R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 1, 2009

CONTENT Internet Compliance Information Systems Security
IT Security Question
 		 Internet Privacy
 		 Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - More than 150 banks affected by Heartland data breach thus far - List compiled by BankInfoSecurity.com includes banks in 40 states, Canada, Bermuda and Guam - The number of financial institutions that have said they were affected by the data breach disclosed last month by Heartland Payment Systems Inc. is growing longer by the day and now includes banks in 40 states as well as Canada, Bermuda and Guam, according to the BankInfoSecurity.com news portal.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127822&source=rss_topic17
http://www.theregister.co.uk/2009/02/12/heartland_data_breach_latest/

FYI - Officials look to contain FAA information security breach - FAA is working to stem concerns regarding the agency's disclosure on Monday that a hacker was able to access Social Security numbers and other personal information of 45,000 agency employees and retirees, a senior agency official told lawmakers. http://www.nextgov.com/nextgov/ng_20090212_2113.php

FYI - Medical data leakage rampant on P2P networks - The risk of patient information disclosures on peer-to-peer (P2P) networks is much higher than if a health care worker loses a laptop or removable storage device, according to new Dartmouth College research. http://www.scmagazineus.com/Medical-data-leakage-rampant-on-P2P-networks/article/127216/

FYI - Florida Arrests 3 in Heartland Breach - The first arrests in connection with the recently disclosed breach at Heartland Payment Systems have been made. http://www.pcworld.com/article/159573/article.html?tk=nl_dnxnws
http://www.bankinfosecurity.com/articles.php?art_id=1210

FYI - Government computers under attackRecords show that cyberattacks on federal computer networks increased 40 percent last year, and that figure is likely low as it reflects only the reported attacks. http://www.scmagazineus.com/Government-computers-under-attack/article/127464/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Los Alamos computers go missing - Sixty-nine computers are missing or were stolen from the Los Alamos National Laboratory, a national security research institution in New Mexico, according to an internal memo released by a government watchdog. http://www.scmagazineus.com/Los-Alamos-computers-go-missing/article/127281/?DCMP=EMC-SCUS_Newswire

FYI - UA says probe continues of '08 hacking - Someone illegally gained access to 17 computer servers at the University of Alabama in November 2008, a UA official said. http://www.tuscaloosanews.com/article/20090214/NEWS/902130209/1007?Title=UA_says_probe_continues_of__08_hacking

Return to the top of the newsletter

WEB SITE COMPLIANCE - Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers.  The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means.  The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s).  The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous."  Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers " and "hotlinks" that will automatically present the disclosures to customers when selected.  A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

EXAMPLES OF ENCRYPTION USES

Asymmetric encryption is the basis of PKI, or public key infrastructure. In theory, PKI allows two parties who do not know each other to authenticate each other and maintain the confidentiality, integrity, and accountability for their messages. PKI rests on both communicating parties having a public and a private key, and keeping their public keys registered with a third party they both trust, called the certificate authority, or CA. The use of and trust in the third party is a key element in the authentication that takes place. For example, assume individual A wants to communicate with individual B. A first hashes the message, and encrypts the hash with A's private key. Then A obtains B's public key from the CA, and encrypts the message and the hash with B's public key. Obtaining B's public key from the trusted CA provides A assurance that the public key really belongs to B and not someone else. Using B's public key ensures that the message will only be able to be read by B. When B receives the message, the process is reversed. B decrypts the message and hash with B's private key, obtains A's public key from the trusted CA, and decrypts the hash again using A's public key. At that point, B has the plain text of the message and the hash performed by A. To determine whether the message was changed in transit, B must re - perform the hashing of the message and compare  the newly computed hash to the one sent by A. If the new hash is the same as the one sent by A, B knows that the message was not changed since the original hash was created (integrity). Since B obtained A's public key from the trusted CA and that key produced a matching hash, B is assured that the message came from A and not someone else (authentication).

Various communication protocols use both symmetric and asymmetric encryption. Transaction layer security (TLS, the successor to SSL) uses asymmetric encryption for authentication, and symmetric encryption to protect the remainder of the communications session. TLS can be used to secure electronic banking and other transmissions between the institution and the customer. TLS may also be used to secure e - mail, telnet, and FTP sessions. A wireless version of TLS is called WTLS, for wireless transaction layer security.

Virtual Private Networks (VPNs) are used to provide employees, contractors, and customers remote access over the Internet to institution systems. VPN security is provided by authentication and authorization for the connection and the user, as well as encryption of the traffic between the institution and the user. While VPNs can exist between client systems, and between servers, the typical installation terminates the VPN connection at the institution firewall. VPNs can use many different protocols for their communications. Among the popular protocols are PPTP (point - to - point tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use different authentication methods, and different components on the host systems. Implementations between vendors, and between products, may differ. Currently, the problems with VPN implementations generally involve interfacing a VPN with different aspects of the host systems, and reliance on passwords for authentication.

IPSec is a complex aggregation of protocols that together provide authentication and confidentiality services to individual IP packets. It can be used to create a VPN over the Internet or other untrusted network, or between any two computers on a trusted network. Since IPSec has many configuration options, and can provide authentication and encryption using different protocols, implementations between vendors and products may differ. Secure Shell is frequently used for remote server administration. SSH establishes an encrypted tunnel between a SSH client and a server, as well as authentication services.

Disk encryption is typically used to protect data in storage.

Return to the top of the newsletter

IT SECURITY QUESTION:

 F. PERSONNEL SECURITY

 2. Determine if the institution includes in its terms and conditions of employment the employee's responsibilities for information security.

 Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, and 14 and/or 15 but not outside of these exceptions (Part 2 of 2)

B. Presentation, Content, and Delivery of Privacy Notices 

1)  Review the financial institution's initial and annual privacy notices. Determine whether or not they:

a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1)); 

b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information and contain examples as applicable (§§6, 13).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

a.  Timeliness of delivery (§4(a)); and

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9).

c.  For customers only, review the timeliness of delivery (§§4(d), 4(e), and 5(a)), means of delivery of annual notice §9(c)), and accessibility of or ability to retain the notice (§9(e)).

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.
4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

  

Please visit our other web sites:
 VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated