R. Kinney Williams & Associates

Internet Banking News

January 11, 2004



FYI  - Hoaxes befall banks in England, Singapore - The Bank of England said Tuesday that it had intercepted more than 100,000 fraudulent e-mails masquerading as computer security software issued by the central bank.  http://news.com.com/2102-7349_3-5134038.html?tag=st_util_print 

FYI -
Mississippi man denies Best Buy blackmail - A Mississippi man pleaded not guilty on Tuesday to charges that he threatened to reveal security weaknesses in the Web site of electronics seller Best Buy unless the company paid him $2.5 million.  http://news.com.com/2100-7355-5136932.html?tag=cd_top 

FYI  - Treasury breaks word on e-mail anonymity - The U.S. Treasury Department plans to publish nearly 10,000 e-mail addresses on the Web, violating its privacy promise to Americans who used e-mail to comment on a government proceeding.  http://news.com.com/2100-1028-5137488.html?tag=cd_top 

FYI  - To reflect the broad nature of complaints it's handling, the Internet Fraud Complaint Centre has changed its name to the Internet Crime Complaint Centre, or IC3 for short.  http://www.infosecnews.com/sgold/news/2004/01/05_06.htm 

FYI - Dead VeriSign certificates cause glitches - VeriSign moved to allay confusion on Thursday, after the expiration of some of its certificates that verified it as a certificate-issuing authority.  http://news.com.com/2100-1029_3-5138356.html?tag=nefd_top 

FYI - Amendments to Regulation B - The FDIC has issued the attached summary of Federal Reserve Board amendments to Regulation B and the Official Staff Interpretations of the regulation. Compliance becomes mandatory on April 15, 2004.  www.fdic.gov/news/news/financial/2004/FIL0504.html

FYI - Guidance on Customer Identification Programs - The federal banking, thrift, and credit union regulatory agencies, the Financial Crimes Enforcement Network and the Department of Treasury have jointly issued interpretive guidance on the application of the "Customer Identification Programs for Banks, Savings Associations, and Credit Unions" regulation.  www.fdic.gov/news/news/financial/2004/FIL0404.html


INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 

B. RISK MANAGEMENT TECHNIQUES

Introduction

Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link as discussed in the prior section.

Planning Weblinking Relationships

In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include:

1)  due diligence with respect to third parties to which the financial institution is considering links; and

2)  written agreements with significant third parties.


INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Packet Filter Firewalls

Basic packet filtering was described in the router section and does not include stateful inspection. Packet filter firewalls evaluate the headers of each incoming and outgoing packet to ensure it has a valid internal address, originates from a permitted external address, connects to an authorized protocol or service, and contains valid basic header instructions. If the packet does not match the pre-defined policy for allowed traffic, the firewall drops it. Packet filters generally do not analyze packet contents beyond the header information. Dynamic packet filtering incorporates stateful inspection primarily for performance benefits: rather than re-evaluating every packet against the ruleset, the firewall first checks each arriving packet to determine whether it is part of an existing connection. If the packet belongs to an established connection, the firewall forwards it without subjecting it to the ruleset.

Weaknesses associated with packet filtering firewalls include the following:

- The system is unable to prevent attacks that employ application-specific vulnerabilities and functions because the packet filter cannot examine packet contents.

- Logging functionality is limited to the same information used to make access control decisions.

- Most do not support advanced user authentication schemes.

- Firewalls are generally vulnerable to attacks and exploitation that take advantage of problems in the TCP/IP specification.

- The firewalls are easy to misconfigure, which allows traffic to pass that should be blocked.

Packet filtering offers less security but faster performance than application-level firewalls. Packet filters are appropriate in high-speed environments where logging and user authentication with network resources are not important. Packet filter firewalls are also commonly used in small office/home office (SOHO) systems and default operating system firewalls.

Institutions internally hosting Internet-accessible services should consider implementing additional firewall components that include application-level screening.
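The header-only, first-match evaluation and the connection table described above, as an added example that is not from the FFIEC booklet or from this newsletter: a small Python model of a packet filter. The ruleset, the addresses (RFC 5737 documentation ranges) and the packets are constructed for the example. It shows the state table forwarding a server reply that the ruleset alone would deny, the verdict staying identical whatever the payload carries (the first weakness listed), and a check for a rule that an earlier, broader rule shadows so it never fires (the misconfiguration weakness).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a packet filter; not a real firewall implementation.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN: a request to open a new connection
    payload: bytes = b""  # carried along but never examined by the filter

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network in CIDR; 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"       # destination network
    proto: Optional[str] = None  # None means any protocol
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        """Header-only comparison: addresses, protocol and port, nothing from the payload."""
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

class PacketFilter:
    """First matching rule wins; no match means deny. stateful=True adds a connection table."""

    def __init__(self, rules, stateful=False):
        self.rules = list(rules)
        self.stateful = stateful
        self.connections = set()  # 5-tuples of established flows, both directions

    def filter(self, pkt):
        """Return (verdict, reason); reason names the rule or the state table that decided."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.stateful and flow in self.connections:
            return "allow", "state table"  # forwarded without consulting the ruleset
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if self.stateful and rule.action == "allow" and (pkt.syn or pkt.proto == "udp"):
                    # record both directions so the reply is forwarded without re-evaluation
                    self.connections.add(flow)
                    self.connections.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return rule.action, f"rule {index}"
        return "deny", "default deny"

def shadowed_rules(rules):
    """(later, earlier) index pairs where an earlier rule matches everything the later one
    would, so the later rule can never fire: the classic rule-ordering misconfiguration."""
    pairs = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                pairs.append((i, j))
                break
    return pairs

# Constructed policy: a DMZ web server at 192.0.2.10 and an internal LAN 10.0.0.0/24
# whose hosts may connect anywhere; everything else is denied.
RULES = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/24"),
    Rule("deny"),
]

def demo():
    """Run constructed packets through stateless and stateful filters built from RULES."""
    stateless = PacketFilter(RULES, stateful=False)
    stateful = PacketFilter(RULES, stateful=True)
    client_syn = Packet("203.0.113.7", "192.0.2.10", "tcp", 51000, 443, syn=True)
    server_reply = Packet("192.0.2.10", "203.0.113.7", "tcp", 443, 51000)
    # Same headers, different payloads: the verdicts cannot differ (first weakness listed).
    ordinary = Packet("203.0.113.7", "192.0.2.10", "tcp", 51000, 443, payload=b"ordinary request")
    abusive = Packet("203.0.113.7", "192.0.2.10", "tcp", 51000, 443, payload=b"request abusing an application flaw")
    return {
        "syn": stateful.filter(client_syn),
        "reply_stateless": stateless.filter(server_reply),  # the ruleset alone denies the reply
        "reply_stateful": stateful.filter(server_reply),    # the state table forwards it
        "ordinary": stateful.filter(ordinary),
        "abusive": stateful.filter(abusive),
        "unrelated": stateful.filter(Packet("203.0.113.7", "192.0.2.10", "tcp", 51001, 22, syn=True)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
    print("shadowed:", shadowed_rules([Rule("allow"), Rule("deny", dst="192.0.2.10/32", proto="tcp", dport=23)]))
```

The "ordinary" and "abusive" packets get the same verdict from the same state-table entry, which is exactly why the booklet recommends application-level screening in front of internally hosted services: nothing in this model, or in a real packet filter, looks at what the allowed connection carries.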



IT SECURITY QUESTION:

C. HOST SECURITY

7. Determine whether access to utilities on the host are appropriately restricted and monitored.
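One way to gather evidence for this question on a Unix-style host, as an added example that is not part of the newsletter or the FFIEC work program: a Python check of the permission bits on a list of host utilities (compilers, debuggers, packet capture tools) that an examiner would expect to be restricted to administrators. The utility names, the directory and the stand-in binaries are constructed for the example; a real review would point it at the host's actual binary directories and pair it with a look at the audit or shell logging that monitors their use.

```python
import os
import stat
import tempfile

# Constructed list of utilities expected to be restricted; adjust for the host under review.
RESTRICTED_UTILITIES = ["gcc", "gdb", "tcpdump"]

def utility_findings(path):
    """Describe why a utility's permissions are too open; an empty list means restricted."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IXOTH:
        findings.append("executable by every user (o+x)")
    if mode & stat.S_IXGRP:
        findings.append("executable by its group (g+x)")
    if mode & stat.S_IWOTH:
        findings.append("writable by every user (o+w): binary can be replaced")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid: runs with elevated privilege")
    return findings

def audit_utilities(bin_dir, names=RESTRICTED_UTILITIES):
    """Map each utility name to its findings; an absent utility is reported as such."""
    report = {}
    for name in names:
        path = os.path.join(bin_dir, name)
        report[name] = utility_findings(path) if os.path.exists(path) else ["not installed"]
    return report

def build_demo_dir():
    """Create a throwaway directory of constructed stand-in binaries with differing modes."""
    bin_dir = tempfile.mkdtemp()
    for name, mode in [("gcc", 0o700), ("gdb", 0o755), ("tcpdump", 0o777)]:
        path = os.path.join(bin_dir, name)
        with open(path, "w") as handle:
            handle.write("#!/bin/sh\n")  # stand-in, not a real utility
        os.chmod(path, mode)
    return bin_dir

if __name__ == "__main__":
    for name, findings in audit_utilities(build_demo_dir()).items():
        print(f"{name:10} {'restricted' if not findings else '; '.join(findings)}")
```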


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [§7(c)]

24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated