R. Kinney Williams & Associates

Internet Banking News

May 15, 2005

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing


VISTA - Does {custom4} need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports; the testing focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Time Warner employee data missing - Information on 600,000 current, ex-workers lost by storage firm; Secret Service investigating. Time Warner says computer backup tapes with information on 600,000 former and current employees is missing. The Secret Service is investigating the matter, working closely with the company and Iron Mountain Inc., the data storage firm that lost the tapes. http://money.cnn.com/2005/05/02/news/fortune500/security_timewarner/index.htm?cnn=yes

FYI - Backups tapes a backdoor for identity thieves - In many cases, low paid workers are handling sensitive tapes, but only a small fraction of companies are securing the data with encryption. Large companies are reconsidering their security and backup policies after a handful of financial and information-technology companies have admitted that tapes holding unencrypted customer data have gone missing. http://www.securityfocus.com/printable/news/11048

FYI - Florida Uni on brown alert after hack attack - Students and staff at Florida International University (FIU) were warned they are at risk of identity fraud this week after techies discovered hackers had broken into college systems. A file found on a compromised computer showed that an unknown hacker had access to the username and password for 165 computers at the University, sparking a major security alert. http://www.theregister.com/2005/04/29/fiu_id_fraud_alert/print.html

FYI - Web attacks soar - Web server attacks and website defacements rose 36 per cent last year, according to an independent report. zone-h, the Estonian security firm best known for its defacement archive, recorded 392,545 web attacks globally in 2004, up from 251,000 in 2003. http://www.theregister.co.uk/2005/04/27/zone-h_defacement_survey/print.html

FYI - Massive bank security breach uncovered in N.J. - Bank employees implicated in conspiracy; 500,000 victims alleged - In court, Orazio Lembo was described as the alleged ring leader of what police say was a massive scheme to steal 500,000 bank accounts and personal information, then sell it to bill collectors. http://msnbc.msn.com/id/7670774/

FYI - The best defense for email retention - Some organizations believe that minimizing the retention time of historical email reduces their business risk. They make it a routine practice, and in certain instances attempt to set company-wide policies, to delete old electronic communications, assuming that the messages will not be needed nor recoverable in other places. http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=17b9a355-6293-4777-bb15-f88400e60f6b&newsType=Opinion

FYI - U.S. military security defeated by copy and paste - Experts are warning people to be careful with electronic documents that contain sensitive data after a breach in which classified U.S. military information thought to be hidden in a PDF document was uncovered. http://news.com.com/2102-1002_3-5694982.html?tag=st.util.print

FYI - Google down - hijacking or human error? - Google refuted rumors it was hacked on Sunday, following a 15 minute downtime. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=9e8c0e4d-9d8e-4819-a675-98611d9c91e3&newsType=Latest%20News&s=n



WEB SITE COMPLIANCE -
Record Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
 



INFORMATION TECHNOLOGY SECURITY
We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls 

A primary concern in controlling system access is the safeguarding of user IDs and passwords.  The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism. 

The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder. 
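The paragraph above warns that passwords derived from personal information (user ID, name, e-mail, phone, birth year) are easy to guess once that information has leaked. The following Python check, added here as an example and not part of the FDIC paper or this newsletter, shows one way an institution can reject such passwords at the point they are set. The profile values are constructed placeholders; the leet-speak substitution table and the choice to ignore the e-mail domain are assumptions made for the example.

```python
import re
import unicodedata

# Constructed profile for the example: the kind of personal data the FDIC
# paragraph says an intruder may already hold. Placeholder values only.
SAMPLE_PROFILE = {
    "user_id": "jsmith",
    "first_name": "John",
    "last_name": "Smith",
    "email": "john.smith@example.com",
    "phone": "806-555-0142",
    "birth_year": "1970",
}

# Common character substitutions a password-guessing tool would undo
# (assumed table for the example; real tools use larger ones).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalize(text):
    """Lower-case and strip accents so 'Jóhn' and 'john' compare equal."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return ascii_text.lower()


def personal_tokens(profile, min_len=4):
    """Derive the fragments a guessing program could build passwords from."""
    tokens = set()
    for key, value in profile.items():
        if key == "email":
            value = value.split("@", 1)[0]   # the domain is not personal data
        norm = _normalize(value)
        for part in re.split(r"[^a-z0-9]+", norm):
            if len(part) >= min_len:
                tokens.add(part)
        digits = re.sub(r"\D", "", norm)
        if len(digits) >= min_len:
            tokens.add(digits)        # full phone number or year
            tokens.add(digits[-4:])   # last four digits are a favourite suffix
    return tokens


def password_derived_from_profile(password, profile, min_len=4):
    """Return the longest personal-data fragment the password contains, or None.

    The password is checked as typed, with leet-speak undone, and both of
    those reversed, since guessing tools try all of these variants.
    """
    tokens = personal_tokens(profile, min_len)
    base = _normalize(password)
    candidates = {base, base.translate(LEET)}
    candidates |= {c[::-1] for c in candidates}
    matches = {tok for cand in candidates for tok in tokens if tok in cand}
    if not matches:
        return None
    return sorted(matches, key=lambda t: (-len(t), t))[0]


if __name__ == "__main__":
    for pw in ["Sm1th1970!", "Htims#2024", "Tr0ub4dor&3"]:
        print(pw, "->", password_derived_from_profile(pw, SAMPLE_PROFILE))
```

A non-None result means the password should be refused with a message naming the problem (for instance, "must not contain your name or phone number"); the check belongs alongside, not instead of, the usual length and breach-list checks.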


Security Flaws and Bugs / Active Content Languages 

Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications. 

Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.
  

Viruses / Malicious Programs 


Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.



IT SECURITY QUESTION:  Backup operations: (Part 2 of 2)

f. Are duplicate backup tapes kept on premises in a secure location with restricted access?
g. Have the backup tapes been recently tested to ensure that the backup procedures work?
h. Overall, will the backup procedures provide reasonable assurance that customer data can be reconstructed in a timely manner?
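Question g asks whether the backup tapes have actually been tested. The following Python restore drill, added here as an example and not part of the newsletter's examination questions, shows the mechanics of such a test: record a SHA-256 manifest of the source files when the backup is taken, restore to a fresh location, and compare. The sample files and the simulated damage (one file altered, one dropped) are constructed for the example; the temporary directory stands in for the separate restore system a real drill would use.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns sorted lists of files missing from the restore, files whose
    contents differ, and files present that were never in the backup.
    """
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "modified": sorted(p for p in manifest
                           if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def restore_drill():
    """Self-contained drill on constructed data; returns the verification report.

    Simulates taking the manifest at backup time, restoring to a fresh
    directory, one file silently damaged in transit and one file dropped.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "customer_data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "2005-05.csv").write_text("acct,balance\n1001,250.00\n")
        (src / "accounts" / "2005-04.csv").write_text("acct,balance\n1001,240.00\n")
        (src / "readme.txt").write_text("constructed sample backup set\n")

        manifest = build_manifest(src)          # recorded when the tape is written

        dst = Path(tmp) / "restored"
        shutil.copytree(src, dst)                # stands in for reading the tape back
        (dst / "accounts" / "2005-05.csv").write_text("acct,balance\n1001,25.00\n")
        (dst / "accounts" / "2005-04.csv").unlink()
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(restore_drill())
```

The manifest should be stored separately from the tape it describes, and the drill should be run on a machine other than the one that wrote the backup; a restore that only succeeds on the original host has not tested the procedure.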


INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Opt Out Notice


19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under 13-15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [7(a)(1)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated