Internet Banking News

June 24, 2007

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - OMB finalizes acquisition language for standard desktop configuration - The Office of Management and Budget yesterday gave agencies the basic language they will be required to use in all procurements after June 30 to ensure they are purchasing hardware and software that meet a standard Windows desktop configuration. http://www.fcw.com/article102895-06-05-07-Web

FYI - India gets offshore cyber crime watchdog - India is to finally get a data privacy watchdog to oversee the country's IT and BPO offshore outsourcing industry and to address international concerns about the security of customer records and data. http://services.silicon.com/bpo/0,3800004865,39167417,00.htm?r=1

FYI - Mass. credit union bills TJX $590k for breach-related costs - But the retailer has given no indication it plans to pay up - HarborOne Credit Union in Brockton, Mass., has sent The TJX Companies Inc. an invoice for $590,000 for what the financial institution says it incurred in actual costs and reputational damage as a result of the data compromise disclosed by the retailer in January. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9023778

FYI - TJX faces five more breach-related state lawsuits - Five additional states have filed lawsuits against TJX over the massive data breach that exposed some 45.7 million credit card numbers to hackers, the retailer reported on Thursday in a federal regulatory filing. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070611/663358/

FYI - Businesses clueless over database protection - Some 40pc of organisations don't monitor their databases for suspicious activity or don't know if such monitoring occurs, according to a new survey. http://www.siliconrepublic.com/news/news.nv?storyid=single8482

MISSING COMPUTERS/DATA

FYI - Hackers load malware onto Mercury music award site - Hackers have been able to load malware onto the official Mercury music awards site, as well as hundreds of other sites, after breaking into the systems of US-based hosting firm DreamHost. http://www.theregister.co.uk/2007/06/07/dreamhost_hack/print.html

FYI - Missing HBOS bank customer data was not encrypted - Bank says breach of security 'unrelated' to earlier data loss - A lost disk holding confidential data on 62,000 HBOS banking group mortgage customers was not encrypted - although it should have been, the bank has admitted. http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=3341

FYI - Stolen Laptop Stored Personal Police Data - The personal information of every police officer in Texas was in the hands of thieves Friday, after a laptop computer containing the data was stolen. http://www.kxan.com/Global/story.asp?S=6601344

FYI - Connecticut AG investigates Pfizer security breach - Connecticut's attorney general said on Monday he is investigating the breach of confidential information of thousands of employees of drugmaker Pfizer Inc, including that of 305 state residents. http://www.reuters.com/article/bondsNews/idUSN1120285320070611
http://www.pcworld.com/article/id,132840/article.html?tk=nl_dnxnws

FYI - Hackers access personal info on faculty members at Univ. of Virginia - The breaches occurred between 2005 and this past April - About 6,000 current and former University of Virginia (UVa) faculty members are being notified that their names, Social Security numbers and birth dates may have been stolen by computer hackers between May 2005 and April 19 of this year. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9024279&source=rss_topic17

FYI - Security breach exposes Concord Hospital patient data - A security lapse exposed the personal information of more than 9,000 Concord Hospital patients, leaving their names, addresses, dates of birth and social security numbers unprotected on the internet "for a period of time," the Concord Monitor has learned.
http://www.concordmonitor.com/apps/pbcs.dll/article?AID=/20070609/NEWS03/70609002/1030
http://seattlepi.nwsource.com/local/6420AP_NH_Patient_Data.html

FYI - UI notifies graduate program students, faculty about security breach - Students and faculty associated with a University of Iowa graduate program are being notified this week about a Web-site security breach. UI has sent letters to about 1,000 current students and applicants to the Molecular and Cellular Biology program and to 100 faculty members, said John Keller, UI Associate Provost and Dean of the Graduate College.
http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20070608/NEWS01/70608007/1079
http://www.grad.uiowa.edu/news/incident.htm

Return to the top of the newsletter

WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 2 of 5)

PROCEDURES TO ADDRESS SPOOFING - Detection

Banks can improve their ability to detect spoofing by monitoring appropriate information available inside the bank and by searching the Internet for illegal or unauthorized use of bank names and trademarks. The following is a list of possible indicators of Web-site spoofing:

* E-mail messages returned to bank mail servers that were not originally sent by the bank. In some cases, these e-mails may contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web addresses indicating that the bank's Web site is being copied or that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank personnel, or direct communications from consumer reporting spoofing activity.

Banks can also detect spoofing by searching the Internet for identifiers associated with the bank such as the name of a company or bank. Banks can use available search engines and other tools to monitor Web sites, bulletin boards, news reports, chat rooms, newsgroups, and other forums to identify usage of a specific company or bank name. The searches may uncover recent registrations of domain names similar to the bank's domain name before they are used to spoof the bank's Web site. Banks can conduct this monitoring in-house or can contract with third parties who provide monitoring services.

Banks can encourage customers and consumers to assist in the identification process by providing prominent links on their Web pages or telephone contact numbers through which customers and consumers can report phishing or other fraudulent activities.

Banks can also train customer-service personnel to identify and report customer calls that may stem from potential Web-site attacks.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

MONITORING AND UPDATING

A static security program provides a false sense of security and will become increasingly ineffective over time. Monitoring and updating the security program is an important part of the ongoing cyclical security process. Financial institutions should treat security as dynamic with active monitoring; prompt, ongoing risk assessment; and appropriate updates to controls. Institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should use that information to update the risk assessment, strategy, and implemented controls. Monitoring and updating the security program begins with the identification of the potential need to alter aspects of the security program and then recycles through the security process steps of risk assessment, strategy, implementation, and testing.

Return to the top of the newsletter

IT SECURITY QUESTION: DATA SECURITY

2. Verify that data is protected consistent with the financial institution's risk assessment.

Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment.
Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction.
Review audit and security review reports that summarize if data is protected consistent with the risk assessment.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 2 of 6)

Notice Duties to Customers:

In addition to the duties described above, there are several duties unique to customers. In particular, regardless of whether the institution discloses or intends to disclose nonpublic personal information, a financial institution must provide notice to its customers of its privacy policies and practices at various times.

1) A financial institution must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. Section 4(e) of the regulations describes the exceptional cases in which delivery of the notice is allowed subsequent to the establishment of the customer relationship.

2) A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship.

3) Generally, new privacy notices are not required for each new product or service. However, a financial institution must provide a new notice to an existing customer when the customer obtains a new financial product or service from the institution, if the initial or annual notice most recently provided to the customer was not accurate with respect to the new financial product or service.

4) When a financial institution does not disclose nonpublic personal information (other than as permitted under section 14 and section 15 exceptions) and does not reserve the right to do so, the institution has the option of providing a simplified notice.