FYI - The great
intrusion prevention debate - No security topic generates more
spirited debate than intrusion prevention. Deployed on the edge --
and increasingly, deep inside -- the network, IPSes (intrusion
prevention systems) purport to identify and stop attacks before they
start based on constantly updated threat profiles.
http://www.infoworld.com/article/05/05/09/19FEipsids_1.html?SECURITY
FYI - Internet Attack
Called Broad and Long Lasting by Investigators - The incident seemed
alarming enough: a breach of a Cisco Systems network in which an
intruder seized programming instructions for many of the computers
that control the flow of the Internet. Now federal officials and
computer security investigators have acknowledged that the Cisco
break-in last year was only part of a more extensive operation -
involving a single intruder or a small band, apparently based in
Europe - in which thousands of computer systems were similarly
penetrated.
http://www.nytimes.com/2005/05/10/technology/10cisco.html?ei=5065&en=0871aec1c2d2e970&ex=1116302400&partner=MYWAY&pagewanted=print&position
http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=8444181
FYI - Missing backup
tapes spur encryption at Time Warner - The data security move
follows a loss of info on 600,000 employees - Time Warner Inc. said
it will "quickly" begin encrypting all data saved to backup tapes
after 40 tapes with personal information on about 600,000 current
and former employees were lost in transit to a storage facility.
http://www.computerworld.com/printthis/2005/0,4814,101589,00.html
FYI - That classified US
military report's secrets in full - The error was caused by the US
military itself, which posted an unclassified version of the report
on the internet as a PDF file with large chunks blacked out.
However, the Pentagon had failed to save the file with the edit
lines in place so a simple copy-and-paste of the document into a
word processing application revealed the report in full.
http://www.theregister.co.uk/2005/05/03/military_report_secrets/print.html
FYI - Interior faces
possible IT security catastrophe - Some Interior Department systems
that house American Indian trust data are so easy to penetrate,
according to the department's inspector general, that they
potentially could cause "severe or catastrophic" problems.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35743
FYI - Key-loggers the
new phisherman's friend - Combination attacks becoming the norm as
users wise up to the scam - Phishing attacks are increasingly using
key-loggers as another method to steal personal information,
according to the Anti-Phishing Working Group.
http://www.vnunet.com/news/1162890
FYI - Michigan State's
Wharton Center says computer security breached - Michigan State
University has warned more than 40,000 Wharton Center patrons that a
hacker broke into a computer server involved in credit card
processing for the performing arts venue.
http://www.freep.com/news/statewire/sw115435_20050506.htm
FYI - IT managers
spending more time on security - A survey released Monday by
security vendor Secure Computing showed that IT managers are
spending more hours on security and are more worried about spyware
than spam.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=e3e89669-095d-42b8-add1-ee629d7046ec&newsType=Latest%20News&s=n
FYI - NCUA Chairman Urges Credit Unions To Enhance Due Diligence Of
Third Party Vendors and Consumer Compliance - Enhanced due diligence by
America's credit unions of all third party vendors
and compliance should be a top safety and soundness priority, says
National Credit Union Administration Board Chairman JoAnn Johnson.
www.ncua.gov/news/press_releases/2005/NR05-0516.htm
FYI - Data theft involving four
banks could affect 500,000 customers - "This thing's getting bigger
and bigger," says one police officer. - Electronic account records
for some 500,000 banking customers at four different banks were
allegedly stolen and sold to collection agencies in a data-theft
case that has so far led to criminal charges against nine people,
including seven former bank employees.
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,101831,00.html?source=NLT_AM&nid=101831
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
required.
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC
"Security Risks Associated with the Internet."
Utilization of the Internet presents numerous issues and risks which
must be addressed. While many aspects of system performance will
present additional challenges to the bank, some will be beyond the
bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
bank's business.
The risks will not remain static. As technologies evolve, security
controls will improve; however, so will the tools and methods used
by others to compromise data and systems. Comprehensive security
controls must not only be implemented, but also updated to guard
against current and emerging threats. Security controls that address
the risks will be presented over the next few weeks.
SECURITY MEASURES
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
and non-repudiation.
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates are
emerging to address security concerns, particularly in the area of
authentication. The function of and the need for encryption, digital
signatures, certificate authorities, and digital certificates differ
depending on the particular security issues presented by the bank's
activities. The technologies, implementation standards, and the
necessary legal infrastructure continue to evolve to address the
security needs posed by the Internet and electronic commerce.
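The paragraph above maps technologies to security properties; the following added example (not from the FDIC paper or this newsletter) shows in working code why a digital signature gives non-repudiation while a shared-key MAC does not, and how any change to the signed message is detected. It assumes a toy RSA key built from two small, constructed primes purely for illustration; real keys are 2048 bits or more and come from a vetted library.

```python
import hashlib
import hmac

# Constructed demo values: two small known primes (the 10,000th and
# 100,000th primes) give a toy RSA modulus. The tiny size only serves
# the illustration; it offers no real security.
P, Q = 104729, 1299709
N = P * Q
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)


def _digest(msg: bytes) -> int:
    """Hash the message and reduce it below the modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, priv: int = D) -> int:
    """Signature = hash^d mod n; only the private-key holder can compute it."""
    return pow(_digest(msg), priv, N)


def verify(msg: bytes, sig: int, pub: int = E) -> bool:
    """Anyone holding the public key can check the signature, and any
    change to the message breaks it (authentication + integrity)."""
    return pow(sig, pub, N) == _digest(msg)


def mac(msg: bytes, shared_key: bytes) -> str:
    """HMAC gives integrity and authentication between the two key holders,
    but either holder could have produced it, so it proves nothing to a
    third party (no non-repudiation)."""
    return hmac.new(shared_key, msg, hashlib.sha256).hexdigest()


def demo() -> dict:
    instruction = b"transfer 500.00 from 1234 to 5678"   # constructed sample
    tampered = b"transfer 5000.00 from 1234 to 5678"
    sig = sign(instruction)                 # customer signs with private key
    shared = b"key shared by customer and bank"
    customer_tag = mac(instruction, shared)
    bank_tag = mac(instruction, shared)     # the bank can produce the same tag
    return {
        "signature_verifies": verify(instruction, sig),
        "tampered_rejected": not verify(tampered, sig),
        "mac_forgeable_by_verifier": hmac.compare_digest(customer_tag, bank_tag),
    }
```

The bank, holding only E and N, cannot produce `sig` itself, which is what lets the signature serve as evidence against a later denial; the HMAC tag, by contrast, is equally computable by both parties.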
IT SECURITY QUESTION:
Internal controls and procedures: (Part 1 of 2)
a. Are output reports satisfactory for employees to perform their
respective duties?
b. Are output reports satisfactory for management?
c. Are output reports satisfactory for auditing purposes?
d. Are there satisfactory user procedures?
e. Is there separation of duties for input preparation and
balancing?
f. Is there separation of duties for data entry?
g. Is there separation of duties for operation of the computer
system?
h. Is there separation of duties for handling rejected items for
reentry?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
20. Does the opt out notice state:
a. that the institution discloses or reserves the right to disclose
nonpublic personal information about the consumer to a nonaffiliated
third party; [§7(a)(1)(i)]
b. that the consumer has the right to opt out of that disclosure;
[§7(a)(1)(ii)] and
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]
VISTA - Does {custom4} need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure their IT security
settings, as well as to meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports; testing focuses on a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.