R. Kinney Williams & Associates

Internet Banking News

November 23, 2003



FYI - Report: Net attacks increasing - Internet attacks are getting more numerous and menacing, network protection company Internet Security Systems concluded in a report released Tuesday.  http://news.com.com/2100-7349_3-5108921.html 

FYI - MIT Just Says No To E-Mailed Executables - Citing security concerns, e-mail administrators at the Massachusetts Institute of Technology (MIT) have reconfigured their mail system to reject e-mail messages that contain executable attachments.  
Article:  http://informationweek.securitypipeline.com/news/showArticle.jhtml?articleId=16100513 
MIT's announcement:  http://mit.edu/services/mail/attachments.html 

FYI - Blackmail latest scam for hackers - As more homes connect to faster delivery systems, their computers are becoming vulnerable to hackers and virus writers who can turn them into "zombie" machines, ready to carry out any malevolent command.  http://www.cnn.com/2003/TECH/internet/11/13/organized.hacking.reut/index.html 

FYI - Bridging the Digital Divide in Security - A technology gap exists in businesses today between the "haves" (deep-pocket enterprises) and the "have nots" (businesses on a budget). In network security, the digital divide proves especially troublesome, as small and medium-sized businesses (SMBs) share the same security needs as the larger enterprise without the same resources.  http://www.infosecnews.com/opinion/2003/11/19_02.htm 

FYI - Embracing Mobility: Three Steps to an Effective Mobile Security Policy  http://www.infosecnews.com/opinion/2003/11/19_03.htm 

FYI - British Employers Cracking Down On Personal Internet Usage - Research just published claims to show that employers are increasingly cracking down on the staff usage of email and the Internet at work.  http://www.infosecnews.com/sgold/news/2003/11/17_05.htm 


FYI - Wireless hacking bust in Michigan - In a rare wireless hacking prosecution, federal officials this week accused two Michigan men of repeatedly cracking the Lowe's chain of home improvement stores' nationwide network from a 1995 Pontiac Grand Prix parked outside a suburban Detroit store.  http://www.securityfocus.com/news/7438 


INTERNET COMPLIANCE
- Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed. 


INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 1 of 3)

Network communications rely on software protocols to ensure the proper flow of information. A protocol is a set of rules that allows communication between two points in a telecommunications connection. Different types of networks use different protocols. The Internet and most intranets and extranets, however, are based on the TCP/IP layered model of protocols. That model has four layers, and different protocols within each layer. The layers, from bottom to top, are the network access layer, the Internet layer, the host-to-host layer, and the application layer. Vulnerabilities and corresponding attack strategies exist at each layer. This becomes an important consideration in evaluating the necessary controls. Hardware and software can use the protocols to restrict network access. Likewise, attackers can use weaknesses in the protocols to attack networks.

The primary TCP/IP protocols are the Internet protocol (IP) and the transmission control protocol (TCP). IP is used to route messages between devices on a network, and operates at the Internet layer. TCP operates at the host-to-host layer, and provides a connection-oriented, full-duplex, virtual circuit between hosts. Different protocols support different services for the network, and the different services often introduce additional vulnerabilities. For example, a third protocol, the user datagram protocol (UDP), is also used at the host-to-host layer. Unlike TCP, UDP is not connection-oriented, which makes it faster and a better protocol for supporting broadcast and streaming services. Since UDP is not connection-oriented, however, firewalls often do not effectively filter it. To provide additional safeguards, it is often blocked entirely from inbound traffic, or additional controls are added to verify and authenticate inbound UDP packets as coming from a trusted host.
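The contrast the booklet draws above, between TCP (whose handshake gives a firewall connection state to filter on) and UDP (which has none, so inbound datagrams must be blocked or allow-listed by trusted host), is illustrated by the following toy packet filter. This is an added example written for this newsletter, not code from the FFIEC booklet or any firewall product; the hosts, ports and traffic trace are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool       # True when the packet arrives from the untrusted (Internet) side
    syn: bool = False   # TCP connection-setup flag; has no meaning for UDP

class StatefulFilter:
    """Remembers TCP connections opened from inside and admits only their replies.
    UDP has no handshake to remember, so inbound UDP is admitted only when the
    (source host, destination port) pair is on an explicit trusted list."""
    def __init__(self, trusted_udp):
        self.trusted_udp = set(trusted_udp)   # {(trusted_source_host, local_port), ...}
        self.tcp_conns = set()                # {(inside_host, inside_port, outside_host, outside_port)}

    def decide(self, p: Packet) -> str:
        if p.proto == "tcp":
            if not p.inbound:
                if p.syn:   # an inside host opens a connection: record it
                    self.tcp_conns.add((p.src, p.sport, p.dst, p.dport))
                return "allow"
            # inbound TCP is allowed only as the reply half of a connection opened from inside;
            # an inbound SYN is an unsolicited connection attempt and is dropped
            key = (p.dst, p.dport, p.src, p.sport)
            return "allow" if key in self.tcp_conns and not p.syn else "deny"
        if p.proto == "udp":
            if not p.inbound:
                return "allow"
            # no connection state exists for UDP, so fall back to the trusted-host rules
            return "allow" if (p.src, p.dport) in self.trusted_udp else "deny"
        return "deny"

def run_trace(trace, trusted_udp):
    """Apply the filter to a packet trace in order and return one decision per packet."""
    f = StatefulFilter(trusted_udp)
    return [f.decide(p) for p in trace]

# Constructed sample traffic (documentation-range addresses, not real hosts)
SAMPLE_TRACE = [
    Packet("tcp", "10.0.0.5", 40001, "203.0.113.9", 443, inbound=False, syn=True),  # inside opens HTTPS
    Packet("tcp", "203.0.113.9", 443, "10.0.0.5", 40001, inbound=True),            # server's reply
    Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, inbound=True, syn=True),   # unsolicited inbound SYN
    Packet("udp", "203.0.113.20", 514, "10.0.0.5", 514, inbound=True),             # syslog from trusted partner
    Packet("udp", "198.51.100.7", 514, "10.0.0.5", 514, inbound=True),             # same port, untrusted host
    Packet("udp", "10.0.0.5", 53000, "203.0.113.53", 53, inbound=False),           # outbound DNS query
]
TRUSTED_UDP = {("203.0.113.20", 514)}
```

Production firewalls approximate UDP state by remembering recent outbound datagrams for a timeout period; the toy leaves that out to show, in its simplest form, why the booklet recommends blocking or host-authenticating inbound UDP.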



IT SECURITY QUESTION:

B. NETWORK SECURITY

19. Evaluate the appropriateness of techniques that prevent the spread of malicious code across the network.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

16. If the institution provides a short-form initial privacy notice according to 6(d)(1), does the short-form initial notice:

a. conform to the definition of "clear and conspicuous"; [6(d)(2)(i)]

b. state that the institution's full privacy notice is available upon request; [6(d)(2)(ii)] and

c. explain a reasonable means by which the consumer may obtain the notice?  [6(d)(2)(iii)]

(Note: the institution is not required to deliver the full privacy notice with the short-form initial notice. [6(d)(3)])


INTERNET AUDITING SERVICES
- R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions.  With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA).  You will find information about VISTA at  http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated