As you can see, I have changed the introduction by adding links to
the subject categories. One of our subscribers emailed me that
the content was getting large and was there some way to find the
subject categories easier. I want to give a special thanks to
the subscriber for the comments. The links only work if you
are receiving your emails in html format. I hope that the links are
helpful to all subscribers. If you have a suggestion, please
email me your ideas.
Thanks for your subscription,
Kinney
FYI - The accused students used a sophisticated computer program
which is able to detect the keystrokes used in typing in a password
and transfer the information to a website, "ispynow.com," so the
information could be accessed from a remote site. http://www.stoughtonnews.com/news.cfm?num=3471
FYI - WLAN Insecurity Remains a Threat - AirDefense Inc., a wireless
LAN security company, set up one of its sensors on the show floor at
last week's Networld+Interop show in Las Vegas, and in just two
hours of monitoring found 230 wireless access points, including 92
that were transmitting their traffic in the clear without
encryption. http://www.eweek.com/article2/0,3959,1072266,00.asp
FYI - First Union Hoax on the Loose - A hoax e-mail purporting to
come from First Union Bank and attempting to dupe recipients to
visit a malicious Web site is making the rounds on the
Internet. http://www.eweek.com/article2/0,3959,1068224,00.asp
FYI - Bank Web Site Scam Spreads - Bank of America has warned its
customers to be aware of a scam which attempts to get them to log in
to a fake Web site which then captures their personal financial
details. http://www.pcworld.com/news/article/0,aid,110725,tk,dn051403X,00.asp
FYI - 800 Visa cards blocked; Credit union responds to data hacking
- Someone hacked into a merchant's computer system, compromising
information on cards and leaving some bank and credit-union
customers without use of cards with the Visa logo. http://www.timesdispatch.com/business/MGB6S1MMEFD.html
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary
(OSC) also clarifies that terminal receipts are unnecessary for
transfers initiated on-line. Specifically, the OSC provides
that, because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
Additionally, the regulations clarify that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization
via a home banking system. To satisfy the regulatory requirements,
the institution must have some means to identify the consumer (such
as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or
other visual display that enables the consumer to read the
communication from the institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (2 of 2)
Since specific scenarios can become too numerous for financial
institutions to address individually, various techniques are used to
generalize and extend the scenarios. For instance, one technique
starts with a specific scenario and looks at additional damage that
could occur if the attacker had different knowledge or motivation.
This technique allows the reviewers to see the full extent of risk
that exists from a given vulnerability. Another technique aggregates
scenarios by high-value system components.
Scenarios should consider attacks against the logical security,
physical security, and combinations of logical and physical attacks.
In addition, scenarios could consider social engineering, which
involves manipulation of human trust by an attacker to obtain access
to computer systems. It is often easier for an attacker to obtain
access through manipulation of one or more employees than to perform
a logical or physical intrusion.
The risk from any given scenario is a function of the probability of
the event occurring and the impact on the institution. The
probability and impact are directly influenced by the financial
institution's business profile, the effectiveness of the financial
institution's controls, and the relative strength of controls when
compared to other industry targets.
The probability of an event occurring is reflected in one of two
ways. If reliable and timely probability data is available,
institutions can use it. Since probability data is often limited,
institutions can assign a qualitative probability, such as frequent,
occasional, remote, and improbable.
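As an added illustration (my own example, not text from the FFIEC booklet), the following Python script models the two scenario techniques above: risk as probability times impact using the booklet's qualitative probability levels, extending a scenario by assuming an attacker with more knowledge, and aggregating scenarios by high-value system component. The numeric weights, impact scale and sample scenarios are constructed for the example.

```python
# Added example (not from the FFIEC booklet or this newsletter): a small
# scenario-based risk model following the Analyze Information step.
# Probability weights, impact scale and sample scenarios are constructed.
from dataclasses import dataclass, replace

# Qualitative probability levels named in the booklet, mapped to constructed
# numeric weights so scenarios can be ranked and aggregated.
PROBABILITY = {"frequent": 0.9, "occasional": 0.5, "remote": 0.2, "improbable": 0.05}

@dataclass(frozen=True)
class Scenario:
    name: str
    component: str      # high-value system component the scenario targets
    vector: str         # "logical", "physical", "social" or a combination
    probability: str    # one of the PROBABILITY keys
    impact: int         # constructed 1..5 impact scale for the institution

def risk(s: Scenario) -> float:
    """Risk as a function of probability and impact."""
    return PROBABILITY[s.probability] * s.impact

def escalate(s: Scenario, extra_impact: int) -> Scenario:
    """First technique: same vulnerability, but assume an attacker with more
    knowledge or motivation, so the damage that could occur is larger."""
    return replace(s, name=s.name + " (insider-level knowledge)",
                   impact=min(5, s.impact + extra_impact))

def aggregate_by_component(scenarios) -> dict:
    """Second technique: roll scenarios up by high-value system component."""
    totals = {}
    for s in scenarios:
        totals[s.component] = totals.get(s.component, 0.0) + risk(s)
    return totals

# Constructed sample scenarios covering logical, physical and social vectors.
SCENARIOS = [
    Scenario("guessed teller password", "core banking", "logical", "occasional", 3),
    Scenario("stolen backup tape", "core banking", "physical", "remote", 4),
    Scenario("help desk reset via pretext call", "online banking", "social", "frequent", 3),
    Scenario("web server defacement", "public web site", "logical", "occasional", 2),
]

def ranked(scenarios):
    """Scenarios ordered highest risk first, with escalated variants of the
    logical scenarios added to show the full extent of each vulnerability."""
    extended = list(scenarios) + [escalate(s, 2) for s in scenarios if s.vector == "logical"]
    return sorted(extended, key=risk, reverse=True)

if __name__ == "__main__":
    for s in ranked(SCENARIOS):
        print(f"{risk(s):4.2f}  {s.component:14} {s.vector:9} {s.name}")
    print(aggregate_by_component(SCENARIOS))
```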
Frequently, TSPs perform some or all of the institution's
information processing and storage. Reliance on a third party for
hosting systems or processing does not remove the institution's
responsibility for securing the information. It does change how the
financial institution will fulfill its role. Accordingly, risk
assessments should evaluate the sensitivity of information
accessible to or processed by TSPs, the importance of the processing
conducted by TSPs, communications between the TSP's systems and the
institution, contractually required controls, and the testing of
those controls. Additional vendor management guidance is contained
in the FFIEC's statement on "Risk Management of Outsourced
Technology Services," dated November 28, 2000.
INFORMATION SECURITY
QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
4. Determine if all authenticators (e.g., passwords, shared secrets)
are protected while in storage and during transmission to prevent
disclosure.
• Identify processes and areas where authentication information
may be available in clear text and evaluate the effectiveness of
compensating risk management controls.
• Identify the encryption used and whether one-way hashes are
employed to secure the clear text from anyone, authorized or
unauthorized, who accesses the authenticator storage area.
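As an added example (my own code, not part of the examination question), the Python below puts the two bullets into practice: a simple scan that flags lines where a password or shared secret appears in clear text, and a salted one-way hash (PBKDF2-HMAC from the standard library) for storing authenticators so that whoever reaches the storage area does not obtain the clear text. The field names, sample lines and iteration count are constructed for the example.

```python
# Added example (not from the FFIEC question or this newsletter): checks that
# follow the two examination bullets. Sample lines, field names and the
# work factor are constructed; hashing uses PBKDF2-HMAC from the stdlib.
import hashlib, hmac, os, re

# Bullet 1: flag places where an authenticator may sit in clear text
# (constructed patterns for config files, logs and URL query strings).
CLEAR_TEXT = re.compile(
    r"(?i)\b(password|passwd|pwd|shared[_ ]secret|secret)\s*[=:]\s*\S+")

def find_clear_text(lines):
    """Return (line number, matched text) for each line exposing a secret."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CLEAR_TEXT.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits

# Bullet 2: store only a salted one-way hash, never the clear text.
ITERATIONS = 600_000   # constructed work factor; tune to your hardware

def hash_authenticator(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_authenticator(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed sample lines: two clear-text exposures, one hashed entry.
SAMPLE_LINES = [
    "db.host=core-db.example.test",
    "db.password=Winter2003!",
    "2003-05-20 10:15:01 GET /login?user=jsmith&pwd=hunter2 200",
    "user=jsmith hash=pbkdf2_sha256$600000$...",
]

if __name__ == "__main__":
    for n, text in find_clear_text(SAMPLE_LINES):
        print(f"line {n}: clear-text authenticator: {text}")
    stored = hash_authenticator("Winter2003!")
    print(verify_authenticator("Winter2003!", stored), verify_authenticator("x", stored))
```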
INTERNET PRIVACY - We continue covering various issues in the
"Privacy of Consumer Financial Information" published by the
financial regulatory agencies in May 2001.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instructions to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses
in the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment
for corrective action.
PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet
auditing regarding web site compliance and penetration-vulnerability
testing. Visit http://www.bankwebsiteaudits.com
for more information about web site audits. For information
regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/
or email Kinney Williams at examiner@yennik.com.