R. Kinney Williams & Associates

Internet Banking News

March 20, 2005



FYI - Shareholders sue ChoicePoint - Shareholders are suing ChoicePoint Inc. and its top executives after the company's share price fell sharply following news that identity thieves had gained access to personal information about some U.S. residents that was held by the personal data vendor. The suit alleges that the defendants knew that ChoicePoint's measures to protect its data were inadequate. http://www.computerworld.com/printthis/2005/0,4814,100239,00.html

FYI - Canadian military, U.S. agencies launch BlackBerry security project - The Canadian military and U.S. security agencies have launched a joint effort to make BlackBerry portable communications devices more secure, hoping to one day use them to exchange top secret information. http://www.canada.com/technology/story.html?id=cbea0d6b-d96c-4db6-8fde-619b933d3423

FYI - A final version of security guidelines designed to protect federal computer systems and the information they hold was released Monday by the National Institute of Standards and Technology.
Article: http://news.zdnet.com/2102-1009_22-5593256.html?tag=printthis
Guidelines: http://csrc.nist.gov/publications/nistpubs/index.html#sp800-53

FYI - Information Security Dominates Federal IT Agenda for 2005, Reveals Survey - CDW Government released the findings of its Federal IT Executive Survey fielded at IPIC 2005, a federal IT conference. Forty-three percent of the federal survey respondents list information security as their No. 1 priority for 2005, with more than 67 percent rating information security as a top-three concern. http://www.public-cio.com/newsStory.php?id=2005.03.03-93251

FYI - Internet banking under scrutiny after hacker accesses accounts - Police, a consumer-watchdog and two major banks are warning people to be extra cautious in using the internet for banking. http://www.nzherald.co.nz/index.cfm?c_id=5&ObjectID=10113938

FYI - Hacker helps applicants breach security at top business schools - Among the institutions affected were Harvard, Duke and Stanford - A computer hacker helped applicants to some of the nation's best business colleges and universities gain access to internal admissions records on the schools' Web sites. http://www.computerworld.com/printthis/2005/0,4814,100206,00.html

FYI - ATMs pick up Web site tricks - Those ubiquitous ATMs are about to get considerably smarter. Wells Fargo, the Bank of America and other financial institutions are giving their painfully low-tech ATMs a dose of Internet technology aimed at speeding transactions, reducing paperwork and exposing customers to a much wider range of transactions. http://news.com.com/2102-1032_3-5602216.html?tag=st.util.print 

FYI - Hackers break into U.S. citizen database - Hackers have gained access to personal information of about 32,000 U.S. citizens on databases owned by publisher Reed Elsevier, the second company to reveal a major breach in the past month. http://news.com.com/2102-1029_3-5605736.html?tag=st.util.print

FYI - ChoicePoint data loss may be higher than reported - ChoicePoint could have leaked information on far more than 145,000 U.S. citizens, the data collector's latest filing to the Securities and Exchange Commission suggests. http://news.com.com/2102-1029_3-5609253.html?tag=st.util.print


WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
  (Part 9 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships


Customer Service Complaints

Financial institutions should have plans to respond to customer complaints, including those regarding the appropriateness or quality of content, services, or products provided, or the privacy and security policies of the third-party site. The plan should also specify how the financial institution will handle complaints about any failure of a linked third party to provide the agreed-upon products or services.

Monitoring Weblinking Relationships

The financial institution should consider monitoring the activities of linked third parties as part of its risk management strategy. Monitoring policies and procedures should include periodic content review and testing to ensure that links function properly, and to verify that the levels of service provided by third parties are in accordance with contracts and agreements. Website content is dynamic, and third parties may change the presentation or content of a website in a way that creates risk to the financial institution's reputation. Periodic review and testing will reduce this risk exposure. The frequency of review should be commensurate with the degree of risk presented by the linked site.
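The monitoring described above (confirm that each link still works, detect content changes on the linked site, and review at a frequency tied to the link's risk) can be scripted. The following is an added example and not part of the FFIEC statement or this newsletter; the URLs, baseline digests, risk tiers and review intervals are constructed for the demonstration, and the offline `demo_fetch` stands in for the live `http_fetch`.

```python
"""Periodic weblink monitoring: are links still working, has the third
party's content drifted, and is a review due for this risk tier?
Added example; the policy values and sample data below are assumed."""
import hashlib
import urllib.error
import urllib.request
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Review interval per risk tier (assumed policy values, not from the guidance).
REVIEW_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass
class LinkResult:
    url: str
    reachable: bool
    status: Optional[int]
    content_changed: bool
    digest: Optional[str]


def content_digest(body: bytes) -> str:
    """SHA-256 of the page body; a new digest means the third party changed the page."""
    return hashlib.sha256(body).hexdigest()


def http_fetch(url: str, timeout: int = 10) -> Tuple[int, bytes]:
    """Live fetch for real use; returns (status, body). Not used by the offline demo."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_links(links: List[str], baseline: Dict[str, str],
                fetch: Callable[[str], Tuple[int, bytes]]) -> List[LinkResult]:
    """Flag links that no longer work and content that differs from the
    digest recorded at the last approved review."""
    results = []
    for url in links:
        try:
            status, body = fetch(url)
        except OSError:  # DNS failure, timeout, connection refused
            results.append(LinkResult(url, False, None, False, None))
            continue
        ok = 200 <= status < 300
        digest = content_digest(body) if ok else None
        changed = ok and url in baseline and baseline[url] != digest
        results.append(LinkResult(url, ok, status, changed, digest))
    return results


def review_due(last_review_iso: str, risk_tier: str, today_iso: str) -> bool:
    """Review frequency commensurate with the risk of the linked site."""
    last, today = date.fromisoformat(last_review_iso), date.fromisoformat(today_iso)
    return today - last >= timedelta(days=REVIEW_DAYS[risk_tier])


def findings(results: List[LinkResult]) -> List[str]:
    """URLs needing follow-up: broken links or changed third-party content."""
    return [r.url for r in results if not r.reachable or r.content_changed]


# --- constructed demo data (hypothetical URLs, not real third parties) ---
DEMO_RESPONSES = {
    "https://insurance.example/bank-offer": (200, b"<html>Insurance offer, rev 2</html>"),
    "https://broker.example/login": (200, b"<html>Brokerage login</html>"),
    "https://calculator.example/mortgage": (404, b""),
}


def demo_fetch(url: str) -> Tuple[int, bytes]:
    """Stand-in for http_fetch so the example runs offline."""
    if url not in DEMO_RESPONSES:
        raise OSError("name resolution failed")
    return DEMO_RESPONSES[url]


# Baseline digests taken at the last review; the insurance page has since changed
# and the rewards site no longer resolves.
DEMO_BASELINE = {
    "https://insurance.example/bank-offer": content_digest(b"<html>Insurance offer, rev 1</html>"),
    "https://broker.example/login": content_digest(b"<html>Brokerage login</html>"),
    "https://calculator.example/mortgage": content_digest(b"<html>Mortgage calc</html>"),
    "https://rewards.example/": content_digest(b"<html>Rewards</html>"),
}


def run_demo() -> List[str]:
    results = check_links(list(DEMO_BASELINE), DEMO_BASELINE, demo_fetch)
    for r in results:
        print(f"{r.url}: reachable={r.reachable} status={r.status} changed={r.content_changed}")
    return findings(results)


if __name__ == "__main__":
    print("follow-up needed:", run_demo())
```

A changed digest is only a trigger for a human content review, not a finding in itself: the point is that someone at the institution looks at what the third party now presents under the bank's link before customers do.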


INFORMATION TECHNOLOGY SECURITY
We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Using "Wired Equivalent Privacy" (WEP) by itself to provide wireless network security may lead a financial institution to a false sense of security. Information traveling over the network appears secure because it is encrypted. This appearance of security, however, can be defeated in a relatively short time.

Through these types of attacks, unauthorized personnel could gain access to the financial institution's data and systems. For example, an attacker with a laptop computer and a wireless network card could eavesdrop on the bank's network, obtain private customer information, obtain access to bank systems and initiate unauthorized transactions against customer accounts.

Another risk in implementing wireless networks is the potential disruption of wireless service caused by radio transmissions of other devices. For example, the frequency range used for 802.11b equipment is also shared by microwave ovens, cordless phones and other radio-wave-emitting equipment that can potentially interfere with transmissions and lower network performance. Also, as wireless workstations are added within a relatively small area, they will begin to compete with each other for wireless bandwidth, decreasing the overall performance of the wireless network.

Risk Mitigation Components -- Wireless Internal Networks

A key step in mitigating security risks related to the use of wireless technologies is to create policies, standards and procedures that establish minimum levels of security. Financial institutions should adopt standards that require end-to-end encryption for wireless communications based on proven encryption methods. Also, as wireless technologies evolve, new security and control weaknesses will likely be identified in the wireless software and security protocols. Financial institutions should actively monitor security alert organizations for notices related to their wireless network devices.

For wireless internal networks, financial institutions should adopt standards that require strong encryption of the data stream through technologies such as the IP Security Protocol (IPSEC). These methods effectively establish a virtual private network between the wireless workstation and other components of the network. Even though the underlying WEP encryption may be broken, an attacker would be faced with having to defeat an industry-proven security standard.

Financial institutions should also consider the proximity of their wireless networks to publicly available places. A wireless network that does not extend beyond the confines of the financial institution's office space carries with it far less risk than one that extends into neighboring buildings. Before bringing a wireless network online, the financial institution should perform a limited pilot to test the effective range of the wireless network and consider positioning devices in places where they will not broadcast beyond the office space. The institution should also be mindful that each workstation with a wireless card is a transmitter. Confidential customer information may be obtained by listening in on the workstation side of the conversation, even though the listener may be out of range of the access device.

The financial institution should consider having regular independent security testing performed on its wireless network environment. Specific testing goals would include the verification of appropriate security settings, the effectiveness of the wireless security implementation and the identification of rogue wireless devices that do not conform to the institution's stated standards. The security testing should be performed by an organization that is technically qualified to perform wireless testing and demonstrates appropriate ethical behavior.
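Two of the testing goals named above, verification of security settings and identification of rogue wireless devices that do not match the institution's standard, reduce to comparing what a scan observes against an approved inventory. The script below is an added example, not the FDIC's guidance or the newsletter's code: the one-line-per-network scan format, the inventory, the BSSIDs and the accepted security setting are all constructed for the demonstration.

```python
"""Rogue wireless device identification against an approved inventory.
Added example; the scan format, inventory and accepted settings are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    security: str


# Assumed scanner output: "<bssid>  ch=<n>  sec=<setting>  ssid=<name>" per line.
SCAN_LINE = re.compile(
    r"^(?P<bssid>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"ch=(?P<ch>\d+)\s+sec=(?P<sec>\S+)\s+ssid=(?P<ssid>.*)$")


def parse_scan(text: str) -> List[ObservedAP]:
    """Parse scan output; blank and '#' comment lines are skipped."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SCAN_LINE.match(line)
        if m is None:
            continue  # unparseable line; a production tool would log it
        aps.append(ObservedAP(m["bssid"].lower(), m["ssid"].strip(),
                              int(m["ch"]), m["sec"].upper()))
    return aps


def audit(observed: List[ObservedAP], approved: Dict[str, Tuple[str, int]],
          acceptable_security: Set[str]) -> List[Tuple[str, str]]:
    """Compare observed networks with the inventory of approved devices.
    Returns (bssid, finding) pairs for the tester's report."""
    findings = []
    seen = set()
    for ap in observed:
        seen.add(ap.bssid)
        if ap.bssid not in approved:
            findings.append((ap.bssid, f"unknown device broadcasting '{ap.ssid}' "
                                       "(candidate rogue access point)"))
            continue
        exp_ssid, exp_channel = approved[ap.bssid]
        if ap.ssid != exp_ssid:
            findings.append((ap.bssid, f"SSID '{ap.ssid}' differs from approved '{exp_ssid}'"))
        if ap.channel != exp_channel:
            findings.append((ap.bssid, f"channel {ap.channel} differs from approved {exp_channel}"))
        if ap.security not in acceptable_security:
            findings.append((ap.bssid, f"security setting {ap.security} does not meet standard"))
    # Approved devices that were not seen may be offline or relocated; worth a follow-up.
    for bssid in sorted(set(approved) - seen):
        findings.append((bssid, "approved device not observed"))
    return findings


# Constructed inventory: BSSID -> (approved SSID, approved channel).
APPROVED_INVENTORY = {
    "00:11:22:33:44:01": ("BANK-CORP", 1),
    "00:11:22:33:44:06": ("BANK-CORP", 6),
    "00:11:22:33:44:0b": ("BANK-CORP", 11),
}
# Assumed institution standard: only enterprise WPA2 is acceptable.
ACCEPTABLE_SECURITY = {"WPA2-ENT"}

# Constructed scan: one compliant AP, one approved AP still running WEP,
# one unknown open AP using the bank's SSID, one neighbour's home router.
SAMPLE_SCAN = """\
# bssid             channel  security  ssid   (constructed sample)
00:11:22:33:44:01  ch=1   sec=WPA2-ENT  ssid=BANK-CORP
00:11:22:33:44:06  ch=6   sec=WEP       ssid=BANK-CORP
AA:BB:CC:DD:EE:FF  ch=6   sec=OPEN      ssid=BANK-CORP
12:34:56:78:9a:bc  ch=11  sec=WPA2-PSK  ssid=Linksys
"""


def run_demo() -> List[Tuple[str, str]]:
    result = audit(parse_scan(SAMPLE_SCAN), APPROVED_INVENTORY, ACCEPTABLE_SECURITY)
    for bssid, finding in result:
        print(f"{bssid}: {finding}")
    return result


if __name__ == "__main__":
    run_demo()
```

The inventory comparison is what turns a scan into an audit finding: an unknown device using the institution's own SSID, or an approved device whose settings have drifted below the standard, is invisible to a scan that only lists networks.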


IT SECURITY QUESTION:  Building physical access controls:

a. Is the building locked after hours?
b. Do locks restrict the interior access?
c. Is there a security guard?
d. Is there a 24 hours camera surveillance system?
e. Is there a burglar alarm system to a remote location?
f. Is there a fire alarm system to a remote location?
g. Does each employee have a different deactivation code for the alarm systems?
h. Are fire extinguishers regularly inspected?



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, with a few examples to illustrate the types of third parties in each category:

a. financial service providers; [§6(c)(3)(i)]

b. non-financial companies; [§6(c)(3)(ii)] and

c. others? [§6(c)(3)(iii)]


VISTA penetration-vulnerability testing - Does {custom4} need an affordable internal or external penetration-vulnerability test?  R. Kinney Williams & Associates provides the independence required by the FFIEC IT Examination Manual.  We are IT auditors and do not sell hardware or software like many IT testing companies and consultants. In addition, we have over 30 years experience auditing IT operations for financial institutions, which includes 21 years examination experience.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
