, is already on the horizon.
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=222000858
FYI -
GIAC Certifications in High Demand - Incident Handler Credential is
Top-Rated Among Employers - When Foote Partners, the Florida-based
management consultancy, released its 2009 IT Skills Trends Report
Update, three of the top 10 certifications were Global Information
Assurance Certification (GIAC) offerings by the SANS Institute,
specializing in computer security training and professional
certification through GIAC.
http://www.govinfosecurity.com/articles.php?art_id=1807&opg=1
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
TSA, HSBC in secret doc redaction oopsie - Your uh, data is showing
- The Transport Security Administration (TSA) and the US arm of bank
HSBC have both failed to properly redact documents they published
online.
http://www.theregister.co.uk/2009/12/07/tsa_redaction_fail/
http://www.computerworld.com/s/article/9141834/HSBC_exposed_sensitive_bankruptcy_data?taxonomyId=17
FYI -
La. firm sues Capital One after losing thousands in online bank
fraud - An electronics testing firm in Louisiana is suing its bank,
Capital One, alleging that the financial institution was negligent
when it failed to stop hackers from transferring nearly $100,000 out
of its account earlier this year.
http://voices.washingtonpost.com/securityfix/2009/12/jmtest.html
FYI -
NASA sites hacked via SQL injection - Two NASA sites recently were
hacked by an individual wanting to demonstrate that the sites are
susceptible to SQL injection.
http://www.scmagazineus.com/nasa-sites-hacked-via-sql-injection/article/159181/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Sound Audit Trail Practices for E-Banking Systems
1. Sufficient logs should be maintained for all e-banking
transactions to help establish a clear audit trail and assist in
dispute resolution.
2. E-banking systems should be designed and installed to capture and
maintain forensic evidence in a manner that maintains control over
the evidence, and prevents tampering and the collection of false
evidence.
3. In instances where processing systems and related audit trails
are the responsibility of a third-party service provider:
a) The bank should ensure that it has access to relevant audit
trails maintained by the service provider.
b) Audit trails maintained by the service provider meet the bank's
standards.
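Practice 2 above asks for forensic evidence that cannot be quietly altered after the fact. One way to get that property in application logs is a hash-chained, keyed audit trail, shown here as an added illustration (not code from the Basel paper or any bank): each record carries a MAC over the previous record's MAC plus its own body, so editing, deleting or reordering any transaction breaks every later link. The transactions, the key and the field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice the MAC key would be held outside the
# e-banking application (e.g. on a write-once log host or in an HSM) so that
# whoever can alter the application database cannot also re-sign the trail.
LOG_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64


def append_entry(chain, entry):
    """Append one e-banking transaction record to the hash-chained trail."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = json.dumps(entry, sort_keys=True)          # canonical encoding
    mac = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "entry": entry, "mac": mac})
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = json.dumps(rec["entry"], sort_keys=True)
        expected = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return False, i
        prev = rec["mac"]
    return True, None


def build_demo_chain():
    """Constructed sample session: login, one transfer, logout."""
    chain = []
    for e in [
        {"ts": "2009-12-07T09:15:02Z", "user": "cust-1001", "op": "login", "src": "203.0.113.5"},
        {"ts": "2009-12-07T09:16:40Z", "user": "cust-1001", "op": "transfer",
         "amount": "250.00", "to": "acct-2231"},
        {"ts": "2009-12-07T09:17:05Z", "user": "cust-1001", "op": "logout"},
    ]:
        append_entry(chain, e)
    return chain


def tamper_demo():
    """Change the transfer amount after the fact; verification pinpoints record 1."""
    chain = build_demo_chain()
    chain[1]["entry"]["amount"] = "25000.00"
    return verify_chain(chain)
```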
INFORMATION TECHNOLOGY SECURITY - We continue our coverage of the
FDIC's "Guidance on Managing Risks Associated With Wireless Networks
and Wireless Customer Access."
Using "Wired Equivalent Privacy" (WEP) by itself to
provide wireless network security may lead a financial institution
to a false sense of security. Information traveling over the network
appears secure because it is encrypted. This appearance of security,
however, can be defeated in a relatively short time.
Through these types of attacks, unauthorized personnel could gain
access to the financial institution's data and systems. For example,
an attacker with a laptop computer and a wireless network card could
eavesdrop on the bank's network, obtain private customer
information, obtain access to bank systems and initiate unauthorized
transactions against customer accounts.
Another risk in implementing wireless networks is the potential
disruption of wireless service caused by radio transmissions of
other devices. For example, the frequency range used for 802.11b
equipment is also shared by microwave ovens, cordless phones and
other radio-wave-emitting equipment that can potentially interfere
with transmissions and lower network performance. Also, as wireless
workstations are added within a relatively small area, they will
begin to compete with each other for wireless bandwidth, decreasing
the overall performance of the wireless network.
Risk Mitigation Components -- Wireless Internal Networks
A key step in mitigating security risks related to the use of
wireless technologies is to create policies, standards and
procedures that establish minimum levels of security. Financial
institutions should adopt standards that require end-to-end
encryption for wireless communications based on proven encryption
methods. Also, as wireless technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless network devices.
For wireless internal networks, financial institutions should adopt
standards that require strong encryption of the data stream through
technologies such as the IP Security Protocol (IPSEC). These methods
effectively establish a virtual private network between the wireless
workstation and other components of the network. Even though the
underlying WEP encryption may be broken, an attacker would be faced
with having to defeat an industry-proven security standard.
Financial institutions should also consider the proximity of their
wireless networks to publicly available places. A wireless network
that does not extend beyond the confines of the financial
institution's office space carries with it far less risk than one
that extends into neighboring buildings. Before bringing a wireless
network online, the financial institution should perform a limited
pilot to test the effective range of the wireless network and
consider positioning devices in places where they will not broadcast
beyond the office space. The institution should also be mindful that
each workstation with a wireless card is a transmitter. Confidential
customer information may be obtained by listening in on the
workstation side of the conversation, even though the listener may
be out of range of the access device.
The financial institution should consider having regular independent
security testing performed on its wireless network environment.
Specific testing goals would include the verification of appropriate
security settings, the effectiveness of the wireless security
implementation and the identification of rogue wireless devices that
do not conform to the institution's stated standards. The security
testing should be performed by an organization that is technically
qualified to perform wireless testing and demonstrates appropriate
ethical behavior.
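The testing goals listed above (verifying security settings and finding rogue wireless devices that do not match the institution's standard) can be turned into a repeatable check. The script below is an added example, not part of the FDIC guidance: it parses constructed site-survey output, compares each access point against a constructed inventory of authorized BSSIDs, and flags authorized devices running anything weaker than the required WPA2 setting, unknown devices advertising the corporate SSID, and unknown devices heard strongly enough to be inside the premises. The -60 dBm threshold is an assumption for the example.

```python
# Constructed inventory of authorized access points; the institution's
# standard here is "WPA2 only". Addresses and SSIDs are made up.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "BANK-CORP", "security": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "BANK-CORP", "security": "WPA2"},
}
REQUIRED_SECURITY = {"WPA2"}
INSIDE_SIGNAL_DBM = -60   # assumed: stronger than this means on premises


def parse_scan(text):
    """Parse 'bssid,ssid,security,signal_dbm' lines from a site survey."""
    devices = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        bssid, ssid, security, signal = [f.strip() for f in line.split(",")]
        devices.append({"bssid": bssid.lower(), "ssid": ssid,
                        "security": security.upper(), "signal": int(signal)})
    return devices


def classify(devices):
    """Return (bssid, finding) pairs for every device needing follow-up."""
    findings = []
    for d in devices:
        auth = AUTHORIZED_APS.get(d["bssid"])
        if auth is None:
            if d["ssid"] == "BANK-CORP":
                findings.append((d["bssid"], "rogue AP impersonating corporate SSID"))
            elif d["signal"] > INSIDE_SIGNAL_DBM:
                findings.append((d["bssid"], "unknown AP with strong signal inside premises"))
        else:
            if d["ssid"] != auth["ssid"]:
                findings.append((d["bssid"], "authorized AP advertising unexpected SSID"))
            if d["security"] not in REQUIRED_SECURITY:
                findings.append((d["bssid"], f"weak security setting: {d['security']}"))
    return findings


SAMPLE_SCAN = """
# bssid,ssid,security,signal_dbm   (constructed survey output)
00:11:22:33:44:01,BANK-CORP,WPA2,-41
00:11:22:33:44:02,BANK-CORP,WEP,-47
AA:BB:CC:DD:EE:FF,BANK-CORP,OPEN,-52
12:34:56:78:9A:BC,NeighborCafe,WPA2,-83
DE:AD:BE:EF:00:01,linksys,OPEN,-55
"""


def run_check():
    return classify(parse_scan(SAMPLE_SCAN))
```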
INTERNET PRIVACY - We continue our series listing the regulatory
privacy examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt
out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])