R. Kinney Williams
July 16, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Stolen VA laptop
recovered; data appears untouched - Taken last month, it contained
data on millions of military personnel and vets - A missing laptop
and hard disk containing personal data on over 26.5 million veterans
has been recovered, Department of Veterans Affairs Secretary Jim
FYI - U.S. vulnerable to
'cyber Katrina' - Shortfalls could spell major Internet disruption -
The United States is poorly prepared for a "cyber Katrina," with no
coordinated plan for restoring and recovering the Internet after a
major disruption, according to a new Business Roundtable report,
FYI - GAO pulls archived
personal data from Web - The Government Accountability Office has
pulled from its Web site personal information on certain government
employees after discovering that the archived data had been
inadvertently posted online.
FYI - Credit card
company to pay $11 million to settle probe - A Georgia-based credit
card company has agreed to pay $11 million in restitution to New
Yorkers to settle a New York state investigation into its practices.
FYI - Nebraska child
support network hacked - A hacker hijacked a server on the
Nebraska's child support payment computer system, gaining access to
the personal information of more than 300,000 individuals and
employers who pay and receive child support, state Treasurer Ron
FYI - Hacker Invades FBI
Computers - Gains Access To Passwords Of 38,000 Employees, Including
Director - A U.S. government consultant used software programs found
on the Internet to break into the FBI's computer system, where he
gained access to the passwords of 38,000 employees, including that
of FBI Director Robert Mueller, the Washington Post reports.
FYI - Western University
of Illinois Hacked - A security breach in the University of Illinois
networks has put more than 180.000 persons at risk. The hackers had
access to Social Security numbers, credit card accounts numbers and
other sensitive and confidential information that were hosted on the
student service servers.
FYI - Standard Bank
accounts hacked - "Some money" was taken from Standard Bank clients
when fraudsters hacked the bank's accounts, group spokesman Ross Linstrom said.
FYI - Security Breaches Afflict
Most Enterprises, Governments - In the past year, 84 percent of
enterprises, as well as state and local governments, reported some
type of security breaches, according to a new survey released by
Computer Associates International. The survey also found that
security breaches have increased 17 percent in the last three years.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our series on the FFIEC Authentication in an Internet
Banking Environment. (Part 8 of
Authentication Techniques, Processes, and Methodologies
Material provided in the following sections is for informational
purposes only. The selection and use of any technique should be
based upon the assessed risk associated with a particular electronic
banking product or service.
Shared secrets (something a person knows) are information elements
that are known or shared by both the customer and the authenticating
entity. Passwords and PINs are the best known shared secret
techniques but some new and different types are now being used as
well. Some additional examples are:
• Questions or queries that require specific customer knowledge to
answer, e.g., the exact amount of the customer's monthly mortgage
• Customer-selected images that must be identified or selected from
a pool of images.
The customer's selection of a shared secret normally occurs during
the initial enrollment process or via an offline ancillary process.
Passwords or PIN values can be chosen, questions can be chosen and
responses provided, and images may be uploaded or selected.
The security of shared secret processes can be enhanced with the
requirement for periodic change. Shared secrets that never change
are described as "static" and the risk of compromise increases over
time. The use of multiple shared secrets also provides increased
security because more than one secret must be known to authenticate.
Shared secrets can also be used to authenticate the institution's
Web site to the customer.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS
(Part 1 of 2)
Financial institutions must control access to system software within
the various network clients and servers as well as stand-alone
systems. System software includes the operating system and system
utilities. The computer operating system manages all of the other
applications running on the computer. Common operating systems
include IBM OS/400 and AIX, LINUX, various versions of Microsoft
Windows, and Sun Solaris. Security administrators and IT auditors
need to understand the common vulnerabilities and appropriate
mitigation strategies for their operating systems. Application
programs and data files interface through the operating system.
System utilities are programs that perform repetitive functions such
as creating, deleting, changing, or copying files. System utilities
also could include numerous types of system management software that
can supplement operating system functionality by supporting common
system tasks such as security, system monitoring, or transaction
System software can provide high-level access to data and data
processing. Unauthorized access could result in significant
financial and operational losses. Financial institutions must
restrict privileged access to sensitive operating systems. While
many operating systems have integrated access control software,
third - party security software is available for most operating
systems. In the case of many mainframe systems, these programs are
essential to ensure effective access control and can often integrate
the security management of both the operating system and the
applications. Network security software can allow institutions to
improve the effectiveness of the administration and security policy
compliance for a large number of servers often spanning multiple
operating system environments. The critical aspects for access
control software, whether included in the operating system or
additional security software, are that management has the capability
! Restrict access to sensitive or critical system resources or
processes and have the capability, depending on the sensitivity to
extend protection at the program, file, record, or field level;
! Log user or program access to sensitive system resources including
files, programs, processes, or operating system parameters; and
! Filter logs for potential security events and provide adequate
reporting and alerting capabilities.
Return to the top of the
C. HOST SECURITY
14. Determine whether adequate policies and
procedure govern the destruction of sensitive data on machines that
are taken out of service.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6. Does the institution provide an annual privacy notice to each
customer whose loan the institution owns the right to service? [§§5(c),
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.