R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 30, 2011

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

FYI - Work E-Mail Not Protected by Attorney-Client Privilege, Court Says - E-mails between a client and attorney are no longer considered privileged and confidential if the client writes the messages from a work e-mail account, a California court of appeals has ruled. http://www.wired.com/threatlevel/2011/01/email-attorney-client-privilege/

FYI - Protecting the network from inside the firewall - 5 common vulnerabilities that can compromise your network - Today's security appliances do a great job patrolling the network perimeter, but what do you do when the threat is coming from inside the building? http://www.scmagazineus.com/protecting-the-network-from-inside-the-firewall/article/194493/?DCMP=EMC-SCUS_Newswire

FYI - Cybercrime migrating to mobile and Apple, Cisco report - The tide in cybercrime is shifting away from attacks on Windows machines and migrating to the mobile marketplace, according to a just released yearly report from Cisco. http://www.scmagazineus.com/cybercrime-migrating-to-mobile-and-apple-cisco-report/article/194734/

FYI - Carberp banking malware upgrades itself - A piece of banking malware that researchers have been keeping an eye on is adding more sophisticated capabilities to stay hidden on victims' PCs. http://www.computerworld.com/s/article/9206025/Carberp_banking_malware_upgrades_itself?taxonomyId=17

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - UK doctor loses unencrypted laptop containing patient data - Sticks and stones may break my bones but data loss really riles me - A UK doctor faces a disciplinary inquiry after an unencrypted laptop containing confidential patient data was stolen from his home. http://www.theregister.co.uk/2011/01/19/hull_hospital_data_breach_flap/

FYI - Experi-Metal vs. Comerica Case Heads to Trial - A lawsuit headed to court this week over the 2009 cyber theft of more than a half-million dollars from a small metals shop in Michigan could help draw brighter lines on how far banks need to go to protect their business customers from account takeovers and fraud. http://krebsonsecurity.com/2011/01/experi-metal-vs-comerica-case-heads-to-trial/

FYI - Hackers steal $150,000 with malicious job application - Small businesses have a new scam to worry about: criminal job applicants who want to hack into online bank accounts. The U.S. Federal Bureau of Investigation issued a warning about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud. http://www.computerworld.com/s/article/9205562/Hackers_steal_150_000_with_malicious_job_application

FYI - Carbon trading registry suspends ops following hack attack - Smokey and the bandits - A carbon emissions trading registry in Austria has suspended operations until at least 21 January following a hacking attack earlier this month. http://www.theregister.co.uk/2011/01/19/carbon_trading_site_shuts_after_hack_attack/

FYI - Two charged in AT&T-iPad data breach - Two men were charged with computer crimes today for allegedly hacking into AT&T servers and stealing e-mail addresses and other information of about 120,000 iPad users last summer. http://news.cnet.com/8301-27080_3-20028799-245.html

FYI - Speedy Drivers Can Hide From Cops, But Not Hackers - Millions of people who use smartphone software to avoid police speed traps may have fallen into a trap set by hackers instead. Trapster, a GPS-based app that lets iPhone, Android and BlackBerry owners report and view police speed traps on a map, alerted users this week that their passwords may have been stolen in a massive security breach. http://www.wired.com/threatlevel/2011/01/speedy-drivers-can-hide-from-cops-but-not-hackers/


WEB SITE COMPLIANCE - Expedited Funds Availability Act (Regulation CC)

Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.

 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY STRATEGY (2 of 2)

Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.


For example, an institution's management may be assessing the proper strategic approach to intrusion detection for an Internet environment. Two potential approaches were identified for evaluation. The first approach uses a combination of network and host intrusion detection sensors with a staffed monitoring center. The second approach consists of daily access log review. The former alternative is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost. The added cost is entirely appropriate when customer data and institution processing capabilities are exposed to an attack, such as in an Internet banking environment. The latter approach may be appropriate when the primary risk is reputational damage, such as when the only information being protected is an information-only Web site, and the Web site is not connected to other financial institution systems.
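The second, lower-cost alternative above, daily access log review, is worth seeing concretely, because its weakness (it finds an attack only after the day's logs are read) is exactly the trade-off the booklet describes. The script below is an added illustration written for this page; it is not from the FFIEC booklet or from Yennik. The web-server log lines, IP addresses, paths and the two thresholds are constructed for the demonstration and stand for nothing real.

```python
"""Daily access-log review over web-server logs in Apache/NCSA combined format.

Everything here is constructed for illustration: the SAMPLE_LOG lines, the
addresses (RFC 5737 documentation ranges), the paths and the thresholds.
"""
import re
from collections import Counter

# Constructed sample: one day of traffic to a hypothetical information-only
# web site. The last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2011:09:12:01 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2011:09:12:05 -0600] "GET /rates.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Jan/2011:10:01:10 -0600] "GET /admin/ HTTP/1.1" 404 312 "-" "curl/7.19"
198.51.100.23 - - [29/Jan/2011:10:01:11 -0600] "GET /old/ HTTP/1.1" 404 312 "-" "curl/7.19"
198.51.100.23 - - [29/Jan/2011:10:01:12 -0600] "GET /backup/ HTTP/1.1" 404 312 "-" "curl/7.19"
198.51.100.23 - - [29/Jan/2011:10:01:13 -0600] "GET /test/ HTTP/1.1" 404 312 "-" "curl/7.19"
198.51.100.23 - - [29/Jan/2011:10:01:14 -0600] "GET /login.bak HTTP/1.1" 404 312 "-" "curl/7.19"
198.51.100.23 - - [29/Jan/2011:10:01:15 -0600] "GET /config/ HTTP/1.1" 404 312 "-" "curl/7.19"
192.0.2.44 - - [29/Jan/2011:14:30:01 -0600] "POST /login HTTP/1.1" 401 210 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Jan/2011:14:30:04 -0600] "POST /login HTTP/1.1" 401 210 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Jan/2011:14:30:07 -0600] "POST /login HTTP/1.1" 401 210 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Jan/2011:14:30:10 -0600] "POST /login HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2011:16:05:22 -0600] "GET /contact.html HTTP/1.1" 500 0 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

# One combined-format entry: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log entry, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_log(text, max_not_found=5, max_failed_logins=3, login_path="/login"):
    """Summarise one day of logs into reviewer findings.

    Thresholds are assumptions for the demo. Returns a dict with a list of
    (ip, reason, count) findings and the number of lines that did not parse,
    which a reviewer should also look at: gaps in logging are themselves a finding.
    """
    not_found = Counter()       # 404s per client: many of them suggests path probing
    failed_logins = Counter()   # 401s on the login path per client
    later_success = set()       # clients that logged in after reaching the failure threshold
    server_errors = []          # any 5xx response is worth a look
    unparsed = 0

    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        ip, status, path = rec["ip"], rec["status"], rec["path"]
        if status == 404:
            not_found[ip] += 1
        if path == login_path and rec["method"] == "POST":
            if status == 401:
                failed_logins[ip] += 1
            elif status == 200 and failed_logins[ip] >= max_failed_logins:
                later_success.add(ip)
        if 500 <= status <= 599:
            server_errors.append((ip, path, status))

    findings = []
    for ip, n in sorted(not_found.items()):
        if n > max_not_found:
            findings.append((ip, "path probing (404s)", n))
    for ip, n in sorted(failed_logins.items()):
        if n >= max_failed_logins:
            reason = "repeated failed logins"
            if ip in later_success:
                reason += " followed by a successful login"
            findings.append((ip, reason, n))
    for ip, path, status in server_errors:
        findings.append((ip, f"server error {status} on {path}", 1))
    return {"findings": findings, "unparsed_lines": unparsed}


if __name__ == "__main__":
    for ip, reason, count in review_log(SAMPLE_LOG)["findings"]:
        print(f"{ip:16} {count:4}  {reason}")
```

Run against the constructed day, the review flags the client that probed for six non-existent paths, the client whose three failed logins were followed by a success, and the single server error. Every one of those events is a day old by the time anyone reads the report, which is the point of the booklet's comparison: this approach is acceptable for an information-only site that connects to nothing else, and not for an Internet banking environment where a staffed sensor deployment can react while the attack is still under way.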

Strategies should consider the layering of controls. Excessive reliance on a single control could create a false sense of confidence. For example, a financial institution that depends solely on a firewall can still be subject to numerous attack methodologies that exploit authorized network traffic. Financial institutions should design multiple layers of security controls and testing to establish several lines of defense between the attacker and the asset being attacked. To successfully attack the data, each layer must be penetrated. With each penetration, the probability of detecting the attacker increases.

Policies are the primary embodiment of strategy, guiding decisions made by users, administrators, and managers, and informing those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance in acquiring, configuring, and auditing information systems. Key actions that contribute to the success of a security policy are:

1)  Implementing through ordinary means, such as system administration procedures and acceptable-use policies;

2)  Enforcing policy through security tools and sanctions;

3)  Delineating the areas of responsibility for users, administrators, and managers;

4)  Communicating in a clear, understandable manner to all concerned;

5)  Obtaining employee certification that they have read and understood the policy;

6)  Providing flexibility to address changes in the environment; and

7)  Conducting an annual review and approval by the board of directors.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

21. Does the institution provide the consumer with the following information about the right to opt out:

a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]

b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)];

c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and

d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated