R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

February 1, 2004

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - FTC eyes network operators in spam battle - The Federal Trade Commission and its counterparts in 26 other nations began sending e-mail to tens of thousands of people believed to be responsible for open relays and open proxies that spammers use as broadcast points for massive amounts of junk mail.  
http://news.com.com/2100-7355-5150455.html?tag=cd_top

FYI - Inspector General cuffs IRS security staff for performance woes - IRS system administrators and security specialists continue to fumble and allow system vulnerabilities because accountability for carrying out security tasks and training is insufficient, a new inspector general’s report contends.  
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24661

FYI - Bank group offers guidelines on outsourcing security risks - A consortium of the country's top financial services firms last week published a set of industry guidelines to use in evaluating the security risks of IT outsourcing deals.
http://www.computerworld.com/printthis/2004/0,4814,89381,00.html  
You will find the 125 page report at at http://www.bitsinfo.org/bits2003framework.pdf

FYI - NIST releases telnet, IT security drafts - Draft documents on computer security released by the National Institute of Standards and Technology give an example of how unauthorized telnet users simply identify themselves as a guest to gain access to sensitive government files. 
News article:  http://www.fcw.com/fcw/articles/2004/0119/web-nist-01-23-04.asp
Computer Security: http://csrc.nist.gov/publications/drafts/SP800-27-RevA-Draft.pdf
Risk Management Guide for Information Technology Systems: http://csrc.nist.gov/publications/drafts/SP800-30-RevA-draft.pdf

FYI - Internet Fraud Tops FTC Complaints List - Reports of Internet-related fraud accounted for 55 per cent of consumer complaints filed with the Federal Exchange Commission (FTC) during 2003, the agency has announced.  http://www.infosecnews.com/sgold/news/2004/01/28_03.htm

Return to the top of the newsletter

INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.

Disclaimers and Disclosures

Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy polices do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.

In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.

A "pop up" is a screen generated by mobile code, for example Java or Active X, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile codes.

In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer.
Return to the top of the newsletter

INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Firewall Services and Configuration

Firewalls may provide some additional services:

! Network address translation (NAT) - NAT readdresses outbound packets to mask the internal IP addresses of the network. Untrusted networks see a different host IP address from the actual internal address. NAT allows an institution to hide the topology and address schemes of its trusted network from untrusted networks.

! Dynamic host configuration protocol (DHCP) - DHCP assigns IP addresses to machines that will be subject to the security controls of the firewall.

! Virtual Private Network (VPN) gateways - A VPN gateway provides an encrypted tunnel between a remote external gateway and the internal network. Placing VPN capability on the firewall and the remote gateway protects information from disclosure between the gateways but not from the gateway to the terminating machines.  Placement on the firewall, however, allows the firewall to inspect the traffic and perform access control, logging, and malicious code scanning.

One common firewall implementation in financial institutions hosting Internet applications is a DMZ, which is a neutral Internet accessible zone typically separated by two firewalls. One firewall is between the institution’s private network and the DMZ and then another firewall is between the DMZ and the outside public network. The DMZ constitutes one logical security domain, the outside public network is another security domain, and the institution’s internal network may be composed of one or more additional logical security domains. An adequate and effectively managed firewall can ensure that an institution’s computer systems are not directly accessible to any on the Internet. 

Financial institutions have a variety of firewall options from which to choose depending on the extent of Internet access and the complexity of their network. Considerations include the ease of firewall administration, degree of firewall monitoring support through automated logging and log analysis, and the capability to provide alerts for abnormal activity.

Return to the top of the newsletter

IT SECURITY QUESTION:

C. HOST SECURITY

10. Determine if vulnerability testing takes place after each configuration change.  

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [§7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)] 

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.
4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

  

Please visit our other web sites:
 VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated