R. Kinney Williams
April 9, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
Banks Hit With New Spoofing Attacks - Attackers made changes to
legitimate Web sites, making the scams much harder to detect. -
Three Florida banks have had their Web sites compromised by hackers
in an attack that security experts are calling the first of its
Controlling the Assault of Non-Solicited Pornography
and Marketing Act of 2003 - This bulletin transmits Examination
Procedures, including a Worksheet, to test financial institutions
for compliance with regulations implementing the CAN-SPAM Act of
The Federal Reserve Board on Monday launched a new kids web
page designed to educate middle school students about the Board of
Governors of the Federal Reserve System. The new web page is
designed in a user-friendly, question-and-answer format to ensure
easy navigation and the ability to learn basic information about the
(R. Kinney - you may wish to link this site
off your web site.)
Energy Department lost computer equipment - At least 18 pieces of
"computer processing equipment," including at least one laptop, are
missing from the Energy Department's Office of Intelligence (IN),
and department officials do not know whether any of it was used for
or contained classified information, according to a new report from DOE's inspector general.
N.Y. attorney general sues Gratis, alleges privacy breach - The info
sale may be the largest-ever deliberate violation of confidentiality
agreements - New York State Attorney General Eliot Spitzer is suing
Web site operator Gratis Internet Inc. for allegedly violating
consumer confidentiality agreements by selling the personal
information of millions of people to e-mail marketers, according to
a statement issued by Spitzer's office.
Trojan horses steal bank details, passwords - Two Trojan horses with
distinctive traits have been flagged by security researchers: one
that hijacks one-time-use passwords, and another that hides behind a
Offshore outsourcing cited in Florida data leak - State employees
are being warned that their personal data may have been compromised
- Florida state employees are being warned that their personal
information may have been compromised after work on the state's
People First payroll and human resources system was improperly
subcontracted to a company in India.
VSC laptop theft creates security concerns - Thousands of Vermont
State Colleges students, faculty and staff learned this week that a
VSC laptop computer stolen from a car parked in Montreal on Feb. 28
could have given thieves access to their personal financial
information, including Social Security numbers and payroll data.
U.K. firms suffer from the enemy within - Staff misuse of the
internet is the second largest cause of reported security incidents
for large U.K. companies. According to the latest preliminary
results published today from the 2006 Department of Trade and
Industry's biennial Information Security Breaches Survey, 90 percent
of all British companies said protecting their reputation was one of
the most important drivers for information security.
Payment processor fears credit card crooks - A major online payment
provider said Monday that its processing service had been used in an
attempt to charge money to stolen credit and debit cards.
FYI - Consumer data security bill passes out of House committee
House committee this week unanimously approved a data security law
that would establish federal standards for protecting personal
information and would supersede state laws.
Return to the top
of the newsletter
WEB SITE COMPLIANCE
We continue our series on the FFIEC "Authentication in an Internet
Monitoring systems can determine if unauthorized access to computer
systems and customer accounts has occurred. A sound authentication
system should include audit features that can assist in the
detection of fraud, money laundering, compromised passwords, or
other unauthorized activities. The activation and maintenance of
audit logs can help institutions to identify unauthorized
activities, detect intrusions, reconstruct events, and promote
employee and user accountability. In addition, financial
institutions should report suspicious activities to appropriate
regulatory and law enforcement agencies as required by the Bank
Financial institutions should rely on multiple layers of control to
prevent fraud and safeguard customer information. Much of this
control is not based directly upon authentication. For example, a
financial institution can analyze the activities of its customers to
identify suspicious patterns. Financial institutions also can rely
on other control methods, such as establishing transaction dollar
limits that require manual intervention to exceed a preset limit.
Adequate reporting mechanisms are needed to promptly inform security
administrators when users are no longer authorized to access a
particular system and to permit the timely removal or suspension of
user account access. Furthermore, if critical systems or processes
are outsourced to third parties, management should ensure that the
appropriate logging and monitoring procedures are in place and that
suspected unauthorized activities are communicated to the
institution in a timely manner. An independent party (e.g., internal
or external auditor) should review activity reports documenting the
security administrators' actions to provide the necessary checks and
balances for managing system security.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
The primary TCP/IP protocols are the Internet protocol (IP) and the
transmission control protocol (TCP). IP is used to route messages
between devices on a network, and operates at the Internet layer.
TCP operates at the host-to-host layer, and provides a
connection-oriented, full - duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP) is also
used at the host-to-host layer. Unlike TCP, UDP is not connection -
oriented, which makes it faster and a better protocol for supporting
broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often do not effectively
filter it. To provide additional safeguards, it is often blocked
entirely from inbound traffic or additional controls are added to
verify and authenticate inbound UDP packets as coming from a trusted
Return to the top of the
Evaluate the appropriateness of techniques that prevent the spread
of malicious code across the network.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of
delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice
(§9(c)), and accessibility of or ability to retain the notice (§9(e)).
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.