R. Kinney Williams
August 6, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
The Federal Financial Institutions Examination
Council issued revised guidance for examiners and financial
institutions to use in identifying information security risks and
evaluating the adequacy of controls and applicable risk management
practices of financial institutions.
July 2006 Information Security Handbook:
FYI - System glitches
hit two banks' online services - Two of the nation's banks struggled
on Tuesday to repair glitches at their Web sites that had prevented
customers from fully accessing their accounts for as long as two
FYI - Professional
Hackers Target World Finance - Professional Hackers and Organised
Crime Target World's Largest Financial Institutions - The world's
largest financial institutions experienced a surge in the number of
security attacks over the past year, specifically from external
sources. More than three-quarters (78%, up from 26% in 2005) of
respondents confirmed a security breach from outside the
organization and almost half (49%, up from 35% in 2005) experienced
at least one internal breach.
FYI - More than
half-million injured NY workers have personal info compromised - A
PC holding the personal information of some 540,000 injured workers
in New York state has been lost by a Chicago company contracted to
manage the data.
FYI - Personal
information of NYC homeless leaked - The personal information of
more than 8,000 of New York City's homeless accidentally was leaked
in an email Friday, the New York Daily News reported in its Saturday
FYI - Beware fake Google
Toolbar trojan - Researchers warned PC users this week to be on the
lookout for a trojan in the wild disguising itself as Google
FYI - Hackers striking
databases in record numbers - Databases are under increasing assault
from SQL injection attacks - Hackers are striking databases in
record numbers, trying to pilfer a rich trove of personal and
financial data, a security vendor said Wednesday. SecureWorks, based
in Atlanta, is detecting up to 8,000 attacks per day on databases
owned by its clients, up from an average 100 to 200 attacks per day
in the first three months of this year.
FYI - Time running out for
Sarbanes-Oxley compliance - Like it or not, the clock is ticking for
non-US companies that need to be compliant to one of the most
talked-about elements of the Sarbanes-Oxley (SOX) Act established in
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our series on the FFIEC Authentication in an Internet
Banking Environment. (Part 11 of
Non-Hardware-Based One-Time-Password Scratch Card
Scratch cards (something a person has) are less-expensive,
"low-tech" versions of the OTP generating tokens discussed
previously. The card, similar to a bingo card or map location
look-up, usually contains numbers and letters arranged in a
row-and-column format, i.e., a grid. The size of the card determines
the number of cells in the grid.
Used in a multifactor authentication process, the customer first
enters his or her user name and password in the established manner.
Assuming the information is input correctly, the customer will then
be asked to input, as a second authentication factor, the characters
contained in a randomly chosen cell in the grid. The customer will
respond by typing in the data contained in the grid cell element
that corresponds to the challenge coordinates.
Conventional OTP hardware tokens rely on electronics that can fail
through physical abuse or defects, but placing the grid on a
wallet-sized plastic card makes it durable and easy to carry. This
type of authentication requires no training and, if the card is
lost, replacement is relatively easy and inexpensive.
Out-of-band authentication includes any technique that allows the
identity of the individual originating a transaction to be verified
through a channel different from the one the customer is using to
initiate the transaction. This type of layered authentication has
been used in the commercial banking/brokerage business for many
years. For example, funds transfer requests, purchase
authorizations, or other monetary transactions are sent to the
financial institution by the customer either by telephone or by fax.
After the institution receives the request, a telephone call is
usually made to another party within the company (if a
business-generated transaction) or back to the originating
individual. The telephoned party is asked for a predetermined word,
phrase, or number that verifies that the transaction was legitimate
and confirms the dollar amount. This layering approach precludes
unauthorized transactions and identifies dollar amount errors, such
as when a $1,000.00 order was intended but the decimal point was
misplaced and the amount came back as $100,000.00.
In today's environment, the methods of origination and
authentication are more varied. For example, when a customer
initiates an online transaction, a computer or network-based server
can generate a telephone call, an e-mail, or a text message. When
the proper response (a verbal confirmation or an
accepted-transaction affirmation) is received, the transaction is
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION - APPLICATION
(Part 2 of 2)
Institution management should consider a number of issues regarding
application-access control. Many of these issues could also apply to
oversight of operating system access:
! Implementing a robust authentication method consistent with the
criticality and sensitivity of the application. Historically, the
majority of applications have relied solely on user IDs and
passwords, but increasingly applications are using other forms of
authentication. Multi-factor authentication, such as token and PKI-based
systems coupled with a robust enrollment process, can reduce the
potential for unauthorized access.
! Maintaining consistent processes for assigning new user access,
changing existing user access, and promptly removing access to
! Communicating and enforcing the responsibilities of programmers
(including TSPs and vendors), security administrators, and business
line owners for maintaining effective application-access control.
Business line managers are responsible for the security and privacy
of the information within their units. They are in the best position
to judge the legitimate access needs of their area and should be
held accountable for doing so. However, they require support in the
form of adequate security capabilities provided by the programmers
or vendor and adequate direction and support from security
! Monitoring existing access rights to applications to help ensure
that users have the minimum access required for the current business
need. Typically, business application owners must assume
responsibility for determining the access rights assigned to their
staff within the bounds of the AUP. Regardless of the process for
assigning access, business application owners should periodically
review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some applications
or for the more sensitive functions within an application. The
nature of some applications requires limiting the location and
number of workstations with access. These restrictions can support
the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by
utilizing software that supports group profiles. Some financial
institutions manage access rights individually and it often leads to
inappropriate access levels. By grouping employees with similar
access requirements under a common access profile (e.g., tellers,
loan operations, etc.), business application owners and security
administrators can better assign and oversee access rights. For
example, a teller performing a two-week rotation as a proof operator
does not need year-round access to perform both jobs. With group
profiles, security administrators can quickly reassign the employee
from a teller profile to a proof operator profile. Note that group
profiles are used only to manage access rights; accountability for
system use is maintained through individuals being assigned their
own unique identifiers and authenticators.
Return to the top of the
D. USER EQUIPMENT SECURITY
(E.G. WORKSTATION, LAPTOP, HANDHELD)
3. Determine whether adequate inspection for, and
removal of, unauthorized hardware and software takes place.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of
nonpublic personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with
nonaffiliated third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency? [§6(c)(1)(iv)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.