Internet Banking News

February 18, 2007

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Infrastructure security on GAO's high-risk list - Programs designed to safeguard the nation's critical infrastructures including federal computer systems, remain a "continuing concern," the Government Accountability Office reported today. http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=43029

FYI - TJX Stored Customer Data, Violated Visa Payment Rules - The company, whose assets include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods locations, was storing customer cardholder information in violation of Visa and MasterCard's Payment Card Industry Data Security Standard, according to a number of documents sent during the past few weeks by Visa to financial institutions that issue cards and manage credit and debit card transactions. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=197001447

FYI - Former Ark. governor hit with ethics complaint over destroyed hard drives - Huckabee ordered that drives from 87 state computers be destroyed - Former Gov. Mike Huckabee, who ordered the destruction of a number of computer hard drives before leaving office last month, is now the subject of an ethics complaint because of his actions. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=government&articleId=9010162&taxonomyId=13&intsrc=kc_top

MISSING COMPUTERS/DATA

FYI - Bank Sends Stephanie 75,000 Other Accounts - A Bank has launched an investigation after a customer was sent confidential details for 75,000 other accounts. Stephanie McLaughlan received five packages by post containing the names, sort codes, account numbers and details of transactions of Halifax Bank of Scotland customers after requesting her own statement. http://www.thisisnorthscotland.co.uk/displayNode.jsp?nodeId=149664&command=displayContent&sourceNode=149490&contentPK=16523463&folderPk=85696&pNodeId=149221

FYI - I Am a Victim - How Notre Dame put my SSN on the Internet. Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. "We have no evidence to date that this information was used inappropriately," the school wrote, but I might want to take "prudent ... precautions" by periodically checking my credit report with the three major bureaus. http://www.technologyreview.com/printer_friendly_blogPost.aspx?id=17512

FYI - Customers upset by online breach - Stacy Cardinal says it's unsettling that computer hackers might have had access to her bank account and Social Security numbers. But she's confident her credit union will protect her from any resulting threat. http://www.burlingtonfreepress.com/apps/pbcs.dll/article?AID=/20070201/BUSINESS/702010324/1003&theme=

FYI - More VA data lost... Laptop encryption anyone? - A Portable hard drive with potentially 48,000 veterans information is missing from a VA medical facility in Birmingham Alabama. In an interesting development, Rep Spencer Bachus, R-Ala. said that over half of the information was not encrypted. This implies that just under half were... I wonder what solution they are using.
http://isc.sans.org/diary.html?storyid=2169
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010302&source=rss_topic17

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (3of 12)

Elements of an Incident Response Program

Although the specific content of an IRP will differ among financial institutions, each IRP should revolve around the minimum procedural requirements prescribed by the Federal bank regulatory agencies. Beyond this fundamental content, however, strong financial institution management teams also incorporate industry best practices to further refine and enhance their IRP. In general, the overall comprehensiveness of an IRP should be commensurate with an institution's administrative, technical, and organizational complexity.

Minimum Requirements

The minimum required procedures addressed in the April 2005 interpretive guidance can be categorized into two broad areas: "reaction" and "notification." In general, reaction procedures are the initial actions taken once a compromise has been identified. Notification procedures are relatively straightforward and involve communicating the details or events of the incident to interested parties; however, they may also involve some reporting requirements. Below lists the minimum required procedures of an IRP as discussed in the April 2005 interpretive guidance.

Develop reaction procedures for:

1) assessing security incidents that have occurred;
2) identifying the customer information and information systems that have been accessed or misused; and
3)containing and controlling the security incident.

Establish notification procedures for:

1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious Activity Reports [SARs], if necessary); and
3) affected customers.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

A maxim of security is "prevention is ideal, but detection is a must." Security systems must both restrict access and protect against the failure of those access restrictions. When those systems fail, however, an intrusion occurs and the only remaining protection is a detection - and - response capability. The earlier an intrusion is detected, the greater the institution's ability to mitigate the risk posed by the intrusion. Financial institutions should have a capability to detect and react to an intrusion into their information systems.

INTRUSION DETECTION

Preparation for intrusion detection generally involves identifying data flows to monitor for clues to an intrusion, deciding on the scope and nature of monitoring, implementing that monitoring, and establishing a process to analyze and maintain custody over the resulting information. Additionally, legal requirements may include notifications of users regarding the monitoring and the extent to which monitoring must be performed as an ordinary part of ongoing operations.

Adequate preparation is a key prerequisite to detection. The best intrusion detection systems will not identify an intrusion if they are not located to collect the relevant data, do not analyze correct data, or are not configured properly. Even if they detect an intrusion, the information gathered may not be usable by law enforcement if proper notification of monitoring and preservation of data integrity has not taken place.

Return to the top of the newsletter

IT SECURITY QUESTION: INTRUSION DETECTION AND RESPONSE

1. Identify controls used to detect and respond to unauthorized activities.

! Review the schematic of the information technology systems for common intrusion detection systems.
! Review security procedures for daily and periodic report monitoring to identify unauthorized or unusual activities.
! Identify IT architectural design and intrusion detection systems that increase management's confidence that security is maintained (e.g., through the use of routers, host-based security, data segregation and information flows).

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13-15, unless:

a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]

b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]

c. it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and

d. the consumer has not opted out? [§10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])