FYI -
"Pharming" Guidance on How Financial Institutions Can Protect Against
Pharming Attacks - The FDIC is issuing the attached guidance to
financial institutions describing the practice of "pharming," how it
occurs, and potential preventive approaches. Financial institutions
offering Internet banking should assess potential threats posed by
pharming attacks and protect Internet domain names, which - if
compromised - can heighten risks to the institutions.
www.fdic.gov/news/news/financial/2005/fil6405.html
FYI - New Credit Card
Security Rule Takes Effect - Some merchants are concerned about
compliance - A data security standard for all merchants handling
credit card data went into effect amid concerns over potential
implementation and compliance validation snags.
http://www.computerworld.com/printthis/2005/0,4814,102932,00.html
FYI - Man arrested for
using neighbour's wireless network - A man has been arrested and
charged for riding someone's home Wi-Fi network.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4001
FYI - Flawed USC
admissions site allowed access to applicant data - A programming
error in the University of Southern California's online system for
accepting applications from prospective students left the personal
information of as many as 320,000 users publicly accessible, school
officials confirmed.
http://www.securityfocus.com/news/11239
FYI - Internet Users
Change Habits To Avoid Spyware - The survey of 2,000 users found
that over 80 percent no longer open attachments from unknown
sources, and nearly half have stopped visiting sites they suspect of
harboring malware.
http://www.cio-today.com/news/Internet-Users-Change-Habits-for-Spyware/story.xhtml?story_id=020000O5OSBS
FYI -
Data Encryption - A Must for Today's Corporations - In today's
climate of data security breaches, encrypting sensitive information
is a step organizations can't afford to miss.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5634
FYI -
What Organizations Should Know About VoIP - And Auditors Too - Many
organizations are taking advantage of voice-over Internet protocol
(VoIP) technology. Although there are great advantages to its use,
auditors should understand the security risks posed by VoIP
connections and help IT departments find ways to mitigate threats.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5631
FYI -
Imposter sites plague free credit report site - A Web site created by
federal mandate last year to help consumers spot identity theft is
opening up new avenues for fraud, according to a privacy watchdog
group. http://news.com.com/2102-1028_3-5789299.html?tag=st.util.print
WEB SITE COMPLIANCE -
We
continue our series on the FFIEC interagency Information Security
Booklet.
BUSINESS CONTINUITY CONSIDERATIONS
Events that trigger the implementation of a business continuity plan
may have significant security considerations. Depending on the
event, some or all of the elements of the security environment may
change. Different people may be involved in operations, at a
different physical location, using similar but different machines
and software which may communicate over different communications
lines. Depending on the event, different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a
different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part of
the security process. Risk assessments should consider the changing
risks that appear in business continuity scenarios and the different
security posture that may be established. Strategies should consider
the different risk environment and the degree of risk mitigation
necessary to protect the institution in the event the continuity
plans must be implemented. The implementation should consider the
training of appropriate personnel in their security roles, and the
implementation and updating of technologies and plans for back-up
sites and communications networks. Testing these security
considerations should be integrated with the testing of business
continuity plan implementations.
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Internet."
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication measures,
users should be properly educated in password selection. Strong
passwords consist of at least six to eight alphanumeric characters,
with no resemblance to any personal data. PINs should also be
unique, with no resemblance to personal data. Neither passwords nor
PINs should ever be reduced to writing or shared with others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can run
through tens of thousands of password variations based on personal
information, such as a user's name or address. It is preferable to
test for such vulnerabilities by running this type of program as a
preventive measure, before an unauthorized party has the opportunity
to do so. Incorporating a brief delay requirement after each
incorrect login attempt can be very effective against these types of
programs. In cases where a potential attacker is monitoring a
network to collect passwords, a system utilizing one-time passwords
would render any data collected useless.
When additional measures are necessary to confirm that passwords or
PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
IT SECURITY QUESTION:
Network user access controls: (Part 1 of
2)
g. Can the same password be used again within 12 months?
h. Is the user locked out after three unsuccessful attempts to enter
the correct password?
i. How long is the user locked out after entering an incorrect
password?
j. Automatic timeout if left unattended? If so, how long?
k. Automatic lockout by time of day and day of week?
l. Is user access restricted by workstation?
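The password guidance above (minimum length, no resemblance to personal data, a penalty after each failed attempt, protected password storage) and checklist items g, h and i (no reuse within 12 months, lockout after three failures, lockout duration) are the kind of rules a login service enforces in code. The following is an added example written for this newsletter, not code from the FDIC paper or from any examined institution; the names AuthGate, password_acceptable and demo, the 15-minute lockout duration and the sample account data are assumptions.

```python
"""Login policy engine illustrating the newsletter's password guidance.
Added example: not from the FDIC paper or the newsletter. AuthGate,
password_acceptable, the 15-minute lockout and the sample data are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                              # "at least six to eight alphanumeric characters"
MAX_FAILURES = 3                            # checklist item h
LOCKOUT_DURATION = timedelta(minutes=15)    # checklist item i; the duration is an assumed value
HISTORY_WINDOW = timedelta(days=365)        # checklist item g: no reuse within 12 months


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a copied password database still resists guessing programs.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_acceptable(password: str, personal_data: List[str]) -> bool:
    """Minimum length, letters and digits, and no resemblance to personal data
    (here: no case-insensitive substring of 3+ characters taken from the user's data)."""
    if len(password) < MIN_LENGTH:
        return False
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        return False
    lowered = password.lower()
    return not any(len(d) >= 3 and d.lower() in lowered for d in personal_data)


@dataclass
class Account:
    # (set_at, salt, digest) for every password the user has had; the last entry is current
    history: List[Tuple[datetime, bytes, bytes]] = field(default_factory=list)
    failures: int = 0
    locked_until: Optional[datetime] = None


class AuthGate:
    """Enforces lockout after MAX_FAILURES, lockout expiry, and the password reuse window."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def set_password(self, user: str, new_password: str,
                     personal_data: List[str], now: datetime) -> str:
        if not password_acceptable(new_password, personal_data):
            return "rejected:weak"
        acct = self.accounts.setdefault(user, Account())
        for set_at, salt, digest in acct.history:
            # Any password set inside the window, current or previous, may not come back.
            if now - set_at < HISTORY_WINDOW and \
                    hmac.compare_digest(_digest(new_password, salt), digest):
                return "rejected:reused"
        salt = os.urandom(16)
        acct.history.append((now, salt, _digest(new_password, salt)))
        return "ok"

    def login(self, user: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"          # same answer as a wrong password: do not confirm user names
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"      # still inside the lockout, even if this password is right
            acct.locked_until, acct.failures = None, 0
        _, salt, digest = acct.history[-1]
        if hmac.compare_digest(_digest(password, salt), digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Constructed walk-through of one account; returns the decision at each step."""
    gate = AuthGate()
    data = ["Alice", "Smith", "Lubbock"]   # constructed personal data for the sample user
    t0 = datetime(2005, 7, 1, 9, 0)
    return [
        gate.set_password("alice", "alice2005", data, t0),       # contains her own name
        gate.set_password("alice", "Quartz7Lantern", data, t0),
        gate.login("alice", "Quartz7Lantern", t0),
        gate.login("alice", "guess-1", t0),
        gate.login("alice", "guess-2", t0),
        gate.login("alice", "guess-3", t0),                       # third failure locks the account
        gate.login("alice", "Quartz7Lantern", t0 + timedelta(minutes=5)),
        gate.login("alice", "Quartz7Lantern", t0 + timedelta(minutes=16)),
        gate.set_password("alice", "Quartz7Lantern", data, t0 + timedelta(days=30)),
        gate.set_password("alice", "Maple9Harbor", data, t0 + timedelta(days=30)),
        gate.set_password("alice", "Quartz7Lantern", data, t0 + timedelta(days=400)),
    ]


if __name__ == "__main__":
    for step, result in enumerate(demo(), 1):
        print(step, result)
```

Two design points follow the text rather than convenience: a lockout is enforced even when the correct password is presented, because the point is to stop the guessing program, not to punish a typo; and an unknown user gets the same "denied" as a wrong password, so the login screen does not tell a caller which user names exist. The brief per-attempt delay the text also recommends would sit in the same `login` path, before the comparison.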
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
consumer, unless:
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and practices;
[§8(a)(1)]
b. the institution has provided the consumer with a new opt out
notice; [§8(a)(2)]
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information; [§8(a)(3)]
and
d. the consumer has not opted out? [§8(a)(4)]
VISTA - Does
{custom4} need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on
VISTA
to verify their IT security settings and to meet
the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
compliance with the
Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable, sophisticated process that
goes far beyond simple port scanning; the
testing focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.