R. Kinney Williams
July 9, 2006
Your financial institution needs an affordable Internet security
Our clients in 41 states rely on us to ensure their IT security settings,
as well as to meet the independent diagnostic test requirements of the
FDIC, OCC, OTS, FRB, and NCUA under section 501(b) of the
Gramm-Leach-Bliley Act.
The VISTA penetration study and Internet security test is an affordable,
sophisticated process that goes far beyond simple port scanning and
examines your network from a hacker's perspective, which will help you
identify real-world weaknesses. For more information, give Kinney
Williams a call today at 806-798-7119 or visit
FYI - Porn emails land
bankers in hot water - Merrill Lynch, the investment bank and
financial advisory firm, sent home more than 20 employees from its
Dublin office earlier this week for having sent pornographic emails
and has given written warnings to a further 10 staff for
inappropriate email use.
FYI - VA official
defends memos restricting IT centralization - The Veterans Affairs
Department's chief legal officer on Thursday defended memorandums
opposing attempts to centralize authority over technology, telling
legislators that he based them on the laws governing federal
information security. A lack of central authority to enforce
information security policies at the VA has become a focus of
lawmakers who are examining last month's massive data breach.
FYI - Hacker infiltrates
USDA system - Employee data may be compromised - The Agriculture
Department yesterday announced its employees may have become the
latest victims of data theft.
FYI - Ohio U. suspends
two over hackers' theft - Ohio University said Tuesday it has
suspended two information technology supervisors over recent
breaches by hackers who may have stolen 173,000 Social Security
numbers from school computers.
http://www.msnbc.msn.com/id/13456762/ (SANS Editor's Note
(Schultz): The fact that two employees received disciplinary
measures in connection with the security breaches that occurred
could be a positive or a negative thing. It is positive if the
university's policies and procedures clearly spelled out and
communicated security-related responsibilities for employees such as
the ones in question, but the employees did not conform to them. On
the other hand, it is negative if these responsibilities were not
delineated and communicated to the employees.)
FYI - Most Technology
Companies Have Data Losses - Over half of all companies doing
business in the technology, media and telecommunications sectors
have experienced data breaches that potentially exposed their
intellectual property or customer information, a new research report
FYI - FTC latest
government agency to have breach - The Federal Trade Commission said
today in a statement that two laptops, one containing personal
information of 110 people, were stolen from a locked car.
FYI - OMB Sets
Guidelines for Federal Employee Laptop Security - The Bush
administration is giving federal civilian agencies 45 days to
implement new measures to protect the security of personal
information that agencies hold on millions of employees and
FYI - Audit: Ohio U.
Cyber Security Low Priority - Ohio University's Computer Services
department was running seven-figure surpluses and spending on
generous benefits for employees while it was failing to make
adequate investments in firewalls and other computer security
measures, according to an outside consultant's report.
FYI - Bungle exposes
bank files - The banking details of thousands of Australians have
been revealed and an international police investigation jeopardised
in a bungle by Australia's peak internet crime-fighting agency. The
details of 3500 customers from 18 banks, including names and account
numbers, were lost when a classified computer dossier on Russian
mafia "phishing" scams was misplaced by the Australian High Tech
Crime Centre in April last year.
FYI - Sailors' Social
Security Nos. on Web Site - The Navy has begun a criminal
investigation after Social Security numbers and other personal data
for 28,000 sailors and family members were found on a civilian Web
FYI - SFSU students'
information stolen - School alerts 3,000 affected by theft of
faculty laptop - San Francisco State University officials have put
students and staff on alert because a thief broke into a faculty
member's car earlier this month and stole a laptop with nearly 3,000
Social Security numbers and names of former and current students.
FYI - 14 fired as porn
goes viral at DVLA - Up to 115 employees at the Driver and Vehicle
Licensing Agency (DVLA) have been disciplined over the sending of
pornographic emails. The government body has dismissed 14 of those
FYI - International bank
HSBC hit by Bangalore breach - A security breach at international
bank HSBC's offshore data-processing unit in Bangalore has led to
funds being stolen from the accounts of a small number of U.K.
FYI - Hurricanes Katrina
and Rita: Assessing the Aftermath - As Community Affairs staff have
read reports on the aftermath of Hurricanes Katrina and Rita,
visited Eleventh Federal Reserve District towns and cities, and
interviewed evacuees and representatives of community organizations,
we have learned there is no single story to tell. Both old and new
residents of the District have an endless stream of experiences to
WEB SITE COMPLIANCE -
We continue our series on the FFIEC Authentication in an Internet
Banking Environment. (Part 7 of
The term authentication, as used in this guidance, describes the
process of verifying the identity of a person or entity. Within the
realm of electronic banking systems, the authentication process is
one method used to control access to customer accounts and personal
information. Authentication is typically dependent upon customers
providing valid identification data followed by one or more
authentication credentials (factors) to prove their identity.
Customer identifiers may be a bankcard for ATM usage, or some form
of user ID for remote access. An authentication factor (e.g. PIN or
password) is secret or unique information linked to a specific
customer identifier that is used to verify that identity.
Generally, the way to authenticate customers is to have them present
some sort of factor to prove their identity. Authentication factors
include one or more of the following:
• Something a person knows: commonly a password or PIN. If the user
types in the correct password or PIN, access is granted.
• Something a person has: most commonly a physical device referred to
as a token. Tokens include self-contained devices that must be
physically connected to a computer or devices that have a small
screen where a one-time password (OTP) is displayed, which the user
must enter to be authenticated.
• Something a person is: most commonly a physical characteristic,
such as a fingerprint, voice pattern, hand geometry, or the pattern
of veins in the user's eye. This type of authentication is referred
to as "biometrics" and often requires the installation of specific
hardware on the system to be accessed.
Authentication methodologies are numerous and range from simple to
complex. The level of security provided varies based upon both the
technique used and the manner in which it is deployed. Single-factor
authentication involves the use of one factor to verify customer
identity. The most common single-factor method is the use of a
password. Two-factor authentication is most widely used with ATMs.
To withdraw money from an ATM, the customer must present both an ATM
card (something the person has) and a password or PIN (something the
person knows). Multifactor authentication utilizes two or more
factors to verify customer identity. Authentication methodologies
based upon multiple factors can be more difficult to compromise and
should be considered for high-risk situations. The effectiveness of
a particular authentication technique is dependent upon the
integrity of the selected product or process and the manner in which
it is implemented and managed.
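The two factors described above, something the customer knows (a password) and something the customer has (a token showing a one-time password), combined into one check. This is an added example, not code from the FFIEC guidance or from this newsletter. The OTP algorithms are HOTP (RFC 4226) and TOTP (RFC 6238); the customer record layout, the function names, the demo secret (the RFC test secret) and the fixed demo salt are assumptions made for the example.

```python
"""Two-factor customer authentication: something the customer knows (a
password) plus something the customer has (an OTP token).  Added example,
not code from the FFIEC guidance or the newsletter.  OTP algorithms are
HOTP (RFC 4226) and TOTP (RFC 6238); the record layout, function names,
demo secret and demo salt are assumptions."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either
    side (token clocks drift).  Every candidate is compared so timing does
    not reveal which step matched; compare_digest is constant-time."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step, digits)
        ok |= hmac.compare_digest(expected.encode(), str(code).encode())
    return ok


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the institution stores only this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_record(password: str, otp_secret: bytes, salt: bytes) -> dict:
    """What is kept for one customer (the layout is an assumption)."""
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "otp_secret": otp_secret}


def authenticate(record: dict, password: str, otp_code: str, now: int) -> bool:
    """Both factors are always evaluated, so a failure does not tell the
    caller which one was wrong.  True only if both pass."""
    knows = hmac.compare_digest(record["pw_hash"],
                                hash_password(password, record["salt"]))
    has = verify_totp(record["otp_secret"], otp_code, now)
    return knows and has


if __name__ == "__main__":
    # Constructed demo data: the RFC 4226 test secret and a fixed salt.
    demo_secret = b"12345678901234567890"
    rec = make_record("correct horse", demo_secret, b"demo-salt-not-random")
    now = 59                                   # RFC 6238 test time
    print(authenticate(rec, "correct horse", totp(demo_secret, now), now))  # True
    print(authenticate(rec, "correct horse", "000000", now))                # False
    print(authenticate(rec, "wrong", totp(demo_secret, now), now))          # False
```

The password alone is the single-factor case the guidance calls most common; the OTP alone is "something you have". Only `authenticate`, which insists on both, is the two-factor check, and it evaluates both factors before answering so that an attacker who has guessed one of them learns nothing from the response.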
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Firewall Policy (Part 3 of 3)
Financial institutions can reduce their vulnerability to these
attacks somewhat through network configuration and design, sound
implementation of their firewall architecture that includes multiple
filter points, active firewall monitoring and management, and
integrated intrusion detection. In most cases, additional access
controls within the operating system or application will provide an
additional means of defense.
Given the importance of firewalls as a means of access control, good
firewall practices include:
• Hardening the firewall by removing all unnecessary services and
appropriately patching, enhancing, and maintaining all software on
the firewall unit;
• Restricting network mapping capabilities through the firewall,
primarily by blocking inbound ICMP traffic;
• Using a ruleset that disallows all traffic that is not explicitly
allowed;
• Using NAT and split DNS (domain name service) to hide internal
system names and addresses from external networks (split DNS uses
two domain name servers, one to communicate outside the network, and
the other to offer services inside the network);
• Using proxy connections for outbound HTTP connections;
• Filtering malicious code;
• Backing up firewalls to internal media, and not backing up the
firewall to servers on protected networks;
• Logging activity, with daily administrator review;
• Using intrusion detection devices to monitor actions on the
firewall and to monitor communications allowed through the firewall;
• Administering the firewall using encrypted communications and
strong authentication, only accessing the firewall from secure
devices, and monitoring all administrative access;
• Limiting administrative access to few individuals; and
• Making changes only through well-administered change control
procedures.
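Several of the practices listed above (a ruleset that denies whatever is not explicitly allowed, blocking inbound ICMP, outbound HTTP only through a proxy, administrative access restricted to a few hosts, and every decision logged for review) shown as a runnable first-match packet filter. This is an added example, not text or code from the FFIEC booklet or from any firewall vendor. The topology, addresses, rule set and sample packets are all constructed for the example; the second run passes the same rules with a default-allow policy to show what the missing default-deny costs.

```python
"""First-match packet filter with a default-deny ruleset, as an added
example; not the FFIEC text and not any vendor's firewall.  Addresses,
rule layout and sample packets are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: Net
    dst: Net
    dport: Optional[int] = None  # None matches every port (and ICMP)
    note: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


class Firewall:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default, self.log = rules, default, []

    def filter(self, pkt: Packet) -> str:
        """First matching rule wins; the default policy decides the rest.
        Every decision is logged for the daily administrator review."""
        for rule in self.rules:
            if matches(rule, pkt):
                self._log(rule.action, pkt, rule.note)
                return rule.action
        self._log(self.default, pkt, "default policy")
        return self.default

    def _log(self, action: str, pkt: Packet, why: str) -> None:
        port = "" if pkt.dport is None else f":{pkt.dport}"
        self.log.append(f"{action.upper()} {pkt.proto} "
                        f"{pkt.src}->{pkt.dst}{port} ({why})")


# Constructed topology: 10.0.0.0/8 internal, 192.0.2.0/24 DMZ, firewall
# inside interface 10.0.0.1, admin workstation 10.0.0.50, HTTP proxy 10.0.0.20.
N = ipaddress.ip_network
RULES = [
    Rule("deny", "icmp", ANY, ANY, note="block inbound ICMP (network mapping)"),
    Rule("allow", "tcp", ANY, N("192.0.2.10/32"), 443, "public web server in DMZ"),
    Rule("allow", "tcp", N("10.0.0.50/32"), N("10.0.0.1/32"), 22,
         "firewall administration only from the admin workstation"),
    Rule("allow", "tcp", N("10.0.0.20/32"), ANY, 80, "outbound HTTP via proxy only"),
    Rule("allow", "tcp", N("10.0.0.20/32"), ANY, 443, "outbound HTTPS via proxy only"),
]

# Constructed sample traffic (RFC 5737 documentation addresses for the Internet side).
SAMPLE = {
    "icmp_probe":     Packet("icmp", "198.51.100.7", "192.0.2.10"),
    "web_from_inet":  Packet("tcp", "198.51.100.7", "192.0.2.10", 443),
    "ssh_from_inet":  Packet("tcp", "198.51.100.7", "10.0.0.1", 22),
    "ssh_from_admin": Packet("tcp", "10.0.0.50", "10.0.0.1", 22),
    "http_direct":    Packet("tcp", "10.0.0.77", "203.0.113.9", 80),
    "http_via_proxy": Packet("tcp", "10.0.0.20", "203.0.113.9", 80),
}


def decisions(default: str = "deny") -> dict:
    """Run the sample traffic through the ruleset under the given default."""
    fw = Firewall(RULES, default)
    return {name: fw.filter(pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for policy in ("deny", "allow"):
        print(policy, decisions(policy))
```

With the default set to deny, the Internet-side SSH attempt against the firewall and the workstation's direct HTTP are dropped because no rule mentions them; with the default set to allow, the identical rule list lets both through, which is why the booklet asks for a ruleset that disallows everything not explicitly permitted rather than a list of things to block.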
C. HOST SECURITY
13. Determine whether an appropriate archive of
boot disks, distribution media, and security patches exists.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices at least
annually (that is, at least once in any period of 12 consecutive
months) to all customers, throughout the customer relationship? [§5(a)(1) and
(Note: annual notices are not required for former customers. [§5(b)(1) and
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.