R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 28, 2008

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI -
San Francisco hunts for mystery device on city network - It was apparently installed by accused rogue network admin Terry Childs - With costs related to an alleged rogue network administrator's hijacking of the city's network now estimated at $1 million, San Francisco officials say they are searching for a mysterious networking device hidden somewhere on the network. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114479&source=rss_topic17

FYI -
8 Laptop Bags That Zip Through Airport Security - While no one questions the need to properly scan laptops when going through airport security, the requirement to remove them from their protective cases is a different story. "Naked" notebooks can easily get dropped, damaged, forgotten and even stolen outright. One study done for Dell estimated that about 12,000 laptops are lost in U.S. airports every week -- a claim that has been challenged by the Transportation Security Administration. http://www.pcworld.com/article/151020/article.html?tk=nl_dnxnws

FYI -
Five ways to clean your firewall of clutter and stay secure - Firewalls are an important line of defense for enterprises, handling vast amounts of traffic. On the perimeter alone firewalls typically filter millions of packets daily. http://www.scmagazineus.com/Five-ways-to-clean-your-firewall-of-clutter-and-stay-secure/article/116507/?DCMP=EMC-SCUS_Newswire

FYI -
It's time to think differently about protecting data - The recent rash of high profile security breaches, data loss incidents and associated fraud highlights the fact that the security industry is failing to meet the threats organizations face when it comes to protecting the lifeblood of their business - their data and their customers' data. http://www.scmagazineus.com/Its-time-to-think-differently-about-protecting-data/article/116505/?DCMP=EMC-SCUS_Newswire

FYI -
Man accused in TJX data breach pleads guilty - One of the 11 people arrested last month in connection with the massive data theft at TJX Companies Inc., BJ Wholesale Clubs Inc. and several other retailers pleaded guilty yesterday to four felony counts, including wire and credit card fraud and aggravated identity theft. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=knowledge_center&articleId=9114579&taxonomyId=1&intsrc=kc_top

FYI -
Alleged Carleton hacker faces criminal charges - A student who called himself "Kasper Holmberg" gained access to the data by installing software that he wrote on a terminal in a computer lab that was attached to a card reader. The software recorded keystrokes made on the computer and included magnetic stripe card reader software, police said. http://www.cbc.ca/technology/story/2008/09/11/ot-carleton-080911.html

FYI -
GAO - Information Technology: Federal Laws, Regulations, and Mandatory Standards to Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors. http://www.gao.gov/new.items/d081075r.pdf

FYI -
GAO - Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-1138
Highlights - http://www.gao.gov/highlights/d081138high.pdf

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Irate Ark. man posts county e-mail records in privacy fight - He wants sensitive data expunged from county docs - An Arkansas resident is posting the internal e-mail records of various officials in the Pulaski County clerk's office on his Web site in retaliation for what he calls the county's refusal to remove certain public documents containing Social Security numbers from its Web site. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114438&source=rss_topic17

FYI -
Massive ATM fraud triggers Gulf banking jitters - Cash machine chaos - Banks across the United Arab Emirates are fighting to restore confidence in its banking system after hackers used counterfeit cards to withdraw funds from cash machines. http://www.theregister.co.uk/2008/09/12/uae_atm_hacking_attack/print.html

FYI -
Lenders say private customer records have been breached - Hundreds of thousands of Florida customers of Countrywide Finance Corp. and The Bank of New York Mellon Shareowner Services are at risk after two instances of data being compromised. The personal information of nearly 750,000 Florida consumers may have been compromised in recent weeks, the result of data breaches at both Countrywide Financial and the Bank of New York Mellon Shareowner Services.
http://www.miamiherald.com/business/personal-finance/story/684578.html
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/13/AR2008091300337_pf.html

FYI -
Security breach at State Farm in Surprise exposes customers to ID fraud - A security breach at a Surprise insurance agency early this summer has potentially exposed hundreds of customers across the U.S. and Canada to identity theft. http://www.azcentral.com/community/westvalley/articles/2008/09/13/20080913gl-nwvstatefarm0913.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 4 of 10)

A. RISK DISCUSSION

Reputation Risk

Trade Names

If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.

Website Appearance

The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value.

Compliance Risk

The compliance risk to an institution linking to a third party's website depends on several factors. These factors include the nature of the products and services provided on the third party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).

The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have less secure encryption policies, or less stringent policies regarding the use and security of their customers' information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Routing (Part 2 of 2)

Routers and switches are sometimes difficult to locate. Users may install their own devices and create their own unauthorized subnets. Any unrecognized or unauthorized network devices pose security risks. Financial institutions should periodically audit network equipment to ensure that only authorized and maintained equipment resides on their network.

DNS hosts, routers and switches are computers with their own operating system. If successfully attacked, they can allow traffic to be monitored or redirected. Financial institutions must restrict, log, and monitor administrative access to these devices. Remote administration typically warrants an encrypted session, strong authentication, and a secure client. The devices should also be appropriately patched and hardened.

Packets are sent and received through a network interface card (NIC) for each network to which a device connects. Internal computers typically have a single NIC attached to the corporate network or a subnet. Firewalls, proxy servers, and gateway servers are typically dual-homed, with two NICs that allow them to communicate both internally and externally while limiting access to the internal network.
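The periodic audit of network equipment described above (ensuring that only authorized and maintained devices reside on the network) can be partly automated by reconciling what the switches and routers actually see against an authorized inventory. The script below is an added example, not from the FFIEC booklet or from Yennik, Inc.: it parses ARP-table lines in a Cisco-IOS-style "show ip arp" layout, normalizes the MAC addresses, and reports devices that are unknown, that appear on a subnet other than the one recorded for them, or that are in the inventory but were not observed. The inventory, addresses, names and the sample ARP output are all constructed for the example.

```python
"""Reconcile observed network devices against an authorized inventory.

Added example (not from the FFIEC booklet or the newsletter). Parses
Cisco-IOS-style 'show ip arp' lines, normalizes MACs, and compares them
with a constructed inventory of authorized equipment.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed authorized inventory: normalized MAC -> (description, expected subnet)
AUTHORIZED = {
    "00:11:22:33:44:01": ("core-router-1", "10.1.0.0/24"),
    "00:11:22:33:44:02": ("dmz-firewall", "10.1.0.0/24"),
    "00:11:22:33:44:03": ("branch-switch-7", "10.1.7.0/24"),
    "00:11:22:33:44:04": ("dns-1", "10.1.0.0/24"),
}

# Constructed 'show ip arp' output. branch-switch-7 shows up on the wrong
# subnet and the last entry is a device nobody has recorded.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.0.1               -    0011.2233.4401  ARPA   Vlan10
Internet  10.1.0.2               5    0011.2233.4402  ARPA   Vlan10
Internet  10.1.0.53             12    0011.2233.4404  ARPA   Vlan10
Internet  10.1.0.77              3    0011.2233.4403  ARPA   Vlan10
Internet  10.1.9.250             0    aabb.ccdd.eeff  ARPA   Vlan99
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<iface>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55 forms."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Observed:
    ip: str
    mac: str
    iface: str


def parse_arp(text: str) -> list[Observed]:
    """Extract (ip, normalized mac, interface) from each ARP table row."""
    seen = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            seen.append(Observed(m["ip"], normalize_mac(m["mac"]), m["iface"]))
    return seen


def audit(observed: list[Observed], authorized=AUTHORIZED) -> list[str]:
    """Return sorted findings: unauthorized, misplaced and missing devices."""
    findings = []
    seen_macs = set()
    for dev in observed:
        seen_macs.add(dev.mac)
        if dev.mac not in authorized:
            findings.append(f"UNAUTHORIZED {dev.mac} at {dev.ip} on {dev.iface}")
            continue
        name, subnet = authorized[dev.mac]
        if ipaddress.ip_address(dev.ip) not in ipaddress.ip_network(subnet):
            findings.append(f"MISPLACED {name} ({dev.mac}) at {dev.ip}, expected {subnet}")
    # Authorized equipment that never appeared may be down, moved or replaced.
    for mac, (name, _) in authorized.items():
        if mac not in seen_macs:
            findings.append(f"MISSING {name} ({mac}) not observed")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_arp(SAMPLE_ARP)):
        print(finding)
```

Run against the constructed sample it reports the misplaced branch switch and the unknown device on Vlan99; a real run would feed it the ARP or MAC-address tables collected from every managed switch and router, and the MISSING list is as important as the UNAUTHORIZED one because it catches inventory records that no longer reflect the network.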


Return to the top of the newsletter

IT SECURITY QUESTION:  

C. HOST SECURITY

5. Determine whether remotely configurable hosts are configured for secure remote administration.
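The question above, and the earlier paragraph on restricting, logging and monitoring administrative access to DNS hosts, routers and switches, both come down to concrete settings on each device: an encrypted transport, per-user authentication, a restriction on where administrative sessions may originate, and a logging destination. The checker below is an added example, not from the FFIEC booklet or from Yennik, Inc. It reads a simplified Cisco-IOS-style configuration (the lines it inspects, such as "transport input ssh", "access-class" and "ip ssh version 2", are IOS-like, but both sample configurations are constructed for this example) and lists the ways a weak configuration falls short of secure remote administration, with a hardened configuration beside it for comparison.

```python
"""Check a router/switch configuration for secure remote administration.

Added example, not from the FFIEC booklet or the newsletter. Operates on
a simplified Cisco-IOS-style configuration; both samples are constructed.
"""
from __future__ import annotations

import re

# Constructed weak configuration: telnet allowed, shared line password,
# no source restriction, no SSH version pin, no syslog destination.
WEAK_CONFIG = """\
hostname branch-rtr
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
"""

# Constructed hardened configuration addressing each weakness above.
HARDENED_CONFIG = """\
hostname branch-rtr
aaa new-model
ip ssh version 2
logging host 10.1.0.20
access-list 10 permit 10.1.0.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 login authentication default
 transport input ssh
!
"""


def parse_sections(config: str) -> tuple[list[str], list[list[str]]]:
    """Split a config into global lines and indented 'line vty' blocks."""
    global_lines, vty_blocks, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates sections
            continue
        if raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif raw.startswith("line vty"):
            current = [raw.strip()]
            vty_blocks.append(current)
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, vty_blocks


def check_remote_admin(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    global_lines, vty_blocks = parse_sections(config)
    findings = []
    if "ip ssh version 2" not in global_lines:
        findings.append("SSH protocol version not pinned to 2")
    if not any(g.startswith("logging host") for g in global_lines):
        findings.append("no remote syslog destination for admin access logging")
    aaa = "aaa new-model" in global_lines
    for block in vty_blocks:
        name = block[0]
        transport = next((l for l in block if l.startswith("transport input")), None)
        # No 'transport input' line, or one that admits telnet/all, means
        # administrative sessions may cross the network in cleartext.
        if transport is None or re.search(r"\b(telnet|all)\b", transport):
            findings.append(f"{name}: cleartext or unrestricted transport "
                            f"({transport or 'default'})")
        if not any(l.startswith("access-class") for l in block):
            findings.append(f"{name}: no source address restriction (access-class)")
        # A bare 'login' without AAA means one shared line password and no
        # per-user accountability.
        if "login" in block and not aaa:
            findings.append(f"{name}: shared line password only, no per-user authentication")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in check_remote_admin(cfg) or ["no findings"]:
            print(" ", finding)
```

The same five checks map directly onto the examiner's question: transport answers "encrypted session", the AAA check answers "strong authentication", access-class answers where a "secure client" may connect from, and the syslog check answers whether the access can be logged and monitored. Patching and hardening of the device itself are outside what a configuration file can show and still need a separate review.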


Return to the top of the newsletter

INTERNET PRIVACY - With this issue, we begin our review of the "Privacy of Consumer Financial Information" guidance published by the financial regulatory agencies.

On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Accordingly, on June 1, 2000, the four federal bank and thrift regulators published substantively identical regulations implementing provisions of the Act governing the privacy of consumer financial information. The regulations establish rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as summarized below. 

1)  A financial institution must provide a notice of its privacy policies, and allow the consumer to opt out of the disclosure of the consumer's nonpublic personal information, to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14 or 15 of the regulations.

2)  Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notices of its privacy policies to its customers.

3)  A financial institution generally may not disclose customer account numbers to any nonaffiliated third party for marketing purposes.

4)  A financial institution must follow reuse and redisclosure limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated