Yennik, Inc.®
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 5, 2007

CONTENT Internet Compliance Information Systems Security
IT Security Question
 		 Internet Privacy
 		 Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Man sues Pfizer over data on Net - A Baton Rouge man who once worked for Pfizer Inc. is suing the nation's largest pharmaceutical company over its unauthorized release of personal data. An internal investigation found the breach occurred about three weeks earlier when a worker's spouse used a company laptop computer to install unauthorized software and access a file-sharing network. http://www.2theadvocate.com/news/8614177.html

FYI - GAO - Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-705
Highlights - http://www.gao.gov/highlights/d07705high.pdf

FYI - GAO - Information Technology: Treasury Needs to Strengthen Its Investment Board Operations and Oversight.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-865
Highlights - http://www.gao.gov/highlights/d07865high.pdf

FYI - OMB, DHS outline data security best practices - The Office of Management and Budget and the Homeland Security Department today explained 10 common mistakes agencies make when securing data and personal information and offered a host of best practices to correct each mistake.
New article: http://www.fcw.com/article103240-07-17-07-Web&printLayout
Document: http://csrc.nist.gov/pcig/document/Common-Risks-Impeding-Adequate-Protection-Govt-Info.pdf

FYI - DOT data held for ransom - Pay up to see data on your hard drive, cybercrooks tell Transportation Department, others - The Transportation Department, as well as Booz Allen Hamilton, Hewlett-Packard, Nortel Networks and Unisys have all recently had data on some desktop computers encrypted and held for ransom, charges a British Internet security provider.
http://www.gcn.com/online/vol1_no1/44686-1.html?topic=security&CMP=OTC-RSS
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001860

FYI - Standard configuration to give agencies a real test - Network administrators must figure out how to blend security, legacy apps - Once the National Institute of Standards and Technology, Microsoft and other federal and private-sector experts finish developing the test image for the standard Windows desktop configuration for XP and Vista, agencies will face their toughest test - literally. http://www.gcn.com/print/26_18/44694-1.html?topic=security&CMP=OTC-RSS

FYI - Computer Crimes Charged In College Cash-For-Grades Scheme - The former director of the computer center for Touro College has been charged with computer tampering and computer trespass. Ten people, including the former director of admissions and the former director of the computer center at a Manhattan college, were indicted as being part of a scheme that involved forging transcripts and altering grades. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201200429

MISSING COMPUTERS/DATA

FYI - USB encryption vendor suffers computer breach - A technology firm that recently entered the data security market reported this week that thieves infiltrated a company computer nearly two years ago, illegally accessing some 27,000 customer credit card files. http://www.scmagazine.com/us/news/article/672567/usb-encryption-vendor-suffers-computer-breach/ 

FYI - Data goofs preceded theft - State seeks accountability in inspector's report - Gov. Ted Strickland hopes to figure out why there was no follow up to a memo regarding data theft.E-mail exchanges among state officials about the theft of a computer backup tape containing sensitive personal information are clear: That material was not supposed to be on the tape. http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/07/19/datagone.ART_ART_07-19-07_A1_SF7APIO.html

FYI - Hacker accesses personal information from U-M databases - The University of Michigan has notified 5,500 current and former students that a hacker gained access to personal information on two School of Education databases. http://www.freep.com/apps/pbcs.dll/article?AID=/20070721/NEWS06/70721011/

FYI - Report by Ohio's inspector general spreads blame for theft of state data - An investigative report released this afternoon assigns "shared blame" for a series of decisions that led to the theft of a state computer device containing the personal information of more than 1 million Ohioans. http://toledoblade.com/apps/pbcs.dll/article?AID=/20070720/BREAKINGNEWS/70720026

FYI - Breach forces M&T to reissue cards - Visa cards compromised at third-party retailer - Thousands of M&T Bank Visa cardholders have been issued new cards because of a security breach at a major retailer. http://www.pressconnects.com/apps/pbcs.dll/article?AID=/20070720/BUSINESS/707200312/1006

Return to the top of the newsletter

WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)

Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes. Enhancements may include:

!  Incorporating notification procedures to alert customers of known e-mail and Internet-related fraudulent schemes and to caution them against responding;
!  Establishing a process to notify Internet service providers, domain name-issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that may be used to facilitate phishing or other e-mail and Internet-related fraudulent schemes;
!  Increasing suspicious activity monitoring and employing additional identity verification controls;
!  Offering customers assistance when fraud is detected in connection with customer accounts;
!  Notifying the proper authorities when e-mail and Internet-related fraudulent schemes are detected, including promptly notifying their FDIC Regional Office and the appropriate law enforcement agencies; and
!  Filing a Suspicious Activity Report when incidents of e-mail and Internet-related fraudulent schemes are suspected.

