R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 29, 2008

CONTENTS: Internet Compliance - Information Systems Security - IT Security Question - Internet Privacy - Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Supervision Manuals - Consumer Compliance Handbook, June 2008 update - The June 2008 update contains a new chapter covering section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." Besides a discussion and examination procedures, the new chapter contains the joint statement on unfair or deceptive acts and practices by state-chartered banks issued by the Board and the FDIC. www.federalreserve.gov/boarddocs/supmanual/cch/announce/200806cch_update.htm 

FYI - Insider threat exaggerated, says study - A Verizon report that looked at 500 data breach incidents over the last four years found that 73 percent involved outsiders - Insiders are not, after all, the main threat to networks, a detailed new analysis of real-world data breaches has concluded. http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/06/16/Insider_threat_exaggerated_says_study_1.html

FYI - Three charged with stealing Trop players' list - A high-level casino marketing executive and two other casino marketers who formerly worked with him at the Tropicana Hotel and Casino in Atlantic City were indicted today on charges they stole a list of more than 20,000 rated players from the Tropicana. http://www.nj.com/southjersey/index.ssf/2008/06/three_charged_with_stealing_tr.html
FYI - GAO - Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-795T
Highlights - http://www.gao.gov/highlights/d08795thigh.pdf

FYI - Stolen data found on international crimeservers - Two crimeservers containing 500 megabytes of stolen data have been discovered in Argentina and Malaysia. The data was likely being made available online to the highest bidder. http://www.scmagazineus.com/Stolen-data-found-on-international-crimeservers/article/111440/?DCMP=EMC-SCUS_Newswire

FYI - Malware to blame for porn on state worker's laptop - Child porn possession charges were dropped against a Massachusetts man after forensic experts proved his state-issued computer had been infected with malware. http://www.scmagazineus.com/Malware-to-blame-for-porn-on-state-workers-laptop/article/111407/?DCMP=EMC-SCUS_Newswire

FYI - One in three IT staff snoops on co-workers: survey - One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues' salary details, personal emails or board-meeting minutes, according to a survey. http://www.reuters.com/article/technologyNews/idUSL1911968220080619


FYI - Security breach at Belgacom exposed - Belgacom, the largest Belgian ISP, admitted today that 2,000 of its ADSL accounts were compromised earlier this year. http://www.theregister.co.uk/2008/06/11/security_breach_at_belgacom/print.html

FYI - Card details stolen in web hack - The credit card details of up to 38,000 customers of clothing firm Cotton Traders were stolen following a hack of its website, BBC News has learned. http://news.bbc.co.uk/2/hi/technology/7446871.stm

FYI - Credit unions investigate weekend withdrawals overseas - More than 100 credit union members in South Bend had money fraudulently taken from their accounts from ATMs over the weekend in places such as Russia and the Ukraine, officials said. http://www.chicagotribune.com/news/chi-ap-in-creditunions-brea,0,5481329,print.story


WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article on Incident Response Programs.  (11 of 12)

Last week's best practices focused on the more common criteria that have been noted in actual IRPs, but some banks have developed other effective incident response practices. Examples of these additional practices are listed below. Organizations may want to review these practices and determine if any would add value to their IRPs given their operating environments.

Additional IRP Best Practices

1) Test the incident response plan (via walkthrough or tabletop exercises) to assess thoroughness.
2) Implement notices on login screens for customer information systems to establish a basis for disciplinary or legal action.
3) Develop an incident grading system that quantifies the severity of the incident, helps determine if the incident response plan needs to be activated, and specifies the extent of notification escalation.
4) Provide periodic staff awareness training on recognizing potential indicators of unauthorized activity and reporting the incident through proper channels. Some institutions have established phone numbers and e-mail distribution lists for reporting possible incidents.
5) Inform users about the status of any compromised system they may be using.
6) Establish a list of possible consultants, in case the bank does not have the expertise to handle or investigate the specific incident (especially regarding technical compromises).
7) Establish evidence-gathering and handling procedures aimed at preserving evidence of the incident and aiding in prosecution activities.

INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

Public Key Infrastructure (Part 3 of 3)

When utilizing PKI policies and controls, financial institutions need to consider the following:

- Defining within the certificate issuance policy the methods of initial verification that are appropriate for different types of certificate applicants and the controls for issuing digital certificates and key pairs;

- Selecting an appropriate certificate validity period to minimize transactional and reputation risk exposure - expiration provides an opportunity to evaluate the continuing adequacy of key lengths and encryption algorithms, which can be changed as needed before issuing a new certificate;

- Ensuring that the digital certificate is valid by such means as checking a certificate revocation list before accepting transactions accompanied by a certificate;

- Defining the circumstances for authorizing a certificate's revocation, such as the compromise of a user's private key or the closure of user accounts;

- Updating the database of revoked certificates frequently, ideally in real-time mode;

- Employing stringent measures to protect the root key, including limited physical access to CA facilities, tamper-resistant security modules, dual control over private keys and the process of signing certificates, as well as the storage of original and backup keys on computers that do not connect with outside networks;

- Requiring regular independent audits to ensure controls are in place, public and private key lengths remain appropriate, cryptographic modules conform to industry standards, and procedures are followed to safeguard the CA system;

- Recording in a secure audit log all significant events performed by the CA system, including the use of the root key, where each entry is time/date stamped and signed;

- Regularly reviewing exception reports and system activity by the CA's employees to detect malfunctions and unauthorized activities; and

- Ensuring the institution's certificates and authentication systems comply with widely accepted PKI standards to retain the flexibility to participate in ventures that require the acceptance of the financial institution's certificates by other CAs.

The encryption components of PKI are addressed more fully under "Encryption."
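The Go program below is an added illustration of three of the considerations above (a deliberately short certificate validity period, checking a certificate revocation list before accepting a transaction, and keeping that list current); it is not part of the Booklet or of this newsletter. It builds a hypothetical in-memory CA with Go's standard crypto/x509 package, issues one client certificate, publishes a CRL, and then runs the checks a relying system would perform before accepting a transaction. The CA name, the subject "customer-12345", the serial numbers, the 90-day validity period, the one-hour CRL refresh window and the fixed clock demoNow are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoNow is a fixed clock so the constructed certificates and CRL are valid at a known instant.
var demoNow = time.Date(2008, time.June, 29, 12, 0, 0, 0, time.UTC)

// DemoPKI holds a hypothetical in-memory CA, one certificate it issued and the CA's CRL (DER).
type DemoPKI struct {
	CACert, Leaf *x509.Certificate
	CRLDER       []byte
}

// must aborts on key-generation or signing errors; they only arise from a broken random source.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI creates the CA, issues a short-lived client certificate and publishes a CRL.
// With revokeLeaf set, the CRL lists that certificate's serial number.
func BuildDemoPKI(revokeLeaf bool) *DemoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Bank Internal CA"}, // constructed name
		NotBefore:    demoNow.Add(-24 * time.Hour),
		NotAfter:     demoNow.Add(5 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// A 90-day validity period forces re-issuance, the point at which key lengths
	// and algorithms are re-evaluated before a new certificate is cut.
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "customer-12345"}, // constructed subject
		NotBefore:    demoNow.Add(-time.Hour),
		NotAfter:     demoNow.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))))
	// NextUpdate one hour out models a CRL republished frequently; past it, the list is stale.
	crl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: demoNow.Add(-time.Minute), NextUpdate: demoNow.Add(time.Hour)}
	if revokeLeaf {
		crl.RevokedCertificates = []pkix.RevokedCertificate{
			{SerialNumber: leaf.SerialNumber, RevocationTime: demoNow.Add(-30 * time.Minute)}}
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crl, caCert, caKey))
	return &DemoPKI{CACert: caCert, Leaf: leaf, CRLDER: crlDER}
}

// AcceptCertificate runs the checks a relying system performs before accepting a transaction:
// chain to the institution's CA inside the validity period, then a CA-signed, current CRL.
func AcceptCertificate(cert, caCert *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL unreadable: %w", err)
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	// Fail closed on outdated revocation data rather than accept blindly.
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (next update was due %s)", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s was revoked at %s", cert.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	p := BuildDemoPKI(true) // pass false to see the certificate accepted
	fmt.Println("accept ->", AcceptCertificate(p.Leaf, p.CACert, p.CRLDER, demoNow))
}
```

Run with any Go release from 1.19 on. The stale-CRL branch is the design choice worth noting: when the list's NextUpdate has passed, the check refuses the transaction instead of falling back to "not known to be revoked", which is what the Booklet's call for frequent, ideally real-time, revocation updates is protecting against.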

IT SECURITY QUESTION:

11. Determine if network-based IDSs (intrusion detection systems) are properly coordinated with firewalls (see "Intrusion Detection" procedures).

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [9(e)(1)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

