R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 15, 2009

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI -
SEC, FTC investigating Heartland after data theft - The company also faces a class-action suit - Federal agencies, including the U.S. Federal Trade Commission and the U.S. Securities and Exchange Commission, have begun investigating Heartland Payment Systems following a massive data breach at the payment processing company. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128658&source=rss_topic17

FYI -
FCC threatens 600 operators with fines over data protection rules - Operators haven't provided proof that they protect customer data, agency says - The U.S. Federal Communications Commission may fine 600 operators for failing to properly file annual reports proving that they protect customer data. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128663&source=rss_topic17

FYI -
FAA will use software to identify sensitive data - The Federal Aviation Administration (FAA) plans to implement software designed to look for personally identifiable information in computer systems so the agency can have a more thorough inventory of its sensitive data, a FAA senior official has said. http://fcw.com/Articles/2009/02/25/FAA-software.aspx

FYI -
Banking ID theft reaching epidemic proportions - The amount of malware aimed at financial identity theft is bigger than ever, Sean-Paul Correll, a threat researcher at PandaLabs, wrote in a post on the PandaLabs blog of Panda Security. http://www.scmagazineus.com/Banking-ID-theft-reaching-epidemic-proportions/article/128082/?DCMP=EMC-SCUS_Newswire

FYI -
Layoff backlash: Five steps to protect your business from angry ex-employees - Layoffs can spark destructive behavior. Take these steps to protect your company. A senior corporate executive leaves the company, taking with him his framed family photographs, his prized gold pen-and-pencil set -- and the passwords of several hundred employees. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=operating_systems&articleId=333732&taxonomyId=89&intsrc=kc_feat

FYI -
Encryption demands: Ignored by quarter of MoD contractors - Companies working on confidential UK defence information are not complying with government demands to encrypt data. http://www.silicon.com/research/specialreports/protecting-enterprise-data/encryption-demands-ignored-by-quarter-of-mod-contractors-39398413.htm

FYI -
SANS - Twenty Important Controls for Effective Cyber Defense and FISMA Compliance http://www.csis.org/media/csis/pubs/090223_cag_1_0_draft4.1.pdf

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Prime Minister's health records breached in database attack - Personal medical records belonging to Scotland's rich and powerful - including Prime Minister Gordon Brown and Holyrood's First Minister Alex Salmond - have been illegally accessed in a breach of a national database that holds details of 2.5 million people. http://www.theregister.co.uk/2009/03/02/nhs_database_breach/

FYI -
Visa: New payment-processor data breach not so new after all - Company says recent breach alerts involved ongoing probe of earlier system intrusion - Days after Visa Inc. seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems Inc. and RBS WorldPay Inc., the credit card company is now saying that there was no new security incident after all. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128743&source=rss_topic17


WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC), an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.  Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.


Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.


 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

CONTROLS TO PROTECT AGAINST MALICIOUS CODE

Typical controls to protect against malicious code use technology, policies and procedures, and training. Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or potentially dangerous behavioral characteristics. Differences between products exist in detection capabilities and the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures generally are ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection.

Signature-based anti-virus products scan for unique components of certain known malicious code. Since new malicious code is created daily, the signatures need to be updated continually. Different vendors of anti-virus products update their signatures on different frequencies. When an update appears, installing the update on all of an institution's computers may involve automatically pushing the update to the computers, or requesting users to manually obtain the update.

Heuristic anti-virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code.

Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any Active-X or Java applets. A more refined strategy might block based on certain characteristics of known code.
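The two strategies the booklet describes, a blanket block on executable attachments and applets and a more refined block keyed on characteristics of known code, can both be expressed as a small gateway filter. The following is an added example written for this newsletter, not code from the FFIEC booklet or any vendor product; the extension list, the magic-byte table and the single "known bad" digest are constructed for illustration, and the digest is computed from a made-up byte string rather than any real indicator.

```python
import hashlib

# Constructed policy for the "general strategy": attachment extensions that are
# refused outright, including Java applet and ActiveX container types.
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta",
    ".class", ".jar",          # Java applets
    ".ocx", ".cab",            # ActiveX controls
}

# Leading bytes that identify executable content whatever the file is named,
# so renaming "setup.exe" to "statement.pdf" does not evade the check.
MAGIC_SIGNATURES = (
    (b"MZ", "Windows PE executable"),
    (b"\xca\xfe\xba\xbe", "Java class file"),
    (b"\x7fELF", "ELF executable"),
)

# Constructed "refined strategy" list: SHA-256 digests of attachments already
# identified as malicious. The single entry is a placeholder computed from a
# constructed byte string, not a real indicator.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed sample of a known bad attachment").hexdigest(),
}


def classify_attachment(filename, content, known_bad=KNOWN_BAD_SHA256):
    """Decide whether one attachment may pass the gateway.

    Returns a dict with 'allowed' (bool) and 'reason' (str). Checks run in
    order: extension, then magic bytes, then digest against the known-bad list.
    """
    lowered = filename.lower().strip()
    dot = lowered.rfind(".")
    ext = lowered[dot:] if dot != -1 else ""
    if ext in BLOCKED_EXTENSIONS:
        return {"allowed": False, "reason": f"blocked extension {ext}"}

    for magic, label in MAGIC_SIGNATURES:
        if content.startswith(magic):
            return {"allowed": False, "reason": f"{label} content in {filename}"}

    digest = hashlib.sha256(content).hexdigest()
    if digest in known_bad:
        return {"allowed": False, "reason": "matches known malicious digest"}

    return {"allowed": True, "reason": "no blocking rule matched"}


def filter_message(attachments):
    """Apply classify_attachment to a list of (filename, bytes) pairs and
    return the names of the attachments the gateway would strip."""
    return [name for name, data in attachments
            if not classify_attachment(name, data)["allowed"]]


if __name__ == "__main__":
    # Constructed sample message carrying four attachments.
    sample = [
        ("quarterly_report.pdf", b"%PDF-1.4 constructed document body"),
        ("setup.exe", b"MZ\x90\x00 constructed PE header"),
        ("statement.pdf", b"MZ\x90\x00 constructed PE header, renamed"),
        ("notes.txt", b"constructed sample of a known bad attachment"),
    ]
    for name in filter_message(sample):
        print("stripped:", name)
```

The ordering matters: the extension rule is cheap and catches the bulk of cases, the magic-byte rule catches the renamed executable that the extension rule misses, and the digest rule is the narrow "known code" match the booklet calls the refined strategy. None of the three detects a new, never-seen executable that has been packed or encrypted, which is the limitation the booklet notes for signature-based tools.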

Protection of servers involves examining input from users and only accepting that input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers.

Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only include functions necessary to support operations. See "Systems Development, Acquisition, and Maintenance."

Anti-virus tools and code blocking are not comprehensive solutions. New malicious code could have different signatures, and bypass other controls. Protection against newly developed malicious code typically comes in the form of policies, procedures, and user awareness and training. For example, policies could prohibit the installation of software by unauthorized employees, and regular reviews for unauthorized software could take place. System users could be trained not to open unexpected messages, not to open any executables, and not to allow or accept file transfers in P2P communications. Additional protection may come from disconnecting and isolating networks from each other or from the Internet in the face of a fast-moving malicious code attack.

An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when it recognizes abnormal system behavior, the presence of unexpected files, and changes to other files.
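The host-side part of that control, noticing unexpected files and changes to files that should be stable, comes down to a hashed baseline and a later comparison. The example below is added to show the core of such a check; it is not code from the FFIEC booklet or from any intrusion detection product. The directory layout and file contents in `demo()` are constructed in a temporary directory, and in practice the baseline would be stored off-host so that an intruder who alters a file cannot also alter the record of what it should look like.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Walk `root` and return {relative_path: sha256_hex} for every file."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            with open(full, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def compare(baseline, current):
    """Classify differences between two snapshots.

    Returns a dict with sorted lists: 'added' (files not in the baseline),
    'removed' (baseline files now missing) and 'changed' (same path, new hash).
    """
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths
                          if baseline[p] != current[p]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: baseline a small tree, then replace one binary
    and drop one unexpected file. Returns the compare() result."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "login"), b"original binary")
        _write(os.path.join(root, "config.ini"), b"[app]\nmode=prod\n")
        baseline = snapshot(root)

        # Simulated tampering after the baseline was taken.
        _write(os.path.join(root, "bin", "login"), b"replaced binary")
        _write(os.path.join(root, "x.tmp"), b"dropped file")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "changed"):
        for path in report[kind]:
            print(f"{kind}: {path}")
```

The comparison is only as trustworthy as the baseline: it has to be taken from a known-good state and kept where the monitored host cannot rewrite it, and the check has to run on a schedule the host does not control, otherwise "changes to other files" will be reported against a baseline the intruder already adjusted.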



IT SECURITY QUESTION:

F. PERSONNEL SECURITY

4. Determine if the institution provides to its employees appropriate security training covering the institution's policies and procedures, on an appropriate frequency, and that institution employees certify periodically as to their understanding and awareness of the policy and procedures.


INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure and reuse of the information where the institution is the recipient of nonpublic personal information (§11(a)).

B. Select a sample of data received from nonaffiliated financial institutions, to evaluate the financial institution's compliance with reuse and redisclosure limitations.

1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in step b below (§11(a)(1)(i) and (ii)).

2.  Verify that the institution only uses and shares the data pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated