R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 31, 2013

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Four simple steps to protect the US from hackers - Companies are spending more than ever on new security tools to protect themselves. In fact according to Gartner, spending is set to increase by over 8% in 2013. http://www.usatoday.com/story/tech/2013/03/25/cybersecurity-simple-steps/2016243/

FYI - Consumers and Mobile Financial Services - Matthew B. Gross, Alexandra M. Rock, and Maximilian D. Schmeiser - This report presents findings from the Federal Reserve Board's second survey on consumers' use of mobile financial services, conducted in November 2012. www.federalreserve.gov/econresdata/consumers-and-mobile-financial-services-report-201303.pdf

FYI - The Federal Financial Institutions Examination Council member agencies today announced the addition of a new feature to the Information Technology Examination Handbook InfoBase. This feature provides bankers, agency personnel, and other interested parties with the ability to register and receive notifications of additions, changes, and deletions to the InfoBase. www.ffiec.gov/press/pr032213.htm

FYI - Increase in required electronic loan data fields - Federal and state bank supervisors today announced an increase in the number of required loan data fields in the Interagency Loan Data Request.
Press Release: www.federalreserve.gov/newsevents/press/bcreg/20130322a.htm
Press Release: www.fdic.gov/news/news/press/2013/pr13022.html
Press Release: www.occ.gov/news-issuances/news-releases/2013/nr-ia-2013-52.html

FYI - U.S. cyber plan calls for private-sector scans of Net - The U.S. government is expanding a cybersecurity program that scans Internet traffic headed into and out of defense contractors to include far more of the country's private, civilian-run infrastructure. http://www.reuters.com/article/2013/03/21/net-us-cybersecurity-sharing-idUSBRE92K11620130321

FYI - Police arrest London man in connection with Tilon bank Trojan - MiTB campaign hit UK last summer - London police have arrested a man in connection with attacks carried out by the state-of-the-art Tilon banking Trojan, it has been announced.  http://news.techworld.com/security/3435936/police-arrest-london-man-in-connection-with-tilon-bank-trojan/ 

FYI - Cisco inadvertently weakens password encryption in its IOS operating system - The password encryption scheme used in newer Cisco IOS versions is weak, researchers find - The password encryption algorithm used in some recent versions of the Cisco IOS operating system is weaker than the algorithm it was designed to replace, Cisco revealed earlier this week.  http://www.computerworld.com/s/article/9237752/Cisco_inadvertently_weakens_password_encryption_in_its_IOS_operating_system?taxonomyId=17

FYI - Oversight Committee Passes IT Reform Act, Giving CIOs Budget Authority - The House Oversight and Government Reform Committee unanimously passed legislation on Wednesday that would mark the most significant reform in more than a decade to the way the government purchases information technology. http://www.nextgov.com/cio-briefing/2013/03/oversight-committee-passes-it-reform-act/61984/?oref=ng-HPtopstory

FYI - Luring Young Web Warriors Is Priority. It’s Also a Game. In the eighth grade, he figured out how to write a simple script that could switch his keyboard’s Caps Lock key on and off 6,000 times a minute. http://www.nytimes.com/2013/03/25/technology/united-states-wants-to-attract-hackers-to-public-sector.html?pagewanted=al&_r=0

FYI - Former student accused of stealing identities pleads guilty - A former student of Cal State University in San Marcos, Calif., pleaded guilty to wire fraud, access device fraud and unauthorized use of a computer after being accused of stealing the identities and passwords of 745 students to rig campus elections. http://www.scmagazine.com/former-student-accused-of-stealing-identities-pleads-guilty/article/285701/

FYI - NASA Tightens Security In Response To Insider Threat - NASA has closed down its technical reports database and imposed tighter restrictions on remote access to its computer systems following the arrest of a Chinese contractor on suspicion of intellectual property theft. http://www.informationweek.com/security/government/nasa-tightens-security-in-response-to-in/240151412
FYI - South Korean corporations hit by widespread attack that wiped data and shut down systems - Researchers discovered that attackers used data-wiping malware to cripple critical businesses throughout South Korea, where several banks and news organizations began reporting widespread cyber attacks. http://www.scmagazine.com/south-korean-corporations-hit-by-widespread-attack-that-wiped-data-and-shut-down-systems/article/285315/

FYI - Cyberattack on Florida election raises questions - It's a fear that keeps cybersecurity experts up at night: an attack on an online election system. Apparently, it's now come to pass. http://www.cnn.com/2013/03/18/tech/web/florida-election-cyberattack/index.html

FYI - Laptop containing patient data goes missing from Mississippi hospital - Patients of a Jackson, Miss.-based hospital may have had their data compromised after a laptop went missing. http://www.scmagazine.com/laptop-containing-patient-data-goes-missing-from-mississippi-hospital/article/285959/?DCMP=EMC-SCUS_Newswire

FYI - South Korea data-wipe malware spread by patching system - Long dark teatime in Seoul saga continues to unfold - South Korea's data wiping malware that knocked out PCs at TV stations and banks earlier this week may have been introduced through compromised corporate patching systems. http://www.theregister.co.uk/2013/03/25/sk_data_wiping_malware_latest/

FYI - Wells Fargo site hit by denial-of-service attack - The bank's Web site was the victim of a cyberattack yesterday, though the company says its physical branches and ATMs weren't affected. http://news.cnet.com/8301-1009_3-57576523-83/wells-fargo-site-hit-by-denial-of-service-attack/?tag=nl.e757&s_cid=e757&ttag=e757

FYI - Breach exposes data of 1k county workers, officials give no word on cause - The sensitive information of current and former county employees in Ohio was accessible to cyber intruders. http://www.scmagazine.com/breach-exposes-data-of-1k-county-workers-officials-give-no-word-on-cause/article/286530/?DCMP=EMC-SCUS_Newswire


Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Technical and Industry Expertise

• Assess the service provider’s experience and ability to provide the necessary services and supporting technology for current and anticipated needs.
• Identify areas where the institution would have to supplement the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or partners that would be used to support the outsourced operations.
• Evaluate the experience of the service provider in providing services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and work are necessary.
• Evaluate the service provider’s ability to respond to service disruptions.
• Contact references and user groups to learn about the service provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned to support the institution.
• Perform on-site visits, where necessary, to better understand how the service provider operates and supports its services.

We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we start a three part review of controls to prevent and detect intrusions.

Management should determine the controls necessary to deter, detect, and respond to intrusions, consistent with the best practices of information system operators. Controls may include the following: 

1) Authentication. Authentication provides identification by means of some previously agreed upon method, such as passwords and biometrics. (A method of identifying a person's identity by analyzing a unique physical attribute.) The means and strength of authentication should be commensurate with the risk. For instance, passwords should be of an appropriate length, character set, and lifespan (The lifespan of a password is the length of time the password allows access to the system. Generally speaking, shorter lifespans reduce the risk of password compromises.) for the systems being protected. Employees should be trained to recognize and respond to fraudulent attempts to compromise the integrity of security systems. This may include "social engineering" whereby intruders pose as authorized users to gain access to bank systems or customer records.

2) Install and Update Systems. When a bank acquires and installs new or upgraded systems or equipment, it should review security parameters and settings to ensure that these are consistent with the intrusion risk assessment plan. For example, the bank should review user passwords and authorization levels for maintaining "separation of duties" and "need to know" policies. Once installed, security flaws in software and hardware should be identified and remediated through updates or "patches." Continuous monitoring and updating is essential to protect the bank from vulnerabilities. Information related to vulnerabilities and patches is typically available from the vendor, security-related web sites, and in the National Infrastructure Protection Center's bi-weekly CyberNotes.

3) Software Integrity. Copies of software and integrity checkers (An integrity checker uses logical analysis to identify whether a file has been changed.) are used to identify unauthorized changes to software. Banks should ensure the security of the integrity checklist and checking software. Where sufficient risk exists, the checklist and software should be stored away from the network, in a location where access is limited. Banks should also protect against viruses and other malicious software by using automated virus scanning software and frequently updating the signature file (The signature file contains the information necessary to identify each virus.) to enable identification of new viruses.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Other Matters

Fair Credit Reporting Act

The regulations do not modify, limit, or supersede the operation of the Fair Credit Reporting Act.

State Law

The regulations do not supersede, alter, or affect any state statute, regulation, order, or interpretation, except to the extent that it is inconsistent with the regulations. A state statute, regulation, order, etc. is consistent with the regulations if the protection it affords any consumer is greater than the protection provided under the regulations, as determined by the FTC.

Grandfathered Service Contracts

Contracts that a financial institution has entered into, on or before July 1, 2000, with a nonaffiliated third party to perform services for the financial institution or functions on its behalf, as described in section 13, will satisfy the confidentiality requirements of section 13(a)(1)(ii) until July 1, 2002, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information.

Guidelines Regarding Protecting Customer Information

The regulations require a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution's policies.

The four federal bank and thrift regulators have published guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley Act, that address steps a financial institution should take in order to protect customer information. The guidelines relate only to information about customers, rather than all consumers. Compliance examiners should consider the findings of a 501(b) inspection during the compliance examination of a financial institution for purposes of evaluating the accuracy of the institution's disclosure regarding data security.

Next week we will start covering the examination objectives.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated