R. Kinney Williams & Associates

Internet Banking News

July 9, 2006

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to validate their IT security settings, as well as to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Porn emails land bankers in hot water - Merrill Lynch, the investment bank and financial advisory firm, sent home more than 20 employees from its Dublin office earlier this week for having sent pornographic emails and has given written warnings to a further 10 staff for inappropriate email use. http://www.siliconrepublic.com/news/news.nv?storyid=single6637

FYI - VA official defends memos restricting IT centralization - The Veterans Affairs Department's chief legal officer on Thursday defended memorandums opposing attempts to centralize authority over technology, telling legislators that he based them on the laws governing federal information security. A lack of central authority to enforce information security policies at the VA has become a focus of lawmakers who are examining last month's massive data breach. http://www.govexec.com/dailyfed/0606/062206p1.htm

FYI - Hacker infiltrates USDA system - Employee data may be compromised - The Agriculture Department yesterday announced its employees may have become the latest victims of data theft. http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=41137

FYI - Ohio U. suspends two over hackers' theft - Ohio University said Tuesday it has suspended two information technology supervisors over recent breaches by hackers who may have stolen 173,000 Social Security numbers from school computers. http://www.msnbc.msn.com/id/13456762/  (SANS Editor's Note (Schultz): The fact that two employees received disciplinary measures in connection with the security breaches that occurred could be a positive or a negative thing. It is positive if the university's policies and procedures clearly spelled out and communicated security-related responsibilities for employees such as the ones in question, but the employees did not conform to them. On the other hand, it is negative if these responsibilities were not delineated and communicated to the employees.)

FYI - Most Technology Companies Have Data Losses - Over half of all companies doing business in the technology, media and telecommunications sectors have experienced data breaches that potentially exposed their intellectual property or customer information, a new research report shows. http://www.eweek.com/article2/0%2C1895%2C1979919%2C00.asp

FYI - FTC latest government agency to have breach - The Federal Trade Commission said today in a statement that two laptops, one containing personal information of 110 people, were stolen from a locked car.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060626/565998/
http://news.com.com/2102-1029_3-6087218.html?tag=st.util.print 

FYI - OMB Sets Guidelines for Federal Employee Laptop Security - The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens. http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540.html

FYI - Audit: Ohio U. Cyber Security Low Priority - Ohio University's Computer Services department was running seven-figure surpluses and spending on generous benefits for employees while it was failing to make adequate investments in firewalls and other computer security measures, according to an outside consultant's report. http://www.smh.com.au/news/Technology/Audit-Ohio-U-Cyber-Security-Low-Priority/2006/06/24/1150845411386.html

FYI - Bungle exposes bank files - The banking details of thousands of Australians have been revealed and an international police investigation jeopardised in a bungle by Australia's peak internet crime-fighting agency. The details of 3500 customers from 18 banks, including names and account numbers, were lost when a classified computer dossier on Russian mafia "phishing" scams was misplaced by the Australian High Tech Crime Centre in April last year. http://australianit.news.com.au/common/print/0,7208,19588463%5E15306%5E%5Enbv%5E,00.html

FYI - Sailors' Social Security Nos. on Web Site - The Navy has begun a criminal investigation after Social Security numbers and other personal data for 28,000 sailors and family members were found on a civilian Web site. http://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=20060623&ID=5821436

FYI - SFSU students' information stolen - School alerts 3,000 affected by theft of faculty laptop - San Francisco State University officials have put students and staff on alert because a thief broke into a faculty member's car earlier this month and stole a laptop with nearly 3,000 Social Security numbers and names of former and current students. http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/23/BAGQLJJ2LB1.DTL&type=printable

FYI - 14 fired as porn goes viral at DVLA - Up to 115 employees at the Driver and Vehicle Licensing Agency (DVLA) have been disciplined over the sending of pornographic emails. The government body has dismissed 14 of those people. http://www.theregister.co.uk/2006/06/26/dvla_email_smut_affair/print.html

FYI - International bank HSBC hit by Bangalore breach - A security breach at international bank HSBC's offshore data-processing unit in Bangalore has led to funds being stolen from the accounts of a small number of U.K. customers. http://news.com.com/2102-1029_3-6088474.html?tag=st.util.print

FYI - Hurricanes Katrina and Rita: Assessing the Aftermath - As Community Affairs staff have read reports on the aftermath of Hurricanes Katrina and Rita, visited Eleventh Federal Reserve District towns and cities, and interviewed evacuees and representatives of community organizations, we have learned there is no single story to tell. Both old and new residents of the District have an endless stream of experiences to share. http://dallasfed.org/ca/bcp/2006/bcp0601a.html


WEB SITE COMPLIANCE - We continue our series on the FFIEC guidance Authentication in an Internet Banking Environment.  (Part 7 of 13)

Authentication

The term authentication, as used in this guidance, describes the process of verifying the identity of a person or entity. Within the realm of electronic banking systems, the authentication process is one method used to control access to customer accounts and personal information. Authentication is typically dependent upon customers providing valid identification data followed by one or more authentication credentials (factors) to prove their identity.

Customer identifiers may be a bankcard for ATM usage, or some form of user ID for remote access. An authentication factor (e.g. PIN or password) is secret or unique information linked to a specific customer identifier that is used to verify that identity.

Generally, the way to authenticate customers is to have them present some sort of factor to prove their identity. Authentication factors include one or more of the following:

• Something a person knows: commonly a password or PIN. If the user types in the correct password or PIN, access is granted.
• Something a person has: most commonly a physical device referred to as a token. Tokens include self-contained devices that must be physically connected to a computer, or devices that have a small screen where a one-time password (OTP) is displayed, which the user must enter to be authenticated.
• Something a person is: most commonly a physical characteristic, such as a fingerprint, voice pattern, hand geometry, or the pattern of veins in the user's eye. This type of authentication is referred to as "biometrics" and often requires the installation of specific hardware on the system to be accessed.

Authentication methodologies are numerous and range from simple to complex. The level of security provided varies based upon both the technique used and the manner in which it is deployed. Single-factor authentication involves the use of one factor to verify customer identity. The most common single-factor method is the use of a password. Two-factor authentication is most widely used with ATMs. To withdraw money from an ATM, the customer must present both an ATM card (something the person has) and a password or PIN (something the person knows). Multifactor authentication utilizes two or more factors to verify customer identity. Authentication methodologies based upon multiple factors can be more difficult to compromise and should be considered for high-risk situations. The effectiveness of a particular authentication technique is dependent upon the integrity of the selected product or process and the manner in which it is implemented and managed.
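As an added example (not part of the FFIEC guidance or of this newsletter), the Python below checks the two factors the guidance describes for a remote-banking login: a password the customer knows, and a one-time password displayed by a token the customer has. The OTP algorithm is HOTP as specified in RFC 4226; the token secret is the RFC's published test key, and the customer ID, password, record layout and function names are assumptions made for the example.

```python
"""Two-factor login check: password (something the customer knows) plus an
event-based one-time password from a token (something the customer has).
The OTP algorithm is HOTP from RFC 4226.  The token secret is the RFC's
published test key; the customer record, user ID and password are
constructed for this example and are not from any real system."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash so a stolen credential table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


@dataclass
class Customer:
    user_id: str
    salt: bytes
    password_hash: bytes
    token_secret: bytes      # shared with the customer's OTP token at enrolment
    token_counter: int = 0   # next counter value the server will accept


def enroll(user_id: str, password: str, token_secret: bytes) -> Customer:
    salt = os.urandom(16)
    return Customer(user_id, salt, hash_password(password, salt), token_secret)


def find_otp(customer: Customer, code: str, window: int = 3) -> Optional[int]:
    """Accept the expected counter or a few values ahead of it (token pressed
    without logging in).  Values at or behind the last used counter are never
    accepted, which is what stops replay of a captured OTP.  Returns the
    matching counter, or None."""
    for c in range(customer.token_counter, customer.token_counter + window):
        # compare_digest avoids leaking how many digits matched via timing
        if hmac.compare_digest(hotp(customer.token_secret, c), code):
            return c
    return None


def login(customers: Dict[str, Customer], user_id: str, password: str, otp: str) -> bool:
    """Both factors are always evaluated, and the token counter advances only
    when both pass, so a wrong password cannot be used to burn through OTPs
    and the caller is not told which factor failed."""
    customer = customers.get(user_id)
    if customer is None:
        return False
    password_ok = hmac.compare_digest(
        hash_password(password, customer.salt), customer.password_hash)
    otp_counter = find_otp(customer, otp)
    if password_ok and otp_counter is not None:
        customer.token_counter = otp_counter + 1
        return True
    return False


# Constructed data: RFC 4226 Appendix D test key, made-up user and password.
RFC4226_TEST_SECRET = b"12345678901234567890"
CUSTOMERS = {"cust-1001": enroll("cust-1001", "s3cret-pass", RFC4226_TEST_SECRET)}

if __name__ == "__main__":
    code = hotp(RFC4226_TEST_SECRET, 0)   # 755224, the RFC 4226 test vector
    print("password only:", login(CUSTOMERS, "cust-1001", "s3cret-pass", ""))
    print("both factors: ", login(CUSTOMERS, "cust-1001", "s3cret-pass", code))
    print("replayed OTP: ", login(CUSTOMERS, "cust-1001", "s3cret-pass", code))
```

The single-factor call (password only) fails, the two-factor call succeeds, and the same OTP presented a second time fails because the server's counter has moved past it. The look-ahead window is the usual trade-off for event-based tokens: wide enough to tolerate a few stray button presses, narrow enough that a guessed six-digit code has only a handful of chances per attempt.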


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Firewall Policy (Part 3 of 3)

Financial institutions can reduce their vulnerability to these attacks somewhat through network configuration and design, sound implementation of a firewall architecture that includes multiple filter points, active firewall monitoring and management, and integrated intrusion detection. In most cases, additional access controls within the operating system or application will provide a further means of defense.

Given the importance of firewalls as a means of access control, good practices include:

! Hardening the firewall by removing all unnecessary services and appropriately patching, enhancing, and maintaining all software on the firewall unit;
! Restricting network mapping capabilities through the firewall, primarily by blocking inbound ICMP traffic;
! Using a ruleset that disallows all traffic that is not specifically allowed;
! Using NAT and split DNS (domain name service) to hide internal system names and addresses from external networks (split DNS uses two domain name servers, one to communicate outside the network, and the other to offer services inside the network);
! Using proxy connections for outbound HTTP connections;
! Filtering malicious code;
! Backing up firewalls to internal media, and not backing up the firewall to servers on protected networks;
! Logging activity, with daily administrator review;
! Using intrusion detection devices to monitor actions on the firewall and to monitor communications allowed through the firewall;
! Administering the firewall using encrypted communications and strong authentication, only accessing the firewall from secure devices, and monitoring all administrative access;
! Limiting administrative access to few individuals; and
! Making changes only through well-administered change control procedures.
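As an added example, not taken from the booklet or from any real firewall product, the Python below models a first-match ruleset that follows several of the practices listed above: anything not specifically allowed is denied, inbound ICMP is blocked, firewall administration is reachable only from one secure host over an encrypted protocol, outbound HTTP is confined to the proxy, the outside-facing half of a split DNS is the only host allowed to resolve externally, and every decision is logged for review. The addresses, host roles, rule format and function names are assumptions made for the example; the filter runs over in-memory packets and drives no real device.

```python
"""Model of the recommended 'deny all traffic not specifically allowed'
firewall policy.  Constructed example: the addresses, hosts and rule
format are made up for illustration; nothing here drives a real firewall."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_WEB = ipaddress.ip_network("203.0.113.10/32")   # public web server (RFC 5737 range)
EXT_DNS = ipaddress.ip_network("203.0.113.53/32")   # outside-facing half of the split DNS
PROXY = ipaddress.ip_network("10.0.1.5/32")          # the only host allowed to browse out
ADMIN_HOST = ipaddress.ip_network("10.0.9.20/32")    # hardened administrator workstation
FIREWALL = ipaddress.ip_network("10.0.0.1/32")       # firewall's management address


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (from Internet), "out" (to Internet), "mgmt" (to the firewall)
    proto: str            # "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any port; ICMP has none
    action: str           # "allow" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# First matching rule wins.  There is deliberately no trailing "allow any":
# a packet that matches nothing falls through to deny.
RULESET: List[Rule] = [
    Rule("in", "icmp", ANY, ANY, None, "deny", "block inbound ICMP to restrict network mapping"),
    Rule("in", "tcp", ANY, DMZ_WEB, 443, "allow", "public HTTPS to the DMZ web server"),
    Rule("in", "tcp", ANY, DMZ_WEB, 80, "allow", "public HTTP to the DMZ web server"),
    Rule("mgmt", "tcp", ADMIN_HOST, FIREWALL, 22, "allow", "encrypted admin from one secure host"),
    Rule("out", "tcp", PROXY, ANY, 80, "allow", "outbound HTTP only through the proxy"),
    Rule("out", "tcp", PROXY, ANY, 443, "allow", "outbound HTTPS only through the proxy"),
    Rule("out", "udp", EXT_DNS, ANY, 53, "allow", "external resolver of the split DNS"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(pkt: Packet, ruleset: List[Rule] = RULESET,
                  log: Optional[List[str]] = None) -> str:
    """Return "allow" or "deny".  Every decision, including the implicit
    default deny, is appended to the log for the daily administrator review."""
    for rule in ruleset:
        if matches(rule, pkt):
            decision, why = rule.action, rule.comment
            break
    else:
        decision, why = "deny", "default deny: no rule explicitly allows this traffic"
    if log is not None:
        log.append(f"{decision.upper():5} {pkt.direction:4} {pkt.proto:4} "
                   f"{pkt.src}->{pkt.dst}:{pkt.dport} ({why})")
    return decision


def audit_ruleset(ruleset: List[Rule]) -> List[str]:
    """Pre-deployment checks for two of the practices listed above: no
    blanket allow, and firewall administration never open to any source."""
    findings = []
    for r in ruleset:
        if r.action == "allow" and r.src == ANY and r.dst == ANY and r.dport is None:
            findings.append(f"blanket allow rule: {r.comment or r}")
        if r.action == "allow" and r.direction == "mgmt" and r.src == ANY:
            findings.append(f"management port {r.dport} reachable from anywhere")
    return findings


if __name__ == "__main__":
    log: List[str] = []
    samples = [
        Packet("in", "icmp", "198.51.100.7", "203.0.113.10"),        # deny (ICMP rule)
        Packet("in", "tcp", "198.51.100.7", "203.0.113.10", 443),    # allow
        Packet("in", "tcp", "198.51.100.7", "10.0.5.40", 445),       # deny (default)
        Packet("mgmt", "tcp", "10.0.5.40", "10.0.0.1", 22),          # deny (default)
        Packet("out", "tcp", "10.0.5.40", "198.51.100.7", 80),       # deny (not the proxy)
    ]
    for p in samples:
        filter_packet(p, log=log)
    print("\n".join(log))
    print("audit findings:", audit_ruleset(RULESET))
```

The audit function is the kind of check to run inside the change-control step before a ruleset goes live: adding an SSH rule with an "any" source to the management interface produces a finding, while the ruleset above produces none. A real deployment would add state tracking for return traffic and a separate rule set for the DMZ-to-internal boundary, which the model leaves out.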



IT SECURITY QUESTION:

C. HOST SECURITY

13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

6)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1) and (2)]
(Note: annual notices are not required for former customers. [§5(b)(1) and (2)])


NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to conduct an independent internal-network penetration test annually.  With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to testing the internal connections to your network every year.  For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated