R. Kinney Williams
April 23, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - SEC has failed to
fix security gaps, GAO says - Information security weaknesses
persist at the Securities Exchange Commission because the agency has
not followed through on recommendations the Government
Accountability Office made last year for comprehensive, agency wide
FYI - HP printer users
warned of critical flaw - HP has warned users of its Color LaserJet
2500 and 4600 printers of a flaw that could be exploited by hackers
to gain remote admin control over PCs running the devices' control
FYI - New e-greeting
spam hides keylogger - Security watchers have identified a new batch
of malicious e-greeting spam that conceals keylogging spyware
designed to steal online banking passwords and other sensitive
FYI - Better web banking
security demanded - Almost 90 percent of U.S. bank account holders
would like their financial service providers to monitor online
banking sessions for signs of irregular activity in the way they
currently scrutinize credit card transactions, recently released
research has found.
FYI - Postbank unveils
anti-phishing measures - In an attempt to stop phishing attacks on
its internet banking customers, a German bank will introduce
electronic signatures in its customer emails.
FYI - Update: Fla.
residents' data exposure a statewide issue - The Social Security
numbers, driver's license information and bank account details
belonging to potentially millions of current and former residents of
Florida are available to anyone on the Internet because sensitive
information has not been redacted from public records being posted
on county Web sites.
FYI - RaboDirect's 100%
No Fraud Guarantee - Online bank RaboDirect, has announced a 100%
Secure Guarantee for its Irish customers. The bank, which implements
the highest levels of online banking security is the first bank in
Ireland to give a guaranteed protection to its customers.
FYI - Data breach at
Progressive highlights insider threat - An employee, later fired,
improperly accessed data on foreclosed properties - A recent case in
which an employee at Progressive Casualty Insurance Co. wrongfully
accessed information on foreclosure properties she was interested in
buying highlights again the dangers posed to corporate security by
FYI - Compliance, Not
Malware, Drives IT Budgets: Survey - Chief security officers say
their primary reasons for investing in security software have to do
with compliance rules, not virus threats. Regulatory compliance and
protecting intellectual property (IP) are among the top reasons
driving demand for security products - not phishing, worms, spyware
and hack attacks, according to a recent report.
FYI - Researcher:
Security risks in Web services largely ignored - AJAX, XML could be
exploited by hackers, Stamos warns - In their rush to implement Web
services, some companies may be exposing themselves to new security
risks that they may not fully understand, a security researcher said
FYI - Half of European companies unprotected against vulnerabilities
- Nearly half of IT professionals believe their infrastructures are
not completely protected against vulnerabilities, new research has
found. The study, conducted by Ipsos Research, found that 45 percent
of over 600 senior IT personnel throughout Europe questioned felt
that their IT infrastructure was "never 100 percent protected from
software and network vulnerabilities."
NCUA - Disaster Planning and Response - Letter to Credit
Unions - Influenza Pandemic Preparedness.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents
(Part 1 of 5)
Web-site spoofing is a method of creating fraudulent Web sites that
look similar, if not identical, to an actual site, such as that of a
bank. Customers are typically directed to these spoofed Web
sites through phishing schemes or pharming techniques. Once at
the spoofed Web site, the customers are enticed to enter information
such as their Internet banking username and password, credit card
information, or other information that could enable a criminal to
use the customers' accounts to commit fraud or steal the customers'
identities. Spoofing exposes a bank to strategic, operational,
and reputational risks; jeopardizes the privacy of bank customers;
and exposes banks and their customers to the risk of financial
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of Web-site spoofing by implementing
the identification and response procedures discussed in this
bulletin. A bank also can help minimize the impact of a
spoofing incident by assigning certain bank employees responsibility
for responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet
activities are outsourced, the bank can address spoofing risks by
ensuring that its contracts with its technology service providers
stipulate appropriate procedures for detecting and reporting
spoofing incidents, and that the service provider's process for
responding to such incidents is integrated with the bank's own
Banks can improve the effectiveness of their response procedures by
establishing contacts with the Federal Bureau of Investigation (FBI)
and local law enforcement authorities in advance of any spoofing
incident. These contacts should involve the appropriate
departments and officials responsible for investigating computer
security incidents. Effective procedures should also include
appropriate time frames to seek law enforcement involvement, taking
note of the nature and type of information and resources that may be
available to the bank, as well as the ability of law enforcement
authorities to act rapidly to protect the bank and its customers.
Additionally, banks can use customer education programs to mitigate
some of the risks associated with spoofing attacks. Education
efforts can include statement stuffers and Web-site alerts
explaining various Internet-related scams, including the use of
fraudulent e-mails and Web-sites in phishing attacks. In
addition, because the attacks can exploit vulnerabilities in Web
browsers and/or operating systems, banks should consider reminding
their customers of the importance of safe computing practices.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 3 of 3)
are built in conformance with the protocols to provide services from
hosts to clients. Because clients must have a standard way of
accessing the services, the services are assigned to standard host
ports. Ports are logical not physical locations that are either
assigned or available for specific network services. Under TCP/IP,
65536 ports are available, and the first 1024 ports are commercially
accepted as being assigned to certain services. For instance, Web
servers listen for requests on port 80, and secure socket layer Web
servers listen on port 443. A complete list of the commercially
accepted port assignments is available at www.iana.org.
Ports above 1024 are known as high ports, and are user - assignable.
However, users and administrators have the freedom to assign any
port to any service, and to use one port for more than one service.
Additionally, the service listening on one port may only proxy a
connection for a separate service. For example, a Trojan horse
keystroke - monitoring program can use the Web browser to send
captured keystroke information to port 80 of an attacker's machine.
In that case, monitoring of the packet headers from the compromised
machine would only show a Web request to port 80 of a certain IP
Return to the top of the
C. HOST SECURITY
Determine if the configuration minimizes the functionality of
programs, scripts, and plug - ins to what is necessary and
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13=, 14, and/or 15 but outside of these
exceptions (Part 1 of 2)
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party. The sample should
include a cross-section of relationships but should emphasize those
that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the data shared and with whom the data were shared
to ensure that the institution accurately categorized its
information sharing practices and is not sharing nonpublic personal
information outside the exceptions (§§13, 14, 15).
b. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers in its notices about its
policies and practices in this regard and what the institution
actually does are consistent (§§10, 6).
2) Review contracts with nonaffiliated third parties that
perform services for the financial institution not covered by the
exceptions in section 14 or 15. Determine whether the contracts
adequately prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts. (§13(a)).
NETWORK SECURITY TESTING
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.