R. Kinney Williams
March 5, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
CONVENTION - This week I am attending the ICBA National Convention and Techworld
in Las Vegas. Please stop by my booth #539 to learn more about
Internet and network security testing. I look forward to
meeting you. R. Kinney Williams
FYI - New Trojans
plunder bank accounts - Cybercriminals are surfing into online banks
with you to steal your money. Password-stealing Trojan horses used
to be all the rage. The software would nestle itself on a PC after
opening a bad e-mail attachment or visiting a malicious Web site.
But in response to the increased adoption of stronger
authentication, cybercriminals are changing their tactics, according
to Alex Shipp, a senior antivirus technologist at MessageLabs.
FYI - Data negligence
suit thrown out of court - Encryption not required by GLB, says
judge - A US federal court has thrown out a lawsuit that accused a
student-loan provider of negligence in failing to encrypt a customer
database that was subsequently stolen.
FYI - Fur flies over
Google desktop privacy - Google Desktop's new
search-across-computers feature could put sensitive data at risk and
violate federal data-privacy regulations, say IT administrators at a
public university and a large manufacturing company. Both are
banning it from their networks.
FYI - Brazilian police
bust hacker gang - AdvertisementBrazilian federal police arrested 41
hackers today accused of using the internet to divert millions of
dollars out of other people's bank accounts.
FYI - Two-thirds of U.K.
businesses fail to patch - Nearly two-thirds of U.K. small
businesses are failing to install patches as soon as they are
released by vendors, according to a new study. The survey of 449 IT
managers by secure email service company Inty, found that 59 percent
of British SMEs do not deploy new application software patches as
soon as they are released by vendors. The main reason was the time
required to test patches and roll them out to affected computers.
FYI - For banks,
security compliance goes only MSSP-deep - In the financial industry,
third parties often guard the vault. For example, MSSPs (managed
security services providers), such as the company I work for,
deliver vital resources and expertise to many small to midsize
banks. These services include firewalls and intrusion management,
secure electronic document delivery, and oversight by trained
security professionals. Many banks also rely on MSSPs to comply with
FYI - Auditor loses
McAfee employee data - An external auditor lost a CD with
information on thousands of current and former McAfee employees,
putting them at risk of identity fraud. The disc was lost on Dec. 15
by Deloitte & Touche USA, McAfee spokeswoman Siobhan MacDermott
FYI - Banking Customers Prefer
to Bank Online More Than Interacting With Branch Tellers - With
transaction times of nearly three times faster than interacting with
a branch teller, online banking is the preferred transaction method
among banking customers, according to the J.D. Power and Associates.
Return to the top
of the newsletter
WEB SITE COMPLIANCE
- This week we will start a new series on the FFIEC "Authentication
in an Internet Banking Environment."
On August 8, 2001, the FFIEC agencies (agencies) issued guidance
entitled Authentication in an Electronic Banking Environment (2001
Guidance). The 2001 Guidance focused on risk management controls
necessary to authenticate the identity of retail and commercial
customers accessing Internet-based financial services. Since 2001,
there have been significant legal and technological changes with
respect to the protection of customer information; increasing
incidents of fraud, including identity theft; and the introduction
of improved authentication technologies. This updated guidance
replaces the 2001 Guidance and specifically addresses why financial
institutions regulated by the agencies should conduct risk-based
assessments, evaluate customer awareness programs, and develop
security measures to reliably authenticate customers remotely
accessing their Internet-based financial services.
This guidance applies to both retail and commercial customers and
does not endorse any particular technology. Financial institutions
should use this guidance when evaluating and implementing
authentication systems and practices whether they are provided
internally or by a service provider. Although this guidance is
focused on the risks and risk management techniques associated with
the Internet delivery channel, the principles are applicable to all
forms of electronic banking activities.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Single Sign - On
Several single sign - on protocols are in use. Those protocols allow
clients to authenticate themselves once to obtain access to a range
of services. An advantage of single sign - on systems is that
users do not have to remember or possess multiple authentication
mechanisms, potentially allowing for more complex authentication
methods and fewer user - created weaknesses. Disadvantages include
the broad system authorizations potentially tied to any given
successful authentication, the centralization of authenticators in
the single sign - on server, and potential weaknesses in the single
sign - on technologies.
When single sign - on systems allow access for a single login to
multiple instances of sensitive data or systems, financial
institutions should employ robust authentication techniques, such as
multi - factor, PKI, and biometric techniques. Financial
institutions should also employ additional controls to protect the
authentication server and detect attacks against the server and
Return to the top of the
14. Determine whether appropriate filtering
occurs for spoofed addresses, both within the network and at
external connections, covering network ingress and egress.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
1. To assess the quality of a financial institution's compliance
management policies and procedures for implementing the privacy
regulation, specifically ensuring consistency between what the
financial institution tells consumers in its notices about its
policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial
institution's internal controls and procedures for monitoring the
institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the
privacy regulation, specifically in meeting the following
a) Providing to customers notices of its privacy policies and
practices that are timely, accurate, clear and conspicuous, and
delivered so that each customer can reasonably be expected to
receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated
third parties, other than under an exception, after first meeting
the applicable requirements for giving consumers notice and the
right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information
received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in
4. To initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are deficient.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.