FYI -
Private Investigator License
for Computer Data Collection and Assessment? - Red Light Traffic
Camera Records Challenged in Civil Lawsuit - Do the collection and
evaluation of electronic records for use in court require a
professional license? In litigation a mistake on this question can
surprisingly cause a party to lose a lawsuit.
http://legal-beagle.typepad.com/wrights_legal_beagle/2008/12/e-discovery-forensics-private-investigator-license-for-computer-data-collection-and-assessment.html
FYI -
The union of business and
security - Compliance requirements are increasing in number and
complexity. As companies find themselves obligated to comply with
multiple industry regulations and government mandates, investments
in security and compliance-related initiatives are taking an
increased share of limited IT resources.
http://www.scmagazineus.com/The-union-of-business-and-security/article/122003/?DCMP=EMC-SCUS_Newswire
FYI -
Commission calls for
cybersecurity czar - A group of technology and government experts
called for the next U.S. administration to create a National Office
for Cyberspace and focus more heavily on securing corporate and
federal networks, or face continuing economic losses due to online
espionage.
http://www.securityfocus.com/news/11540
http://www.scmagazineus.com/SC-World-Congress-High-hopes-for-new-cybersecurity-proposals/article/122685/?DCMP=EMC-SCUS_Newswire
FYI -
How to improve cybersecurity:
Ask hackers - A team of experts is working on a sweeping new set of
cybersecurity standards and hopes eventually to submit its
recommendations to the Office of Management and Budget. The plan,
proposed earlier this month, would shift the government into a more
offensive approach to cybersecurity.
http://www.federaltimes.com/index.php?S=3849692
FYI -
In incident response, seek out
authorities - For IT security professionals across the globe,
building a relationship with law enforcement is pivotal when
responding to a cyberincident, according to a panel Tuesday at the
inaugural SC World Congress in New York. "Pick up the phone and call
an FBI agent," John Iannarelli, supervisory special agent with the
FBI said. "Build a relationship before you need them. Find out who
your local representative is."
http://www.scmagazineus.com/SC-World-Congress-In-incident-response-seek-out-authorities/article/122654/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Army waited to tell of
possible security breach - 6,000 beneficiaries receive letters
detailing loss of info on laptop - U.S. Army medical officials in
southeast Germany waited nearly two months before notifying more
than 6,000 beneficiaries of a possible security breach regarding
their personal information stored on a lost laptop computer.
http://www.stripes.com/article.asp?section=104&article=59159
FYI -
Brute force SSH attack
confounds defenders - Who are those guys? - Security researchers are
struggling to combat a sophisticated brute-force attack against SSH
servers. Instead of using the same compromised machine to try
multiple password combinations, the newer attack relies on
coordination among multiple botnet clients.
http://www.theregister.co.uk/2008/12/08/brute_force_ssh_attack/
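The defensive consequence of the attack described above is that a per-source-IP threshold (the usual "ban after N failures from one address" rule) never fires when each botnet client stays under it. The following is an added example, not code from the article or from the researchers it cites: it parses OpenSSH syslog lines and aggregates failed logins per server and target account across all sources in a sliding window, so a coordinated attack on one account shows up even though no single source is noisy. The log lines, host name and addresses are constructed for the example; the thresholds are assumptions to tune locally.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of OpenSSH syslog lines (not from the article). Sources
# are in the RFC 5737 documentation ranges. Six failures against "root" from
# five different sources, with no single source exceeding two attempts.
SAMPLE_LOG = """\
Dec  8 03:14:01 bastion sshd[2101]: Failed password for root from 192.0.2.10 port 51022 ssh2
Dec  8 03:14:03 bastion sshd[2104]: Failed password for root from 198.51.100.7 port 40211 ssh2
Dec  8 03:14:04 bastion sshd[2107]: Failed password for root from 203.0.113.44 port 33899 ssh2
Dec  8 03:14:06 bastion sshd[2110]: Failed password for root from 192.0.2.77 port 51040 ssh2
Dec  8 03:14:09 bastion sshd[2113]: Failed password for invalid user admin from 198.51.100.9 port 40230 ssh2
Dec  8 03:14:11 bastion sshd[2116]: Failed password for root from 203.0.113.12 port 33910 ssh2
Dec  8 03:14:15 bastion sshd[2119]: Failed password for root from 192.0.2.10 port 51055 ssh2
Dec  8 03:20:30 bastion sshd[2201]: Accepted publickey for alice from 192.0.2.200 port 50000 ssh2
Dec  8 03:21:02 bastion sshd[2210]: Failed password for alice from 192.0.2.200 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Group failed logins by (server, target account) as (time, source) pairs."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        events[(m["host"], m["user"])].append((ts, m["src"]))
    return events


def detect_distributed_bruteforce(log_text, window_seconds=120,
                                  min_failures=5, min_sources=3):
    """Alert when one account draws many failures from many sources in a window.

    Aggregating per target account rather than per source is what makes the
    coordinated attack visible; the per-source maximum is reported so the
    analyst can see why a per-IP rule stayed quiet.
    """
    alerts = []
    for (host, user), evs in parse_failures(log_text).items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            per_source = Counter(src for _, src in window)
            if len(window) >= min_failures and len(per_source) >= min_sources:
                if best is None or len(window) > best["failures"]:
                    best = {
                        "host": host,
                        "target": user,
                        "failures": len(window),
                        "distinct_sources": len(per_source),
                        "max_failures_from_one_source": max(per_source.values()),
                        "window_start": window[0][0].strftime("%b %d %H:%M:%S"),
                        "window_end": window[-1][0].strftime("%b %d %H:%M:%S"),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, the root account gets one alert (six failures, five sources, at most two from any one address); the single failures against admin and alice stay below threshold. In production the same aggregation belongs in the SIEM or log pipeline, keyed on account rather than address, and the window and thresholds should be set from the server's normal failure rate.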
WEB SITE COMPLIANCE - This week
begins our series on the FDIC's Supervisory Policy on Identity Theft.
(Part 6 of 6)
President's Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Conclusion
Financial institutions have an affirmative and continuing obligation
to protect the privacy of customers' nonpublic personal information.
Despite generally strong controls and practices by financial
institutions, methods for stealing personal data and committing
fraud with that data are continuously evolving. The FDIC treats the
theft of personal financial information as a significant risk area
due to its potential to impact the safety and soundness of an
institution, harm consumers, and undermine confidence in the banking
system and economy. The FDIC believes that its collaborative efforts
with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 2 of 2)
Institution management should consider a number of issues regarding
application-access control. Many of these issues could also apply to
oversight of operating system access:
! Implementing a robust authentication method consistent with the
criticality and sensitivity of the application. Historically, the
majority of applications have relied solely on user IDs and
passwords, but increasingly applications are using other forms of
authentication. Multi-factor authentication, such as token and
PKI-based systems coupled with a robust enrollment process, can
reduce the potential for unauthorized access.
! Maintaining consistent processes for assigning new user access,
changing existing user access, and promptly removing access to
departing employees.
! Communicating and enforcing the responsibilities of programmers
(including TSPs and vendors), security administrators, and business
line owners for maintaining effective application-access control.
Business line managers are responsible for the security and privacy
of the information within their units. They are in the best position
to judge the legitimate access needs of their area and should be
held accountable for doing so. However, they require support in the
form of adequate security capabilities provided by the programmers
or vendor and adequate direction and support from security
administrators.
! Monitoring existing access rights to applications to help ensure
that users have the minimum access required for the current business
need. Typically, business application owners must assume
responsibility for determining the access rights assigned to their
staff within the bounds of the AUP. Regardless of the process for
assigning access, business application owners should periodically
review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some applications
or for the more sensitive functions within an application. The
nature of some applications requires limiting the location and
number of workstations with access. These restrictions can support
the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by
utilizing software that supports group profiles. Some financial
institutions manage access rights individually and it often leads to
inappropriate access levels. By grouping employees with similar
access requirements under a common access profile (e.g., tellers,
loan operations, etc.),
business application owners and security administrators can better
assign and oversee access rights. For example, a teller performing a
two-week rotation as a proof operator does not need year-round
access to perform both jobs. With group profiles, security
administrators can quickly reassign the employee from a teller
profile to a proof operator profile. Note that group profiles are
used only to manage access rights; accountability for system use is
maintained through individuals being assigned their own unique
identifiers and authenticators.
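The guidance above pairs group profiles (rights managed per role) with individual accountability (a unique identifier per person) and a periodic owner review of the access actually assigned. The following is an added example and not text or code from the FFIEC booklet: a minimal model in which each employee holds one profile at a time, the teller-to-proof-operator rotation is a profile reassignment rather than an accumulation of rights, every access decision is logged against the individual user ID, and the review flags dormant accounts and rights granted outside any profile. Profile names, function names, staff and dates are constructed; the 90-day dormancy threshold is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed group profiles (hypothetical function names): the rights a role
# needs, maintained once per role rather than once per person.
PROFILES = {
    "teller": {"cash_drawer", "deposit_post", "customer_lookup"},
    "proof_operator": {"item_capture", "batch_balance", "customer_lookup"},
    "loan_ops": {"loan_lookup", "loan_payment_post"},
}

DEMO_DATE = date(2008, 12, 8)  # constructed "today" for the walk-through


@dataclass
class Employee:
    user_id: str      # unique identifier; owns its own authenticator, never shared
    profile: str      # exactly one group profile at a time
    last_login: date
    # Rights granted to this person outside any profile. The booklet warns that
    # managing access individually tends to leave inappropriate access behind,
    # so the review below flags every such entry for the business owner.
    extra_rights: set = field(default_factory=set)


class ApplicationAccess:
    def __init__(self):
        self.employees = {}
        self.audit_log = []  # one record per access decision and profile change

    def add_employee(self, user_id, profile, last_login, extra_rights=()):
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r}")
        if user_id in self.employees:
            raise ValueError("user IDs must be unique; never reuse or share one")
        self.employees[user_id] = Employee(user_id, profile, last_login, set(extra_rights))

    def rights(self, user_id):
        emp = self.employees[user_id]
        return PROFILES[emp.profile] | emp.extra_rights

    def assign_profile(self, user_id, new_profile, approved_by):
        """Move an employee between profiles, e.g. teller -> proof operator for
        a rotation. Rights of the old profile disappear at once; the change and
        its approver are recorded against the individual."""
        if new_profile not in PROFILES:
            raise ValueError(f"unknown profile {new_profile!r}")
        emp = self.employees[user_id]
        self.audit_log.append({"event": "profile_change", "user_id": user_id,
                               "from": emp.profile, "to": new_profile,
                               "approved_by": approved_by})
        emp.profile = new_profile

    def access(self, user_id, function):
        """Authorize one application function and log the decision against the
        user ID (the profile is recorded only as context)."""
        allowed = function in self.rights(user_id)
        self.audit_log.append({"event": "access", "user_id": user_id,
                               "profile": self.employees[user_id].profile,
                               "function": function, "allowed": allowed})
        return allowed

    def access_review(self, today, dormant_days=90):
        """Periodic review for the business application owner: accounts to
        remove or re-approve, and individually granted rights to revoke or
        fold into a profile."""
        findings = []
        for emp in self.employees.values():
            idle = (today - emp.last_login).days
            if idle > dormant_days:
                findings.append({"user_id": emp.user_id, "issue": "dormant",
                                 "detail": f"no login for {idle} days; remove or re-approve"})
            for right in sorted(emp.extra_rights):
                findings.append({"user_id": emp.user_id, "issue": "right_outside_profile",
                                 "detail": f"{right} granted individually; revoke or add to a profile"})
        return findings


def build_demo(today):
    """Constructed branch staff for the walk-through."""
    ac = ApplicationAccess()
    ac.add_employee("bob", "teller", today)
    ac.add_employee("carol", "teller", today - timedelta(days=3),
                    extra_rights={"loan_payment_post"})
    ac.add_employee("dave", "loan_ops", today - timedelta(days=120))
    return ac


if __name__ == "__main__":
    ac = build_demo(DEMO_DATE)
    ac.access("bob", "cash_drawer")                                    # teller work: allowed
    ac.assign_profile("bob", "proof_operator", approved_by="branch_mgr_01")
    ac.access("bob", "item_capture")                                   # rotation work: allowed
    ac.access("bob", "cash_drawer")                                    # no longer a teller: denied
    ac.assign_profile("bob", "teller", approved_by="branch_mgr_01")   # rotation over
    for record in ac.audit_log:
        print(record)
    for finding in ac.access_review(DEMO_DATE):
        print(f"{finding['user_id']}: {finding['issue']} - {finding['detail']}")
```

Two points the code makes concrete: after the profile change, bob's teller functions are denied immediately rather than lingering alongside the new ones, and every audit record names "bob", not "teller" or "proof_operator", so the trail stays usable after he rotates back. The review output is what the business line owner signs off on each cycle.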
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
3. Determine whether adequate inspection for, and removal of,
unauthorized hardware and software takes place.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions. When
you answer the question each week, you will help ensure compliance
with the privacy regulations.
Financial Institution Duties (Part 6 of 6)
Redisclosure and Reuse Limitations on Nonpublic Personal
Information Received:
If a financial institution receives nonpublic personal
information from a nonaffiliated financial institution, its
disclosure and use of the information is limited.
A) For nonpublic personal information received under a section 14
or 15 exception, the financial institution is limited to:
1) Disclosing the information to the affiliates of the
financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may,
in turn, disclose and use the information only to the extent that
the financial institution can do so; and
3) Disclosing and using the information pursuant to a section
14 or 15 exception (for example, an institution receiving
information for account processing could disclose the information to
its auditors).
B) For nonpublic personal information received other than under a
section 14 or 15 exception, the recipient's use of the information
is unlimited, but its disclosure of the information is limited to:
1) Disclosing the information to the affiliates of the
financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may,
in turn disclose the information only to the extent that the
financial institution can do so; and
3) Disclosing the information to any other person, if the
disclosure would be lawful if made directly to that person by the
financial institution from which it received the information. For
example, an institution that received a customer list from another
financial institution could disclose the list (1) in accordance with
the privacy policy of the financial institution that provided the
list, (2) subject to any opt out election or revocation by the
consumers on the list, and (3) in accordance with appropriate
exceptions under sections 14 and 15.