R. Kinney Williams & Associates

Internet Banking News

January 25, 2004



FYI - PC viruses spawn $55 billion loss in 2003 - Trend Micro, the world's third-largest antivirus software maker, said that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that is expected to increase this year.  http://news.com.com/2102-7349_3-5142144.html?tag=st_util_print

FYI  - The National Institute of Standards and Technology (NIST) announced the completion of NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide.  This publication seeks to help both established and newly formed incident response teams respond effectively and efficiently to a variety of incidents.  You will find the publication at http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf.

FYI  - Farming out security - Many companies outsource some or all IT security responsibilities to a service provider. But IT managers who have been down this road say it's important to know what to outsource, what the conditions should be and how to set up the contract for a successful outcome.  http://www.computerworld.com/printthis/2004/0,4814,89100,00.html  10 Questions to Ask a Managed Security Service Provider:  http://www.computerworld.com/securitytopics/security/story/0,10801,89101,00.html

FYI  - Security Begins at Home - Like it or not, your corporate network will soon be everywhere -- maybe even in some employees' kitchens or guest bedrooms.  It might also reach into airports, hotels and McDonald's.  Accompanying all this extended access, though, are heightened security risks.  http://www.computerworld.com/printthis/2004/0,4814,89121,00.html 
Test Your Knowledge: How Prepared Are You to Secure Remote Workers?  http://www.computerworld.com/printthis/2004/0,4814,89085,00.html

FYI - FDIC And FBI Investigating Fraudulent Emails - At approximately 12:00 p.m. (EST) on January 23, 2004, FDIC Consumer Call Centers in Kansas City, Missouri, and Washington, D.C., began receiving a large number of complaints by consumers who received an email that has the appearance of being sent from the FDIC. The email informs the recipient that Department of Homeland Security Director Tom Ridge has advised the FDIC to suspend all deposit insurance on the recipient’s bank account due to suspected violations of the USA PATRIOT Act. www.fdic.gov/news/news/press/2004/pr0604.html

FYI - Fictitious e-mails to financial institution customers, fraudulently claiming to be from the OCC and FDIC in an attempt to obtain sensitive personal and bank account information.  http://www.occ.treas.gov/ftp/alert/2004-2.txt

FYI - Computer Theft Forces Visa Card Reissues - The Hapo Credit Union in Washington State has been forced to reissue Visa credit cards to several hundred people after a computer was stolen from a Visa USA contractor.  http://www.infosecnews.com/sgold/news/2004/01/19_03.htm

FYI - FTC: ID theft on the rise - Identity theft and fraud cost Americans at least $437 million last year, as scam artists made themselves at home on the Internet, according to federal statistics released on Thursday.  http://news.com.com/2100-1029-5145486.html?tag=cd_top



INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships


Agreements

If a financial institution receives compensation from a third party as the result of a weblink to the third-party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:

1)  dissatisfied purchasers of third-party products or services;

2)  patent or trademark holders for infringement by the third party; and

3)  persons alleging the unauthorized release or compromise of their confidential information, as a result of the third-party's conduct.

The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.

In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.

Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations.  For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.


INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Application-Level Firewalls

Application-level firewalls perform application-level screening, typically including the filtering capabilities of packet filter firewalls with additional validation of the packet content based on the application. Application-level firewalls capture and compare packets to state information in the connection tables. Unlike a packet filter firewall, an application-level firewall continues to examine each packet after the initial connection is established for specific applications or services such as telnet, FTP, HTTP, SMTP, etc. The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers. Application-level firewalls provide the strongest level of security, but are slower and require greater expertise to administer properly.

The primary disadvantages of application-level firewalls are:

1)  The time required to read and interpret each packet slows network traffic. Traffic of certain types may have to be split off before the application-level firewall and passed through different access controls.

2)  Any particular firewall may provide only limited support for new network applications and protocols. It may also simply allow traffic from those applications and protocols to pass through the firewall unscreened.
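The distinction above, as an added illustration that is not part of the FFIEC booklet: a stateful packet filter that passes every packet of an established connection unexamined, next to an application-level firewall built on the same connection table that keeps screening SMTP command lines for length, framing, character set and permitted commands. The Packet class, the port numbers and the verdict strings are constructed for this example; traffic on a port the firewall does not understand is passed through, which is the second disadvantage listed.

```python
from dataclasses import dataclass

# Constructed example, not the FFIEC booklet's own code: a stateful packet filter
# beside an application-level firewall that keeps screening SMTP (port 25) payloads.
@dataclass
class Packet:
    src: str              # client address
    dport: int            # destination port
    syn: bool = False     # True for the packet that opens the connection
    payload: bytes = b""  # one application command line per packet (simplification)

SMTP_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT", "RSET", "NOOP"}
SMTP_MAX_LINE = 512       # command-line length limit from RFC 5321

class PacketFilter:
    """Decides on headers plus a connection table; never reads the payload."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.connections = set()

    def check(self, pkt):
        key = (pkt.src, pkt.dport)
        if pkt.syn:
            if pkt.dport not in self.allowed_ports:
                return "DROP:port"
            self.connections.add(key)
            return "ALLOW"
        # Later packets of an established connection pass unexamined.
        return "ALLOW" if key in self.connections else "DROP:no-state"

class ApplicationFirewall(PacketFilter):
    """Same state tracking, but screens every payload of an application it understands."""
    def check(self, pkt):
        verdict = super().check(pkt)
        if verdict != "ALLOW" or not pkt.payload or pkt.dport != 25:
            return verdict  # unknown applications are passed through unscreened
        return screen_smtp(pkt.payload)

def screen_smtp(payload):
    """Reject over-long lines, bad line framing, non-ASCII bytes and unknown commands."""
    if len(payload) > SMTP_MAX_LINE:
        return "DROP:length"
    if not payload.endswith(b"\r\n"):
        return "DROP:malformed-line"
    try:
        command = payload.decode("ascii").split(" ", 1)[0].rstrip("\r\n").upper()
    except UnicodeDecodeError:
        return "DROP:non-ascii"
    return "ALLOW" if command in SMTP_COMMANDS else "DROP:command"
```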



IT SECURITY QUESTION:

C. HOST SECURITY

9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

27. If each joint consumer may opt out separately, does the institution permit:

a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]

b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and

c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated