R. Kinney Williams & Associates
Internet Banking News
October 1, 2006
Does your financial institution need an affordable Internet security
penetration-vulnerability test? Our clients in 41 states rely on
VISTA to verify their IT security settings and to meet the independent
diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA,
which provides compliance with Gramm-Leach-Bliley Act 501(b). The
VISTA penetration study and Internet security test is an affordable,
sophisticated process that goes far beyond the simple scanning of
ports and focuses on a hacker's perspective, which will help you
identify real-world weaknesses. For more information, give Kinney
Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI - Internet banking
virtual keypads are vulnerable to snoops - In hopes of fighting
Internet fraud, some online banking sites make customers use
"virtual keypads" - a method of entering passwords on the screen,
generally with a mouse. The system is designed to thwart
keystroke-logging programs that capture everything a user types. Now
those virtual keypads appear just as vulnerable to snoops.
http://business.bostonherald.com/technologyNews/view.bg?articleid=158597
FYI - B.C. facility
loses public's personal data - 'Hundreds of thousands' of files were
on missing tapes - Computer tapes containing the private health and
welfare records of "hundreds of thousands" of British Columbians
were discovered missing from the government's main data centre in
Victoria last year and have never been found, according to a
confidential government investigation obtained by the Vancouver Sun.
http://www.canada.com/victoriatimescolonist/news/story.html?id=e1b03e3e-d043-4e64-9a09-415a24636751&k=71796
FYI - UTSA hunts
computer hacker but says no information stolen - Officials at the
University of Texas at San Antonio are searching for a computer
hacker who jeopardized the security of records for tens of thousands
of students and faculty members. University spokesman David Gabler
said the incident is being investigated by the university's
technology team and police as well as state and federal officials.
http://www.mysanantonio.com/news/metro/stories/MYSA091606.02B.UTSAHACKER.2e77063.html
FYI - Customer
information mistakenly released on Web site - Personal information
on more than 3,200 subscribers of a magazine published by Nikon Inc.
was available on a Web site before the breach was discovered, the
imaging company said.
http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/15519104.htm
FYI - Identity Theft
Scare Hits Closing Indy Business - Workers at a telemarketing
company on Indianapolis' south side are concerned about identity
theft after they said they found piles of personal information in a
Dumpster. http://www.theindychannel.com/news/9818472/detail.html and
http://www.theindychannel.com/call6/9824917/detail.html
STOLEN COMPUTERS
FYI - Thousands of U
students have IDs at risk after computer theft - More than 600
Social Security numbers in hands of thieves - A pair of computers
containing the personal information - in some cases Social Security
numbers - of thousands of University of Minnesota students was
stolen from a campus office. Now officials are scrambling to let
past and present students know their identities may be in danger.
http://www.twincities.com/mld/pioneerpress/news/local/15475291.htm
FYI - Laptop theft
triggers security review - The Florida National Guard was conducting
a security review Thursday after a laptop computer assigned to one
of its soldiers was stolen in a car burglary.
http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20060907/BREAKINGNEWS/60907027/1086
FYI - Missing computer
containing sensitive VA data recovered - A stolen desktop computer
containing sensitive data on about 16,000 patients at Veterans
Affairs Department medical centers has been recovered, and a suspect
has been arrested, officials announced.
http://www.govexec.com/story_page.cfm?articleid=35028&printerfriendlyVers=1&
FYI - Howard Rice Data
on Stolen Laptop - As many as 500 current and former employees of
San Francisco's Howard, Rice, Nemerovski, Canady, Falk & Rabkin may
be at risk of identity theft after a laptop computer containing
confidential employee pension plan information was stolen from an
auditor.
http://www.law.com/jsp/legaltechnology/PubArticleFriendlyLT.jsp?id=1158311123646
FYI - Census Bureau
Loses Hundreds of Laptops - The Census Bureau collects the most
personal information about Americans, from how much money they earn
and where they spend it to how they live and die. It's all
confidential - as long as no one steals it. Lost or stolen from the
Census Bureau since 2003 are 217 laptop computers, 46 portable data
storage devices and 15 handheld devices used by survey takers.
http://apnews1.iwon.com/article/20060922/D8K9RCB80.html
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys, effective
key management is crucial. Effective key management systems are
based on an agreed set of standards, procedures, and secure methods
that address:
- Generating keys for different cryptographic systems and different
applications;
- Generating and obtaining public keys;
- Distributing keys to intended users, including how keys should be
activated when received;
- Storing keys, including how authorized users obtain access to
keys;
- Changing or updating keys, including rules on when keys should be
changed and how this will be done;
- Dealing with compromised keys;
- Revoking keys and specifying how keys should be withdrawn or
deactivated;
- Recovering keys that are lost or corrupted as part of business
continuity management;
- Archiving keys;
- Destroying keys;
- Logging the auditing of key management-related activities; and
- Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
precautions.
- Key management is fully automated (e.g. personnel do not have the
opportunity to expose a key or influence the key creation).
- No key ever appears unencrypted.
- Keys are randomly chosen from the entire key space, preferably by
hardware.
- Key-encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key-encrypting
key. (A key-encrypting key is used to encrypt other keys, securing
them from disclosure.)
- All patterns in clear text are disguised before encrypting.
- Keys with a long life are sparsely used. The more a key is used,
the greater the opportunity for an attacker to discover the key.
- Keys are changed frequently. The cost of changing keys rises
linearly while the cost of attacking the keys rises exponentially.
Therefore, all other factors being equal, changing keys increases
the effective key length of an algorithm.
- Keys that are transmitted are sent securely to well-authenticated
parties.
- Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
from service.
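The two lists above describe a key life cycle in prose. The following Python sketch is an added example, not text from the FFIEC booklet or from this newsletter, showing how those precautions map onto code: data keys are drawn from the full key space by a CSPRNG, stored only wrapped under a separate key-encrypting key (KEK), bounded by activation and deactivation dates and a usage limit, retired on rotation, revoked on compromise, and every operation is written to an audit log. The names KeyManager, KeyRecord, wrap_key, unwrap_key and demo are assumptions made for this example; the wrap routine is a constructed encrypt-then-MAC stand-in built from HMAC-SHA256 so the example runs with the standard library alone, and a production system would use a standard wrap such as AES Key Wrap inside an HSM.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KEY_BYTES = 32      # 256-bit data keys, drawn from the entire key space by a CSPRNG
NONCE_BYTES = 16
TAG_BYTES = 32


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a demo keystream, not a production cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC a data key under the KEK (constructed stand-in for AES Key Wrap)."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    tag = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting, so a tampered blob never yields a key."""
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


@dataclass
class KeyRecord:
    key_id: str
    wrapped: bytes          # the only stored form of the data key: never in clear text
    activate: datetime
    deactivate: datetime
    max_uses: int
    uses: int = 0
    state: str = "active"   # active | retired | revoked


class KeyManager:
    """Hypothetical key service: generation, wrapping, activation windows, usage
    limits, rotation, revocation, and an audit trail of every operation."""

    def __init__(self, kek: bytes, lifetime: timedelta, max_uses: int):
        self._kek = kek     # in production the KEK lives in an HSM and is never exported
        self._lifetime, self._max_uses = lifetime, max_uses
        self._records = {}
        self.audit = []     # (event, key_id) pairs

    def generate_key(self, now: datetime) -> str:
        key = secrets.token_bytes(KEY_BYTES)
        key_id = secrets.token_hex(8)
        self._records[key_id] = KeyRecord(key_id, wrap_key(self._kek, key), now,
                                          now + self._lifetime, self._max_uses)
        self.audit.append(("generate", key_id))
        return key_id

    def use_key(self, key_id: str, now: datetime) -> bytes:
        rec = self._records[key_id]
        if rec.state != "active":
            raise PermissionError(f"key {key_id} is {rec.state}")
        if not rec.activate <= now < rec.deactivate:
            raise PermissionError(f"key {key_id} used outside its activation window")
        if rec.uses >= rec.max_uses:
            raise PermissionError(f"key {key_id} reached its usage limit; rotate it")
        rec.uses += 1
        self.audit.append(("use", key_id))
        return unwrap_key(self._kek, rec.wrapped)

    def revoke(self, key_id: str, reason: str = "revoked") -> None:
        self._records[key_id].state = "revoked"   # also the path for a compromised key
        self.audit.append((reason, key_id))

    def rotate(self, old_id: str, now: datetime) -> str:
        self._records[old_id].state = "retired"   # archived: kept wrapped, no new use
        self.audit.append(("retire", old_id))
        return self.generate_key(now)

    def state(self, key_id: str) -> str:
        return self._records[key_id].state


def rejected(fn) -> bool:
    """True if the operation is refused by the key service or the wrap check."""
    try:
        fn()
    except (PermissionError, ValueError):
        return True
    return False


def demo() -> dict:
    """Walk a data key through its life cycle; KEK and timestamps are constructed."""
    kek = secrets.token_bytes(KEY_BYTES)
    t0 = datetime(2006, 10, 1, tzinfo=timezone.utc)
    km = KeyManager(kek, lifetime=timedelta(days=90), max_uses=2)
    kid = km.generate_key(t0)
    k1 = km.use_key(kid, t0)
    k2 = km.use_key(kid, t0 + timedelta(days=1))
    results = {"same_key": k1 == k2 and len(k1) == KEY_BYTES,
               "usage_limit": rejected(lambda: km.use_key(kid, t0))}
    new_id = km.rotate(kid, t0 + timedelta(days=1))
    results["old_retired"] = km.state(kid) == "retired"
    results["expired"] = rejected(lambda: km.use_key(new_id, t0 + timedelta(days=120)))
    km.revoke(new_id, reason="compromised")
    results["revoked"] = rejected(lambda: km.use_key(new_id, t0 + timedelta(days=2)))
    results["audit_events"] = [event for event, _ in km.audit]
    return results
```

Refused operations (an exhausted, expired or revoked key) raise before anything is logged as a use, which is the behaviour an examiner would expect to see in the audit trail; a retired key stays on file in wrapped form only, so old ciphertext remains recoverable without the key ever being reissued for new encryption.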
IT SECURITY QUESTION:
E. PHYSICAL SECURITY
4. Determine whether information processing and
communications devices and transmissions are appropriately protected
against physical attacks perpetrated by individuals or groups, as
well as against environmental damage and improper maintenance.
Consider the use of halon gas, computer encasing, smoke alarms,
raised flooring, heat sensors, notification sensors, and other
protective and detective devices.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the
short-form initial notice with a reasonable means of obtaining the
longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to
request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the
institution's office, having copies available to provide immediately
by hand-delivery? [§6(d)(4)(ii)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
please visit
http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at examiner@yennik.com if we
can be of assistance.