FYI -
Cybercrims dump swag on open botnet server - Everyone knows Trojans
steal personal data, but the discovery of a server containing more
than 1.4 gigabytes of stolen business and personal info brings home
the real extent of the problem.
http://www.theregister.co.uk/2008/05/06/crimeware_server/print.html
FYI -
Online banking call to arms - 'Banking organizations have failed to
pledge that they will stop sending emails that add to the
confusion.' According to a recent report released by UK payments
industry association APACS, the rate of phishing attacks in the UK
has increased dramatically over the last 12 months, with the number
of incidents reported during the first quarter of 2008 up 200 per
cent on the same period last year.
http://www.virusbtn.com/virusbulletin/archive/online-banking-comment
FYI -
Stolen data could fetch in the thousands - The going price for
stolen information is like any other commodity: the higher the
quality, the higher the price, according to McAfee Avert Labs.
http://www.scmagazineus.com/Stolen-data-could-fetch-in-the-thousands/article/109997/?DCMP=EMC-SCUS_Newswire
FYI -
Privacy watchdog welcomes tough data laws - The Information
Commissioner's Office has warmly embraced the introduction of the
Criminal Justice Bill, which will give it the power to issue heavy
fines to organisations for deliberate or reckless breaches of the
Data Protection Act.
http://www.scmagazine.com/uk/news/article/808512/privacy-watchdog-welcomes-tough-data-laws/
FYI -
Few expected to make June 30 PCI deadline for Web application
security - Retailers covered by the Payment Card Industry Data
Security Standard (PCI-DSS) have just about a month and a half left
to comply with new requirements for protecting Web applications. But
as with previous PCI-related deadlines, this one appears destined to
pass with a majority of merchants unlikely to be in full compliance.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085038&source=rss_topic17
FYI - GAO - Challenges in Implementing an Electronic Records Archive.
Release -
http://www.gao.gov/cgi-bin/getrpt?GAO-08-738T
Highlights -
http://www.gao.gov/highlights/d08738thigh.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Hackers' posts on epilepsy forum cause migraines, seizures - But in
a rare example of an attack apparently motivated by malice rather
than money, hackers recently bombarded the Epilepsy Foundation's Web
site with hundreds of pictures and links to pages with rapidly
flashing images.
http://news.smh.com.au/hackers-posts-on-epilepsy-forum-cause-migraines-seizures/20080508-2c4w.html
FYI -
Personal info on six million Chileans posted - According to various
news reports, a hacker has exposed the personal information of about
six million Chilean people.
http://www.scmagazineus.com/Personal-info-on-six-million-Chileans-posted/article/110014/?DCMP=EMC-SCUS_Newswire
FYI -
Three accused of hacking Dave & Buster's computers - Three people
have been charged with stealing credit and debit card numbers from
customers at U.S. restaurant chain Dave & Buster's Inc by hacking
into cash register terminals, the Department of Justice said.
http://theusdaily.com/articles/viewarticle.jsp?id=383646&type=home
FYI -
Another Laptop Stolen from Pfizer, Employee Information Compromised
- About 13,000 employees at Pfizer Inc., including about 5,000 from
Connecticut, had their personal information compromised when a
company laptop and flash drive were stolen, the pharmaceutical giant
confirmed.
http://www.theday.com/re.aspx?re=712c0410-ee9a-47a8-b08d-c7a71a713a5e
FYI -
Classified Hong Kong "watch-list" leaked on internet - A government
investigation was underway Friday after it was revealed that
confidential files from the Immigration Department had been
mistakenly leaked on to the internet.
http://www.topnews.in/classified-hong-kong-watch-list-leaked-internet-240641
WEB SITE COMPLIANCE -
We continue the series on FDIC Supervisory Insights regarding Incident
Response Programs. (6 of 12)
Best Practices - Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum requirements
and incorporate industry best practices into its IRP. As each bank
tailors its IRP to match its administrative, technical, and
organizational complexity, it may find some of the following best
practices relevant to its operating environment. The practices
addressed below are not all inclusive, nor are they regulatory
requirements. Rather, they are representative of some of the more
effective practices and procedures some institutions have
implemented. For organizational purposes, the best practices have
been categorized into the various stages of incident response:
preparation, detection, containment, recovery, and follow-up.
Preparation
Preparing for a potential security compromise of customer
information is a proactive risk management practice. The overall
effectiveness and efficiency of an organization's response is
related to how well it has organized and prepared for potential
incidents. Two of the more effective practices noted in many IRPs
are addressed below.
Establish an incident response team.
A key practice in preparing for a potential incident is
establishing a team that is specifically responsible for responding
to security incidents. Organizing a team that includes individuals
from various departments or functions of the bank (such as
operations, networking, lending, human resources, accounting,
marketing, and audit) may better position the bank to respond to a
given incident. Once the team is established, members can be
assigned roles and responsibilities to ensure incident handling and
reporting is comprehensive and efficient. A common responsibility
that banks have assigned to the incident response team is developing
a notification or call list, which includes contact information for
employees, vendors, service providers, law enforcement, bank
regulators, insurance companies, and other appropriate contacts. A
comprehensive notification list can serve as a valuable resource
when responding to an incident.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Shared Secret Systems (Part 2 of 2)
Weaknesses in shared secret mechanisms generally relate to the ease
with which an attacker can discover the secret. Attack methods vary.
- A dictionary attack is one common and successful way to discover
passwords. In a dictionary attack, the attacker obtains the system
password file, and compares the password hashes against hashes of
commonly used passwords.
Controls against dictionary attacks include securing the password
file from compromise, detection mechanisms to identify a compromise,
heuristic intrusion detection to detect differences in user
behavior, and rapid reissuance of passwords should the password file
ever be compromised. While extensive character sets and storing
passwords as one-way hashes can slow down a dictionary attack,
those defensive mechanisms primarily buy the financial institution
time to identify and react to the password file compromises.
- An additional attack method targets a specific account and submits
passwords until the correct password is discovered.
Controls against those attacks are account lockout mechanisms, which
commonly lock out access to the account after a risk-based number of
failed login attempts.
- A variation of the previous attack uses a popular password, and
tries it against a wide range of usernames.
Controls against this attack on the server are a high ratio of
possible passwords to usernames, randomly generated passwords, and
scanning the IP addresses of authentication requests and client
cookies for submission patterns.
- Password guessing attacks also exist. These attacks generally
consist of an attacker gaining knowledge about the account holder
and password policies and using that knowledge to guess the
password.
Controls include training in and enforcement of password policies
that make passwords difficult to guess. Such policies address the
secrecy, length of the password, character set, prohibition against
using well-known user identifiers, and length of time before the
password must be changed. Users with greater authorization or
privileges, such as root users or administrators, should have
longer, more complex passwords than other users.
- Some attacks depend on patience, waiting until the logged-in
workstation is unattended.
Controls include automatically logging the workstation out after a
period of inactivity (existing industry practice is no more than
20-30 minutes) and heuristic intrusion detection.
- Attacks can take advantage of automatic login features, allowing
the attacker to assume an authorized user's identity merely by
using a workstation.
Controls include prohibiting and disabling automatic login features,
and heuristic intrusion detection.
- Users' inadvertent or unthinking actions can compromise
passwords. For instance, when a password is too complex to readily
memorize, the user could write the password down but not secure the
paper. Frequently, written-down passwords are readily accessible
to an attacker under mouse pads or in other places close to the
user's machine. Additionally, attackers frequently are successful
in obtaining passwords by using social engineering and tricking the
user into giving up their password.
Controls include user training, heuristic intrusion detection, and
simpler passwords combined with another authentication mechanism.
- Attacks can also become much more effective or damaging if
different network devices share the same or a similar password.
Controls include a policy that forbids the same or similar password
on particular network devices.
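The account-lockout and submission-pattern controls described above, as an added example that is not part of the FFIEC booklet or this newsletter: a small Python detector run over a constructed authentication log, flagging accounts that exceed a risk-based failure threshold within a time window and source addresses that fail against many distinct usernames in that window (one password tried across a range of users). The log format, field names, thresholds and window length are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Each line: "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>"
SAMPLE_LOG = """\
2008-05-10T09:00:01 FAIL user=jsmith ip=203.0.113.7
2008-05-10T09:00:03 FAIL user=jsmith ip=203.0.113.7
2008-05-10T09:00:05 FAIL user=jsmith ip=203.0.113.7
2008-05-10T09:00:07 FAIL user=jsmith ip=203.0.113.7
2008-05-10T09:00:09 FAIL user=jsmith ip=203.0.113.7
2008-05-10T09:05:00 FAIL user=alee ip=198.51.100.20
2008-05-10T09:05:02 FAIL user=bkim ip=198.51.100.20
2008-05-10T09:05:04 FAIL user=cgarcia ip=198.51.100.20
2008-05-10T09:05:06 FAIL user=dpatel ip=198.51.100.20
2008-05-10T09:05:08 FAIL user=eross ip=198.51.100.20
2008-05-10T09:30:00 FAIL user=teller7 ip=192.0.2.50
2008-05-10T09:31:00 OK user=teller7 ip=192.0.2.50
"""

def parse_line(line):
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])

def peak_in_window(events, window):
    """events: (timestamp, item) pairs; largest number of distinct items
    seen in any span of length `window` (O(n^2), fine for a log excerpt)."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        items = {item for ts, item in events[i:] if ts - start <= window}
        best = max(best, len(items))
    return best

def find_attack_patterns(log_text, window=timedelta(minutes=10),
                         lockout_threshold=5, spray_threshold=5):
    """Return (accounts_to_lock, spraying_ips): users with >= lockout_threshold
    failures in `window`, and IPs failing against >= spray_threshold users."""
    fails_by_user = defaultdict(list)   # user -> [(ts, line_no)]
    fails_by_ip = defaultdict(list)     # ip   -> [(ts, user)]
    for n, line in enumerate(log_text.splitlines()):
        ts, result, user, ip = parse_line(line)
        if result != "FAIL":
            continue
        fails_by_user[user].append((ts, n))   # every failure counts once
        fails_by_ip[ip].append((ts, user))    # only distinct targets count
    accounts = sorted(u for u, ev in fails_by_user.items()
                      if peak_in_window(ev, window) >= lockout_threshold)
    sprayers = sorted(ip for ip, ev in fails_by_ip.items()
                      if peak_in_window(ev, window) >= spray_threshold)
    return accounts, sprayers
```

Note that 203.0.113.7 is not reported as a sprayer even though it fails five times, because all its attempts target one account; the two controls detect different submission patterns.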
INFORMATION SECURITY
QUESTION:
B. NETWORK SECURITY
6. Determine whether appropriate segregation
exists between the responsibility for networks and the
responsibility for computer operations.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
consumer, unless:
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and practices;
[§8(a)(1)]
b. the institution has provided the consumer with a new opt out
notice; [§8(a)(2)]
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information; [§8(a)(3)]
and
d. the consumer has not opted out? [§8(a)(4)]