Internet Banking News

April 7, 2013

CONTENT	Internet Compliance	Web Site Audits
IT Security	Internet Privacy	Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - Victim of $440K wire fraud can't blame bank for loss, judge rules - Choice Escrow failed to take bank's advice for securing wire transfers, court says - A federal court in Missouri has rejected an escrow firm's attempt to blame its bank for a $440,000 cyberheist in March 2010. http://www.computerworld.com/s/article/9237919/Victim_of_440K_wire_fraud_can_t_blame_bank_for_loss_judge_rules?taxonomyId=17

FYI - Alleged fight between anti-spam group and blacklisted company incites massive DDoS - A Netherlands-based web host has been accused of launching distributed-denial-of-service (DDoS) attacks against an anti-spam group that blacklisted it - a reprisal that eventually grew to become the largest attack of its kind, affecting internet users around the world. http://www.scmagazine.com/alleged-fight-between-anti-spam-group-and-blacklisted-company-incites-massive-ddos/article/286348/

FYI - Draft of cyber bill exacerbates flaws of anti-hacking law - Lawmakers are eyeing a draft of a cyber security bill that could impose more severe punishment for cyber crimes under the Computer Fraud and Abuse Act (CFAA). http://www.scmagazine.com/draft-of-cyber-bill-exacerbates-flaws-of-anti-hacking-law/article/286146/

FYI - Beyond BYOD - The ever-increasing use of personal devices has tested enterprise defenses, so plans must be created to meet the challenge. http://www.scmagazine.com/beyond-byod/article/284410/?DCMP=EMC-SCUS_Newswire

FYI - Roughly 20 charged in Eastern Europe with building Carberp banking trojan - Russian authorities have nabbed a gang of about 20 people allegedly behind the Carberp banking trojan, according to a report in the nation's Kommersant paper. http://www.scmagazine.com/roughly-20-charged-in-eastern-europe-with-building-carberp-banking-trojan/article/287553/?DCMP=EMC-SCUS_Newswire

FYI - Deciphering cloud strategy - There are steps security pros can take to achieve greater peace of mind with cloud implementations. http://www.scmagazine.com/deciphering-cloud-strategy/article/284411/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Wells Fargo warns of ongoing DDOS attacks - Some customers may experience intermittent access, the bank said - Wells Fargo warned on Tuesday that its website is being targeted again by a distributed denial-of-service (DDOS) attack. http://www.computerworld.com/s/article/9237916/Wells_Fargo_warns_of_ongoing_DDOS_attacks?taxonomyId=17

FYI - Egyptian navy captures divers trying to cut undersea internet cables - Telecom Egypt connections targeted for termination - A spokesman for the Egyptian military has reported that three scuba divers have been arrested in the Mediterranean as they tried to cut a submarine data cable owned by local telco Telecom Egypt. http://www.theregister.co.uk/2013/03/27/egypt_cables_cut_arrest/

FYI - Doctor's stolen laptop found at pawn shop; data of 652 patients exposed - A Washington state psychologist's laptop containing the personal health information of several hundred patients was stolen - and later recovered in a pawn shop. http://www.scmagazine.com/doctors-stolen-laptop-found-at-pawn-shop-data-of-652-patients-exposed/article/286812/?DCMP=EMC-SCUS_Newswire

FYI - Electronic road signs hacked in Illinois - Electronic road signs in St. Charles, Ill. were hacked on Thursday, displaying messages that had nothing to do with a pipeline project taking place nearby, according to a report in St. Charles Patch. http://www.scmagazine.com/electronic-road-signs-hacked-in-illinois/article/287013/?DCMP=EMC-SCUS_Newswire

FYI - “Funded hacktivism” or cyber-terrorists, AmEx attackers have big bankroll - On March 28, American Express' website went offline for at least two hours during a distributed denial of service attack. http://arstechnica.com/security/2013/03/funded-hacktivism-or-cyber-terrorists-amex-attackers-have-big-bankroll/

