R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 19, 2009

Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Security guard charged with hacking hospital systems - He intended to use a botnet to launch a massive DDoS attack on July 4 - The grainy video shows a bleary-eyed young man in a hoodie inside the Carrell Clinic in Dallas. As he hits the elevator button, the theme music from Mission Impossible plays in the background. "You're on a mission with me: Infiltration," he says to the camera. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9135089

FYI - Data breach defense: Response ability - When a breach occurs, customers expect more than an apology, says Bob Maley, Pennsylvania's CISO. Dan Kaplan reports. Bob Maley, chief information security officer for the state of Pennsylvania, was about two weeks on the job when he had to deal with his first data breach. http://www.scmagazineus.com/Data-breach-defense-Response-ability/article/139460/?DCMP=EMC-SCUS_Newswire

FYI - Practical forensics - Large and small enterprises are facing a number of issues when it comes to forensic investigations, reports Deb Radcliff. Whether or not to launch a digital forensics investigation depends on many things: What is it the organization is trying to find, where is the evidence located, and how does an enterprise define forensics in the first place? http://www.scmagazineus.com/Practical-forensics/article/139459/?DCMP=EMC-SCUS_Newswire

FYI - PC Invader Costs Ky. County $415,000 - Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html

FYI - Gamer embezzles virtual cash to settle real debts - As if high-profile investment scandals and the economic downturn weren't bad enough here on Earth, now folks have to deal with it outside our galaxy. Virtually, at least. http://www.theregister.co.uk/2009/07/03/eve_banker_does_a_runner/

FYI - Law enforcement may never get ahead of cybercriminals, an FBI supervisory special agent has said. "It's a race," Austin Berglas, who works in the FBI's cybercrime squad, said Tuesday during a panel session at Symantec's Cybercrime Day 2009 event in New York. "Zero-days happen every day." http://www.scmagazineus.com/FBI-trying-new-ways-to-stem-cybercrime-tide/article/139644/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers steal money from Bullitt County account - The federal agents and members of the Bullitt County Fiscal Court are trying to recover thousands of dollars that went missing from a county account at First Federal Savings Bank in what appears to be a cyber crime. Limited information is being released, but an FBI agent WAVE 3 spoke with believes this crime has international ties. http://www.wave3.com/Global/story.asp?S=10629488

FYI - Malicious server used to propagate Zbot shut down - A criminal operation has been halted by the shutdown of a malicious server in the Cayman Islands, but attackers are probably now looking for a new home, researchers at a U.K. security firm said this week. http://www.scmagazineus.com/Malicious-server-used-to-propagate-Zbot-shut-down/article/139411/

FYI - Programmer charged with stealing code freed on bail - A software programmer charged with copying secret financial-trading code from Goldman Sachs computers is out on $750,000 bail. http://www.scmagazineus.com/Programmer-charged-with-stealing-code-freed-on-bail/article/139660/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight
 

The Board of Directors and senior management are responsible for developing the banking institution's business strategy. An explicit strategic decision should be made as to whether the Board wishes the bank to provide e-banking transactional services before beginning to offer such services. Specifically, the Board should ensure that e-banking plans are clearly integrated within corporate strategic goals, a risk analysis is performed of the proposed e-banking activities, appropriate risk mitigation and monitoring processes are established for identified risks, and ongoing reviews are conducted to evaluate the results of e-banking activities against the institution's business plans and objectives.

In addition, the Board and senior management should ensure that the operational and security risk dimensions of the institution's e-banking business strategies are appropriately considered and addressed. The provision of financial services over the Internet may significantly modify and/or even increase traditional banking risks (e.g. strategic, reputational, operational, credit and liquidity risk). Steps should therefore be taken to ensure that the bank's existing risk management processes, security control processes, due diligence and oversight processes for outsourcing relationships are appropriately evaluated and modified to accommodate e-banking services.

INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 2 of 4)

"Tuning" refers to the creation of signatures that can distinguish between normal network traffic and potentially malicious traffic. Proper tuning of these IDS units is essential to reliable detection of both known attacks and newly developed attacks. Tuning of some signature-based units for any particular network may take an extended period of time, and involve extensive analysis of expected traffic. If an IDS is not properly tuned, the volume of alerts it generates may degrade the intrusion identification and response capability.

Signatures may take several forms. The simplest form is the URL submitted to a Web server, where certain references, such as cmd.exe, are indicators of an attack. The nature of traffic to and from a server can also serve as a signature. An example is the length of a session and amount of traffic passed. A signature method meant to focus on sophisticated attackers is protocol analysis, when the contents of a packet or session are analyzed for activity that violates standards or expected behavior. That method can catch, for instance, indicators that servers are being attacked using Internet control message protocol (ICMP).
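The three signature forms above (a URL reference such as cmd.exe, a session length/volume profile, and protocol analysis of ICMP), together with the effect of tuning on alert volume, shown as an added example; this is not code from the FFIEC booklet or from Yennik, and the event records, thresholds and the 64-byte echo baseline are constructed assumptions:

```python
import re

# Constructed sample events (not real captures) standing in for traffic a
# network IDS sensor would see on a bank's Web and perimeter segment.
SAMPLE_EVENTS = [
    {"proto": "http", "src": "10.0.0.5",  "url": "/online/login",          "secs": 3,    "bytes": 12_000},
    {"proto": "http", "src": "10.0.0.9",  "url": "/scripts/cmd.exe?/c+dir", "secs": 1,    "bytes": 900},
    {"proto": "http", "src": "10.0.0.7",  "url": "/statements/export",     "secs": 5400, "bytes": 800_000_000},
    {"proto": "icmp", "src": "10.0.0.11", "icmp_type": 8, "payload_len": 56},
    {"proto": "icmp", "src": "10.0.0.12", "icmp_type": 8, "payload_len": 1400},
]

# Signature form 1: content match on the URL submitted to the Web server.
URL_SIGNATURES = {"url-cmd-exe": re.compile(r"cmd\.exe", re.IGNORECASE)}

def url_alerts(events, signatures=URL_SIGNATURES):
    return [(name, e["src"]) for e in events if e["proto"] == "http"
            for name, rx in signatures.items() if rx.search(e["url"])]

# Signature form 2: traffic profile (session length and volume). The thresholds
# are the tuning knobs and must come from analysing the site's expected traffic;
# the defaults here are assumed values for the constructed sample.
def profile_alerts(events, max_secs=3600, max_bytes=100_000_000):
    return [("long-or-heavy-session", e["src"]) for e in events
            if e["proto"] == "http" and (e["secs"] > max_secs or e["bytes"] > max_bytes)]

# Signature form 3: protocol analysis. An ICMP echo request (type 8) carrying far
# more payload than a normal ping violates expected behaviour (assumed baseline 64 bytes).
def icmp_alerts(events, max_echo_payload=64):
    return [("icmp-oversized-echo", e["src"]) for e in events
            if e["proto"] == "icmp" and e["icmp_type"] == 8
            and e["payload_len"] > max_echo_payload]

def run_ids(events, max_secs=3600, max_bytes=100_000_000, max_echo_payload=64):
    """Run all signature forms and return (rule, source) alerts."""
    return (url_alerts(events)
            + profile_alerts(events, max_secs, max_bytes)
            + icmp_alerts(events, max_echo_payload))

if __name__ == "__main__":
    # Tuned thresholds: one alert per genuinely anomalous event.
    for rule, src in run_ids(SAMPLE_EVENTS):
        print(f"ALERT {rule:<22} from {src}")
    # Untuned volume threshold: the ordinary login session now alerts too,
    # which is the alert-volume problem the booklet warns about.
    print("untuned alert count:", len(run_ids(SAMPLE_EVENTS, max_bytes=10_000)))
```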

Switched networks pose a problem for network IDS. Switches ordinarily do not broadcast traffic to all ports, and a network IDS may need to see all traffic to be effective. When switches do not have a port that receives all traffic, the financial institution may have to alter their network to include a hub or other device to allow the IDS to monitor traffic.

Encrypted network traffic will drastically reduce the effectiveness of a network IDS. Since a network IDS only reads traffic and does not decrypt the traffic, encrypted traffic will avoid detection.



IT SECURITY QUESTION: 
INTRUSION DETECTION AND RESPONSE

4. Determine whether logs of security-related events are sufficient to assign accountability for intrusion detection system activities, as well as support intrusion forensics and IDS.

5. Determine if logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.

6. Determine if an appropriate process exists to authorize employee access to intrusion detection systems and that authentication and authorization controls limit access to and control the access of authorized individuals.



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [6(d)(1)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; our logo is registered with the United States Patent and Trademark Office. Copyright Yennik, Incorporated.