R. Kinney Williams
May 28, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FTC settles data security case - Settlement calls for real-estate
firm NHC to improve its information security practices and submit to
audits - Nations Holding Co. (NHC), a real-estate firm operating in
44 U.S. states, has settled a data security case after the U.S.
Federal Trade Commission (FTC) accused it of allowing a common Web
attack to compromise customer data, the FTC announced.
Lloyds TSB admits chip and Pin flawed - A MAJOR bank has finally
conceded that serious flaws in the new chip and PIN system has
opened it up to fraud. Lloyds TSB admitted a surge in thefts by
gangs who clone debit and credit cards then plunder accounts at ATMs
FTC launches ID theft prevention program - The Federal Trade
Commission (FTC) has launched an identity theft education campaign
to coincide with President Bush's creation of a task force designed
to tackle America's fastest growing crime.
SCADA (Supervisory Control and Data Acquisition) on thin ice -
Industrial control systems pose little-noticed security threat - The
electronic control systems that act as the nervous system for all
critical infrastructures are insecure and pose disastrous risks to
national security, cybersecurity experts warn.
Execs tell regulators Sarbanes-Oxley costs exceed benefits - Faced
with a tidal wave of complaints about high costs and implementation
difficulties, federal regulators say they will consider modifying
rules and auditing standards related to the Sarbanes-Oxley Act.
Florida theater chain hit by virus attack - It made buying tickets a
'Mission Impossible' for would-be movie-goers - Buying tickets
online for Tom Cruise's latest movie became a Mission: Impossible
for some theater goers last weekend thanks to a computer virus that
gummed up ticket-buying in the Southeastern U.S.
Search engines point to malicious Web sites - Around 285M clicks
each month go terribly wrong - Search engines deliver links to
dangerous Web sites that download spyware and adware to visitors'
PCs, exploit security vulnerabilities and attempt to scam users and
include them in spam lists, a new study has found. U.S. users land
on malicious Web sites about 285 million times per month by clicking
on search results from the five major search engines, according to
the study, conducted by McAfee Inc.'s SiteAdvisor unit. Google Inc.,
Yahoo Inc., Microsoft Corp.'s MSN unit, IAC/InterActiveCorp's
Ask.com and Time Warner Inc.'s AOL LLC comprise the top search
Indian IT firms look for data security chief - The Indian IT
industry is setting up an organisation to police data security among
firms handling outsourcing contracts from countries such as the UK.
FYI - Personal data on millions
of US veterans stolen - Personal information on 26.5 million U.S.
veterans was stolen from an employee of the Department of Veterans
Affairs who took the data home without authorization, exposing them
to possible identity theft, the department said.
FYI - University server in
hackers' hands for a year - An unprecedented string of electronic
intrusions has prompted Ohio University to place at least one
technician on paid administrative leave and begin a sweeping
reorganization of the university's computer services department.
Return to the top
of the newsletter
WEB SITE COMPLIANCE - While we
normally try not to repeat articles within a year, some readers have
asked us if we would cover again authentication for Internet banking
since financial Institutions will be expected to achieve compliance
with the guidance no later than year-end 2006. This is an
important subject; therefore, in response to reader request, we
begin our 13 part series on the FFIEC
Authentication in an Internet Banking Environment.
On August 8, 2001, the FFIEC agencies (agencies) issued guidance
entitled Authentication in an Electronic Banking Environment (2001
Guidance). The 2001 Guidance focused on risk management controls
necessary to authenticate the identity of retail and commercial
customers accessing Internet-based financial services. Since 2001,
there have been significant legal and technological changes with
respect to the protection of customer information; increasing
incidents of fraud, including identity theft; and the introduction
of improved authentication technologies. This updated guidance
replaces the 2001 Guidance and specifically addresses why financial
institutions regulated by the agencies should conduct risk-based
assessments, evaluate customer awareness programs, and develop
security measures to reliably authenticate customers remotely
accessing their Internet-based financial services.
