Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
March 4, 2007
Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
NCUA Letter to Credit Unions 07-CU-03 - Reminds credit unions
of the upcoming change in the schedule for Daylight Saving Time.
www.ncua.gov/letters/2007/CU/07-CU-03.pdf
FYI -
Daylight Savings Time Change: Risk Management Guidance - Banks may
be exposed to a variety of risks from the upcoming change in the
schedule for Daylight Savings Time.
OCC -
www.occ.treas.gov/ftp/bulletin/2007-9.html
FDIC -
http://www.fdic.gov/news/news/financial/2007/fil07017.html
FYI - Bank Customers
Worldwide - An attack this week that targeted online customers of at
least 50 financial institutions in the U.S., Europe and Asia-Pacific
has been shut down, a security expert said Thursday. The attack was
notable for the extra effort put into it by the hackers, who
constructed a separate look-alike Web site for each financial
institution they targeted.
http://www.pcworld.com/article/129270-1/article.html?tk=nl_dnxnws
FYI -
U.K. company fined over laptop theft - Financial institution failed
to operate effective security measures to protect customers from
data theft, government watchdog agency says. Nationwide Building
Society, a U.K. financial services provider, has been fined $1.9
million after a laptop containing sensitive customer data was stolen
from an employee.
http://news.com.com/U.K.+company+fined+over+laptop+theft/2100-1029_3-6159349.html?tag=cd.top
http://software.silicon.com/security/0,39024888,39165800,00.htm
FYI -
GAO - Federal Deposit Insurance Corporation: Human Capital and Risk
Assessment Programs Appear Sound, but Evaluations of Their
Effectiveness Should Be Improved.
http://www.gao.gov/cgi-bin/getrpt?GAO-07-255
Highlights - http://www.gao.gov/highlights/d07255high.pdf
FYI -
UK firms ignoring disaster recovery - A third of mid-sized companies
have no plans at all, research claims - One in three mid-sized
companies in the UK does not have a disaster recovery plan in place
for their website, according to recent research.
http://www.vnunet.com/vnunet/news/2183550/uk-firms-under-fire-ignoring
FYI -
Cyber crime strikes Irish businesses - The first research into cyber
crime in Ireland shows the problem is widespread and can have
economic repercussions for companies. Like nature, the IT industry
hates a vacuum. In the absence of hard facts on cyber crime in
Ireland we've had a mix of responsible awareness raising, best-guess
estimates from international data and all manner of hype or
conjecture.
http://www.siliconrepublic.com/news/news.nv?storyid=single7798
FYI -
NIST releases info security documents - The National Institute of
Standards and Technology has published two new interagency reports
designed to help auditors, inspectors general and senior management
understand and evaluate information security programs.
http://www.gcn.com/online/vol1_no1/43141-1.html?topic=security&CMP=OTC-RSS
MISSING COMPUTERS/DATA
FYI -
Credit Card Hacking Hits Citibank Korea - Some 20 Citibank Korea
customers have had their credit card information stolen, and it was
used illegally on online shopping malls to purchase products worth
some 50 million won, the bank said Thursday.
http://times.hankooki.com/lpage/biz/200702/kt2007021520235611910.htm
FYI -
Laptop Stolen With 22,000 Kaiser Patients' Data - In yet another
instance of laptop theft potentially endangering personal data,
Kaiser Permanente is in the process of notifying as many as 22,000
patients of a possible breach of their private medical information.
http://cbs5.com/consumer/local_story_045212622.html
FYI -
Spyware-aided hackers arrested in Turkey for online bank robbery -
Turkish police have arrested 17 people who allegedly hacked into
internet banking accounts and stole $300,000. The men are accused of
collaborating with three Russian cybercriminals, who are believed to
have provided them with usernames and passwords stolen from
computers they infected with spyware, Turkish authorities said.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070216/633686/
FYI -
Ex-student faces felony charge in Clay case - Personal, other data
downloaded to iPod - A former Clay High School student was charged
yesterday with a felony after police said he hacked into school
personnel and student files, downloading sensitive information onto
his iPod.
http://toledoblade.com/apps/pbcs.dll/article?AID=/20070214/NEWS03/702140355
FYI -
GED Records Notification - The Iowa Department of Education is
currently investigating an unauthorized access to no more than 600
GED (General Educational Development) records that were contained in
a protected department web application.
http://www.iowa.gov/educate/content/view/897/1051/
FYI -
I-Team Investigation: DMV Security Risk - Anyone who wants a
driver's license must hand over their personal information as a
requirement at the Department of Motor Vehicles. And when you hand
over your personal information to the DMV, you expect it to be safe
and secure. But an audit conducted by the state shows that DMV
computer systems have serious flaws that could jeopardize your
privacy. The I-Team has been looking into the problem and found many
of these problems are not new, some go back as far as 2002.
http://www.klas-tv.com/global/story.asp?s=6090641&ClientType=Printable
WEB SITE COMPLIANCE -
We continue the series on the FDIC Supervisory Insights article on
Incident Response Programs. (5 of 12)
Notification Procedures
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
Institutions should develop procedures for notifying law enforcement
agencies and filing SARs in accordance with their primary Federal
regulator's requirements. Law enforcement agencies may serve
as an additional resource in handling and documenting the incident.
Institutions should also establish procedures for filing SARs in a
timely manner because regulations impose relatively quick filing
deadlines. The SAR form itself may serve as a resource in the
reporting process, as it contains specific instructions and
thresholds for when to file a report. The SAR form instructions also
clarify what constitutes a "computer intrusion" for filing purposes.
Defining procedures for notifying law enforcement agencies and
filing SARs can streamline these notification and reporting
requirements.
Institutions should also address customer notification procedures in
their IRP. When an institution becomes aware of an incident
involving unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to determine
the likelihood that such information has been or will be misused. If
the institution determines that sensitive customer information has
been misused or that misuse of such information is reasonably
possible, it should notify the affected customer(s) as soon as
possible. Developing standardized procedures for notifying customers
will assist in making timely and thorough notification. As a
resource in developing these procedures, institutions should
reference the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the recommended
content of the notification, and the acceptable forms of
notification.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that can
distinguish between normal network traffic and potentially malicious
traffic. Proper tuning of these IDS units is essential to reliable
detection of both known attacks and newly developed attacks. Tuning
of some signature-based units for any particular network may take
an extended period of time, and involve extensive analysis of
expected traffic. If an IDS is not properly tuned, the volume of
alerts it generates may degrade the intrusion identification and
response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as cmd.exe,
are indicators of an attack. The nature of traffic to and from a
server can also serve as a signature. An example is the length of a
session and amount of traffic passed. A signature method meant to
focus on sophisticated attackers is protocol analysis, when the
contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter their network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the effectiveness
of a network IDS. Since a network IDS only reads traffic and does
not decrypt the traffic, encrypted traffic will avoid detection.
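The three signature forms the booklet describes (a URL reference such as cmd.exe, session length and traffic volume, and protocol analysis of ICMP), together with the tuning and encrypted-traffic caveats, as an added Python example that is not code from the FFIEC booklet or this newsletter. The session records, field names and every threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed session records (not real captures): requested URL (None when the
# sensor saw only an encrypted stream), bytes moved, duration in seconds,
# IP protocol number (6 = TCP, 1 = ICMP) and the largest ICMP packet seen.
@dataclass
class Session:
    src: str
    url: Optional[str]
    nbytes: int
    seconds: int
    proto: int
    icmp_len: int = 0

# Signature 1: a URL reference the booklet names as an attack indicator.
URL_SIGNATURES = [re.compile(r"cmd\.exe", re.I)]
# Signature 2: session length and volume; these thresholds are the "tuning"
# knobs and the defaults are assumed, not taken from the booklet.
MAX_BYTES, MAX_SECONDS = 5_000_000, 3600
# Signature 3: protocol analysis; an ICMP packet beyond a typical MTU departs
# from expected behaviour (assumed threshold).
MAX_ICMP_LEN = 1500

def classify(s, max_bytes=MAX_BYTES, max_seconds=MAX_SECONDS):
    """Return the names of the signatures that fire for one session."""
    alerts = []
    # Encrypted traffic: the URL is not visible, so this signature cannot fire.
    if s.url is not None and any(p.search(s.url) for p in URL_SIGNATURES):
        alerts.append("url-signature")
    if s.nbytes > max_bytes or s.seconds > max_seconds:
        alerts.append("traffic-signature")
    if s.proto == 1 and s.icmp_len > MAX_ICMP_LEN:
        alerts.append("protocol-analysis")
    return alerts

def run(sessions, **tuning):
    """Map each source address to the alerts raised against its session."""
    return {s.src: classify(s, **tuning) for s in sessions}

SAMPLE = [
    Session("10.0.0.5", "/scripts/cmd.exe", 1200, 1, 6),
    Session("10.0.0.6", "/index.html", 800, 1, 6),
    Session("10.0.0.7", "/backup/nightly.tar", 6_000_000, 600, 6),  # real nightly copy
    Session("10.0.0.8", None, 9000, 3, 6),                # HTTPS: only ciphertext seen
    Session("10.0.0.9", None, 70000, 1, 1, icmp_len=65000),
]
```

Calling run(SAMPLE) with the default thresholds flags the legitimate backup session as a false positive; run(SAMPLE, max_bytes=10_000_000) is the tuned call for a network where such transfers are expected, and the HTTPS session never matches the URL signature because its content was not visible.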
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
4. Determine whether logs of security-related events are sufficient
to assign accountability for intrusion detection system activities,
as well as support intrusion forensics and IDS.
5. Determine if logs of security-related events are appropriately
secured against unauthorized access, change, and deletion for an
adequate time period, and that reporting to those logs is adequately
protected.
6. Determine if an appropriate process exists to authorize employee
access to intrusion detection systems and that authentication and
authorization controls limit access to and control the access of
authorized individuals.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out? [§10(c)]
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive
opt out.)
PLEASE NOTE: Some of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at examiner@yennik.com if we can be of assistance.