R. Kinney Williams
June 18, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Mobile devices
'inadequately protected', survey finds - IT managers are failing to
protect data on corporate mobile devices by not enforcing PIN codes
and passwords to protect the data stored on their laptops, PDAs and
mobile phones, according to a new study.
FYI - Two more
organizations report data breaches - Texas Guaranteed, Sacred Heart
University disclose separate incidents involving personal data - In
yet another large data breach, Texas Guaranteed (TG) a Round Rock,
Texas-based nonprofit organization that administers student loans
today announced that an outside contractor had lost an unspecified
piece of equipment containing the names and Social Security numbers
of approximately 1.3 million borrowers.
FYI - FIU Student
Records Compromised By Hacker - Thousands of students at Florida
International University have received notices in the mail warning
that their personal records might have been compromised because of a
FYI - Hackers gain
access to server hosting bank Web sites - Premier Banks, which
operates 22 branches, was among more than 100 banks across the
nation that were affected when hackers gained access to a server
operated by Goldleaf Technologies Inc. of Brentwood, Tenn. Goldleaf
is host to Web sites mostly for smaller community banks.
FYI - Hotels.com
credit-card numbers stolen - Names and credit-card numbers of
243,000 Hotels.com customers were on a laptop stolen from an Ernst &
Young employee. The names and credit-card numbers of 243,000
Hotels.com customers were on a laptop computer stolen from an
employee of accounting firm Ernst & Young, according to sources
familiar with the matter.
FYI - Circuit City
Support-Site Hack Installed Spamming Program - The customer support
Web site for Richmond-based Circuit City, a leading supplier of
computers and other consumer electronics, was for several weeks
serving up an invasive computer virus to any visitor who browsed the
site with an unpatched version of Microsoft's Internet Explorer Web
FYI - PaineWebber
Systems Admin Faces Trial For Computer Sabotage - The trial is
scheduled to start Tuesday for a former employee charged with
building and planting malicious code that took down two-thirds of
the company's network, hindering investment trading for several
weeks and racking up $3 million in recovery costs. But the
defendant's lawyer says the cops got the wrong man. A former systems
administrator for financial giant UBS PaineWebber goes on trial
Tuesday for allegedly sabotaging two-thirds of the company's
computer network in what prosecutors say was a vengeful attempt to
profit from a crashing stock price.
FYI - WestJet apologizes
to Air Canada for web snooping - WestJet Airlines says it's sorry
that members of its management team covertly accessed a confidential
Air Canada website, and has agreed pay $15.5 million. Air Canada
claimed WestJet used the still active password of a former employee
who had access to the site, and that the information was used by
WestJet to plan the airline's flight schedule and expansion.
FYI - Four in ten security
staffers write down passwords - Nearly 40 percent of IT
professionals store important passwords on paper, according to a new
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our series on the FFIEC Authentication in an Internet
Banking Environment. (Part 4 of
Account Origination and Customer Verification
With the growth in electronic banking and commerce, financial
institutions should use reliable methods of originating new customer
accounts online. Moreover, customer identity verification during
account origination is required by section 326 of the USA PATRIOT
Act and is important in reducing the risk of identity theft,
fraudulent account applications, and unenforceable account
agreements or transactions. Potentially significant risks arise when
a financial institution accepts new customers through the Internet
or other electronic channels because of the absence of the physical
cues that financial institutions traditionally use to identify
One method to verify a customer's identity is a physical
presentation of a proof of identity credential such as a driver's
license. Similarly, to establish the validity of a business and the
authority of persons to perform transactions on its behalf,
financial institutions typically review articles of incorporation,
business credit reports, board resolutions identifying officers and
authorized signers, and other business credentials. However, in an
Internet banking environment, reliance on these traditional forms of
paper-based verification decreases substantially. Accordingly,
financial institutions need to use reliable alternative methods.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Firewall Services and Configuration
Firewalls may provide some additional services:
! Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
schemes of its trusted network from untrusted networks.
! Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
! Virtual Private Network (VPN) gateways - A VPN gateway provides an
encrypted tunnel between a remote external gateway and the internal
network. Placing VPN capability on the firewall and the remote
gateway protects information from disclosure between the gateways
but not from the gateway to the terminating machines.
Placement on the firewall, however, allows the firewall to
inspect the traffic and perform access control, logging, and
malicious code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution's private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution's internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure
that an institution's computer systems are not directly accessible
to any on the Internet.
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
Return to the top of the
C. HOST SECURITY
10. Determine if vulnerability testing takes
place after each configuration change.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who
obtain a new financial product or service, an initial privacy notice
that covers the customer's new financial product or service, if the
most recent notice provided to the customer was not accurate with
respect to the new financial product or service? [§4(d)(1)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.