FYI - Public safety personnel targeted by DoS attacks flooding phone lines - Telephone lines for public safety and emergency communication workers have been inundated with bogus calls, an attack characterized by the U.S. Department of Homeland Security and FBI as telephony denial-of-service (TDoS), which is being used to extort money from victims. http://www.scmagazine.com/public-safety-personnel-targeted-by-dos-attacks-flooding-phone-lines/article/287235/?DCMP=EMC-SCUS_Newswire

FYI - Bank website attacks reach new high: 249 hours offline in past six weeks - Major U.S. bank websites have been offline a total of 249 hours in the past six weeks, perhaps the clearest indication yet that American companies are prime targets in an unrelenting, global cyber conflict. http://redtape.nbcnews.com/_news/2013/04/03/17575854-bank-website-attacks-reach-new-high-249-hours-offline-in-past-six-weeks?lite

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider

Operations and Controls

• Determine adequacy of the service provider’s standards, policies and procedures relating to internal controls, facilities management (e.g., access requirements, sharing of facilities, etc.), security (e.g., systems, data, equipment, etc.), privacy protections, maintenance of records, business resumption contingency planning, systems development and maintenance, and employee background checks.
• Determine if the service provider provides sufficient security precautions, including, when appropriate, firewalls, encryption, and customer identity authentication, to protect institution resources as well as detect and respond to intrusions.
• Review audit reports of the service provider to determine whether the audit scope, internal controls, and security safeguards are adequate.
• Evaluate whether the institution will have complete and timely access to its information maintained by the provider.
• Evaluate the service provider’s knowledge of regulations that are relevant to the services they are providing. (e.g., Regulation E, privacy and other consumer protection regulations, Bank Secrecy Act, etc.).
• Assess the adequacy of the service provider’s insurance coverage including fidelity, fire, liability, data losses from errors and omissions, and protection of documents in transit.

Financial Condition

• Analyze the service provider’s most recent audited financial statements and annual report as well as other indicators (e.g., publicly traded bond ratings), if available.
• Consider factors such as how long the service provider has been in business and the service provider’s market share for a given service and how it has fluctuated.
• Consider the significance of the institution’s proposed contract on the service provider’s financial condition.
• Evaluate technological expenditures. Is the service provider’s level of investment in technology consistent with supporting the institution’s activities? Does the service provider have the financial resources to invest in and support the required technology?

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review part two of three regarding controls to prevent and detect intrusions.

4) Attack Profile. Frequently systems are installed with more available components and services than are required for the performance of necessary functions. Banks maintaining unused features may unwittingly enable network penetration by increasing the potential vulnerabilities. To reduce the risk of intrusion, institutions should use the minimum number of system components and services to perform the necessary functions.

5) Modem Sweep. While access to a system is typically directed through a firewall, sometimes modems are attached to the system directly, perhaps without the knowledge of personnel responsible for security. Those modems can provide an uncontrolled and unmonitored area for attack. Modems that present such vulnerabilities should be identified and either eliminated, or monitored and controlled.

6) Intrusion Identification. Real-time identification of an attack is essential to minimize damage. Therefore, management should consider the use of real-time intrusion detection software. Generally, this software inspects for patterns or "signatures" that represent known intrusion techniques or unusual system activities. It may not be effective against new attack methods or modified attack patterns. The quality of the software and sophistication of an attack also may reduce the software's effectiveness. To identify intrusions that escape software detection, other practices may be necessary. For example, banks can perform visual examinations and observations of systems and logs for unexpected or unusual activities and behaviors as well as manual examinations of hardware. Since intrusion detection software itself is subject to compromise, banks should take steps to ensure the integrity of the software before it is used.

7) Firewalls. Firewalls are an important component of network security and can be effective in reducing the risk of a successful attack. The effectiveness of a firewall, however, is dependent on its design and implementation. Because misconfigurations, operating flaws, and the means of attack may render firewalls ineffective, management should consider additional security behind the firewall, such as intrusion identification and encryption.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Objectives

1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.

2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.

3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:

a) Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in the regulations.

4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.