This guidance applies to both retail and commercial customers and
does not endorse any particular technology. Financial institutions
should use this guidance when evaluating and implementing
authentication systems and practices whether they are provided
internally or by a service provider. Although this guidance is
focused on the risks and risk management techniques associated with
the Internet delivery channel, the principles are applicable to all
forms of electronic banking activities.
Summary of Key Points
The agencies consider single-factor authentication, as the only
control mechanism, to be inadequate for high-risk transactions
involving access to customer information or the movement of funds to
other parties. Financial institutions offering Internet-based
products and services to their customers should use effective
methods to authenticate the identity of customers using those
products and services. The authentication techniques employed by the
financial institution should be appropriate to the risks associated
with those products and services. Account fraud and identity theft
are frequently the result of single-factor (e.g., ID/password)
authentication exploitation. Where risk assessments indicate that
the use of single-factor authentication is inadequate, financial
institutions should implement multifactor authentication, layered
security, or other controls reasonably calculated to mitigate those
Consistent with the FFIEC Information Technology Examination
Handbook, Information Security Booklet, December 2002, financial
institutions should periodically:
• Ensure that their information security program:
- Identifies and assesses the risks associated with Internet-based
products and services,
- Identifies risk mitigation actions, including appropriate
authentication strength, and
- Measures and evaluates customer awareness efforts;
• Adjust, as appropriate, their information security program in
light of any relevant changes in technology, the sensitivity of its
customer information, and internal or external threats to
• Implement appropriate risk mitigation strategies.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Packet Filter Firewalls
Basic packet filtering was described in the router section and does
not include stateful inspection. Packet filter firewalls evaluate
the headers of each incoming and outgoing packet to ensure it has a
valid internal address, originates from a permitted external
address, connects to an authorized protocol or service, and contains
valid basic header instructions. If the packet does not match the
pre-defined policy for allowed traffic, then the firewall drops the
packet. Packet filters generally do not analyze the packet contents
beyond the header information. Dynamic packet filtering incorporates
stateful inspection primarily for performance benefits. Before
re-examining every packet, the firewall checks each packet as it
arrives to determine whether it is part of an existing connection.
If it verifies that the packet belongs to an established connection,
then it forwards the packet without subjecting it to the firewall
Weaknesses associated with packet filtering firewalls include the
! The system is unable to prevent attacks that employ application
specific vulnerabilities and functions because the packet filter
cannot examine packet contents.
! Logging functionality is limited to the same information used to
make access control decisions.
! Most do not support advanced user authentication schemes.
! Firewalls are generally vulnerable to attacks and exploitation
that take advantage of problems in the TCP/IP specification.
! The firewalls are easy to misconfigure, which allows traffic to
pass that should be blocked.
Packet filtering offers less security, but faster performance than
application-level firewalls. The former are appropriate in high -
speed environments where logging and user authentication with
network resources are not important. Packet filter firewalls are
also commonly used in small office/home office (SOHO) systems and
default operating system firewalls.
Institutions internally hosting Internet-accessible services should
consider implementing additional firewall components that include
Return to the top of the
C. HOST SECURITY
Determine whether access to utilities on the host are appropriately
restricted and monitored.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Account number sharing
A. If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts indicate
that the telemarketers have the account numbers of the institution's
B. Obtain and review a sample of contracts with agents or service
providers to whom the financial institution discloses account
numbers for use in connection with marketing the institution's own
products or services. Determine whether the institution shares
account numbers with nonaffiliated third parties only to perform
marketing for the institution's own products and services. Ensure
that the contracts do not authorize these nonaffiliated third
parties to directly initiate charges to customer's accounts (§12(b)(1)).
C. Obtain a sample of materials and information provided to the
consumer upon entering a private label or affinity credit card
program. Determine if the participants in each program are
identified to the customer when the customer enters into the program
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.