R. Kinney Williams & Associates

Internet Banking News

September 4, 2005



FYI - Online scammers pose as execs in 'spear-phishing' - That e-mail may not be from the CEO - Online criminals trying to pry passwords and other sensitive information out of companies have started using phony e-mails that look as if they were sent from powerful executives of the targeted organizations. http://www.computerworld.com/printthis/2005/0,4814,104000,00.html

FYI - This appears to be the new pre-examination Information Technology Examination Officer's Questionnaire announced recently by FDIC.  http://www.fdic.gov/regulations/examinations/questionnaire/index.html

FYI - Finnish security exec arrested over bank hack - The data security chief at the Helsinki branch of financial services firm GE Money has been arrested on suspicion of conspiracy to steal 200,000 from the firm's online bank account. The 26-year-old allegedly copied passwords and e-banking software onto a laptop used by accomplices to siphon off money from an unnamed bank. http://www.theregister.co.uk/2005/08/19/finnish_wifi_bank_hack/print.html

FYI - Air Force investigates data breach - Personal details on more than 33,000 officers compromised - The U.S. Air Force is notifying more than 33,000 officers that their personal data has been breached by a malicious hacker. The hacker used a legitimate user's ID and password to access personal information on the officers contained in the Assignment Management System. http://www.computerworld.com/printthis/2005/0,4814,104080,00.html

FYI - Lloyd's underwriters to cover legal risks arising from open-source use - Lloyd's of London syndicates are poised to underwrite the use of open source software by users who are worried about being sued by proprietary software makers claiming their software patents have been violated. http://www.computerweekly.com/Articles/Article.aspx?liArticleID=211374&PrinterFriendly=true

FYI - Credit card makers forced to scrutinize security - Visa is responsible for ensuring that all the big retailers, data processors and banks that directly hook into its network meet its security requirements. But it is the job of the member banks to make sure that the merchants and data processors they hire follow Visa's rules.  http://news.com.com/2102-1029_3-5842959.html?tag=st.util.print


WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 3 of 5)

PROCEDURES TO ADDRESS SPOOFING - Information Gathering

After a bank has determined that it is the target of a spoofing incident, it should collect available information about the attack to enable an appropriate response.  The information that is collected will help the bank identify and shut down the fraudulent Web site, determine whether customer information has been obtained, and assist law enforcement authorities with any investigation.  Below is a list of useful information that a bank can collect.  In some cases, banks will require the assistance of information technology specialists or their service providers to obtain this information.

*  The means by which the bank became aware that it was the target of a spoofing incident (e.g., report received through Website, fax, telephone, etc.);
*  Copies of any e-mails or documentation regarding other forms of communication (e.g., telephone calls, faxes, etc.) that were used to direct customers to the spoofed Web sites;
*  Internet Protocol (IP) addresses for the spoofed Web sites along with identification of the companies associated with the IP addresses;
*  Web-site addresses (universal resource locator) and the registration of the associated domain names for the spoofed site; and
*  The geographic locations of the IP address (city, state, and country).



INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and most importantly, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter. 

ROLES AND RESPONSIBILITIES (2 of 2)

Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed throughout the institution from the IT department to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should

1)  Ensure the security process is governed by organizational policies and practices that are consistently applied,
2)  Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
3)  Enforce compliance with the security program in a balanced and consistent manner across the organization, and
4)  Coordinate information security with physical security.

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self-assessments, audits, and monitoring.

Management also should consider the roles and responsibilities of external parties. Technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should have their security responsibilities clearly delineated and documented in contracts.


IT SECURITY QUESTION:  A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration

5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures.

Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed.  Include former employees and temporary access for remote access and contract workers in the review.

Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion).

Determine whether access rights expire after a predetermined period of inactivity.


Review and assess the effectiveness of a formal review process to periodically review the access rights to assure all access rights are proper.  Determine whether necessary changes were made as a result of that review.
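An added example, not part of the newsletter or of the examination procedures it quotes, showing how the checks in question 5 (prompt removal of access for former employees, expiry of temporary and contractor access, and expiry after a period of inactivity) can be run against an exported account list joined with an HR roster; all account and roster data below is constructed.

```python
from datetime import date, timedelta

# Constructed sample data (not from the newsletter): an access-control export
# as an administrator might pull it from a directory or core banking system.
ACCOUNTS = [
    {"user": "asmith", "enabled": True,  "type": "employee",   "last_login": date(2005, 8, 30)},
    {"user": "bjones", "enabled": True,  "type": "employee",   "last_login": date(2005, 4, 2)},
    {"user": "cdoe",   "enabled": True,  "type": "employee",   "last_login": date(2005, 8, 1)},
    {"user": "vend01", "enabled": True,  "type": "contractor", "last_login": date(2005, 8, 20),
     "expires": date(2005, 7, 31)},
    {"user": "vend02", "enabled": False, "type": "contractor", "last_login": date(2005, 6, 1),
     "expires": date(2005, 6, 30)},
]
# Constructed HR roster: termination date is None for current staff.
ROSTER = {"asmith": None, "bjones": None, "cdoe": date(2005, 7, 15)}
AS_OF = date(2005, 9, 4)  # review date, matching the newsletter issue date

def review_access(accounts, roster, as_of, inactivity_days=90):
    """Return a list of (user, finding) for enabled accounts that should
    already have been removed or expired under the three checks."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to report
        user = acct["user"]
        # 1. Former employee (or unknown user) whose account is still enabled.
        if acct["type"] == "employee":
            if user not in roster:
                findings.append((user, "not on HR roster"))
            elif roster[user] is not None and roster[user] <= as_of:
                findings.append((user, "terminated %s, still enabled" % roster[user]))
        # 2. Temporary / contractor access past its agreed expiry date.
        if acct["type"] == "contractor":
            exp = acct.get("expires")
            if exp is None:
                findings.append((user, "contractor access has no expiry date"))
            elif exp < as_of:
                findings.append((user, "temporary access expired %s" % exp))
        # 3. Any enabled account idle longer than the inactivity threshold.
        if as_of - acct["last_login"] > timedelta(days=inactivity_days):
            findings.append((user, "inactive since %s" % acct["last_login"]))
    return findings

if __name__ == "__main__":
    for user, why in review_access(ACCOUNTS, ROSTER, AS_OF):
        print(user, "-", why)
```

The same join can be repeated on a schedule to evidence the periodic review the question asks about, with the findings list kept as the record of what was changed.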



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

39.  Does the institution use an appropriate means to ensure that notices may be retained or obtained later, such as:

a. hand-delivery of a printed copy of the notice; [9(e)(2)(i)]

b. mailing a printed copy to the last known address of the customer; [9(e)(2)(ii)] or

c. making the current privacy notice available on the institution's web site (or via a link to the notice at another site) for the customer who agrees to receive the notice at the web site? [9(e)(2)(iii)]

VISTA - Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning; the testing is conducted from a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
