R. Kinney Williams & Associates

Internet Banking News

August 17, 2003



FYI - Security spending set to soar - Companies will spend $13.5bn on security products in 2006, up from $7.1bn last year, according to analyst Datamonitor. http://www.vnunet.com/News/1142897

FYI - Encryption mandate puts strain on financial IT - A mandate by credit card companies and related funds-transfer networks to upgrade the security of electronic transactions will cost the banking and retail industries billions of dollars in hardware and software and require several years of intensive work to complete. http://computerworld.com/printthis/2003/0,4814,83685,00.html

FYI - A computer hacker gained access to private files at Acxiom Corp., one of the world's largest consumer database companies, and was able to download sensitive information about some customers of the company's clients, the company said Thursday. http://www.washingtonpost.com/ac2/wp-dyn/A31921-2003Aug7?language=printer

FYI - Companies' poor security policies hamper police investigations into computer crime - Police forces are having to abandon investigations into computer crimes committed by employees at work because employers are failing to enforce their security policies, a senior detective revealed last week. http://www.computerweekly.com/articles/article.asp?liArticleID=123928


INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships


Agreements

If a financial institution receives compensation from a third party as the result of a weblink to the third party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:

1)  dissatisfied purchasers of third-party products or services;

2)  patent or trademark holders for infringement by the third party; and

3)  persons alleging the unauthorized release or compromise of their confidential information as a result of the third party's conduct.

The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.

In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.

Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations. For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.


INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION -
Shared Secret Systems (Part 2 of 2)

Weaknesses in shared secret mechanisms generally relate to the ease with which an attacker can discover the secret. Attack methods vary.

- A dictionary attack is one common and successful way to discover passwords. In a dictionary attack, the attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords.

Controls against dictionary attacks include securing the password file from compromise, detection mechanisms to identify a compromise, heuristic intrusion detection to detect differences in user behavior, and rapid reissuance of passwords should the password file ever be compromised. While extensive character sets and storing passwords as one-way hashes can slow down a dictionary attack, those defensive mechanisms primarily buy the financial institution time to identify and react to the password file compromise.

- An additional attack method targets a specific account and submits passwords until the correct password is discovered.

Controls against those attacks are account lockout mechanisms, which commonly lock out access to the account after a risk-based number of failed login attempts.

- A variation of the previous attack uses a popular password and tries it against a wide range of usernames.

Controls against this attack on the server are a high ratio of possible passwords to usernames, randomly generated passwords, and scanning the IP addresses of authentication requests and client cookies for submission patterns.

- Password guessing attacks also exist. These attacks generally consist of an attacker gaining knowledge about the account holder and password policies and using that knowledge to guess the password.

Controls include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed. Users with greater authorization or privileges, such as root users or administrators, should have longer, more complex passwords than other users.

- Some attacks depend on patience, waiting until the logged-in workstation is unattended.

Controls include automatically logging the workstation out after a period of inactivity (existing industry practice is no more than 20-30 minutes) and heuristic intrusion detection.

- Attacks can take advantage of automatic login features, allowing the attacker to assume an authorized user's identity merely by using a workstation.

Controls include prohibiting and disabling automatic login features, and heuristic intrusion detection.

- Users' inadvertent or unthinking actions can compromise passwords. For instance, when a password is too complex to readily memorize, the user could write the password down but not secure the paper. Frequently, written-down passwords are readily accessible to an attacker under mouse pads or in other places close to the user's machine. Additionally, attackers frequently are successful in obtaining passwords by using social engineering and tricking the user into giving up their password.

Controls include user training, heuristic intrusion detection, and simpler passwords combined with another authentication mechanism.

- Attacks can also become much more effective or damaging if different network devices share the same or a similar password.

Controls include a policy that forbids the same or similar password on particular network devices.
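Two of the server-side controls above, account lockout after a risk-based number of failed attempts and scanning the sources of authentication requests for submission patterns, can be driven from the authentication log. The following is an added example, not part of the FFIEC booklet or this newsletter; the log format, source addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system): 10.1.1.5
# hammers one account, 192.0.2.77 tries many accounts once each, 10.1.1.9 mistypes once.
SAMPLE_LOG = """\
2003-08-17T09:00:01 src=10.1.1.5 user=jsmith result=FAIL
2003-08-17T09:00:03 src=10.1.1.5 user=jsmith result=FAIL
2003-08-17T09:00:05 src=10.1.1.5 user=jsmith result=FAIL
2003-08-17T09:00:07 src=10.1.1.5 user=jsmith result=FAIL
2003-08-17T09:00:09 src=10.1.1.5 user=jsmith result=FAIL
2003-08-17T09:01:00 src=192.0.2.77 user=alice result=FAIL
2003-08-17T09:01:02 src=192.0.2.77 user=bob result=FAIL
2003-08-17T09:01:04 src=192.0.2.77 user=carol result=FAIL
2003-08-17T09:01:06 src=192.0.2.77 user=dave result=FAIL
2003-08-17T09:01:08 src=192.0.2.77 user=erin result=FAIL
2003-08-17T09:02:00 src=10.1.1.9 user=gina result=FAIL
2003-08-17T09:02:30 src=10.1.1.9 user=gina result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(FAIL|OK)")

def analyze(log_text, lockout_threshold=5, spray_min_users=5, spray_max_per_user=2):
    """Return (accounts_to_lock, spraying_sources) as sorted lists.

    accounts_to_lock: users whose streak of consecutive failures reached
      lockout_threshold (a success resets the streak).
    spraying_sources: sources failing against >= spray_min_users distinct
      usernames with <= spray_max_per_user failures each (one password, many accounts).
    """
    consecutive = defaultdict(int)                        # user -> failure streak
    fails_by_src = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    to_lock = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, user, result = m.groups()
        if result == "FAIL":
            consecutive[user] += 1
            fails_by_src[src][user] += 1
            if consecutive[user] >= lockout_threshold:
                to_lock.add(user)
        else:
            consecutive[user] = 0
    spraying = {src for src, per_user in fails_by_src.items()
                if len(per_user) >= spray_min_users
                and max(per_user.values()) <= spray_max_per_user}
    return sorted(to_lock), sorted(spraying)
```

Note that a pure per-account lockout never fires on the second source, since each username sees only one failure; that is why the booklet lists source-pattern scanning as a separate control.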



INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

6. Determine whether appropriate segregation exists between the responsibility for networks and the responsibility for computer operations.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

4)  Does the institution provide initial notice after establishing a customer relationship only if:

a.  the customer relationship is not established at the customer's election; [§4(e)(1)(i)] or

b.  to do otherwise would substantially delay the customer's transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§4 (e)(1)(ii)]


INTERNET AUDITING SERVICES - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com. We have clients in 38 states and more than 40 years of banking and bank examining experience.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated