FYI - IT under siege:
The security arms race - The enterprise's security defense must get
more sophisticated to stop criminal-minded attackers who are out for
high stakes -- money and identities. The security arms race is
escalating to unprecedented levels and has security professionals
more nervous -- and more vigilant -- than ever.
http://www.infoworld.com/article/05/09/26/39FEattack_1.html
FYI - Survey: Security breaches could prove costly to data companies -
Some people cut
their ties with data management companies; others hire lawyers -
Security breaches that compromise confidential customer data could
prove far costlier for the companies involved than generally
thought.
http://www.computerworld.com/printthis/2005/0,4814,105015,00.html
FYI - Computer forensics - Businesses are failing to capture essential
evidence from their
computer systems, according to a UK industry group which has
published a new set of guidelines designed to help firms gen up on
computer forensics.
Press release:
http://www.theregister.co.uk/2005/09/27/computer_forensics_guide/print.html
The Directors and Corporate Advisors' Guide to Digital
Investigations and Evidence:
http://www.iaac.org.uk/Default.aspx?tabid=65
FYI - FTC Launches
Aggressive Campaign to Educate Online Consumers - Saying a consumer
that is aware of online threats is essential to a strong U.S.
economy, the Federal Trade Commission (FTC) has launched its most
ambitious effort yet to educate Americans on the dangers lurking on
the Web.
Press release:
http://www.technewsworld.com/story/46373.html
FTC consumer educational site:
http://onguardonline.gov/index.html (You may wish to
consider linking this site off your institution's web site.
Kinney)
FYI - FAA air-traffic systems lack cyberprotections, GAO finds -
Air-traffic control systems operated by the Federal Aviation
Administration contain significant cybersecurity weaknesses and are
vulnerable to attack, according to a recent report from the
Government Accountability Office. In the report, GAO concluded that
the agency has not completely implemented information security
programs that protect its systems from cyberattack.
Press release:
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37127
GAO Report:
http://www.gao.gov/new.items/d05712.pdf
FYI - Judge holds off disclosure in credit card heist - Visa and
MasterCard won't have to inform customers that their personal
details were exposed in a high-profile data security breach - at
least for now, a judge ruled.
http://news.com.com/Judge+holds+off+disclosure+in+credit+card+heist/2100-7350_3-5879179.html
FYI - Improving Controls
Over Wireless Networks - They increase flexibility and ease network
installation, but wireless networks also present significant
security challenges - and federal agencies have a lot of room for
improvement.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5629
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes. Enhancements may include:
! Incorporating notification procedures to alert customers of
known e-mail and Internet-related fraudulent schemes and to caution
them against responding;
! Establishing a process to notify Internet service providers,
domain name-issuing companies, and law enforcement to shut down
fraudulent Web sites and other Internet resources that may be used
to facilitate phishing or other e-mail and Internet-related
fraudulent schemes;
! Increasing suspicious activity monitoring and employing
additional identity verification controls;
! Offering customers assistance when fraud is detected in
connection with customer accounts;
! Notifying the proper authorities when e-mail and
Internet-related fraudulent schemes are detected, including promptly
notifying their FDIC Regional Office and the appropriate law
enforcement agencies; and
! Filing a Suspicious Activity Report when incidents of e-mail
and Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should
be considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
! Improving authentication methods and procedures to protect
against the risk of user ID and password theft from customers
through e-mail and other frauds;
! Reviewing and, if necessary, enhancing practices for
protecting confidential customer data;
! Maintaining current Web site certificates and describing how
customers can authenticate the financial institution's Web pages by
checking the properties on a secure Web page;
! Monitoring accounts individually or in aggregate for unusual
account activity such as address or phone number changes, a large or
high volume of transfers, and unusual customer service requests;
! Monitoring for fraudulent Web sites using variations of the
financial institution's name;
! Establishing a toll-free number for customers to verify
requests for confidential information or to report suspicious e-mail
messages; and
! Training customer service staff to refer customer concerns
regarding suspicious e-mail request activity to security staff.
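The account-monitoring item above ("individually or in aggregate", watching for contact-detail changes, large or high-volume transfers and unusual service requests) is the one control in the list that turns directly into detection logic. The following is an added illustration written for this newsletter, not code from the FFIEC guidance: the event layout, the thresholds, the list of "unusual" request types and the sample records are all assumptions. Individual review flags an account whose transfers spike or follow a phone/address change; aggregate review flags a day on which contact changes jump across the whole customer base, which can surface a phishing wave before any single account has moved money.

```python
"""Account-activity monitoring, added as an illustration of the guidance
above: flag individual accounts showing the listed indicators (contact
changes, large or high-volume transfers, unusual service requests) and
flag days on which contact changes spike across the whole customer base.
Event layout, thresholds and the sample records are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str            # "contact_change" | "transfer" | "service_request"
    amount: float = 0.0  # transfers only
    detail: str = ""     # field changed, or the service request type


# Assumed thresholds; a real programme derives these from its own baselines.
LARGE_TRANSFER = 5000.00
MAX_TRANSFERS_PER_DAY = 3
CHANGE_TO_TRANSFER_WINDOW = timedelta(days=2)
MAX_CONTACT_CHANGES_PER_DAY = 3
UNUSUAL_REQUESTS = {"wire_limit_increase", "card_to_new_address"}


def _e(stamp, account, kind, amount=0.0, detail=""):
    return Event(datetime.strptime(stamp, "%Y-%m-%d %H:%M"), account, kind, amount, detail)


# Constructed sample events (not real customer data).
SAMPLE_EVENTS = [
    _e("2005-09-20 09:10", "A001", "contact_change", detail="phone"),
    _e("2005-09-21 10:02", "A001", "transfer", 1200.00),
    _e("2005-09-21 10:09", "A001", "transfer", 1500.00),
    _e("2005-09-21 10:15", "A001", "transfer", 900.00),
    _e("2005-09-21 10:21", "A001", "transfer", 800.00),
    _e("2005-09-21 11:00", "A002", "transfer", 250.00),
    _e("2005-09-21 11:30", "A002", "service_request", detail="balance_inquiry"),
    _e("2005-09-22 14:45", "A003", "transfer", 7500.00),
    _e("2005-09-22 15:00", "A003", "service_request", detail="wire_limit_increase"),
    _e("2005-09-20 09:12", "A004", "contact_change", detail="address"),
    _e("2005-09-20 09:14", "A005", "contact_change", detail="address"),
    _e("2005-09-20 09:19", "A006", "contact_change", detail="phone"),
]


def flag_account(events):
    """Reasons one account deserves review; empty list if none."""
    events = sorted(events, key=lambda e: e.ts)
    changes = [e for e in events if e.kind == "contact_change"]
    transfers = [e for e in events if e.kind == "transfer"]
    reasons = []

    per_day = defaultdict(int)
    for t in transfers:
        per_day[t.ts.date()] += 1
        if t.amount >= LARGE_TRANSFER:
            reasons.append(f"large transfer of {t.amount:.2f} on {t.ts:%Y-%m-%d}")
    for day, n in sorted(per_day.items()):
        if n > MAX_TRANSFERS_PER_DAY:
            reasons.append(f"high transfer volume: {n} transfers on {day}")

    # A contact change followed shortly by money movement is the classic
    # account-takeover sequence; report it once per changed field.
    for c in changes:
        if any(timedelta(0) <= t.ts - c.ts <= CHANGE_TO_TRANSFER_WINDOW for t in transfers):
            reasons.append(f"transfer within {CHANGE_TO_TRANSFER_WINDOW.days} days of {c.detail} change")

    for e in events:
        if e.kind == "service_request" and e.detail in UNUSUAL_REQUESTS:
            reasons.append(f"unusual service request: {e.detail}")
    return reasons


def review_accounts(events):
    """Individual monitoring: map each flagged account to its reasons."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    flagged = {}
    for account, evs in sorted(by_account.items()):
        reasons = flag_account(evs)
        if reasons:
            flagged[account] = reasons
    return flagged


def aggregate_contact_change_alerts(events):
    """Aggregate monitoring: days on which contact changes across all
    accounts exceed the baseline, even if no single account looks odd yet."""
    per_day = defaultdict(int)
    for e in events:
        if e.kind == "contact_change":
            per_day[e.ts.date()] += 1
    return [(day, n) for day, n in sorted(per_day.items()) if n > MAX_CONTACT_CHANGES_PER_DAY]


if __name__ == "__main__":
    for account, reasons in review_accounts(SAMPLE_EVENTS).items():
        print(account, "->", "; ".join(reasons))
    for day, n in aggregate_contact_change_alerts(SAMPLE_EVENTS):
        print(f"aggregate: {n} contact changes on {day}")
```

Against the sample data, accounts A001 and A003 are flagged individually, while A004 through A006 only appear in the aggregate alert for 2005-09-20; that is the case for running both views rather than either alone.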
Conclusion
E-mail and Internet-related fraudulent schemes present a
substantial risk to financial institutions and their customers.
Financial institutions should consider developing programs to
educate customers about e-mail and Internet-related fraudulent
schemes and how to avoid them, consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes, and implement appropriate information security controls to
help mitigate the risks associated with e-mail and Internet-related
fraudulent schemes.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (2 of 2)
Since specific scenarios can become too numerous for financial
institutions to address individually, various techniques are used to
generalize and extend the scenarios. For instance, one technique
starts with a specific scenario and looks at additional damage that
could occur if the attacker had different knowledge or motivation.
This technique allows the reviewers to see the full extent of risk
that exists from a given vulnerability. Another technique aggregates
scenarios by high-value system components.
Scenarios should consider attacks against the logical security,
physical security, and combinations of logical and physical attacks.
In addition, scenarios could consider social engineering, which
involves manipulation of human trust by an attacker to obtain access
to computer systems. It is often easier for an attacker to obtain
access through manipulation of one or more employees than to perform
a logical or physical intrusion.
The risk from any given scenario is a function of the probability of
the event occurring and the impact on the institution. The
probability and impact are directly influenced by the financial
institution's business profile, the effectiveness of the financial
institution's controls, and the relative strength of controls when
compared to other industry targets.
The probability of an event occurring is reflected in one of two
ways. If reliable and timely probability data is available,
institutions can use it. Since probability data is often limited,
institutions can assign a qualitative probability, such as frequent,
occasional, remote, and improbable.
Frequently, TSPs perform some or all of the institution's
information processing and storage. Reliance on a third party for
hosting systems or processing does not remove the institution's
responsibility for securing the information. It does change how the
financial institution will fulfill its role. Accordingly, risk
assessments should evaluate the sensitivity of information
accessible to or processed by TSPs, the importance of the processing
conducted by TSPs, communications between the TSP's systems and the
institution, contractually required controls, and the testing of
those controls. Additional vendor management guidance is contained
in the FFIEC's statement on "Risk Management of Outsourced
Technology Services," dated November 28, 2000.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
4. Determine if all authenticators (e.g., passwords, shared secrets)
are protected while in storage and during transmission to prevent
disclosure.
• Identify processes and areas where authentication information
may be available in clear text and evaluate the effectiveness of
compensating risk management controls.
• Identify the encryption used and whether one-way hashes are
employed to secure the clear text from anyone, authorized or
unauthorized, who accesses the authenticator storage area.
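The two bullets above ask the examiner to find where authenticators sit in clear text and to check that storage uses one-way hashes. The following added example is written for this newsletter and is not part of the FFIEC material; the PBKDF2 parameters, the record format, the regular expressions and the sample log and configuration lines are all assumptions. It shows a storage record that reveals nothing about the password to anyone who reads the store, a constant-time verification routine that recomputes the hash from the stored salt, and a scan over constructed lines for the clear-text exposures (credentials in URLs, configuration files and application logs) the first bullet is about.

```python
"""Protecting stored authenticators, added to illustrate examination
question 4: (1) keep only a salted one-way hash, so reading the store
yields no password; (2) scan log/config lines for clear-text exposure.
All parameters, patterns and sample lines are assumptions."""
import hashlib
import hmac
import os
import re

# PBKDF2-HMAC-SHA256 parameters (assumed; tune iterations to your hardware).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_authenticator(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    A fresh random salt per record means identical passwords hash differently."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_authenticator(password, record):
    """Recompute the hash from the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Clear-text authenticator patterns (assumed field names). The negative
# lookahead skips values that are already masked (*), redacted ([) or
# marked as hashed (<).
CLEARTEXT_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd|shared_secret|secret)\s*[=:]\s*(?![*\[<])\S+"),
    re.compile(r"(?i)[?&](password|pwd|token)=[^&\s]+"),  # credentials in URL query strings
]

# Constructed sample lines (not from any real system).
SAMPLE_LINES = [
    "2005-09-26 08:01:12 web01 GET /login?user=jdoe&password=Summer05 200",
    "2005-09-26 08:01:13 web01 POST /login user=jdoe password=******** 200",
    "db_connection: host=db01 user=app password=app-secret-1",
    "ldap_bind_secret=[redacted]",
    "batch-transfer.cfg: shared_secret: hunter2key",
    "2005-09-26 08:02:00 auth01 stored authenticator for jdoe: <hashed>",
]


def find_cleartext_authenticators(lines):
    """Return (line_number, matched_text) for each line exposing an authenticator."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pat in CLEARTEXT_PATTERNS:
            m = pat.search(line)
            if m:
                findings.append((n, m.group(0)))
                break  # one finding per line is enough for review
    return findings


if __name__ == "__main__":
    record = hash_authenticator("correct-horse-battery")
    print("stored record:", record)
    print("correct password verifies:", verify_authenticator("correct-horse-battery", record))
    print("wrong password verifies:  ", verify_authenticator("correct-horse-battery!", record))
    for n, text in find_cleartext_authenticators(SAMPLE_LINES):
        print(f"line {n}: clear-text authenticator -> {text}")
```

Of the six sample lines, the scan reports lines 1, 3 and 5 (URL query string, database connection string, batch configuration); the masked, redacted and hashed lines pass. The same scan run over real access logs and configuration repositories is a practical way to answer the first bullet, and the record format shows what the second bullet expects to find in the authenticator store.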
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
44. If the institution receives information from a nonaffiliated financial
institution under an exception in §14 or §15, does the institution
refrain from using or disclosing the information except:
a. to disclose the information to the affiliates of the
financial institution from which it received the information; [§11(a)(1)(i)]
b. to disclose the information to its own affiliates, which
are in turn limited by the same disclosure and use restrictions as
the recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an
exception in §14 or §15 in the ordinary course of business to
carry out the activity covered by the exception under which the
information was received? [§11(a)(1)(iii)]
(Note: the disclosure or use described in section c of
this question need not be directly related to the activity covered
by the applicable exception. For instance, an institution receiving
information for fraud-prevention purposes could provide the
information to its auditors. But "in the ordinary course of
business" does not include marketing. [§11(a)(2)])
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive
opt out.)
VISTA - Does your financial institution need an affordable Internet
security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure the security of their
IT settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond simple port
scanning; testing focuses on a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney
Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.