Internet Banking News
R. Kinney Williams, Yennik, Inc.
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
October 5, 2008
Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
LPL to pay $275K fine for hacking incidents - 10,000 clients left
vulnerable to ID theft in '07 - LPL Financial has agreed to pay a
$275,000 penalty for violating customers' privacy, the Securities
and Exchange Commission said.
http://www.investmentnews.com/apps/pbcs.dll/article?AID=/20080915/REG/309159969&template=printart
http://www.sec.gov/litigation/admin/2008/34-58515.pdf
FYI -
Record number of active viruses measured - This summer's active
virus count hit record numbers, according to security firm Network
Box. August was the worst month for cybercrime, with threats
increasing by 51 percent.
http://www.scmagazineus.com/Record-number-of-active-viruses-measured/article/118252/?DCMP=EMC-SCUS_Newswire
FYI -
Hacker answered personal questions to steal Palin password - The
hacker who broke into GOP vice presidential candidate Sarah Palin's
email correctly answered a few personal questions about the Alaska
governor to gain access to her Yahoo email account, according to a
first-person account posted to an internet forum.
http://www.scmagazineus.com/Hacker-answered-personal-questions-to-steal-Palin-password/article/118196/?DCMP=EMC-SCUS_Newswire
FYI -
Nevada Deadline on E-Mail Encryption Looming - On Oct. 1, the state
of Nevada will be requiring the encryption of all transmissions,
such as e-mail, for all businesses that send personal, identifiable
information over the Internet. The statute was signed into law in
2005 and is about to kick in as an enforceable law next month. Three
years flies when you're raking in chips at casinos and enjoying the
rising popularity of poker.
http://blog.baselinemag.com/bottom_line/content/security/nevada_deadline_on_email_encryption_looming.html
FYI -
Two-thirds of firms hit by cybercrime - The Department of Justice
released data from its 2005 National Computer Security Survey last
week, finding that two-thirds of firms detected at least one
cybercrime during that year.
Article -
http://www.securityfocus.com/brief/825
The actual survey results -
http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf
FYI -
IT security in the executive suite - The campaign of Alaska Gov.
Sarah Palin was shocked - shocked! - to learn that hacktivists had
broken into a private Yahoo e-mail account belonging to the
Republican vice presidential nominee and posted some of the contents
on the Web.
http://www.gcn.com/online/vol1_no1/47187-1.html?topic=security&page=1
FYI -
GAO - DOD and VA Have Increased Their Sharing of Health Information,
but Further Actions Are Needed.
Article -
http://www.gao.gov/cgi-bin/getrpt?GAO-08-1158T
Highlights -
http://www.gao.gov/highlights/d081158thigh.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
ATF lost 76 weapons, hundreds of laptops - By Lara Jakes Jordan,
Associated Press, September 17, 2008 - The Bureau of Alcohol,
Tobacco, Firearms and Explosives lost 76 weapons and hundreds of
laptops over five years, the Justice Department reported Wednesday,
blaming carelessness and sloppy record-keeping.
http://www.govexec.com/story_page.cfm?articleid=40984&dcn=todaysnewsss
FYI -
Forever 21 says nearly 99,000 cards compromised in data thefts - The
thefts, which date back to 2004, were uncovered by the DOJ - Nearly
99,000 payment cards used by customers at several Forever 21 Inc.
retail stores may have been compromised in a series of data thefts
dating back to August 2004.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114839&source=rss_topic17
FYI -
A London NHS hospital trust has admitted to losing almost 18,000
staff details on four CDs. The payroll details were lost on 22 July
while in transit between the salaries and wages department of
Whittington Hospital NHS Trust and payroll company McKesson, where
they were to be stored.
http://www.zdnet.co.uk/misc/print/0,1000000169,39489341-39001093c,00.htm
FYI -
Confidential patient data lost on Teesdale street - TEESDALE is at
the centre of the latest data loss scandal after a memory stick
containing information on hundreds of NHS mental health patients was
found by a member of the public in a Barnard Castle street.
http://www.teesdalemercury.co.uk/teesdale-news/story,1843.html
FYI -
Palin e-mail hack - Report: FBI searches Tenn. student's apartment
in Palin hacking case - FBI agents served a search warrant on
Sunday at the Knoxville, Tenn., apartment of a college student whom
Internet sleuths last week had named as the hacker who accessed
Alaska Gov. Sarah Palin's e-mail account, a local television station
reported.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115238&source=rss_topic17
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewalls
A firewall is a collection of components (computers, routers, and
software) that mediate access between different security domains.
All traffic between the security domains must pass through the
firewall, regardless of the direction of the flow. Since the
firewall serves as a choke point for traffic between security
domains, it is ideally situated to inspect and block traffic and to
coordinate activities with network IDS systems.
Financial institutions have four primary firewall types from which
to choose: packet filtering, stateful inspection, proxy servers, and
application-level firewalls. Any product may have characteristics of
one or more firewall types. The selection of firewall type depends
on many characteristics of the security zone, such as the amount of
traffic, the sensitivity of the systems and data, and the
applications involved. Over the next few weeks we will discuss the
different types of firewalls.
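As an added illustration (not part of the FFIEC booklet or this newsletter), the following Python models the choke-point idea for two of the four types named above, a stateless packet filter and a stateful inspection firewall, each mediating between an assumed "internal" and "internet" security zone. The policy, zone names, addresses and sample traffic are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str   # security domain the packet arrives from
    dst_zone: str   # security domain it is headed to
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool       # True only for a connection-opening segment


# Constructed policy: internal hosts may open HTTPS sessions to the Internet.
# Anything else is denied unless it is a reply to such a session.
POLICY = {("internal", "internet", 443)}


def stateless_filter(pkt: Packet) -> bool:
    """Packet filtering: each packet is judged on its own header fields, so
    to let replies back in it must admit inbound non-SYN segments on flags alone."""
    if (pkt.src_zone, pkt.dst_zone, pkt.dport) in POLICY and pkt.syn:
        return True
    return pkt.dst_zone == "internal" and not pkt.syn


class StatefulFirewall:
    """Stateful inspection: remembers sessions opened under POLICY and only
    admits inbound segments that belong to one of them."""
    def __init__(self) -> None:
        self.sessions = set()

    def filter(self, pkt: Packet) -> bool:
        if (pkt.src_zone, pkt.dst_zone, pkt.dport) in POLICY and pkt.syn:
            self.sessions.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        # A genuine reply reverses the addresses and ports of a recorded session.
        return (not pkt.syn and
                (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions)


def compare(packets: list) -> list:
    """Return (stateless_decision, stateful_decision) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in packets]


# Constructed traffic: a legitimate HTTPS session followed by one unsolicited
# inbound segment from the Internet that carries no SYN flag.
SAMPLE = [
    Packet("internal", "internet", "10.0.0.5", "198.51.100.7", 50001, 443, syn=True),
    Packet("internet", "internal", "198.51.100.7", "10.0.0.5", 443, 50001, syn=False),
    Packet("internet", "internal", "203.0.113.9", "10.0.0.5", 443, 3389, syn=False),
]
```

Running `compare(SAMPLE)` shows both types admit the session and its reply, but only the stateful firewall rejects the third, unsolicited segment, which is the property that distinguishes the two types.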
IT SECURITY QUESTION:
C. HOST SECURITY
6. Determine whether an appropriate process exists to authorize access
to host systems and that authentication and authorization controls
on the host appropriately limit access to and control the access of
authorized individuals.
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal
information"; "nonaffiliated third party"; the
"opt out" right and the exceptions to that right; and
"consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
Financial Institution:
A "financial institution" is any institution the
business of which is engaging in activities that are financial in
nature or incidental to such financial activities, as determined by
section 4(k) of the Bank Holding Company Act of 1956. Financial
institutions can include banks, securities brokers and dealers,
insurance underwriters and agents, finance companies, mortgage
bankers, and travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except
a financial institution's affiliate or a person employed jointly by
a financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is
any company that controls, is controlled by, or is under common
control with the financial institution.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.