R. Kinney Williams
April 16, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
NCUA - Letter to Credit Unions 06-CU-07 - IT Security
Thousands of Marines may be at risk for identity theft after loss of
portable drive - A portable drive with personal information on more
than 207,750 Marines was lost earlier this month, possibly
jeopardizing those troops' credit records and privacy.
Feds push for improved privacy notices - The goal: Make financial
institutions' privacy practices easier to decipher - Federal
regulators released a prototype privacy notice designed to make it
easier for consumers to read about, understand and compare the
privacy practices of banks and other financial institutions.
BART to investigate computer work at rush hour - Troubleshooting
crashed system, stranded 35,000 - BART officials promised to
thoroughly investigate why technicians risked working on computers
that control trains while the transit system was running, work that
crashed BART's main computer, stalled 50 to 60 trains, and stranded
35,000 passengers for more than an hour at the peak of the Wednesday
Cash machine 'skimmers' steal thousands - Banks are contacting
hundreds of people who were exposed to an ATM fraud where cash-card
details were copied and used to rob accounts of more than $20,000.
It is New Zealand's first case of "skimming", where sophisticated
devices are used to harvest account information from cards while a
small camera captures the Pin number.
Hacker hits Georgia state database via hole in security software -
Confidential information on more than 570,000 people exposed - An unpatched flaw in a
"widely used security program" was exploited by
an unknown hacker to gain access to a Georgia Technology Authority (GTA)
database containing confidential information on more than 570,000
members of the state's pension plans.
FYI - Study: Online Banking
Gains Users - Electronic bill pay services also prove popular, study
finds. The number of online banking customers in the U.S. grew to
nearly 40 million during the last quarter of 2005, up 27 percent
from the previous year, according to Reston, Virginia-based comScore
Networks. And during the same period the use of online payment
services at banks grew 36 percent, comScore said in a statement.
Return to the top
of the newsletter
WEB SITE COMPLIANCE
We conclude our series on the FFIEC "Authentication in an Internet
Financial institutions have made, and should continue to make,
efforts to educate their customers. Because customer awareness is a
key defense against fraud and identity theft, financial institutions
should evaluate their consumer education efforts to determine if
additional steps are necessary. Management should implement a
customer awareness program and periodically evaluate its
effectiveness. Methods to evaluate a program's effectiveness include
tracking the number of customers who report fraudulent attempts to
obtain their authentication credentials (e.g., ID/password), the
number of clicks on information security links on Web sites, the
number of statement stuffers or other direct mail communications,
the dollar amount of losses relating to identity theft, etc.
Financial institutions offering Internet-based products and services
should have reliable and secure methods to authenticate their
customers. The level of authentication used by the financial
institution should be appropriate to the risks associated with those
products and services. Financial institutions should conduct a risk
assessment to identify the types and levels of risk associated with
their Internet banking applications. Where risk assessments indicate
that the use of single-factor authentication is inadequate,
financial institutions should implement multifactor authentication,
layered security, or other controls reasonably calculated to
mitigate those risks. The agencies consider single-factor
authentication, as the only control mechanism, to be inadequate in
the case of high-risk transactions involving access to customer
information or the movement of funds to other parties.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 2 of 3)
Other common protocols in a TCP/IP network include the following
! Address resolution protocol (ARP) - Obtains the hardware address
of connected devices and matches that address with the IP address
for that device. The hardware address is the Ethernet card's
address, technically referred to as the "media access
control" (MAC) address. Ethernet systems route messages by the
MAC address, requiring a router to obtain both the IP address and
the MAC address of connected devices. Reverse ARP (RARP) also exists
as a protocol.
! Internet control message protocol (ICMP) - Used to send messages
about network health between devices, provides alternate routing
information if trouble is detected, and helps to identify problems
with a routing.
! File transfer protocol (FTP) - Used to browse directories and
transfer files. Although access can be authenticated or anonymous,
FTP does not support encrypted authentication. Conducting FTP within
encrypted channels, such as a Virtual Private Network (VPN), secure
shell (SSH) or secure sockets layer (SSL) sessions can improve
! Trivial file transfer protocol (TFTP) - A file transfer protocol
with no file - browsing ability, and no support for authentication.
! Simple mail - transfer protocol (SMTP) - Commonly used in e-mail
systems to send mail.
! Post office protocol (POP) - Commonly used to receive e-mail.
! Hypertext transport protocol (HTTP) - Used for Web browsing.
! Secure shell (SSH) -
Encrypts communications sessions, typically used for remote
administration of servers.
! Secure sockets layer (SSL) -
Typically used to encrypt Webbrowsing sessions, sometimes used to
secure e-mail transfers and FTP sessions.
Return to the top of the
C. HOST SECURITY
Determine whether hosts are hardened through the removal of
unnecessary software and services, consistent with the needs
identified in the risk assessment, and that configuration takes
advantage of available object, device, and file access controls.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt
out notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers
(customers and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written records where available, determine if the institution has
adequate procedures in place to provide the opt out notice and
comply with opt out directions of consumers (customers and those who
are not customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. Reasonableness of the opportunity to opt out (the time
allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii),
d. Adequacy of procedures to implement and track the status of
a consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).
NETWORK SECURITY TESTING
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.