R. Kinney Williams
June 4, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - U.S. pulls Lenovo
PCs from State Department - May 19, 2006 - The State Department has
backed down on a decision to install computers made by Chinese
company Lenovo on its classified networks.
FYI - Credit card
security rules to get update - Proposed new security rules for
credit card-accepting businesses will put more scrutiny on software,
but let them off the hook on encryption. The update to the Payment
Card Industry (PCI) Data Security Standard, due this summer,
responds to evolving attacks as well as to challenges some
businesses have with the encryption of consumer data, Tom Maxwell,
director of e-Business and Emerging Technologies at MasterCard
FYI - DoD Offers Free
Anti-Spyware for Personal Use - The Defense Information Systems
Agency (DISA) has licensed free anti-spyware software for all
government employees and armed forces personnel for use on personal
FYI - Japanese power
plant secrets leaked by virus - Sensitive information about Japanese
power plants has leaked online from a virus-infected computer for
the second time in less than four months. Data regarding security
arrangements at a thermoelectric power plant run by the Chubu
Electric Power in Owase, Mie Prefecture in central Japan spilled
online this week as a result of an unnamed virus infection.
FYI - Cyber crooks dip
into Frost accounts - Hackers dipped into the accounts of about 100
Frost Bank customers after they took Visa debit card information
from the database of an unnamed national retailer and went on a
spending spree, Frost officials said.
FYI - University server
in hackers' hands for a year - An unprecedented string of electronic
intrusions has prompted Ohio University to place at least one
technician on paid administrative leave and begin a sweeping
reorganization of the university's computer services department.
FYI - Symantec Plugs Anti-virus
Worm Hole in Record Time - Working feverishly through the holiday
weekend, Symantec's security response team has completed patches for
a "high-risk" worm hole in two enterprise-facing product lines.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Since financial Institutions will be expected to achieve compliance
with the guidance no later than year-end 2006, we continue our
series on the FFIEC Authentication in an Internet Banking
Environment. (Part 2 of
Financial institutions engaging in any form of Internet banking
should have effective and reliable methods to authenticate
customers. An effective authentication system is necessary for
compliance with requirements to safeguard customer information, to
prevent money laundering and terrorist financing, to reduce fraud,
to inhibit identity theft, and to promote the legal enforceability
of their electronic agreements and transactions. The risks of doing
business with unauthorized or incorrectly identified persons in an
Internet banking environment can result in financial loss and
reputation damage through fraud, disclosure of customer information,
corruption of data, or unenforceable agreements.
There are a variety of technologies and methodologies financial
institutions can use to authenticate customers. These methods
include the use of customer passwords, personal identification
numbers (PINs), digital certificates using a public key
infrastructure (PKI), physical devices such as smart cards, one-time
passwords (OTPs), USB plug-ins or other types of "tokens",
transaction profile scripts, biometric identification, and others.
(The appendix to this guidance contains a more detailed discussion
of authentication techniques.) The level of risk protection afforded
by each of these techniques varies. The selection and use of
authentication technologies and methods should depend upon the
results of the financial institution's risk assessment process.
Existing authentication methodologies involve three basic "factors":
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a
Authentication methods that depend on more than one factor are more
difficult to compromise than single-factor methods. Accordingly,
properly designed and implemented multifactor authentication methods
are more reliable and stronger fraud deterrents. For example, the
use of a logon ID/password is single-factor authentication (i.e.,
something the user knows); whereas, an ATM transaction requires
multifactor authentication: something the user possesses (i.e., the
card) combined with something the user knows (i.e., PIN). A
multifactor authentication methodology may also include
"out-of-band" controls for risk mitigation.
The success of a particular authentication method depends on more
than the technology. It also depends on appropriate policies,
procedures, and controls. An effective authentication method should
have customer acceptance, reliable performance, scalability to
accommodate growth, and interoperability with existing systems and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Stateful Inspection Firewalls
Stateful inspection firewalls are packet filters that monitor the
state of the TCP connection. Each
TCP session starts with an initial handshake communicated through
TCP flags in the header information. When a connection is
established the firewall adds the connection information to a table.
The firewall can then compare future packets to the connection or
state table. This essentially verifies that inbound traffic is in
response to requests initiated from inside the firewall.
Proxy Server Firewalls
Proxy servers act as an intermediary between internal and external
IP addresses and block direct access to the internal network.
Essentially, they rewrite packet headers to substitute the IP of the
proxy server for the IP of the internal machine and forward packets
to and from the internal and external machines. Due to that limited
capability, proxy servers are commonly employed behind other
firewall devices. The primary firewall receives all traffic,
determines which application is being targeted, and hands off the
traffic to the appropriate proxy server. Common proxy servers are
the domain name server (DNS), Web server (HTTP), and mail (SMTP)
server. Proxy servers frequently cache requests and responses,
providing potential performance benefits. Additionally, proxy
servers provide another layer of access control by segregating the
flow of Internet traffic to support additional authentication and
logging capability, as well as content filtering. Web and e-mail
proxy servers, for example, are capable of filtering for potential
malicious code and application-specific commands.
Return to the top of the
C. HOST SECURITY
Determine whether the host-based IDSs identified as necessary in the
risk assessment are properly installed and configured, that alerts
go to appropriate individuals using an out-of-band communications
mechanism, and that alerts are followed up.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous
notice that accurately reflects its privacy policies and practices
to all customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1))]?
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.