R. Kinney Williams
April 30, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Major Banking
Sites Insecure - Sites do not use authentication technology to prove
they are genuine, researcher says. Online bank customers may want to
pay a little more attention to their browsers the next time they log
in, because many of the most popular banking sites in the U.S. may
be needlessly placing their customers at risk to online thieves, a
noted security researcher warned this week.
Seven Steps to a Highly Effective IT Compliance Program -
Documenting internal policies and controls, assigning appropriate
compliance management oversight, and ensuring compliance through
training are three of the seven steps incorporated into highly
effective IT compliance programs.
Web fraud costs victims $180M - Victims lost more than $180 million
in web fraud incidents reported by the Internet Crime Complaint
Center (IC3) last year, according to the IC3's fifth-annual Internet
Afghans selling US army 'files' - A market has sprung up outside the
Bagram airbase near Kabul - US forces in Afghanistan are checking
reports that stolen computer hardware containing military secrets is
being sold at a market beside a big US base.
Hackers Access Financial Data At UMDNJ - Computer hackers were able
to gain access to the Social Security numbers and other confidential
financial information of almost 2,000 University of Medicine and
Dentistry of New Jersey students and alumni, university officials
Data exposure: Counties across the U.S. posting sensitive info
online - Social Security numbers, driver's license data and bank
account numbers are all easily available - Broward County, Fla.,
Maricopa County, Ariz., Fort Bend County, Texas. Three counties
separated by hundreds of miles with something in common: They're
among potentially hundreds of counties in several states that in
recent years have made Social Security numbers, driver's license
information, bank account numbers and a variety of other personally
sensitive data belonging to residents available to anyone in the
world with Internet access.
Wells Fargo not required to encrypt data - Wells Fargo Bank
customers sue after their personal financial data was stolen from a
contractor that had not encrypted the information.
Mass e-mail compromises student IDs - University of South Carolina
spreads Social Security numbers by mistake - University of South
Carolina officials are advising students to watch their credit
reports after the Social Security numbers of as many as 1,400
students were mistakenly e-mailed to classmates.
InternetShield vendor pays to settle deceptive-ad suit - Security
vendor SoftwareOnline.com Inc. has agreed to change its business
practices and pay $190,000 in fines after a four-month investigation
into the company by Washington state's Attorney General's Office.
FYI - Malicious-software
spreaders get sneakier, more revalent - Without you realizing it,
attackers are secretly trying to penetrate your PC to tap small bits
of computing power to do evil things. They've already compromised
some 47 million PC's sitting in living rooms, in your kids'
bedrooms, even on the desk in your office.
FYI - University of Texas probes
computer breach - Files illegally accessed; Second intrusion in
three years - Nearly 200,000 electronic records at the University of
Texas at Austin's business school have been illegally accessed, the
Return to the top
of the newsletter
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 2 of
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of
* E-mail messages returned to bank mail servers that were not
originally sent by the bank. In some cases, these e-mails may
contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web
addresses indicating that the bank's Web site is being copied or
that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumer reporting spoofing
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
TCP/IP is a packet - based communications system. A packet consists
of a header and a data payload. A header is analogous to a mail
envelope, containing the information necessary for delivery of the
envelope, and the return address. The data payload is the content of
the envelope. The IP packet header contains the address of the
sender (source address) and the intended recipient (destination
address) and other information useful in handling the packet. Under
IP, the addresses are unique numbers known as IP addresses. Each
machine on an IP network is identified by a unique IP address. The
vast majority of IP addresses are publicly accessible. Some IP
addresses, however, are reserved for use in internal networks. Those
addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0
and 192.168.0.0 -
192.168.255.255. Since those internal addresses are not
accessible from outside the internal network, a gateway device is
used to translate the external IP address to the internal address.
The device that translates external and internal IP addresses is
called a network address translation (NAT) device. Other IP packet
header fields include the protocol field (e.g., 1=ICMP, 6=TCP, 7=UDP),
flags that indicate whether routers are allowed to fragment the
packet, and other information.
If the IP packet indicates the protocol is TCP, a TCP header will
immediately follow the IP header. The TCP header contains the source
and destination ports, the sequence number, and other information.
The sequence number is used to order packets upon receipt and to
verify that all packets in the transmission were received.
Information in headers can be spoofed, or specially constructed to
contain misleading information. For instance, the source address can
be altered to reflect an IP address different from the true source
address, and the protocol field can indicate a different protocol
than actually carried. In the former case, an attacker can hide
their attacking IP, and cause the financial institution to believe
the attack came from a different IP and take action against that
erroneous IP. In the latter case, the attacker can craft an attack
to pass through a firewall and attack with an otherwise disallowed
Return to the top of the
C. HOST SECURITY
Determine if adequate processes exist to apply host security
updates, such as patches and anti - virus signatures, and that such
updating takes place.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, and 14 and/or 15 but not outside of these
exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual
privacy notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice §9(c)), and
accessibility of or ability to retain the notice (§9(e)).
NETWORK SECURITY TESTING
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.