R. Kinney Williams
May 21, 2006
Your financial institution needs an affordable Internet security
Our clients in 41 states rely on
to verify their IT security settings and to meet the independent
diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA
that implement Gramm-Leach-Bliley Act Section 501(b).
The VISTA penetration study and
Internet security test is an affordable, sophisticated process that
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Consumers Losing
Trust in Online Banking - Security must be considered a necessity,
not a luxury, report says. U.S. consumers are not as enamored with
online banking as they once were and are citing online security as
their top concern, according to a report.
FYI - A cyberexercise
with real-world lessons - Air Force cadets win 6th annual CDX
competition - Students from the military academies recently came
under cyberattack. Fortunately, it was from a network attack team
composed of National Security Agency and Defense personnel during an
intense, four-day competition, the sixth annual Cyber Defense
FYI - Ohio University
reports two separate security breaches - Ohio University this week
disclosed two separate but apparently unrelated incidents of data
theft involving its computers.
FYI - Gone in 20
Minutes: using laptops to steal cars - High-tech thieves are
becoming increasingly savvy when it comes to stealing automobiles
equipped with keyless entry and ignition systems.
FYI - Schools scramble
to safeguard computer systems - Private industry long ago adopted
safeguards against hacking, but public schools, which just began
putting student records online in recent years, are only starting to
recognize their vulnerability.
FYI - Wells Fargo warns
of possible data theft - Wells Fargo, the second-largest U.S.
mortgage lender, said a computer containing confidential data about
mortgage customers and prospective customers is missing and may have
FYI - Idaho utility hard
drives -- and data -- turn up on eBay - The company is now
scrambling to get the drives back - Anybody with five bucks and a
little patience may be able to score sensitive corporate or customer
data on eBay. If your organization has engaged in the common
practice of disk drive recycling -- selling unneeded disk drives
directly or through a service -- company data might wind up for sale
on eBay Inc.'s auction site, even if the drives have been wiped
FYI - Webroot Uncovers
Thousands of Stolen Identities - Company believes the info--which
includes names and social security numbers--was collected by a
Trojan horse. Spyware researchers at Webroot Software have uncovered
a stash of tens of thousands of stolen identities from 125 countries
that they believe were collected by a new variant of a Trojan horse
program the company is calling Trojan-Phisher-Rebery.
Keylogger spying at work on the rise, survey says - The number of
companies reporting a spyware infestation has increased by almost
half in the past 12 months, according to a new survey.
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 5 of
5) Next week
we will begin our series on the FFIEC Authentication in an
Internet Banking Environment.
PROCEDURES TO ADDRESS SPOOFING - Contact the
OCC and Law Enforcement Authorities
If a bank is the target of a spoofing incident, it should promptly
notify its OCC supervisory office and report the incident to the FBI
and appropriate state and local law enforcement authorities. Banks
can also file complaints with the Internet Fraud Complaint Center,
a partnership of the FBI and the National White Collar Crime Center.
In order for law enforcement authorities to respond effectively to
spoofing attacks, they must be provided with information necessary
to identify and shut down the fraudulent Web site and to investigate
and apprehend the persons responsible for the attack. The data
discussed under the "Information Gathering" section should meet this
In addition to reporting to the bank's supervisory office and law
enforcement authorities, there are other less formal mechanisms that
a bank can use to report these incidents and help combat fraudulent
activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/),
which is a joint initiative of industry and law enforcement designed
to support apprehension of perpetrators of phishing-related crimes,
including spoofing. Members of Digital Phishnet include ISPs,
online auction services, financial institutions, and financial
service providers. The members work closely with the FBI, Secret
Service, U.S. Postal Inspection Service, Federal Trade Commission
(FTC), and several electronic crimes task forces around the country
to assist in identifying persons involved in phishing-type crimes.
Finally, banks can forward suspicious e-mails to the FTC at
email@example.com. For more
information on how the FTC can assist in combating phishing and
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
A firewall is a collection of components (computers, routers, and
software) that mediate access between different security domains.
All traffic between the security domains must pass through the
firewall, regardless of the direction of the flow. Since the
firewall serves as a choke point for traffic between security
domains, it is ideally situated to inspect and block traffic and to
coordinate activities with network intrusion detection systems (IDS).
Financial institutions have four primary firewall types from which
to choose: packet filtering, stateful inspection, proxy servers, and
application-level firewalls. Any product may have characteristics of
one or more firewall types. The selection of firewall type is
dependent on many characteristics of the security zone, such as the
amount of traffic, the sensitivity of the systems and data, and
applications. Over the next few weeks we will discuss the different
types of firewalls.
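The following is an added illustration, not text or code from the FFIEC booklet or from this newsletter: a small Python model of the first two firewall types named above, packet filtering and stateful inspection, run over a constructed four-packet trace. The addresses, ports, rule set and the Packet structure are assumptions made for the demonstration. It shows why a pure packet filter that admits any inbound packet with the ACK flag set (the usual way to let replies through when the firewall keeps no connection state) also admits an attacker's unsolicited ACK probe against an internal host, while a stateful filter, which admits return traffic only for flows it saw an internal host open, blocks the same probe.

```python
"""Packet filtering versus stateful inspection, as a toy simulation.

Added example for illustration only. The network layout, rule set and
packet trace below are constructed for the demo, not taken from any
real firewall product or from the FFIEC guidance.
"""
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."     # assumed internal security zone (prefix match)
WEB_SERVER = "10.0.0.5"      # assumed host deliberately exposed on TCP 443


@dataclass(frozen=True)
class Packet:
    """Just the header fields the two filters look at (assumed layout)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: every packet is judged on its own header alone.

    Assumed rules: allow anything leaving the internal zone, allow inbound
    to the web server on 443, and, because a stateless filter cannot know
    which connections exist, allow any inbound packet with ACK set so that
    replies to connections opened from inside get through.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return True
    if pkt.dst == WEB_SERVER and pkt.dport == 443:
        return True
    if not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.ack:
        return True  # the "established" approximation: the weak spot
    return False


class StatefulFilter:
    """Stateful inspection: inbound traffic passes only if it is the return
    direction of a flow an internal host initiated, or hits an exposed
    service. The flow table is keyed on the 4-tuple of the outbound SYN."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of tracked flows

    def decide(self, pkt: Packet) -> bool:
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        if outbound:
            if pkt.syn and not pkt.ack:          # new connection from inside
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dst == WEB_SERVER and pkt.dport == 443:
            return True
        # Inbound: allowed only as the reverse direction of a tracked flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run(trace, decide):
    """Apply a decision function to each packet in order; True = permit."""
    return [decide(p) for p in trace]


# Constructed trace: an internal client opens a connection to an outside
# site and gets the SYN-ACK back; then an outside host sends an unsolicited
# ACK-only probe and a plain SYN at an internal file server on port 445.
TRACE = [
    Packet("10.0.0.23", 51000, "203.0.113.9", 443, syn=True),
    Packet("203.0.113.9", 443, "10.0.0.23", 51000, syn=True, ack=True),
    Packet("198.51.100.77", 40000, "10.0.0.42", 445, ack=True),   # ACK probe
    Packet("198.51.100.77", 40001, "10.0.0.42", 445, syn=True),   # plain SYN
]


def compare():
    """Return (stateless decisions, stateful decisions) for TRACE."""
    stateless = run(TRACE, stateless_filter)
    stateful = run(TRACE, StatefulFilter().decide)
    return stateless, stateful


if __name__ == "__main__":
    for pkt, a, b in zip(TRACE, *compare()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={a} stateful={b}")
```

Both filters pass the client's outbound SYN and the legitimate SYN-ACK reply and both drop the bare inbound SYN, but only the stateless filter lets the ACK-only probe reach 10.0.0.42:445, because its "ACK set" rule is the only way it has to recognise replies. That gap is exactly what stateful inspection closes, and it is why proxy and application-level firewalls, which reconstruct the session or the protocol rather than inspecting isolated headers, can go further still.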
C. HOST SECURITY
Determine whether an appropriate process exists to authorize access
to host systems and that authentication and authorization controls
on the host appropriately limit access to and control the access of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Redisclosure of nonpublic personal information received from a
nonaffiliated financial institution outside of Sections 14 and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in step 2 below (§11(b)(1)(i)).
2. If the institution shares information with entities other
than those under step 1 above, verify that the institution's
information sharing practices conform to those in the nonaffiliated
financial institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to
ensure that the information sharing reflects the opt out status of
the consumers of the nonaffiliated financial institution (§§10,
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With Gramm-Leach-Bliley and the regulators' IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing the internal connections to your network.
For more information about our independent-internal testing,
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.