R. Kinney Williams & Associates
Internet Banking News
October 29, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Thousands fall victim to data theft - Metropolitan police are struggling to contact UK citizens whose passwords and credit card details have been stolen. Police are trying to contact thousands of UK computer users who have fallen victim to a massive personal data heist.
http://news.zdnet.co.uk/internet/security/0,39020375,39284001,00.htm
FYI - Hackers steal personal information from Brock University computers - The personal information - including some credit card and bank account numbers - of about 70,000 people who gave money to Brock University has been stolen from the school's computers by a hacker.
http://www.cbc.ca/technology/story/2006/10/12/tech-brock.html
FYI - Most campuses report security breaches - The majority of higher education managers experienced at least one information technology security incident last year and one-third reported a data loss or theft.
http://www.fcw.com/article96412-10-10-06-Web&printLayout
FYI - Agency loss of personal information widespread - The loss of personal data is a common occurrence across government, largely because of poor physical security and portable computers and disks that go missing, according to a new report from the House Government Reform Committee.
http://www.govexec.com/story_page.cfm?articleid=35270&sid=1
FYI - Researchers claim stealth encryption breakthrough - Two U.S. researchers believe they have found a way to transmit information safely over an optical network without fear of interception. The technique hinges on transmission of encrypted data in the "noise" of signals along fibre-optic cables.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61960016-39000005c
FYI - Exploit code lurking on cache servers - Malicious code is living on weeks after it has been removed from Web sites thanks to an unexpected culprit: cache servers. According to Finjan Software, which has just released its latest Web trends report, caching technology used by search engines, ISPs and large companies has been discovered to harbor certain kinds of malicious code even after the Web site that hosted it has been taken down.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_hacking&articleId=9004107&taxonomyId=82
STOLEN COMPUTERS
FYI - UTA alerts students to identity-theft threat - The personal information of about 2,500 University of Texas at Arlington students was on two computers stolen from a faculty member's home last month, school officials said.
http://www.chron.com/disp/story.mpl/metropolitan/4253257.html
WEB SITE COMPLIANCE - We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.
When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.
Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology, policies and procedures, and training. Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or potentially dangerous behavioral characteristics. Differences between products exist in detection capabilities and the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures generally are ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection.
Signature-based anti-virus products scan for unique components of certain known malicious code. Since new malicious code is created daily, the signatures need to be updated continually. Different vendors of anti-virus products update their signatures on different frequencies. When an update appears, installing the update on all of an institution's computers may involve automatically pushing the update to the computers, or requesting users to manually obtain the update.
Heuristic anti-virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any Active-X or Java applets. A more refined strategy might block based on certain characteristics of known code.
Protection of servers involves examining input from users and only accepting that input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers.
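The filtering the booklet describes is allow-list validation: the server defines exactly what each form field may contain and rejects anything else, including fields it did not ask for. The following is an added example, not part of the FFIEC text; the funds-transfer form, its field names, and the limits are assumptions chosen for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Allow-list rules for a hypothetical funds-transfer response form
# (constructed example; field names and limits are assumptions).
ACCOUNT_RE = re.compile(r"^\d{8,12}$")              # digits only, bounded length
MEMO_RE = re.compile(r"^[A-Za-z0-9 .,'-]{0,60}$")    # plain text only, no markup
MAX_AMOUNT = Decimal("25000.00")
ALLOWED_FIELDS = {"from_account", "to_account", "amount", "memo"}

def validate_transfer_form(form):
    """Return (ok, errors). Only expected input is accepted; all else is rejected."""
    errors = []
    # Fields the form never asked for are rejected, not silently ignored.
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        errors.append("unexpected fields: " + ", ".join(sorted(unexpected)))
    for field in ("from_account", "to_account"):
        if not ACCOUNT_RE.fullmatch(form.get(field, "")):
            errors.append(f"{field}: must be 8-12 digits")
    try:
        amount = Decimal(form.get("amount", ""))
    except InvalidOperation:
        amount = None
    # Finite, at most two decimals, and inside the business limit.
    if (amount is None or not amount.is_finite()
            or amount.as_tuple().exponent < -2
            or not (Decimal("0.01") <= amount <= MAX_AMOUNT)):
        errors.append("amount: must be 0.01-25000.00 with at most two decimals")
    if not MEMO_RE.fullmatch(form.get("memo", "")):
        errors.append("memo: contains characters outside the allowed set")
    return (not errors, errors)

# Constructed sample submissions: one well-formed, one carrying code-like
# characters in two fields, an out-of-range amount, and an extra field.
GOOD_FORM = {"from_account": "12345678", "to_account": "987654321012",
             "amount": "150.00", "memo": "Rent, Oct 2006"}
BAD_FORM = {"from_account": "12345678", "to_account": "98765';--",
            "amount": "1e9", "memo": "<b>pay</b>", "debug": "1"}

if __name__ == "__main__":
    for name, form in (("good", GOOD_FORM), ("bad", BAD_FORM)):
        ok, errors = validate_transfer_form(form)
        print(name, "accepted" if ok else "rejected", errors)
```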
Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only include functions necessary to support operations. See "Systems Development, Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive solutions. New malicious code could have different signatures, and bypass other controls. Protection against newly developed malicious code typically comes in the form of policies, procedures, and user awareness and training. For example, policies could prohibit the installation of software by unauthorized employees, and regular reviews for unauthorized software could take place. System users could be trained not to open unexpected messages, not to open any executables, and not to allow or accept file transfers in P2P communications. Additional protection may come from disconnecting and isolating networks from each other or from the Internet in the face of a fast-moving malicious code attack.
An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when it recognizes abnormal system behavior, the presence of unexpected files, and changes to other files.
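The file-oriented half of that host detection control is a hash baseline: record a digest of every file in a monitored tree, then compare later snapshots and alert on files that appeared, disappeared, or changed. The following is an added example, not from the FFIEC booklet or any product; the monitored directory contents are constructed in a temporary folder so it runs stand-alone.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests

def compare(baseline, current):
    """Return alerts as (kind, path) for unexpected, missing, and changed files."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            alerts.append(("unexpected_file", rel))
        elif rel not in current:
            alerts.append(("missing_file", rel))
        elif baseline[rel] != current[rel]:
            alerts.append(("changed_file", rel))
    return alerts

def demo():
    """Constructed scenario: take a baseline, then simulate drift on the host."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "server"), "wb") as fh:
            fh.write(b"original binary")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("debug=0\n")
        baseline = snapshot(root)
        # Drift: one monitored file edited, one new file dropped into bin/.
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("debug=1\n")
        with open(os.path.join(root, "bin", "helper.exe"), "wb") as fh:
            fh.write(b"not in baseline")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind}: {path}")
```

In practice the baseline itself must be stored where the monitored host cannot rewrite it, otherwise a change to the baseline hides every other change.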
IT SECURITY QUESTION:
F. PERSONNEL SECURITY
4. Determine if the institution provides to its employees appropriate security training covering the institution's policies and procedures, on an appropriate frequency, and that institution employees certify periodically as to their understanding and awareness of the policy and procedures.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
21. Does the institution provide the consumer with the following information about the right to opt out:
a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]
b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)]
c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and
d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.