FYI - Security contractor didn't detect hacker from SCDOR website - The
contractor hired by the S.C. Department of Revenue to provide
computer security focused on the agency's compliance with rules
governing the handling of credit-card information, not stopping
malicious programs such as those that hackers used to steal the tax
records of 4.5 million S.C. consumers and businesses.
http://www.goupstate.com/article/20121114/WIRE/211151017/1088/SPORTS?Title=Security-contractor-didn-t-detect-hacker-from-SCDOR-website
FYI - Adobe suspends Connect user forum after apparent hack - The online
leak of login credentials for Connectusers.com has led Adobe to
suspend the forum while it resets users' passwords. The hacker
claims to have released the data to demonstrate the software maker's
security shortcomings.
http://www.zdnet.com/adobe-suspends-connect-user-forum-after-apparent-hack-7000007440/
FYI - NASA scrambles to encrypt laptops after major breach - Personally
identifiable information on NASA employees, contractors exposed in
Oct. 31 laptop theft; workers told of incident this week - NASA is
scrambling to implement full disk encryption on agency laptops after
one containing unencrypted personal information on a "large" number
of people was recently stolen.
http://www.computerworld.com/s/article/9233645/NASA_scrambles_to_encrypt_laptops_after_major_breach?taxonomyId=17
FYI - Hackers break into two FreeBSD Project servers using stolen SSH
keys - Users who installed third-party software packages distributed
by FreeBSD.org are advised to reinstall their machines - Hackers
have compromised two servers used by the FreeBSD Project to build
third-party software packages. Anyone who has installed such
packages since Sept. 19 should completely reinstall their machines,
the project's security team warned.
http://www.computerworld.com/s/article/9233822/Hackers_break_into_two_FreeBSD_Project_servers_using_stolen_SSH_keys?taxonomyId=17
FYI - Hacker behind bank cyber heist plot gets cold feet - The Russian
hacker who was openly recruiting for a coordinated online raid of
some 30 banks in the United States has scrapped the plan because he
believes the authorities may have caught up to him.
http://www.scmagazine.com/hacker-behind-bank-cyber-heist-plot-gets-cold-feet/article/268740/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory
Insights regarding Incident Response Programs. (8 of 12)
Containment
During the containment phase, the institution should generally
implement its predefined procedures for responding to the specific
incident (note that containment procedures are a required minimum
component). Additional containment-related procedures some banks
have successfully incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the incident
response team, banks may want to consider developing procedures for
notifying these individuals when the situation warrants. Providing
the appropriate executive staff and senior department managers with
information about how containment actions will affect business
operations or systems and including these individuals in the
decision-making process can help minimize undesirable business
disruptions. Institutions that have experienced incidents have
generally found that the management escalation process (and
resultant communication flow) was not only beneficial during the
containment phase, but also proved valuable during the later phases
of the incident response process.
Document details, conversations, and actions.
Retaining documentation is an important component of the
incident response process. Documentation can come in a variety of
forms, including technical reports generated, actions taken, costs
incurred, notifications provided, and conversations held. This
information may be useful to external consultants and law
enforcement for investigative and legal purposes, as well as to
senior management for filing potential insurance claims and for
preparing an executive summary of the events for the board of
directors or shareholders. In addition, documentation can assist
management in responding to questions from its primary Federal
regulator. It may be helpful during the incident response process to
centralize this documentation for organizational purposes.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the
FDIC "Security Risks Associated with the Internet."
Data Integrity
Potentially, the open architecture of the Internet can allow those
with specific knowledge and tools to alter or modify data during a
transmission. Data integrity could also be compromised within the
data storage system itself, both intentionally and unintentionally,
if proper access controls are not maintained. Steps must be taken to
ensure that all data is maintained in its original or intended
form.
Authentication
Essential in electronic commerce is the need to verify that a
particular communication, transaction, or access request is
legitimate. To illustrate, computer systems on the Internet are
identified by an Internet protocol (IP) address, much like a
telephone is identified by a phone number. Through a variety of
techniques, generally known as "IP spoofing" (i.e., impersonating),
one computer can actually claim to be another. Likewise, user
identity can be misrepresented as well. In fact, it is relatively
simple to send email which appears to have come from someone else,
or even send it anonymously. Therefore, authentication controls are
necessary to establish the identities of all parties to a
communication.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. Answering each week's
question will help ensure compliance with the privacy regulations.
46. Does the institution refrain from disclosing, directly
or through affiliates, account numbers or similar forms of access
numbers or access codes for a consumer's credit card account,
deposit account, or transaction account to any nonaffiliated third
party (other than to a consumer reporting agency) for telemarketing,
direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to
market the institution's own products or services, as long as the
agent or service provider is not authorized to directly initiate
charges to the account; ['12(b)(1)] or
b. to a participant in a private label credit card program or an
affinity or similar program where the participants in the program
are identified to the customer when the customer enters into the
program? ['12(b)(2)]
(Note: an "account number or similar form of access number
or access code" does not include numbers in encrypted form, so long
as the institution does not provide the recipient with a means of
decryption. ['12(c)(1)] A transaction account does not include an
account to which third parties cannot initiate charges. ['12(c)(2)])