R. Kinney Williams
October 1, 2006
Your financial institution needs an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable, sophisticated process that
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Internet banking
virtual keypads are vulnerable to snoops - In hopes of fighting
Internet fraud, some online banking sites make customers use
"virtual keypads" - a method of entering passwords on the screen,
generally with a mouse. The system is designed to thwart
keystroke-logging programs that capture everything a user types. Now
those virtual keypads appear just as vulnerable to snoops.
FYI - B.C. facility
loses public's personal data - 'Hundreds of thousands' of files were
on missing tapes - Computer tapes containing the private health and
welfare records of "hundreds of thousands" of British Columbians
were discovered missing from the government's main data centre in
Victoria last year and have never been found, according to a
confidential government investigation obtained by the Vancouver Sun.
FYI - UTSA hunts
computer hacker but says no information stolen - Officials at the
University of Texas at San Antonio are searching for a computer
hacker who jeopardized the security of records for tens of thousands
of students and faculty members. University spokesman David Gabler
said the incident is being investigated by the university's
technology team and police as well as state and federal officials.
FYI - Customer
information mistakenly released on Web site - Personal information
on more than 3,200 subscribers of a magazine published by Nikon Inc.
was available on a Web site before the breach was discovered, the
imaging company said.
FYI - Identity Theft
Scare Hits Closing Indy Business - Workers at a telemarketing
company on Indianapolis' south side are concerned about identity
theft after they said they found piles of personal information in a
Dumpster. http://www.theindychannel.com/news/9818472/detail.html and
FYI - Thousands of U
students have IDs at risk after computer theft - More than 600
Social Security numbers in hands of thieves - A pair of computers
containing the personal information - in some cases Social Security
numbers - of thousands of University of Minnesota students was
stolen from a campus office. Now officials are scrambling to let
past and present students know their identities may be in danger.
FYI - Laptop theft
triggers security review - The Florida National Guard was conducting
a security review Thursday after a laptop computer assigned to one
of its soldiers was stolen in a car burglary.
FYI - Missing computer
containing sensitive VA data recovered - A stolen desktop computer
containing sensitive data on about 16,000 patients at Veterans
Affairs Department medical centers has been recovered, and a suspect
has been arrested, officials announced.
FYI - Howard Rice Data
on Stolen Laptop - As many as 500 current and former employees of
San Francisco's Howard, Rice, Nemerovski, Canady, Falk & Rabkin may
be at risk of identity theft after a laptop computer containing
confidential employee pension plan information was stolen from an
FYI - Census Bureau
Loses Hundreds of Laptops - The Census Bureau collects the most
personal information about Americans, from how much money they earn
and where they spend it to how they live and die. It's all
confidential - as long as no one steals it. Lost or stolen from the
Census Bureau since 2003 are 217 laptop computers, 46 portable data
storage devices and 15 handheld devices used by survey takers.
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys, effective
key management is crucial. Effective key management systems are
based on an agreed set of standards, procedures, and secure methods
- Generating keys for different cryptographic systems and different
- Generating and obtaining public keys;
- Distributing keys to intended users, including how keys should be
activated when received;
- Storing keys, including how authorized users obtain access to
- Changing or updating keys including rules on when keys should be
changed and how this will be done;
- Dealing with compromised keys;
- Revoking keys and specifying how keys should be withdrawn or
- Recovering keys that are lost or corrupted as part of business
- Archiving keys;
- Destroying keys;
- Logging the auditing of key management-related activities; and
- Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
- Key management is fully automated (e.g. personnel do not have the
opportunity to expose a key or influence the key creation).
- No key ever appears unencrypted.
- Keys are randomly chosen from the entire key space, preferably by
- Key-encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key-encrypting
key. (A key-encrypting key is used to encrypt other keys, securing
them from disclosure.)
- All patterns in clear text are disguised before encrypting.
- Keys with a long life are sparsely used. The more a key is used,
the greater the opportunity for an attacker to discover the key.
- Keys are changed frequently. The cost of changing keys rises
linearly while the cost of attacking the keys rises exponentially.
Therefore, all other factors being equal, changing keys increases
the effective key length of an algorithm.
- Keys that are transmitted are sent securely to well-
- Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
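The characteristics listed above (keys drawn from the full key space, no key at rest in the clear, key-encrypting keys kept apart from data keys, defined activation and deactivation dates, limited use of a long-lived key, immediate revocation of a compromised key, and logging of every key action) as a small Python key store; this is an added example, not text from the FFIEC booklet or from this newsletter. It wraps data keys with an HMAC-SHA256 keystream and tag so that it runs on the standard library alone; a production system would use AES Key Wrap or an HSM, and the KeyStore class, its method names and the integer timestamps are assumptions of the example.

```python
import os, hmac, hashlib
KEY_LEN = 32  # 256-bit data keys drawn from the full key space via os.urandom

def wrap(kek, key):
    """Wrap a data key under the KEK (stand-in for AES Key Wrap: HMAC keystream XOR, then HMAC tag)."""
    nonce = os.urandom(16)
    ks = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, ks))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    """Verify the tag before unwrapping; a tampered blob must never yield a key."""
    nonce, ct, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    ks = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))

class KeyStore:
    def __init__(self, kek, max_uses=1000):
        self.kek, self.max_uses, self.keys, self.log = kek, max_uses, {}, []

    def generate(self, key_id, activate, deactivate):
        # activate/deactivate are timestamps (epoch seconds here) bounding the usage period
        self.keys[key_id] = {"wrapped": wrap(self.kek, os.urandom(KEY_LEN)),
                             "activate": activate, "deactivate": deactivate,
                             "state": "active", "uses": 0}
        self.log.append(("generate", key_id))

    def use(self, key_id, now):
        """Return the clear data key for one operation, or refuse and log why."""
        k = self.keys[key_id]
        if k["state"] != "active":
            reason = "state=" + k["state"]
        elif not k["activate"] <= now < k["deactivate"]:
            reason = "outside activation window"
        elif k["uses"] >= self.max_uses:
            reason = "usage limit reached; rotate the key"
        else:
            k["uses"] += 1
            self.log.append(("use", key_id))
            return unwrap(self.kek, k["wrapped"])
        self.log.append(("refused", key_id, reason))
        raise PermissionError(f"{key_id}: {reason}")
    def compromise(self, key_id):
        # a compromised key is revoked at once; the wrapped copy stays only for archive/recovery
        self.keys[key_id]["state"] = "revoked"
        self.log.append(("revoked", key_id))
```

The store never returns a key outside its activation window or past its use limit, and every refusal lands in the log with its reason, which is the audit trail the booklet asks for.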
4. Determine whether information processing and
communications devices and transmissions are appropriately protected
against physical attacks perpetrated by individuals or groups, as
well as against environmental damage and improper maintenance.
Consider the use of halon gas, computer encasing, smoke alarms,
raised flooring, heat sensors, notification sensors, and other
protective and detective devices.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the
short-form initial notice with a reasonable means of obtaining the
longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to
request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the
institution's office, having copies available to provide immediately
by hand-delivery? [§6(d)(4)(ii)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent internal testing,
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.