R. Kinney Williams & Associates

Internet Banking News

March 5, 2006

CONTENTS
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

CONVENTION
- This week I am attending the ICBA National Convention and Techworld in Las Vegas.  Please stop by my booth #539 to learn more about Internet and network security testing.  I look forward to meeting you.  R. Kinney Williams

FYI - New Trojans plunder bank accounts - Cybercriminals are surfing into online banks with you to steal your money. Password-stealing Trojan horses used to be all the rage. The software would nestle itself on a PC after opening a bad e-mail attachment or visiting a malicious Web site. But in response to the increased adoption of stronger authentication, cybercriminals are changing their tactics, according to Alex Shipp, a senior antivirus technologist at MessageLabs. http://news.com.com/2102-7349_3-6041173.html?tag=st.util.print

FYI - Data negligence suit thrown out of court - Encryption not required by GLB, says judge - A US federal court has thrown out a lawsuit that accused a student-loan provider of negligence in failing to encrypt a customer database that was subsequently stolen. http://software.silicon.com/security/0,39024888,39156463,00.htm

FYI - Fur flies over Google desktop privacy - Google Desktop's new search-across-computers feature could put sensitive data at risk and violate federal data-privacy regulations, say IT administrators at a public university and a large manufacturing company. Both are banning it from their networks. http://www.zdnet.co.uk/print/?TYPE=story&AT=39252738-39020375t-10000007c

FYI - Brazilian police bust hacker gang - Brazilian federal police arrested 41 hackers today accused of using the internet to divert millions of dollars out of other people's bank accounts. http://www.theage.com.au/news/breaking/brazilian-police-bust-hacker-gang/2006/02/15/1139890794432.html#

FYI - Two-thirds of U.K. businesses fail to patch - Nearly two-thirds of U.K. small businesses are failing to install patches as soon as they are released by vendors, according to a new study. The survey of 449 IT managers by secure email service company Inty found that 59 percent of British SMEs do not deploy new application software patches as soon as they are released by vendors. The main reason was the time required to test patches and roll them out to affected computers. http://www.scmagazine.com/us/news/article/541973/?n=us

FYI - For banks, security compliance goes only MSSP-deep - In the financial industry, third parties often guard the vault. For example, MSSPs (managed security services providers), such as the company I work for, deliver vital resources and expertise to many small to midsize banks. These services include firewalls and intrusion management, secure electronic document delivery, and oversight by trained security professionals. Many banks also rely on MSSPs to comply with regulatory mandates. http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/02/14/75274_08OPrecord_1.html

FYI - Auditor loses McAfee employee data - An external auditor lost a CD with information on thousands of current and former McAfee employees, putting them at risk of identity fraud. The disc was lost on Dec. 15 by Deloitte & Touche USA, McAfee spokeswoman Siobhan MacDermott said. http://news.com.com/2102-1029_3-6042544.html?tag=st.util.print

FYI - Banking Customers Prefer to Bank Online More Than Interacting With Branch Tellers - With transaction times nearly three times faster than interacting with a branch teller, online banking is the preferred transaction method among banking customers, according to J.D. Power and Associates. http://www.jdpa.com/news/releases/pressrelease.asp?ID=2006030



WEB SITE COMPLIANCE - This week we will start a new series on the FFIEC "Authentication in an Internet Banking Environment."

Purpose

On August 8, 2001, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Electronic Banking Environment (2001 Guidance). The 2001 Guidance focused on risk management controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services. Since 2001, there have been significant legal and technological changes with respect to the protection of customer information; increasing incidents of fraud, including identity theft; and the introduction of improved authentication technologies. This updated guidance replaces the 2001 Guidance and specifically addresses why financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services.

This guidance applies to both retail and commercial customers and does not endorse any particular technology. Financial institutions should use this guidance when evaluating and implementing authentication systems and practices whether they are provided internally or by a service provider. Although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities.


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Single Sign-On

Several single sign-on protocols are in use. Those protocols allow clients to authenticate themselves once to obtain access to a range of services. An advantage of single sign-on systems is that users do not have to remember or possess multiple authentication mechanisms, potentially allowing for more complex authentication methods and fewer user-created weaknesses. Disadvantages include the broad system authorizations potentially tied to any given successful authentication, the centralization of authenticators in the single sign-on server, and potential weaknesses in the single sign-on technologies.

When single sign-on systems allow access for a single login to multiple instances of sensitive data or systems, financial institutions should employ robust authentication techniques, such as multi-factor, PKI, and biometric techniques. Financial institutions should also employ additional controls to protect the authentication server and detect attacks against the server and server communications.



INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress.
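To make the examination question concrete, here is an added example (not from the FFIEC booklet or the newsletter) of the source-address filtering rule an examiner would expect to find. It assumes a constructed topology in which each router interface is associated with the prefixes that may legitimately appear as the source of packets arriving on it; applying one rule to every arriving packet yields ingress filtering on the Internet link, egress filtering on the internal links, and segment-level anti-spoofing inside the network.

```python
"""Anti-spoofing source filter check illustrating exam question 14.

Assumption for this example (not from the booklet): each interface carries a
list of prefixes that may be the SOURCE of packets arriving on it. The
Internet-facing interface may carry any public source except the
institution's own space and bogon ranges.
"""
import ipaddress

# Constructed topology: interface name -> prefixes legitimately sourced there
SEGMENTS = {
    "branch_lan": [ipaddress.ip_network("10.10.0.0/16")],
    "server_dmz": [ipaddress.ip_network("192.168.100.0/24")],
}
INTERNAL = [p for plist in SEGMENTS.values() for p in plist]
# Ranges that are never valid sources on the Internet link
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def source_allowed(interface, src):
    """True if src is a legitimate source for a packet arriving on interface."""
    addr = ipaddress.ip_address(src)
    if interface == "internet":
        # Ingress: drop anything claiming an internal or bogon source
        return not (_in_any(addr, INTERNAL) or _in_any(addr, BOGONS))
    if interface not in SEGMENTS:
        raise ValueError(f"unknown interface {interface!r}")
    # Egress and internal segments: source must belong to the arriving segment
    return _in_any(addr, SEGMENTS[interface])

def audit_filter(cases):
    """cases: (interface, src, expected_allowed); returns the cases the filter gets wrong."""
    return [c for c in cases if source_allowed(c[0], c[1]) != c[2]]

if __name__ == "__main__":
    CASES = [  # constructed test packets
        ("internet", "203.0.113.7", True),       # ordinary public source
        ("internet", "10.10.5.5", False),        # outside packet claiming our LAN
        ("internet", "127.0.0.1", False),        # bogon source
        ("branch_lan", "10.10.5.5", True),       # legitimate internal/egress source
        ("branch_lan", "192.168.100.9", False),  # DMZ address claimed from the LAN
        ("server_dmz", "203.0.113.7", False),    # outbound with a forged public source
    ]
    print("filter failures:", audit_filter(CASES))
```

An empty failure list means the filter behaves as the question expects for every constructed packet; a non-empty list names the direction and address that slipped through.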


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Objectives 

1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.

2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.

3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:

a)  Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice; 
b)  Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out; 
c)  Appropriately honoring consumer opt out directions; 
d)  Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
e)  Disclosing account numbers only according to the limits in the regulations.

4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.