R. Kinney Williams & Associates
Internet Banking News
June 11, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Sony DRM
settlement passes final legal hurdle - Rootkit fiasco put to bed. A
federal judge gave final approval to an endgame in a class action
suit against Sony BMG Music Entertainment over anti-piracy software
the company had embedded in some music CDs.
http://software.silicon.com/security/0,39024888,39159045,00.htm
FYI - Loan company
reports loss of data on 1.3 million - About 1.3 million customers of
a Texas provider of student loans are at risk of ID fraud, after a
contractor lost computer equipment with sensitive information on
them.
http://news.com.com/2102-1029_3-6079261.html?tag=st.util.print
FYI - Americans want
better data security laws - The U.S. public wants stronger federal
data security legislation as its confidence wanes in current laws
intended to protect them on the Internet, according to a new survey
by the Cybersecurity Industry Alliance. The April survey of 1,150
adults found that only 18 percent - less than one in five - believe
that existing laws are sufficient to protect them on the Internet.
http://www.fcw.com/article94613-05-23-06-Web
FYI - OMB to agencies:
Review personal data protections - The Office of Management and
Budget has directed agencies' senior privacy officials to review and
correct any policies and processes to ensure that they protect
against misuse of or unauthorized access to personally identifiable
information.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40842
FYI - Red Cross warns
blood donors of possible ID thefts in Midwest - As many as 1M people
in Illinois and Missouri could be vulnerable; four victims so far
confirmed - About 1 million blood donors in the Missouri-Illinois
Blood Services Region of the American Red Cross were warned last
week that personal information about them could have been stolen
earlier this year by a former employee and might have been used in
identity thefts.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000754
FYI - Public Safety
reports computer security breach - A recent security breach
involving a University of Delaware Department of Public Safety
computer server has resulted in the possible exposure of names,
Social Security Numbers and driver's license numbers.
http://www.udel.edu/PR/UDaily/2006/may/breach052306.html
FYI - Barclays banks on
anti-virus deal - Barclays is buying every one of its online banking
customers anti-virus software in a bid to improve security. The deal
also includes two years' worth of updates to ensure the security
package keeps customers protected.
http://news.bbc.co.uk/2/hi/technology/5019856.stm
FYI - Sacred Heart is
latest university to be hacked - Sacred Heart University is the
latest school to be victimized by hackers, according to a message
posted on the school's Web site. The Fairfield, Conn.-based
university said in the posting that it discovered the intrusion on
May 8 and notified police and the FBI, which have launched
investigations. Sacred Heart offered no details on when the hackers
may have entered the system or the kind of information that may have
been exposed.
http://news.com.com/2102-7349_3-6077212.html?tag=st.util.print
WEB SITE COMPLIANCE - We continue our series on the FFIEC Authentication in an Internet Banking Environment. (Part 3 of 13)
Risk Assessment
The implementation of appropriate authentication methodologies
should start with an assessment of the risk posed by the
institution's Internet banking systems. The risk should be evaluated
in light of the type of customer (e.g., retail or commercial); the
customer transactional capabilities (e.g., bill payment, wire
transfer, loan origination); the sensitivity of customer information
being communicated to both the institution and the customer; the
ease of using the communication method; and the volume of
transactions. Prior agency guidance has elaborated on this
risk-based and "layered" approach to information security.
An effective authentication program should be implemented to ensure
that controls and authentication tools are appropriate for all of
the financial institution's Internet-based products and services.
Authentication processes should be designed to maximize
interoperability and should be consistent with the financial
institution's overall strategy for Internet banking and electronic
commerce customer services. The level of authentication used by a
financial institution in a particular application should be
appropriate to the level of risk in that application.
A comprehensive approach to authentication requires development of,
and adherence to, the institution's information security standards,
integration of authentication processes within the overall
information security framework, risk assessments within lines of
businesses supporting selection of authentication tools, and central
authority for oversight and risk monitoring. This authentication
process should be consistent with and support the financial
institution's overall security and risk management programs.
The method of authentication used in a specific Internet application
should be appropriate and reasonable, from a business perspective,
in light of the reasonably foreseeable risks in that application.
Because the standards for implementing a commercially reasonable
system may change over time as technology and other procedures
develop, financial institutions and technology service providers
should develop an ongoing process to review authentication
technology and ensure appropriate changes are implemented.
The agencies consider single-factor authentication, as the only
control mechanism, to be inadequate for high-risk transactions
involving access to customer information or the movement of funds to
other parties. Single-factor authentication tools, including
passwords and PINs, have been widely used for a variety of Internet
banking and electronic commerce activities, including account
inquiry, bill payment, and account aggregation. However, financial
institutions should assess the adequacy of such authentication
techniques in light of new or changing risks such as phishing,
pharming, malware, and the evolving sophistication of compromise
techniques. Where risk assessments indicate that the use of
single-factor authentication is inadequate, financial institutions
should implement multifactor authentication, layered security, or
other controls reasonably calculated to mitigate those risks.
The risk assessment process should:
• Identify all transactions and levels of access associated with Internet-based customer products and services;
• Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
• Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.
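The three steps above, worked through as an added Python example (this is not code from the FFIEC guidance or from this newsletter): it enumerates a constructed set of Internet banking transactions, ranks each by the factors the guidance names, and gauges whether the deployed authentication control covers the threats assumed for that risk tier, re-running the check when a new threat is added. The transaction names, scoring weights, threat names and what each control is taken to resist are all assumptions made for illustration.

```python
"""Risk-based selection of authentication controls.

Added example, not part of the FFIEC guidance or this newsletter. Every
transaction, risk weight, threat name and control capability below is a
constructed assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Transaction:
    name: str
    moves_funds: bool            # funds leave the institution to another party
    exposes_customer_info: bool  # nonpublic personal information is displayed
    commercial: bool             # commercial customers carry larger exposures
    typical_amount: float        # constructed figure, in dollars


# Step 1: enumerate the transactions and access levels offered online.
TRANSACTIONS = [
    Transaction("balance_inquiry", False, True, False, 0.0),
    Transaction("bill_payment", True, False, False, 250.0),
    Transaction("wire_transfer", True, False, True, 50_000.0),
    Transaction("loan_origination", True, True, True, 200_000.0),
]

# Threats each risk tier must withstand (constructed; names are generic).
THREATS_BY_RISK: Dict[str, Set[str]] = {
    "low": {"online_guessing"},
    "medium": {"online_guessing", "credential_replay"},
    "high": {"online_guessing", "credential_replay", "keystroke_capture", "pharming"},
}

# Step 2: mitigation techniques in use and the threats each is assumed to
# resist. A "+" marks a multifactor combination.
CONTROLS: Dict[str, Set[str]] = {
    "password": {"online_guessing"},
    "password+otp_token": {"online_guessing", "credential_replay", "keystroke_capture"},
    "password+out_of_band": {"online_guessing", "credential_replay", "keystroke_capture", "pharming"},
}


def risk_level(t: Transaction) -> str:
    """Rank a transaction from the factors the guidance names (constructed weights)."""
    score = 0
    if t.moves_funds:
        score += 2
    if t.exposes_customer_info:
        score += 2
    if t.commercial:
        score += 1
    if t.typical_amount >= 10_000:
        score += 1
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def assess(deployed: Dict[str, str], emerging_threats: Iterable[str] = ()) -> Dict[str, dict]:
    """Step 3: gauge each deployed control against current and emerging threats.

    deployed maps transaction name -> control name. Emerging threats are added
    to the medium and high tiers so the assessment can be re-run as the
    threat picture changes.
    """
    emerging = set(emerging_threats)
    findings = {}
    for t in TRANSACTIONS:
        level = risk_level(t)
        control = deployed[t.name]
        needed = set(THREATS_BY_RISK[level])
        if level != "low":
            needed |= emerging
        uncovered = needed - CONTROLS[control]
        # The agencies treat single-factor alone as inadequate for high-risk
        # transactions regardless of the threat list.
        single_factor_high = "+" not in control and level == "high"
        findings[t.name] = {
            "risk": level,
            "control": control,
            "uncovered_threats": sorted(uncovered),
            "adequate": not uncovered and not single_factor_high,
        }
    return findings


if __name__ == "__main__":
    legacy = {t.name: "password" for t in TRANSACTIONS}
    for name, finding in assess(legacy).items():
        print(name, finding)
```

Running `assess` with every product on a plain password shows the wire and loan transactions failing on both the threat coverage and the single-factor rule; swapping in multifactor controls clears the findings, and passing an `emerging_threats` entry that no control covers reopens them, which is the "changing risk factors" re-evaluation the third bullet asks for.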
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Application-Level Firewalls
Application-level firewalls perform application-level screening,
typically including the filtering capabilities of packet filter
firewalls with additional validation of the packet content based on
the application. Application-level firewalls capture and compare
packets to state information in the connection tables. Unlike a
packet filter firewall, an application-level firewall continues to
examine each packet after the initial connection is established for
specific applications or services such as telnet, FTP, HTTP, SMTP,
etc. The application-level firewall can provide additional screening
of the packet payload for commands, protocols, packet length,
authorization, content, or invalid headers. Application-level
firewalls provide the strongest level of security, but are slower
and require greater expertise to administer properly.
The primary disadvantages of application-level firewalls are:
• The time required to read and interpret each packet slows network traffic. Traffic of certain types may have to be split off before the application-level firewall and passed through different access controls.
• Any particular firewall may provide only limited support for new network applications and protocols. They also simply may allow traffic from those applications and protocols to go through the firewall.
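To make the contrast concrete, here is an added Python example (not code from the FFIEC booklet or this newsletter) of a packet-filter decision next to a small application-level firewall for HTTP. The packet filter reads only the destination port; the application-level firewall keeps a per-connection state table, validates the command, headers and declared length of the first segment, and keeps screening every later segment of the same connection against that state. The permitted port and methods, the body limit, the header grammar and the sample packets are constructed for illustration, and the request head is assumed to arrive in the first segment.

```python
"""Packet filter versus application-level screening of HTTP.

Added example, not from the FFIEC booklet or this newsletter. The allowed
port and methods, the body limit, the header pattern and the sample packets
are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

ALLOWED_PORTS = {80}                       # packet-filter rule (constructed)
ALLOWED_METHODS = {"GET", "POST", "HEAD"}  # HTTP commands permitted (constructed)
MAX_BODY = 4096                             # largest declared body (constructed)
# Header line: token name, ": ", printable ASCII value; anything else is invalid.
HEADER_RE = re.compile(rb"^[A-Za-z0-9-]+: [\x20-\x7e]*$")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def packet_filter(pkt: Packet) -> bool:
    """A packet filter decides on addressing alone; the payload is never read."""
    return pkt.dport in ALLOWED_PORTS


class ApplicationFirewall:
    """Screens the first segment as an HTTP request, then polices body length
    on every later segment of the same connection using its state table."""

    def __init__(self) -> None:
        # (src, dst, dport) -> body bytes the client may still send
        self.connections: Dict[Tuple[str, str, int], int] = {}

    def screen(self, pkt: Packet) -> Tuple[bool, str]:
        if not packet_filter(pkt):
            return False, "port not permitted"
        key = (pkt.src, pkt.dst, pkt.dport)
        if key not in self.connections:
            ok, reason, budget = self._screen_request(pkt.payload)
            if not ok:
                return False, reason
            self.connections[key] = budget
            return True, "request accepted"
        # Established connection: later segments must stay inside the
        # Content-Length declared in the already-screened request.
        budget = self.connections[key]
        if len(pkt.payload) > budget:
            del self.connections[key]
            return False, "payload exceeds declared Content-Length"
        self.connections[key] = budget - len(pkt.payload)
        return True, "body segment accepted"

    def _screen_request(self, payload: bytes) -> Tuple[bool, str, int]:
        """Validate request line and headers; returns the remaining body budget.
        Assumes the request head fits in the first segment (a simplification)."""
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
            return False, "malformed request line", 0
        method = parts[0].decode("ascii", "replace")
        if method not in ALLOWED_METHODS:
            return False, f"command {method} not permitted", 0
        content_length = 0
        for line in lines[1:]:
            if not HEADER_RE.match(line):
                return False, "invalid header", 0
            name, value = line.split(b": ", 1)
            if name.lower() == b"content-length":
                if not value.isdigit():
                    return False, "invalid Content-Length", 0
                content_length = int(value)
        if content_length > MAX_BODY:
            return False, "declared body exceeds limit", 0
        if len(body) > content_length:
            return False, "body longer than declared", 0
        return True, "ok", content_length - len(body)


if __name__ == "__main__":
    fw = ApplicationFirewall()
    probe = Packet("10.0.0.6", "10.0.0.1", 80, b"TRACE / HTTP/1.1\r\nHost: x\r\n\r\n")
    print("packet filter:", packet_filter(probe))   # True: port 80 is open
    print("application-level:", fw.screen(probe))   # rejected on the command
```

The `TRACE` probe in `__main__` is the point of the comparison: the packet filter passes it because port 80 is open, while the application-level firewall rejects it after reading the request line. The per-packet parsing in `_screen_request` and the state lookup in `screen` are also where the booklet's first disadvantage comes from; every segment costs a parse or a table lookup that a packet filter never pays.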
IT SECURITY QUESTION:
C. HOST SECURITY
9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period.
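An examiner working this question needs evidence on three points: that each log record names who did what, where and when; that the records cannot be altered without detection; and that the store covers the retention window. The following added Python example (not from the FFIEC material or this newsletter) checks a constructed host log against those three points, using a hash chain for tamper evidence. The field names, the one-year retention figure and the sample records are assumptions, not regulatory values.

```python
"""Checking host logs for accountability, integrity and retention.

Added example, not from the FFIEC material or this newsletter. The record
format, the required fields, the retention period and the sample entries
are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Fields a record must carry to affix accountability (constructed set).
REQUIRED_FIELDS = ("ts", "host", "user", "action", "outcome")
# Retention window the log store is expected to cover (constructed policy).
RETENTION = timedelta(days=365)
GENESIS = "0" * 64


def chain_hash(prev: str, record: Dict[str, str]) -> str:
    """Hash of the previous chain value plus a canonical form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canonical).encode()).hexdigest()


def append(log: List[dict], record: Dict[str, str]) -> None:
    """Append a record with its chain value so later edits are detectable."""
    prev = log[-1]["chain"] if log else GENESIS
    log.append({**record, "chain": chain_hash(prev, record)})


def audit(log: List[dict], now: datetime, retention: timedelta = RETENTION) -> dict:
    """Report missing accountability fields, the first broken chain link, and
    whether the oldest retained record reaches back over the retention window."""
    findings = {
        "missing_fields": [],
        "chain_broken_at": None,
        "oldest_record": None,
        "retention_met": False,
    }
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "chain"}
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            findings["missing_fields"].append((i, missing))
        if entry.get("chain") != chain_hash(prev, record):
            findings["chain_broken_at"] = i
            break   # everything after a broken link is untrustworthy
        prev = entry["chain"]
    if log:
        oldest = datetime.fromisoformat(log[0]["ts"])
        findings["oldest_record"] = log[0]["ts"]
        findings["retention_met"] = now - oldest >= retention
    return findings


def build_sample_log() -> List[dict]:
    """Constructed sample records; the third one lacks the user field."""
    log: List[dict] = []
    append(log, {"ts": "2005-06-01T00:00:00+00:00", "host": "h1",
                 "user": "alice", "action": "login", "outcome": "success"})
    append(log, {"ts": "2006-06-10T08:00:00+00:00", "host": "h1",
                 "user": "bob", "action": "sudo", "outcome": "success"})
    append(log, {"ts": "2006-06-10T09:00:00+00:00", "host": "h1",
                 "action": "cron", "outcome": "success"})
    return log


if __name__ == "__main__":
    now = datetime(2006, 6, 11, tzinfo=timezone.utc)
    sample = build_sample_log()
    print(audit(sample, now))
    sample[1]["user"] = "mallory"      # simulate an after-the-fact edit
    print(audit(sample, now))
```

The `missing_fields` finding is the accountability check, `chain_broken_at` is the "appropriately secured" check (a hash chain detects edits but does not prevent them, so in practice the chain head is copied to a host the logging system cannot write), and `retention_met` is the "sufficient time period" check against the constructed one-year window.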
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
2) Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or 15? [§4(a)(2)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
please visit
http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.