Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
April 15, 2007
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - TJX data breach: At 45.6M card numbers, it's the biggest ever - It eclipses the compromise in June 2005 at CardSystems Solutions - After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014782&source=rss_topic17

FYI - How a six-year-old beat the House of Commons computer system - A BBC South Inside Out investigation has revealed how an alarming loophole in security allowed a six-year-old to hack into the highly sensitive computer system at the House of Commons.
http://www.bbc.co.uk/pressoffice/pressreleases/stories/2007/03_march/23/keylogger.shtml

FYI - AC failure takes out Florida state computers - The cooling hardware chilled 1,200 servers - Critical air conditioning service has been restored to a state government data center in Florida after crews scrambled to replace a failed chiller with a backup delivered by police escort from Georgia.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=government&articleId=9014704&taxonomyId=13&intsrc=kc_top

FYI - The feds weigh in on Windows security - Will the White House make a difference in computer security? The President's Office of Management and Budget recently sent out a directive to federal chief information officers to secure their Windows PCs. In what some said could have ripple effects well beyond Washington, the White House sent out a memorandum on March 22 that instructed all federal agencies (PDF) to adopt standard security configurations for Windows XP and Windows Vista by February 1.
http://news.com.com/2102-7348_3-6172158.html?tag=st.util.print

FYI - Keylogger use up 500 percent in three-plus years - The number of keyloggers has soared five-fold in three years and is now the greatest threat cybercriminals have to threaten business networks, according to the latest report by Kaspersky Lab.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070402/647265/

FYI - Instant messaging attacks up 200 percent in a year - The growing adoption of instant messaging (IM) platforms in corporate environments has made the technology more attractive to hackers, who have, in turn, attacked IM 200 percent more often than this time last year.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070402/647261/

FYI - RadioShack sued over Texas ID theft law - RadioShack Corp. was sued on Monday by the Texas Attorney General's office, which charged that the electronics retailer exposed consumers to potential identity theft by dumping data such as addresses and credit-card numbers in a trash bin behind one of its stores.
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/02/AR2007040201475.html
MISSING COMPUTERS/DATA
FYI - SS numbers accessed - Rosters containing information, including Social Security numbers, of about 380 St. Mary Parish public school employees were accessed March 19 by a Yahoo! Web page search engine crawler.
http://www.iberianet.com/articles/2007/03/27/news/news/news15.txt

FYI - UIC worker charged in security breach - A Chicago hospital worker is charged with stealing patient information. An emergency medical technician is accused of using his job to access the sensitive data of at least eight patients at UIC Medical Center for his own use. The EMT has been fired from the hospital.
http://abclocal.go.com/wls/story?section=local&id=5164853

FYI - Navy Laptops with Sailor Info Stolen - Three password protected laptop computers have been identified as missing from the Navy College Office located on Naval Station San Diego. While the Navy College Office does not have complete information about what information was on the laptops, Personally Identifiable Information (PII) may be on the computers, including Sailors' names, rates and ratings, social security numbers, and college course information.
http://www.military.com/features/0,15240,130657,00.html

FYI - University of Montana Western administrators are notifying students whose information was stolen in a break-in earlier this week on the campus. The incident in the university's Main Hall was discovered Tuesday morning and is under police investigation.
http://www.havredailynews.com/articles/2007/03/30/local_headlines/state.txt
http://www.umwestern.edu/incident/
WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory Insights regarding Incident Response Programs. (11 of 12)

Last week's best practices focused on the more common criteria that have been noted in actual IRPs, but some banks have developed other effective incident response practices. Examples of these additional practices are listed below. Organizations may want to review these practices and determine if any would add value to their IRPs given their operating environments.

Additional IRP Best Practices
1) Test the incident response plan (via walkthrough or tabletop exercises) to assess thoroughness.
2) Implement notices on login screens for customer information systems to establish a basis for disciplinary or legal action.
3) Develop an incident grading system that quantifies the severity of the incident, helps determine if the incident response plan needs to be activated, and specifies the extent of notification escalation.
4) Provide periodic staff awareness training on recognizing potential indicators of unauthorized activity and reporting the incident through proper channels. Some institutions have established phone numbers and e-mail distribution lists for reporting possible incidents.
5) Inform users about the status of any compromised system they may be using.
6) Establish a list of possible consultants, in case the bank does not have the expertise to handle or investigate the specific incident (especially regarding technical compromises).
7) Establish evidence-gathering and handling procedures aimed at preserving evidence of the incident and aiding in prosecution activities.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 2 of 2)

Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response organization with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Due to the wide range of non-technical issues that are posed by an intrusion, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution. Those areas include management, legal, public relations, as well as information technology. Other organizations may outsource some of the CSIRT functions, such as forensic examinations. When CSIRT functions are outsourced, institutions should ensure that their institution's policies are followed by the service provider and that the confidentiality of data and systems is maintained.

Institutions can best assess the adequacy of their preparations through testing.

While containment strategies between institutions can vary, they typically contain the following broad elements:
- Isolation of compromised systems, or enhanced monitoring of intruder activities;
- Search for additional compromised systems;
- Collection and preservation of evidence; and
- Communication with affected parties, the primary regulator, and law enforcement.

Restoration strategies should address the following:
- Elimination of an intruder's means of access;
- Restoration of systems, programs and data to a known good state;
- Filing of a Suspicious Activity Report (guidelines for filing are included in individual agency guidance); and
- Communication with affected parties.
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE

18. Determine if the information disclosure policy addresses the appropriate regulatory reporting requirements.
19. Determine if the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry.
20. Determine if the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums.
21. Determine whether all participants in intrusion detection and responses are trained adequately in the intrusion detection and response policies, their roles, and the procedures they should take to implement the policies.
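Question 20 and the restoration strategy in the FFIEC excerpt above both call for confirming that a restored system matches a known good state by verifying software cryptographic checksums. The following script is an added example, not code from the FFIEC booklet or this newsletter: it records a SHA-256 baseline from a known-good tree and reports anything modified, missing or planted in the restored copy; the file names and contents are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Added example (not from the FFIEC booklet or the newsletter): compare a restored
# system with a SHA-256 baseline recorded from verified good media.

def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of one file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root.
    Record this from verified good media before the system goes live."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_against_baseline(root: Path, baseline: dict) -> dict:
    """Report modified, missing and unexpected files under root.
    Reactivate the system only when all three lists are empty ("clean")."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    extra = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "extra": extra,
            "clean": not (modified or missing or extra)}

def demo() -> dict:
    """Constructed sample: a known-good tree, then a restored copy with one
    altered program and one planted file (hypothetical paths and contents)."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "good"
    (good / "bin").mkdir(parents=True)
    (good / "bin" / "app").write_bytes(b"known good program")
    (good / "config.ini").write_text("debug=0\n")
    baseline = build_baseline(good)
    before = verify_against_baseline(good, baseline)  # clean: True
    restored = tmp / "restored"
    shutil.copytree(good, restored)
    (restored / "bin" / "app").write_bytes(b"known good program, altered")
    (restored / "bin" / "dropper").write_bytes(b"planted")
    after = verify_against_baseline(restored, baseline)  # clean: False
    shutil.rmtree(tmp)
    return {"before": before, "after": after}
```

In practice the baseline would be generated from the verified good media and stored off the system being restored, so that an intruder who altered files cannot also alter the checksums they are compared against.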
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

49. If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:
  a. required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [§14(b)(1)] or
  b. required, or is a usual, appropriate, or acceptable method to: [§14(b)(2)]
    1. carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [§14(b)(2)(i)]
    2. administer or service benefits or claims; [§14(b)(2)(ii)]
    3. confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [§14(b)(2)(iii)]
    4. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
    5. underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [§14(b)(2)(v)] or
    6. in connection with:
      i. the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [§14(b)(2)(vi)(A)]
      ii. the transfer of receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or
      iii. the audit of debit, credit, or other payment information? [§14(b)(2)(vi)(C)]
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.