Internet Banking News

August 16, 2009

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - The Information Security and Risk Management Conference is being held September 28-30, 2009 in Las Vegas, Nevada. This is a great conference that I highly recommend. For more information and to register, please go to http://www.isaca.org/isrmc.

FYI - Web users ignoring security certificate warnings - Digital certificate warnings in Web browsers are not an effective security measure, according to Carnegie Mellon researchers. http://news.cnet.com/8301-1009_3-10297264-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

FYI - Cable fault cuts off West Africa - Large parts of West Africa are struggling to get back online following damage to an undersea cable. The fault has caused severe problems in Benin, Togo, Niger and Nigeria. http://news.bbc.co.uk/2/hi/technology/8176014.stm

FYI - GAO - HUD Needs to Strengthen Its Capacity to Manage and Modernize Its Environment.
Release - http://www.gao.gov/new.items/d09675.pdf
Highlights - http://www.gao.gov/highlights/d09675high.pdf

FYI - Researchers simulate a botnet of 1 million zombies - Computer scientists working for the U.S. Department of Energy announced this week that they have been able to create a simulated botnet consisting of more than one million machines. http://www.scmagazineus.com/Researchers-simulate-a-botnet-of-1-million-zombies/article/140988/?DCMP=EMC-SCUS_Newswire

FYI - Breaking SSL network transactions - By making a simple change, a fake SSL certificate can be created and used to persuade users that it is safe to enter their credit card information on a merchant site. http://www.scmagazineus.com/Black-Hat-Breaking-SSL-network-transactions/article/140941/?DCMP=EMC-SCUS_Newswire

FYI - Clampi banking trojan spreading rapidly - Researchers have identified a new and dangerous banking trojan that can utilize a Windows tool to spread itself to all workstations across an organization. http://www.scmagazineus.com/Black-Hat-Clampi-banking-trojan-spreading-rapidly/article/140925/?DCMP=EMC-SCUS_Newswire

FYI - NIST releases 'historic' final version of Special Publication 800-53 - The agency also released a draft of specs for SCAP - The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. http://gcn.com/Articles/2009/08/03/NIST-release-of-800-53-rev-3-080309.aspx

FYI - Contractor returns money to Pentagon - Probe finds computer security inadequate - BuzzApptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractors system was hacked from an Internet address in China. http://www.washingtontimes.com/news/2009/jul/25/contractor-returns-money-to-pentagon/

FYI - Man is first to be charged with Web name theft - He allegedly stole prime domain name, sold it to NBA player for over $100K - A northern New Jersey man is charged with stealing a prime piece of Internet real estate and reselling it to basketball player Mark Madsen in one of the nation's first prosecutions of a suspected domain name thief. http://www.msnbc.msn.com/id/32270824/ns/technology_and_science-tech_and_gadgets/

FYI - U.S. Marines block social networking sites - The U.S. Marines issued an "immediate ban" Monday on the use of social networking sites across the military branch's networks. http://www.scmagazineus.com/US-Marines-block-social-networking-sites/article/141176/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Personal Data Mishandled at Commerce Dept. - The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed to a risk of identity theft following an inappropriate transfer of the personal information in mid-July, according to a letter sent to department employees last week. http://www.washingtonpost.com/wp-dyn/content/article/2009/08/03/AR2009080302013_pf.html

FYI - Fake ATM scam rumbled by Defcon hackers - White hat hackers attending the DefCon conference in Vegas last week uncovered the presence of a fake ATM in the show's venue. http://www.theregister.co.uk/2009/08/03/fake_atm_scam_busted_at_defcom/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other third-party dependencies supporting e-banking.

Increased reliance upon partners and third party service providers to perform critical e-banking functions lessens bank management's direct control. Accordingly, a comprehensive process for managing the risks associated with outsourcing and other third-party dependencies is necessary. This process should encompass the third-party activities of partners and service providers, including the sub-contracting of outsourced activities that may have a material impact on the bank.

Historically, outsourcing was often limited to a single service provider for a given functionality. However, in recent years, banks' outsourcing relationships have increased in scale and complexity as a direct result of advances in information technology and the emergence of e-banking. Adding to the complexity is the fact that outsourced e-banking services can be sub-contracted to additional service providers and/or conducted in a foreign country. Further, as e-banking applications and services have become more technologically advanced and have grown in strategic importance, certain e-banking functional areas are dependent upon a small number of specialized third-party vendors and service providers. These developments may lead to increased risk concentrations that warrant attention both from an individual bank as well as a systemic industry standpoint.

Together, these factors underscore the need for a comprehensive and ongoing evaluation of outsourcing relationships and other external dependencies, including the associated implications for the bank's risk profile and risk management oversight abilities. Board and senior management oversight of outsourcing relationships and third-party dependencies should specifically focus on ensuring that:

1) The bank fully understands the risks associated with entering into an outsourcing or partnership arrangement for its e-banking systems or applications.

2) An appropriate due diligence review of the competency and financial viability of any third-party service provider or partner is conducted prior to entering into any contract for e-banking services.

3) The contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined. For instance, responsibilities for providing information to and receiving information from the service provider should be clearly defined.

4) All outsourced e-banking systems and operations are subject to risk management, security and privacy policies that meet the bank's own standards.

5) Periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.

This is the last of three principles regarding Board and Management Oversight. Next week we will begin the series on the principles of security controls, which include Authentication, Non-repudiation, Data and transaction integrity, Segregation of duties, Authorization controls, Maintenance of audit trails, and Confidentiality of key bank information.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Operational Anomalies

Operational anomalies may be evidence of a broad number of issues, one of which is potential intrusion. Anomalies that act as intrusion-warning indicators fall into two categories, those apparent in system processing, and those apparent outside the system.

System processing anomalies are evident in system logs and system behavior. Good identification involves pre-establishing which system processing data streams will be monitored for anomalies, defining which anomalies constitute an indicator of an intrusion, and the frequency of the monitoring. For example, remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors. System behavior covers a broad range of issues, from CPU utilization to network traffic protocols, quantity and destinations. One example of a processing anomaly is CPU utilization approaching 100% when the scheduled jobs typically require much less. Anomalous behavior, however, may not signal an intrusion.

Outside the system, detection is typically based on system output, such as unusual Automated Clearing House transactions or bill payment transactions. Those unusual transactions may be flagged as a part of ordinary transaction reviews, or customers and other system users may report them. Customers and other users should be advised as to where and how to report anomalies. The anomalous output, however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot monitoring, and anomalous system behavior assists in the intrusion identification process. Any intrusion reporting should use out-of-band communications mechanisms to protect the alert from being intercepted or compromised by an intruder.

Return to the top of the newsletter

IT SECURITY QUESTION: INTRUSION DETECTION AND RESPONSE

12. Determine whether:

! Responsibilities and authorities of security personnel and system administrators for monitoring are established, and
! Tools used are reviewed and approved by appropriate management with appropriate conditions for use.

13. Determine if the responsibility and authority of system administrators is appropriate for handling notifications generated by monitoring systems.

14. Determine if users are trained to report unexpected network behavior that may indicate an intrusion, and that clear reporting lines exist.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Opt Out Notice

19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§13-15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]