FYI -
Muslim hackers attack Israeli websites as Gaza strikes continue -
Muslim hackers have launched a massive cyberattack, defacing more
than 300 Israeli websites since the Jewish state began pounding
Hamas targets in the Gaza Strip, a computer forensics expert said.
http://www.scmagazineus.com/Muslim-hackers-attack-Israeli-websites-as-Gaza-strikes-continue/article/123467/?DCMP=EMC-SCUS_Newswire
FYI -
Hackers find hole to create rogue digital certificates - Researchers
on Tuesday demonstrated an attack that allowed them to successfully
create a rogue Certification Authority (CA) certificate, which would
be trusted by all web browsers and allow an attacker to impersonate
any website, including those secured by the HTTPS protocol.
http://www.scmagazineus.com/Hackers-find-hole-to-create-rogue-digital-certificates/article/123407/?DCMP=EMC-SCUS_Newswire
http://isc.sans.org/diary.html?storyid=5590&rss
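The rogue CA certificate in the item above was possible because a public CA was still signing certificates with MD5 (the SANS diary linked above has the details). The check a practitioner wants from this story is simple: read the signature algorithm of every certificate a server presents and refuse chains that contain MD5-signed ones. The Python below is an added example written for this newsletter, not code from either article or from the researchers. It parses only the outer DER layout of an X.509 certificate (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and builds its own certificate-shaped sample data so it runs offline; `fake_cert`, `MD5_CERT`, `SHA256_CERT` and `SAMPLE_PEM` are constructed for the demo and are not real certificates. Run it with a PEM chain file as its only argument to check real certificates.

```python
"""Flag X.509 certificates whose signature algorithm is MD5 (or SHA-1) based.

Added example. Only the outer DER layout of a certificate is parsed:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
The DER encoder at the bottom exists only to build constructed sample data.
"""
import base64
import re

# OID -> name for common signature algorithms (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# MD5 is collision-broken (the attack above); SHA-1 is deprecated for signatures.
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content octets into dotted notation (first octet = 40*a + b)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Return the dotted OID found in a certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: not a DER certificate")
    _, _tbs, pos = _read_tlv(cert, 0)        # tbsCertificate (skipped)
    tag, alg, _ = _read_tlv(cert, pos)       # signatureAlgorithm AlgorithmIdentifier
    oid_tag, oid_raw, _ = _read_tlv(alg, 0)  # algorithm OID inside it
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid_raw)


def check_chain(certs_der):
    """Return [(index, algorithm name, weak?)] for each certificate in a chain."""
    report = []
    for i, der in enumerate(certs_der):
        oid = signature_algorithm_oid(der)
        report.append((i, SIG_ALG_NAMES.get(oid, oid), oid in WEAK_SIG_ALGS))
    return report


def load_pem_certs(pem_text):
    """Extract every CERTIFICATE block from PEM text as DER bytes."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split()))
            for b in re.findall(pattern, pem_text, re.S)]


# --- constructed sample data (minimal DER, not real certificates) ------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid):
    """Certificate-shaped DER: SEQUENCE { SEQUENCE{INTEGER 2}, AlgId, BIT STRING }."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 8)
    return _der(0x30, tbs + alg + sig)


MD5_CERT = fake_cert("1.2.840.113549.1.1.4")     # what a rogue-CA attack relies on
SHA256_CERT = fake_cert("1.2.840.113549.1.1.11")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(MD5_CERT).decode() + "\n"
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    chain = load_pem_certs(open(sys.argv[1]).read()) if len(sys.argv) > 1 \
        else [SHA256_CERT, MD5_CERT]
    for idx, name, weak in check_chain(chain):
        print(f"cert[{idx}] signed with {name}: {'WEAK' if weak else 'ok'}")
```

The checker deliberately ignores everything inside tbsCertificate, so it cannot be fooled by a cleverly formed subject or extension; it only answers the one question the attack raises, which hash the issuer used to sign. Flagging the whole chain rather than just the leaf matters because the rogue certificate in the story was an intermediate CA certificate, not a server certificate.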
FYI -
Tell us your holiday plans, banks insist - Crackdown on use of
stolen cards - Credit and debit cardholders are being told by banks
to notify them of their holiday destinations and foreign travel
plans or face having their accounts frozen in moves to combat fraud.
http://www.timesonline.co.uk/tol/news/uk/crime/article5429773.ece
FYI -
Israeli websites hit by pro-Hamas hackers - On Friday, visitors to the
Ynet English site and to the Bank Discount page were redirected to a
page carrying messages against Israel and the US, along with a
propaganda song in Arabic.
http://www.scmagazineuk.com/Israeli-websites-hit-by-pro-Hamas-hackers/article/123490/
FYI -
Data breaches rose dramatically during 2008 - Data breaches
increased dramatically in 2008, according to the nonprofit Identity
Theft Resource Center (ITRC). According to the San Diego-based
organization's breach report for last year, 656 data-loss incidents
occurred by the end of 2008, an increase of 47 percent over 2007's
total of 446.
http://www.scmagazineus.com/Data-breaches-rose-dramatically-during-2008/article/123606/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Phishing scam hits Twitter - Thousands of Twitter users may have had
their accounts hijacked and passwords taken in an ongoing phishing
campaign. The first wave of the campaign surfaced this weekend when
Twitter users began receiving fake direct messages (DMs) stating,
"hey! check out this funny blog about you [URL]," with a link to a
phishing site -- a bogus but legitimate-looking Twitter login page
that attempts to trick users into handing over their username and
password.
http://www.scmagazineus.com/Phishing-scam-hits-Twitter/article/123522/?DCMP=EMC-SCUS_Newswire
http://news.cnet.com/twitter-phishing-scam-may-be-spreading/?part=rss&subj=news&tag=2547-1009_3-0-20
FYI -
CheckFree warns 5 million customers after hack - More customers than
initially thought may have been affected by the Dec. 2 attack,
including those using CheckFree's bill payment service - CheckFree and
some of the banks that use its electronic bill payment service are
notifying more than 5 million customers after criminals took control
of several of the company's Internet domains and redirected customer
traffic to a malicious Web site hosted in Ukraine.
http://www.infoworld.com/article/09/01/07/CheckFree_warns_5_million_customers_after_hack_1.html
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
7. Determine whether systems are protected against malicious software
such as Trojan horses, viruses, and worms.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify
which module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is
applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and
controls, including review of new products and services and controls
over servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including
the use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training
program;
5) Suitability of the compliance audit program for ensuring that:
a) the procedures address all regulatory provisions as applicable;
b) the work is accurate and comprehensive with respect to the
institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to responsible
parties;
e) steps are taken to correct deficiencies and to follow up on
previously identified deficiencies; and
6) Knowledge level of management and personnel.