R. Kinney Williams & Associates

Internet Banking News

October 22, 2006

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Data attack targets Commerce Department - A Commerce Department bureau was the target of an attempt to gain access to employees' user accounts on its computer network, according to media reports. The attack, which was discovered in July and came to public attention this week, specifically focused on the Department's Bureau of Industry and Security (BIS), which is responsible for such areas as export control and treaty compliance. http://news.com.com/2102-7349_3-6123601.html?tag=st.util.print

FYI - No End in Sight: Data Breach Tally Approaches 100 Million - The total number of records containing sensitive personal information involved in security breaches over the past two years now stands at 93,754,333, according to the Privacy Rights Clearinghouse. The updated tally includes thousands of instances of data exposure in the past month alone. http://www.technewsworld.com/story/53222.html

FYI - DHS laptops still vulnerable, IG finds - Laptop computers used by the Homeland Security Department's Office of the Inspector General (OIG) are still susceptible to cyberattacks despite several recent steps taken to harden security, a report has found. http://www.fcw.com/article96332-10-04-06-Web

FYI - CMS' IT controls need strengthening - A review of the effectiveness of information security controls used by the Center for Medicare and Medicaid Services found 47 weaknesses in its communication networks - electronic access and other system controls - according to the Government Accountability Office. http://www.gcn.com/online/vol1_no1/42213-1.html?topic=security

FYI - USB memory sticks pose new dangers - Some new drives can be used to automatically run malware - The ability to use tiny USB memory sticks to download and walk away with relatively large amounts of data has already made the ubiquitous devices a potent security threat in corporate environments. Now, the emergence of USB flash drives that can store and automatically run applications straight off the device could soon make the drives even more of a security headache. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003592
FYI - Washington Airport Reports Worker Information Missing - The Port of Seattle announced today that six computer disks, containing personal information for 6,939 people who work for employers at Seattle-Tacoma International Airport, are missing. "We have no reason to believe that the information has been misused by anyone," said Mark Reis, managing director at Sea-Tac. "However, we do not know at this time whether the disks were misplaced, or were removed from Port property." http://www.govtech.net/magazine/channel_story.php/101387

FYI - U.S. Marine base probes missing laptop - A laptop computer loaded with personal information on 2,400 residents of the Camp Pendleton Marine Corps base has been lost. The computer was reported missing Tuesday by Lincoln B.P. Management Inc., which helps manage base housing. http://news.yahoo.com/s/ap/20061007/ap_on_hi_te/missing_laptop

FYI - FAA data in Oberlin computer lost - Drives had names, Social Security numbers - The names and Social Security numbers of at least 400 air traffic controllers are missing from a computer at the Cleveland Air Route Traffic Control Center in Oberlin, a union official says. http://www.cleveland.com/news/plaindealer/index.ssf?/base/lorain/1160124449197870.xml&coll=2&thispage=1

OTS Appoints Wayne Leiss As Chief Information Officer - Office of Thrift Supervision Director John M. Reich announced the selection of Wayne G. Leiss as the agency's Chief Information Officer.  www.ots.treas.gov/docs/7/776048.html 


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 9 of 10)


Implementing Weblinking Relationships

Customer Service Complaints

Financial institutions should have plans to respond to customer complaints, including those regarding the appropriateness or quality of content, services, or products provided or the privacy and security policies of the third-party site. The plan also should address how the financial institution will address complaints regarding any failures of linked third parties to provide agreed upon products or services.

Monitoring Weblinking Relationships

The financial institution should consider monitoring the activities of linked third parties as a part of its risk management strategy. Monitoring policies and procedures should include periodic content review and testing to ensure that links function properly, and to verify that the levels of services provided by third parties are in accordance with contracts and agreements.  Website content is dynamic, and third parties may change the presentation or content of a website in a way that results in risk to the financial institution's reputation. Periodic review and testing will reduce this risk exposure. The frequency of review should be commensurate with the degree of risk presented by the linked site.
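One way to carry out the periodic link testing and content review described above, as an added example that is not part of the FFIEC statement or this newsletter. It assumes the institution keeps a list of linked sites with a risk tier and a hash of the third-party content approved at the last review, and that the pages are fetched in a separate step; the sample sites and fetched responses below are constructed.

```python
import hashlib
from dataclasses import dataclass

# Days between reviews per risk tier: higher-risk links are reviewed more often
# (assumed tiers; the statement only says frequency should match risk).
REVIEW_DAYS = {"high": 7, "medium": 30, "low": 90}

@dataclass
class LinkedSite:
    url: str
    risk: str             # "high", "medium" or "low"
    baseline_sha256: str  # hash of the third-party content approved at the last review
    days_since_review: int

@dataclass
class FetchResult:
    url: str
    status: int   # HTTP status from a separate fetch step; 0 means the request failed
    body: bytes

def content_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def links_due(sites):
    """URLs whose review interval (by risk tier) has elapsed."""
    return [s.url for s in sites if s.days_since_review >= REVIEW_DAYS[s.risk]]

def review(sites, fetched):
    """Return (url, issue) findings: broken links and content that drifted from baseline."""
    by_url = {f.url: f for f in fetched}
    findings = []
    for s in sites:
        f = by_url.get(s.url)
        if f is None or f.status == 0 or f.status >= 400:
            findings.append((s.url, "link broken"))
        elif content_hash(f.body) != s.baseline_sha256:
            findings.append((s.url, "content changed since last review"))
    return findings

# Constructed sample data: one partner page whose content changed, one link that now 404s
APPROVED_BODY = b"<html>Partner insurance page, approved at last review</html>"
SITES = [
    LinkedSite("https://partner.example/insurance", "high", content_hash(APPROVED_BODY), 10),
    LinkedSite("https://partner.example/calculator", "low", content_hash(b"calc v1"), 10),
]
FETCHED = [
    FetchResult("https://partner.example/insurance", 200, b"<html>Partner insurance page, NEW offer</html>"),
    FetchResult("https://partner.example/calculator", 404, b""),
]

if __name__ == "__main__":
    for url, issue in review(SITES, FETCHED):
        print(url, issue)
```

A changed hash only signals that the third party altered the page; a person still has to judge whether the new content presents a reputation risk.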


- We continue our series on the FFIEC interagency Information Security Booklet.

Malicious code is any program that acts in unexpected and potentially damaging ways. Common types of malicious code are viruses, worms, and Trojan horses. The functions of each were once mutually exclusive; however, developers combined functions to create more powerful malicious code. Currently malicious code can replicate itself within a computer and transmit itself between computers. Malicious code also can change, delete, or insert data, transmit data outside the institution, and insert backdoors into institution systems. Malicious code can attack institutions at either the server or the client level. It can also attack routers, switches, and other parts of the institution infrastructure. Malicious code can also monitor users in many ways, such as logging keystrokes, and transmitting screenshots to the attacker.

Typically malicious code is mobile, using e-mail, Instant Messenger, and other peer-to-peer (P2P) applications, or active content attached to Web pages as transmission mechanisms. The code also can be hidden in programs that are downloaded from the Internet or brought into the institution on diskette. At times, the malicious code can be created on the institution's systems either by intruders or by authorized users. The code can also be introduced to a Web server in numerous ways, such as entering the code in a response form on a Web page.

Malicious code does not have to be targeted at the institution to damage the institution's systems or steal the institution's data. Most malicious code is general in application, potentially affecting all Internet users with whatever operating system or application the code needs to function.




3. Determine if the institution requires personnel with authority to access customer information and confidential institution information to sign and abide by confidentiality agreements.


- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

20. Does the opt out notice state:

a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party;

b. that the consumer has the right to opt out of that disclosure; [7(a)(1)(ii)] and

c. a reasonable means by which the consumer may opt out? [7(a)(1)(iii)]

- IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.