Steps Financial Institutions Can Take to Mitigate Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and Internet-related fraudulent schemes, financial institutions should implement appropriate information security controls as described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet."  Specific actions that should be considered to prevent and deter e-mail and Internet-related fraudulent schemes include:

!  Improving authentication methods and procedures to protect against the risk of user ID and password theft from customers through e-mail and other frauds;
!  Reviewing and, if necessary, enhancing practices for protecting confidential customer data;
!  Maintaining current Web site certificates and describing how customers can authenticate the financial institution's Web pages by checking the properties on a secure Web page;
!  Monitoring accounts individually or in aggregate for unusual account activity such as address or phone number changes, a large or high volume of transfers, and unusual customer service requests;
!  Monitoring for fraudulent Web sites using variations of the financial institution's name;
!  Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious e-mail messages; and
!  Training customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.

Conclusion
E-mail and Internet-related fraudulent schemes present a substantial risk to financial institutions and their customers. Financial institutions should consider developing programs to educate customers about e-mail and Internet-related fraudulent schemes and how to avoid them, consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes, and implement appropriate information security controls to help mitigate the risks associated with e-mail and Internet-related fraudulent schemes.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITYWe continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Using "Wired Equivalent Privacy" (WEP) by itself to provide wireless network security may lead a financial institution to a false sense of security. Information traveling over the network appears secure because it is encrypted. This appearance of security, however, can be defeated in a relatively short time.

Through these types of attacks, unauthorized personnel could gain access to the financial institution's data and systems. For example, an attacker with a laptop computer and a wireless network card could eavesdrop on the bank's network, obtain private customer information, obtain access to bank systems and initiate unauthorized transactions against customer accounts.

Another risk in implementing wireless networks is the potential disruption of wireless service caused by radio transmissions of other devices. For example, the frequency range used for 802.11b equipment is also shared by microwave ovens, cordless phones and other radio-wave-emitting equipment that can potentially interfere with transmissions and lower network performance. Also, as wireless workstations are added within a relatively small area, they will begin to compete with each other for wireless bandwidth, decreasing the overall performance of the wireless network.

Risk Mitigation Components -- Wireless Internal Networks

A key step in mitigating security risks related to the use of wireless technologies is to create policies, standards and procedures that establish minimum levels of security. Financial institutions should adopt standards that require end-to-end encryption for wireless communications based on proven encryption methods. Also, as wireless technologies evolve, new security and control weaknesses will likely be identified in the wireless software and security protocols. Financial institutions should actively monitor security alert organizations for notices related to their wireless network devices.

For wireless internal networks, financial institutions should adopt standards that require strong encryption of the data stream through technologies such as the IP Security Protocol (IPSEC). These methods effectively establish a virtual private network between the wireless workstation and other components of the network. Even though the underlying WEP encryption may be broken, an attacker would be faced with having to defeat an industry-proven security standard.

Financial institutions should also consider the proximity of their wireless networks to publicly available places. A wireless network that does not extend beyond the confines of the financial institution's office space carries with it far less risk than one that extends into neighboring buildings. Before bringing a wireless network online, the financial institution should perform a limited pilot to test the effective range of the wireless network and consider positioning devices in places where they will not broadcast beyond the office space. The institution should also be mindful that each workstation with a wireless card is a transmitter. Confidential customer information may be obtained by listening in on the workstation side of the conversation, even though the listener may be out of range of the access device.

The financial institution should consider having regular independent security testing performed on its wireless network environment. Specific testing goals would include the verification of appropriate security settings, the effectiveness of the wireless security implementation and the identification of rogue wireless devices that do not conform to the institution's stated standards. The security testing should be performed by an organization that is technically qualified to perform wireless testing and demonstrates appropriate ethical behavior.
Return to the top of the newsletter

IT SECURITY QUESTION:  Building physical access controls:

a. Is the building locked after hours?
b. Do locks restrict the interior access?
c. Is there a security guard?
d. Is there a 24 hours camera surveillance system?
e. Is there a burglar alarm system to a remote location?
f.  Is there a fire alarm system to a remote location?
g. Does each employee have a different deactivation code for the alarm systems?
h. Are fire extinguishers regularly inspected?

 Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Objectives 

1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.

2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.

3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:

a)  Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice; 
b)  Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out; 
c)  Appropriately honoring consumer opt out directions; 
d)  Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
e)  Disclosing account numbers only according to the limits in the regulations.

4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.
4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

  

Please visit our other web sites:
 VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated