R. Kinney Williams
August 13, 2006
Your Financial Institution needs an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
to meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable, sophisticated process that
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Banks face Web
security deadline - Many aren't prepared for guidelines on
authenticating online users - For some bank IT managers, last fall's
release of federal guidelines for validating the identities of
online users helped catalyze ongoing efforts to adopt so-called
strong authentication measures. But a majority of U.S. banks appear
unprepared to meet the Dec. 31 deadline by which they're supposed to
comply with the guidelines, several analysts said this week.
FYI - Navy Computers
With Personal Data Stolen - Two laptop computers with personal
information on about 31,000 Navy recruiters and their prospective
recruits were stolen from Navy offices in New Jersey in June and
July, the Navy disclosed.
FYI - Missing laptop
with data on 540,000 N.Y. state workers found; the computer had been
missing since May 9 - A laptop computer containing personal
information on more than half a million New York state workers has
been found after it disappeared May 9 from the offices of a
third-party data management company.
FYI - Armstrong: Stolen
laptop had personal info on 12,000 workers - A laptop stolen from a
payroll auditor contains personal information regarding about 12,000
current and former Armstrong World Industries Inc. employees. The
laptop was stolen from a locked car belonging to a Deloitte & Touche
LLP employee, Armstrong said.
FYI - CIOs release
updated guide to information sharing - The CIO Council has released
a third version of its Federal Enterprise Architecture Security and
Privacy Profile (FEA SPP), which helps agencies safeguard
information they share with others. The 63-page document describes
best practices for program executives to use in complying with
security and privacy requirements. It also suggests ways to
integrate those requirements into major information technology
FYI - Public, private
sectors still far apart on protecting IT infrastructure - The
Homeland Security Department and private industry continue to work
separately, rather than closer together, on instituting measures to
protect the nation's cyber and telecommunications infrastructure,
and part of the disconnect can be attributed to DHS' failure to name
an assistant secretary to take the lead on the issue.
FYI - Visa looks to
bolster security with PCI classification changes - Visa U.S.A. Inc.
has changed the way it classifies merchants under its Payment Card
Industry (PCI) data security standards program, which will require
about 1,000 merchants to meet more rigorous compliance-validation
FYI - U.S. Army requires
trusted computing - The U.S. Army will open its second purchase
period this year for small computers, requiring that all systems
have specialized hardware designed to add strong data security to
the system. Known as the Trusted Computing Platform, the hardware
specification uses encryption and specialized memory to secure a
computer's data, allowing only the application that created a file
to access that data and allowing hard drive data to be locked to a
specific computer, for example.
FFIEC Information Security Booklet - The Federal
Financial Institutions Examination Council updated its Information
Security Booklet for examiners and financial institutions to reflect
changes in technology and mitigation strategies, as well as recent
revisions to related supervisory guidance.
FYI - Sentry Insurance
says customer data stolen - Personal information on 72 workers'
compensation claimants was stolen from Sentry Insurance and later
sold over the Internet, the company said. The data sold included
names and Social Security numbers but not medical records, Sentry
said. Data on an additional 112,198 claimants was also stolen but
there is no evidence it was sold, the company said.
FYI - Security breach
raises new doubts on CIS capability - An employee of U.S.
Citizenship and Immigration Services distributed the personal and
private employment information of thousands of her fellow workers
last week, raising concerns that those responsible for granting
visas and other immigration benefits could be exposed to outside
influence. Top officials at CIS and the Department of Homeland
Security, of which CIS is a part, spent last weekend and this week
evaluating the extent of the security breach for the 8,700 employees
FYI - Now a VA subcontractor's
computer is missing - Three months after a laptop breach put the
personal information of millions of active duty service people at
risk, another computer containing the personal information of
veterans has gone missing. The VA was notified last week that a
subcontractor, Unisys Corporation, hired to assist in insurance
collections for veterans' medical centers in Philadelphia and
Pittsburgh, lost a desktop computer from its offices.
FYI - 2 Md. Men Arrested In
Theft of VA Laptop - Montgomery County police charged two men
yesterday with felonies in the May 3 theft of computer equipment
from the home of a Department of Veterans Affairs analyst, a case
that blossomed into the largest data breach in federal government
WEB SITE COMPLIANCE -
We continue our series on the FFIEC Authentication in an Internet
Banking Environment. (Part 12 of
Internet Protocol Address (IPA) Location and Geo-Location
One technique to filter an online transaction is to know who is
assigned to the requesting Internet Protocol Address. Each computer
on the Internet has an IPA, which is assigned either by an Internet
Service Provider or as part of the user's network. If all users were
issued a unique IPA that was constantly maintained on an official
register, authentication by IPA would simply be a matter of
collecting IPAs and cross-referencing them to their owners. However,
IPAs are not owned, may change frequently, and in some cases can be
"spoofed." Additionally, there is no single source for associating
an IPA with its current owner, and in some cases matching the two
may be impossible.
Some vendors have begun offering software products that identify
several data elements, including location, anonymous proxies, domain
name, and other identifying attributes referred to as "IP
Intelligence." The software analyzes this information in a real-time
environment and checks it against multiple data sources and profiles
to prevent unauthorized access. If the user's IPA and the profiled
characteristics of past sessions match information stored for
identification purposes, the user is authenticated. In some
instances the software will detect out-of-character details of the
access attempt and quickly conclude that the user should not be
Geo-location technology is another technique to limit Internet users
by determining where they are or, conversely, where they are not.
Geo-location software inspects and analyzes the small bits of time
required for Internet communications to move through the network.
These electronic travel times are converted into cyberspace
distances. After these cyberspace distances have been determined for
a user, they are compared with cyberspace distances for known
locations. If the comparison is considered reasonable, the user's
location can be authenticated. If the distance is considered
unreasonable or for some reason is not calculable, the user will not
IPA verification or geo-location may prove beneficial as one factor
in a multifactor authentication strategy. However, since
geo-location software currently produces usable results only for
land-based or wired communications, it may not be suitable for some
wireless networks that can also access the Internet such as
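The two techniques described above, IP-address profiling and latency-based geo-location, combined into one login check. This is an added illustration written for this page, not FFIEC text or any vendor's "IP Intelligence" product; the customer profile, the anonymous-proxy range, the probe locations and the round-trip times are constructed sample data, and the fibre propagation speed is a rounded rule of thumb. The geo-location part shows the "not calculable" outcome the guidance mentions: with no usable probe the factor is inconclusive and the login is pushed to another factor rather than denied or approved.

```python
"""Plausibility checks on the requesting IP address and on latency-based
geo-location for an online-banking login.

Added illustration written for this page, not a vendor's "IP Intelligence"
product or FFIEC text. The customer profile, the anonymous-proxy list, the
probe locations and the round-trip times are all constructed sample data.
"""
import ipaddress
import math
from dataclasses import dataclass
from typing import List, Optional

# Light in fibre travels roughly 200 km per millisecond. A round trip covers
# the distance twice, so the host can be at most rtt/2 * 200 km away.
KM_PER_MS_FIBRE = 200.0
EARTH_RADIUS_KM = 6371.0


def rtt_distance_bound_km(rtt_ms: float) -> float:
    """Upper bound on the host's distance implied by a measured round-trip time."""
    return rtt_ms / 2.0 * KM_PER_MS_FIBRE


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class Probe:
    """A measurement point at a known location and the RTT it observed to the client."""
    lat: float
    lon: float
    rtt_ms: float


@dataclass
class Profile:
    """What past authenticated sessions tell us about this customer."""
    known_networks: List[str]   # CIDR blocks the customer has logged in from before
    home_lat: float             # location associated with those past sessions
    home_lon: float


# Constructed anonymous-proxy list (TEST-NET-3, a range reserved for documentation).
ANONYMOUS_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def location_plausible(lat: float, lon: float, probes: List[Probe]) -> Optional[bool]:
    """True if every probe's RTT allows the claimed location, False if any probe
    rules it out (the location is farther than light could travel in the time),
    None if the distance is not calculable because no probe reached the client."""
    if not probes:
        return None
    for p in probes:
        if haversine_km(lat, lon, p.lat, p.lon) > rtt_distance_bound_km(p.rtt_ms):
            return False
    return True


def evaluate_login(profile: Profile, src_ip: str, probes: List[Probe]) -> str:
    """Decide how the IP/geo-location factor contributes to the login.

    Returns "factor_satisfied" when address and location match the profile,
    "deny" when the evidence contradicts the stored location or the source is
    an anonymising proxy, and "step_up" when this factor is inconclusive and
    another authentication factor should be required.
    """
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in ANONYMOUS_PROXIES):
        return "deny"
    in_known_network = any(ip in ipaddress.ip_network(n) for n in profile.known_networks)
    plausible = location_plausible(profile.home_lat, profile.home_lon, probes)
    if in_known_network and plausible:
        return "factor_satisfied"
    if plausible is False:
        return "deny"
    return "step_up"   # unfamiliar address, or location not calculable (e.g. wireless hops)


if __name__ == "__main__":
    alice = Profile(["198.51.100.0/24"], 32.78, -96.80)            # constructed: Dallas, TX
    probes = [Probe(32.78, -96.80, 10.0), Probe(34.05, -118.24, 40.0)]
    print(evaluate_login(alice, "198.51.100.7", probes))   # factor_satisfied
    print(evaluate_login(alice, "192.0.2.9", probes))      # step_up
    print(evaluate_login(alice, "203.0.113.5", probes))    # deny
```

The RTT bound is deliberately one-sided: queuing and indirect routing only make a measured RTT longer, so a short RTT can rule a distant location out, but a long RTT proves nothing about where the client is. That asymmetry is why the check returns "step_up" rather than "factor_satisfied" whenever the evidence is merely consistent with, rather than supportive of, the customer's profile.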
Mutual authentication is a process whereby customer identity is
authenticated and the target Web site is authenticated to the
customer. Currently, most financial institutions do not authenticate
their Web sites to the customer before collecting sensitive
information. One reason phishing attacks are successful is that
unsuspecting customers cannot determine they are being directed to
spoofed Web sites during the collection stage of an attack. The
spoofed sites are so well constructed that casual users cannot tell
they are not legitimate. Financial institutions can aid customers in
differentiating legitimate sites from spoofed sites by
authenticating their Web site to the customer.
Techniques for authenticating a Web site are varied. The use of
digital certificates coupled with encrypted communications (e.g.
Secure Socket Layer, or SSL) is one; the use of shared secrets such
as digital images is another. Digital certificate authentication is
generally considered one of the stronger authentication
technologies, and mutual authentication provides a defense against
phishing and similar attacks.
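The shared-secret technique mentioned above, worked through as an added example written for this page (it does not describe any institution's actual system): the Web site proves itself to the customer by showing the image the customer chose at enrolment before a password is requested. The image is released only to a browser that presents a device cookie bound to the account with an HMAC, so a copied login page has neither the image catalogue nor a way to forge the cookie. SERVER_KEY and the image catalogue are constructed placeholders.

```python
"""Shared-secret site authentication: the Web site proves itself to the
customer before the customer types a password.

Added example written for this page; it is not a description of any
institution's system. SERVER_KEY and the image catalogue are constructed
placeholders.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SERVER_KEY = b"constructed-demo-key-replace-and-rotate"   # placeholder, not a real key

# Image each customer picked at enrolment (constructed catalogue).
CUSTOMER_IMAGE: Dict[str, str] = {
    "alice": "img/lighthouse.png",
    "bob": "img/sailboat.png",
}


def _tag(username: str, device_id: str) -> str:
    """HMAC over username and device id; ties the cookie to one account."""
    return hmac.new(SERVER_KEY, f"{username}|{device_id}".encode(), hashlib.sha256).hexdigest()


def issue_device_token(username: str) -> str:
    """Issued as a persistent cookie after a fully authenticated session.
    The HMAC binds the random device id to the account, so a token cannot be
    forged without SERVER_KEY or re-used under another username."""
    device_id = secrets.token_hex(16)
    return f"{device_id}.{_tag(username, device_id)}"


def site_image_for(username: str, device_token: Optional[str]) -> Optional[str]:
    """Login step 1: given only the username and the device cookie, return the
    customer's secret image so they can verify the site before entering a
    password. Any unknown or tampered token yields None, and the site should
    fall back to an out-of-band challenge rather than reveal the image."""
    if not device_token or "." not in device_token:
        return None
    device_id, tag = device_token.split(".", 1)
    if not hmac.compare_digest(tag, _tag(username, device_id)):
        return None
    return CUSTOMER_IMAGE.get(username)


if __name__ == "__main__":
    cookie = issue_device_token("alice")
    print(site_image_for("alice", cookie))   # img/lighthouse.png
    print(site_image_for("bob", cookie))     # None: cookie is bound to alice
    print(site_image_for("alice", None))     # None: unknown device
```

A spoofed site that merely collects credentials cannot display the right image. A spoofed site that relays the customer's requests to the genuine site in real time can, which is why the guidance treats shared secrets as one technique alongside certificate-based SSL rather than a replacement for it.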
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Many financial institutions use modems, remote-access servers
(RAS), and VPNs to provide remote access into their systems or to
allow remote access out of their systems. Remote access can support
mobile users through wireless, Internet, or dial-in capabilities. In
some cases, modem access is required periodically by vendors to make
emergency program fixes or to support a system.
Remote access to a financial institution's systems provides an
attacker with the opportunity to remotely attack the systems either
individually or in groups. Accordingly, management should establish
policies restricting remote access and be aware of all remote access
devices attached to their systems. These devices should be strictly
controlled. Good controls for remote access include the following:
! Disallow remote access by policy and practice unless a compelling
business justification exists.
! Disable remote access at the operating system level if a business
need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by
default, to enable modems only for specific, authorized external
requests, and disable the modem immediately when the requested
purpose is completed.
! Configure modems not to answer inbound calls, if modems are for
outbound use only.
! Use automated callback features so the modems only call one number
(although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses a
different prefix than internal numbers and does not respond to
! Log and monitor the date, time, user, user location, duration, and
purpose for all remote access.
! Require a two-factor authentication process for all remote access
(e.g., PIN-based token card with a one-time random password
! Implement controls consistent with the sensitivity of remote use
(e.g., remote system administration requires strict controls and
oversight including encrypting the authentication and log-in
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet
access, to provide a consistent authentication process, and to
subject the inbound and outbound network traffic to firewalls.
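Several of the controls listed above are only useful if someone actually reviews the remote-access log against them. The following is an added example written for this page, not an FFIEC or vendor tool: it parses constructed remote-access session records and reports sessions that lack a management approval, began outside the approved window, ran past it (the modem or account was not disabled when the purpose was completed), or were authenticated with a single factor. The log format, the approval register and every log line are constructed sample data.

```python
"""Reviewing remote-access session logs against the controls above: management
approval, an approved time window, access disabled once the work is done, and
two-factor authentication.

Added example written for this page, not an FFIEC tool. The log format, the
approval register and every log line are constructed sample data.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# key=value pairs; values may be double-quoted when they contain spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Approval register: ticket -> (approved user, window start, window end). Constructed.
APPROVALS: Dict[str, Tuple[str, datetime, datetime]] = {
    "RA-0142": ("vend_acme", datetime(2006, 8, 10, 13, 0), datetime(2006, 8, 10, 15, 0)),
    "RA-0150": ("jdoe", datetime(2006, 8, 11, 8, 0), datetime(2006, 8, 11, 18, 0)),
}

KNOWLEDGE_FACTORS = {"password", "pin"}
POSSESSION_FACTORS = {"otp", "token", "smartcard"}

# Constructed log lines in the shape "<date> <time> REMOTE k=v k=v ..."
SAMPLE_LOG = [
    '2006-08-10 14:02 REMOTE user=vend_acme src=dialin dur_min=35 factors=pin,otp approval=RA-0142 purpose="emergency patch"',
    '2006-08-10 22:15 REMOTE user=vend_acme src=dialin dur_min=10 factors=pin,otp approval=RA-0142 purpose="follow-up"',
    '2006-08-11 09:30 REMOTE user=jdoe src=vpn dur_min=600 factors=password approval=RA-0150 purpose="administration"',
    '2006-08-11 03:12 REMOTE user=guest src=dialin dur_min=5 factors=password purpose="unknown"',
]


def parse_line(line: str) -> dict:
    """Split the timestamp from the key=value fields and strip quotes from values."""
    ts_str, rest = line.split(" REMOTE ", 1)
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%d %H:%M")}
    for key, value in KV.findall(rest):
        rec[key] = value.strip('"')
    return rec


def check_session(rec: dict) -> List[str]:
    """Return the control failures for one session record (empty list = clean)."""
    findings: List[str] = []
    approval = APPROVALS.get(rec.get("approval", ""))
    if approval is None:
        findings.append("no management approval on record")
    else:
        user, start, end = approval
        if rec["user"] != user:
            findings.append("approval issued to a different user")
        if not (start <= rec["ts"] <= end):
            findings.append("session began outside the approved window")
        elif rec["ts"] + timedelta(minutes=int(rec["dur_min"])) > end:
            findings.append("session ran past the approved window (access not disabled on completion)")
    factors = set(rec.get("factors", "").split(",")) - {""}
    if not (factors & KNOWLEDGE_FACTORS and factors & POSSESSION_FACTORS):
        findings.append("two-factor authentication not used")
    return findings


def audit(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every line; each result pairs 'user@timestamp' with its findings."""
    results = []
    for line in lines:
        rec = parse_line(line)
        results.append((f'{rec["user"]}@{rec["ts"].isoformat()}', check_session(rec)))
    return results


if __name__ == "__main__":
    for session, findings in audit(SAMPLE_LOG):
        print(session, "OK" if not findings else "; ".join(findings))
```

Keeping the approval register separate from the log is the point of the "require management approval" control: the log records what happened, the register records what was authorised, and the review is the comparison of the two.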
D. USER EQUIPMENT SECURITY
(E.G. WORKSTATION, LAPTOP, HANDHELD)
4. Determine whether adequate policies and
procedures exist to address the loss of equipment, including laptops
and other mobile devices. Such plans should encompass the potential
loss of customer data and authentication devices.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of
nonpublic personal information that it discloses, as applicable, and
a few examples of each, or alternatively state that it reserves the
right to disclose all the nonpublic personal information that it
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with
nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.