R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

July 23, 2006

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI
- Phishers try to best banks' authentication - Some 35 Web sites have been set up to use a new attack that gets around token-based authentication systems - Over the past few weeks, approximately 35 phishing Web sites have been set up that use the new attack. They attempt to trick users into divulging the temporary passwords created by the security token devices used by banks such as Citigroup Inc., said Rich Miller, an analyst with Internet research company Netcraft Ltd. http://www.infoworld.com/article/06/07/14/HNbankphishers_1.html

FYI - VA info security chief says he had impossible task - The chief information security officer for the Veterans Affairs Department, who resigned Thursday and was subsequently placed on paid administrative leave for his final two weeks of employment, said Friday that he had been prevented from fixing the department's information security weaknesses.
http://www.govexec.com/story_page.cfm?articleid=34461&printerfriendlyVers=1&
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=41230

FYI - Hackers steal thousands from internet bank accounts - Hackers have penetrated internet banking facilities and gained access to the accounts of clients of three major banks, the Cape Times reported. http://www.mg.co.za/articlePage.aspx?articleid=276144&area=/breaking_news/breaking_news__national/

FYI - Identity Thieves Hit NIH Credit Union - Scheme Is Latest in Spate of Breaches Affecting Millions - The National Institutes of Health's federal credit union has notified some customers that their personal information has been compromised by an identity theft scheme, officials said. http://www.washingtonpost.com/wp-dyn/content/article/2006/06/28/AR2006062801936_pf.html

FYI - Customer data abuse rife among UK companies - Nearly half of UK companies could be breaching the Data Protection Act (DPA) through the misuse of customer data, according to research published on Monday. The study involved 100 UK IT directors, and found 44 per cent use genuine customer data when developing and testing applications. This is a breach of the second principle of the DPA, which states data should not be used for purposes other than that for which it was collected. http://management.silicon.com/government/0,39024852,39160080,00.htm

FYI - Visa, MasterCard to unveil new security rules - The updated PCI standard will cover Web apps, third-party controls - Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001637

FYI - Consultant pleads guilty to FBI curiosity hacks - A technology consultant agreed to plead guilty to four charges of exceeding authorized access after he used common hacking tools to breach the security of FBI systems during his stint upgrading the agency's computers. http://www.securityfocus.com/brief/244

FYI - Personal data exposed on Navy Web site - The Naval Safety Center (NSC) said July 7 it had discovered that personal information on more than 100,000 Navy and Marine Corps aviators and aircrew was accessible on its public Web site and has since removed the information from the site. http://www.fcw.com/article95202-07-08-06-Web

FYI - Open source phone system open to DoS attack - Hackers could launch DoS attacks against telephone systems, new research has revealed. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060719/570049/

FYI - FBI: Cybercrime losses down last year - The financial losses related to cybercrime are going down, and the number of businesses willing to report these crimes is going up, according to a new survey co-sponsored by the FBI. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060717/569885/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our series on the FFIEC Authentication in an Internet Banking Environment.  (Part 9 of 13)

Tokens

Tokens are physical devices (something the person has) and may be part of a multifactor authentication scheme. Three types of tokens are discussed here: the USB token device, the smart card, and the password-generating token.
USB Token Device

The USB token device is typically the size of a house key. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer. Once the USB token is recognized, the customer is prompted to enter his or her password (the second authenticating factor) in order to gain access to the computer system.

USB tokens are one-piece, injection-molded devices. USB tokens are hard to duplicate and are tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials. The device has the ability to store digital certificates that can be used in a public key infrastructure (PKI) environment.

The USB token is generally considered to be user-friendly. Its small size makes it easy for the user to carry and, as noted above, it plugs into an existing USB port; thus the need for additional hardware is eliminated.

Smart Card

A smart card is the size of a credit card and contains a microprocessor that enables it to store and process data. Inclusion of the microprocessor enables software developers to use more robust authentication schemes. To be used, a smart card must be inserted into a compatible reader attached to the customer's computer. If the smart card is recognized as valid (first factor), the customer is prompted to enter his or her password (second factor) to complete the authentication process.

Smart cards are hard to duplicate and are tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials. Smart cards are easy to carry and easy to use. Their primary disadvantage as a consumer authentication device is that they require the installation of a hardware reader and associated software drivers on the consumer's home computer.

Password-Generating Token

A password-generating token produces a unique pass-code, also known as a one-time password each time it is used. The token ensures that the same OTP is not used consecutively. The OTP is displayed on a small screen on the token. The customer first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The customer is authenticated if (1) the regular password matches and (2) the OTP generated by the token matches the password on the authentication server. A new OTP is typically generated every 60 seconds-in some systems, every 30 seconds. This very brief period is the life span of that password. OTP tokens generally last 4 to 5 years before they need to be replaced.

Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty of a cyber thief capturing and using OTPs gained from keyboard logging.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)


Additional operating system access controls include the following actions:

! Ensure system administrators and security professionals have adequate expertise to securely configure and manage the operating system.
! Ensure effective authentication methods are used to restrict system access to both users and applications.
! Activate and utilize operating system security and logging capabilities and supplement with additional security software where supported by the risk assessment process.
! Restrict operating system access to specific terminals in physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals residing outside physically secure locations.
! Restrict and log access to system utilities, especially those with data altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions, where feasible, and at a minimum require strong authentication and encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating systems and grant only the minimum level of access required to perform routine responsibilities.
! Segregate operating system access, where possible, to limit full or root - level access to the system.
! Monitor operating system access by user, terminal, date, and time of access.
! Update operating systems with security patches and using appropriate change control mechanisms.


Return to the top of the newsletter

IT SECURITY QUESTION:

D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

1. Determine whether new workstations are prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice  

8)  Do the initial, annual, and revised privacy notices include each of the following, as applicable:  (Part 1 of 2)

a)  the categories of nonpublic personal information that the institution collects; [6(a)(1)]

b)  the categories of nonpublic personal information that the institution discloses; [6(a)(2)]

c)  the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in 14 or 15; [6(a)(3)]

d)  the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in 14 or 15; [6(a)(4)]


NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated