R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 13, 2012

CONTENTS
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Programming languages can't have copyright protection, EU court rules - Europe's top court ruled Wednesday that the functionality of a computer program and the programming language it is written in cannot be protected by copyright. http://www.computerworld.com/s/article/9226783/Programming_languages_can_t_have_copyright_protection_EU_court_rules?taxonomyId=17

FYI - Furious judge decries "blizzard" of copyright troll lawsuits - Courts around the country are being flooded with mass copyright lawsuits. http://arstechnica.com/tech-policy/news/2012/05/furious-judge-decries-blizzard-of-copyright-troll-lawsuits.ars

FYI - Jetting off abroad? Pack protection ... for your Wi-Fi - Feds warn of malware attacks on hotel net surfers - A US government agency is warning travellers to be wary of malware that installs itself via pop-up browser windows on hotel internet connections. http://www.theregister.co.uk/2012/05/09/hotel_wi_fi_malware_warning/

FYI - Queen's Speech gives details on surveillance plans - The Queen has confirmed that "vital communications data" will potentially be accessed, "subject to scrutiny of draft clauses". http://www.scmagazineuk.com/queens-speech-gives-details-on-surveillance-plans/article/240267/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Attack takes Soca crime agency website down - The website of the UK's Serious Organised Crime Agency (Soca) has been taken offline following a cyber-attack. Soca confirmed to the BBC that soca.gov.uk had suffered a Distributed Denial of Service (DDoS) attack.
http://www.bbc.co.uk/news/technology-17936962
http://www.bbc.com/news/technology-18005505

FYI - Hackers have breached top secret MoD systems, cyber-security chief admits - Major General Jonathan Shaw says 'it was a surprise to people quite how vulnerable we are' - Computer hackers have managed to breach some of the top secret systems within the Ministry of Defence, the military's head of cyber-security has revealed. http://www.guardian.co.uk/technology/2012/may/03/hackers-breached-secret-mod-systems?newsfeed=true

FYI - Global Payments Data Breach Exposes Card Payments Vulnerability - Cardholders around the world received a shock late last week when Global Payments Inc. announced a breach in its card data processing system. http://www.forbes.com/sites/greatspeculations/2012/04/03/global-payments-data-breach-exposes-card-payments-vulnerability/

FYI - Personal data of welfare workers posted online - The personal information of employees of the Florida Department of Children and Families (DCF) was breached. http://www.scmagazine.com/personal-data-of-welfare-workers-posted-online/article/239794/?DCMP=EMC-SCUS_Newswire

FYI - The Pirate Bay hits out at DDoS attacks on ISPs - File-sharing website The Pirate Bay has called distributed denial of service (DDoS) and similar attacks "forms of censorship". http://www.scmagazineuk.com/the-pirate-bay-hits-out-at-ddos-attacks-on-isps/article/240265/


WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other third-party dependencies supporting e-banking.

Increased reliance upon partners and third party service providers to perform critical e-banking functions lessens bank management's direct control. Accordingly, a comprehensive process for managing the risks associated with outsourcing and other third-party dependencies is necessary. This process should encompass the third-party activities of partners and service providers, including the sub-contracting of outsourced activities that may have a material impact on the bank.

Historically, outsourcing was often limited to a single service provider for a given functionality. However, in recent years, banks' outsourcing relationships have increased in scale and complexity as a direct result of advances in information technology and the emergence of e-banking. Adding to the complexity is the fact that outsourced e-banking services can be sub-contracted to additional service providers and/or conducted in a foreign country. Further, as e-banking applications and services have become more technologically advanced and have grown in strategic importance, certain e-banking functional areas are dependent upon a small number of specialized third-party vendors and service providers. These developments may lead to increased risk concentrations that warrant attention both from an individual bank as well as a systemic industry standpoint.

Together, these factors underscore the need for a comprehensive and ongoing evaluation of outsourcing relationships and other external dependencies, including the associated implications for the bank's risk profile and risk management oversight abilities. Board and senior management oversight of outsourcing relationships and third-party dependencies should specifically focus on ensuring that:

1) The bank fully understands the risks associated with entering into an outsourcing or partnership arrangement for its e-banking systems or applications.

2) An appropriate due diligence review of the competency and financial viability of any third-party service provider or partner is conducted prior to entering into any contract for e-banking services.

3) The contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined. For instance, responsibilities for providing information to and receiving information from the service provider should be clearly defined.

4) All outsourced e-banking systems and operations are subject to risk management, security and privacy policies that meet the bank's own standards.

5) Periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.

This is the last of three principles regarding Board and Management Oversight.  Next week we will begin the series on the principles of security controls, which include Authentication, Non-repudiation, Data and transaction integrity, Segregation of duties, Authorization controls, Maintenance of audit trails, and Confidentiality of key bank information.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 1 of 4)

Automated intrusion detection systems (IDS) use one of two methodologies, signature and heuristics. An IDS can target either network traffic or a host. The signature-based methodology is generally used on network traffic. An IDS that uses a signature-based methodology reads network packets and compares the content of the packets against signatures, or unique characteristics, of known attacks and known anomalous network traffic. When a match is recognized between current readings and a signature, the IDS generates an alert.

A general weakness in the signature-based detection method is that a signature must exist for an alert to be generated. Attacks that generate different signatures from what the institution includes in its IDS will not be detected. This problem can be particularly acute if the institution does not continually update its signatures to reflect lessons learned from attacks on itself and others, as well as developments in attack tool technologies. It can also pose problems when the signatures only address known attacks, rather than both known attacks and anomalous traffic. Another general weakness is in the capacity of the IDS to read traffic. If the IDS falls behind in reading network traffic, traffic may be allowed to bypass the IDS. That traffic may contain attacks that would otherwise cause the IDS to issue an alert.

Proper placement of network IDS is a strategic decision determined by the information the institution is trying to obtain. Placement outside the firewall will deliver IDS alarms related to all attacks, even those that are blocked by the firewall. With this information, an institution can develop a picture of potential adversaries and their expertise based on the probes they issue against the network.

Because the placement is meant to gain intelligence on attackers rather than to alert on attacks, tuning generally makes the IDS less sensitive than if it is placed inside the firewall. An IDS outside the firewall will generally alert on the greatest number of unsuccessful attacks. IDS monitoring behind the firewall is meant to detect and alert on hostile intrusions. Multiple IDS units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the IDS is to sensitive data, the more important the tuning, monitoring, and response to IDS alerts. The National Institute of Standards and Technology (NIST) recommends network intrusion detection systems "at any location where network traffic from external entities is allowed to enter controlled or private networks."
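The two methodologies, the capacity weakness and the placement-dependent tuning described above, as an added illustration that is not from the FFIEC booklet or from this newsletter: a toy sensor in Python that runs signature matching and one behavioural heuristic over a constructed packet batch. The signature strings, addresses, thresholds and the `Sensor`/`Packet` names are all made up for the example.

```python
# Toy IDS: signature matching plus one heuristic, with a capacity limit.
# Added illustration; the signatures, addresses and thresholds are constructed.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str        # source address (constructed, documentation-range IPs)
    dst_port: int
    payload: bytes


# Constructed "signatures": unique byte patterns of hypothetical known attacks.
SIGNATURES = {
    "known-probe-A": b"PROBE-A",
    "known-exploit-B": b"EXPLOIT-B",
}


@dataclass
class Sensor:
    position: str        # "outside" or "inside" the firewall
    capacity: int        # packets the sensor can read per batch; the rest bypass it
    port_threshold: int  # heuristic: distinct ports touched by one source -> sweep alert
    alerts: list = field(default_factory=list)
    bypassed: int = 0

    def inspect(self, batch):
        """Read up to `capacity` packets; alert on signature hits and on the sweep heuristic."""
        inspected = batch[: self.capacity]
        self.bypassed += len(batch) - len(inspected)   # capacity weakness: unread traffic
        ports_by_src = defaultdict(set)
        for pkt in inspected:
            # Signature methodology: a signature must exist, or nothing is raised.
            for name, pattern in SIGNATURES.items():
                if pattern in pkt.payload:
                    self.alerts.append((self.position, "signature", name, pkt.src))
            ports_by_src[pkt.src].add(pkt.dst_port)
        # Heuristic methodology: anomalous behaviour rather than known content.
        for src, ports in ports_by_src.items():
            if len(ports) >= self.port_threshold:
                self.alerts.append((self.position, "heuristic", "port-sweep", src))
        return self.alerts


def sample_traffic():
    """Constructed batch: one known probe, one known exploit string, a port sweep,
    and a payload for which no signature exists."""
    return [
        Packet("198.51.100.7", 80, b"GET / HTTP/1.1"),
        Packet("198.51.100.7", 80, b"PROBE-A scan"),
        Packet("203.0.113.9", 22, b"EXPLOIT-B attempt"),
        Packet("203.0.113.9", 23, b"hello"),
        Packet("203.0.113.9", 25, b"hello"),
        Packet("203.0.113.9", 110, b"hello"),
        Packet("192.0.2.44", 443, b"NOVEL-C payload"),  # no signature: never alerted on
    ]


def run_sensor(position, capacity, port_threshold):
    sensor = Sensor(position, capacity, port_threshold)
    sensor.inspect(sample_traffic())
    return sensor


def alerted_sources(sensor):
    return sorted({a[3] for a in sensor.alerts})


if __name__ == "__main__":
    # Outside the firewall: tuned less sensitive (higher sweep threshold), sees everything.
    outside = run_sensor("outside", capacity=100, port_threshold=5)
    # Inside: tuned tighter, because what it sees has already passed the firewall.
    inside = run_sensor("inside", capacity=100, port_threshold=3)
    # Undersized sensor: packets beyond capacity bypass inspection with no alert.
    starved = run_sensor("inside", capacity=3, port_threshold=3)
    for s in (outside, inside, starved):
        print(s.position, "bypassed=%d" % s.bypassed, s.alerts)
```

Three things the run makes visible: the `NOVEL-C` source is never reported by either sensor because no signature covers it; the port sweep is only raised by the tighter-tuned inside sensor; and the sensor with `capacity=3` passes four packets uninspected, so the sweep it would otherwise have flagged goes unreported.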



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; and [§6(c)(6)(i)]

b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution's policy?  [§6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated