REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI - Patent trolls and their effect on security - The influence of
computers in our everyday lives cannot be overstated. The wealth
of knowledge, comfort, and ease afforded to the average individual
is unparalleled in human history. Despite this, there is a dark side
that can threaten even the most casual user and inflict incalculable
damages.
http://www.scmagazine.com/patent-trolls-and-their-effect-on-security/article/269476/?DCMP=EMC-SCUS_Newswire
FYI - CyberCity allows government hackers to train for attacks - CyberCity
has all the makings of a regular town. There’s a bank, a hospital
and a power plant. A train station operates near a water tower. The
coffee shop offers free WiFi.
http://www.washingtonpost.com/investigations/cybercity-allows-government-hackers-to-train-for-attacks/2012/11/26/588f4dae-1244-11e2-be82-c3411b7680a9_story.html
FYI - Obama issues insider threat guidance for gov't agencies - President
Obama has issued a memorandum to the heads of federal agencies,
informing them of new guidance for deterring the information
security threat posed by insiders.
http://www.scmagazine.com/obama-issues-insider-threat-guidance-for-govt-agencies/article/269817/
FYI - TSA drops ‘insider threat’ label from spyware buy - The
Transportation Security Administration has reissued a June 20
purchase order for spyware that monitors employees’ computer
activities under a new name, explaining that contractors complained
the scope of the earlier descriptor was too constricting.
http://www.nextgov.com/cybersecurity/2012/11/tsa-drops-insider-threat-label-spyware-buy/59654/?oref=ng-channelriver
FYI - Texan schoolgirl expelled for refusing to wear RFID tag - A plan by
a San Antonio school district to continuously monitor its students
using RFID has run into legal problems after one of them took a
stand against being forced to use the tracking technology.
http://www.theregister.co.uk/2012/11/21/schoolgirl_expelled_rfid_chip/
FYI - Shylock banking malware can detect remote desktops - Shylock, a
trojan dropper that steals bank account information, is employing a
new trick to avoid detection: hiding from researchers who may be
studying it via remote desktop connections.
http://www.scmagazine.com/shylock-banking-malware-can-detect-remote-desktops/article/270240/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - S.C. tax breach began when employee fell for spear phish - A
targeted phishing email delivered to an employee at the South
Carolina Department of Revenue opened the door for attackers to
exfiltrate Social Security numbers and other personal data belonging
to millions of residents, according to a report prepared by a
forensic firm that investigated the mega breach.
http://www.scmagazine.com/sc-tax-breach-began-when-employee-fell-for-spear-phish/article/269448/?DCMP=EMC-SCUS_Newswire
FYI - Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer
Data - A hacker charged with federal crimes for obtaining the
personal data of more than 100,000 iPad owners from AT&T’s website
was found guilty on Tuesday.
http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/
FYI - U.S. accused of cyberattack on French government - The United
States has been accused of launching a cyberattack against the
French government, a claim the U.S. government, which calls France a
top ally, has categorically denied.
http://news.cnet.com/8301-1009_3-57553153-83/u.s-accused-of-cyberattack-on-french-government/
FYI - Former resident physician kept patient docs without permission -
University of Arkansas for Medical Sciences (UAMS) is alerting
hundreds of patients that a former resident physician stored
confidential medical documents without consent.
http://www.scmagazine.com/former-resident-physician-kept-patient-docs-without-permission/article/270061/?DCMP=EMC-SCUS_Newswire
FYI - Yahoo email hijack possible with $700 XSS exploit - Yahoo
reportedly has yet to fix vulnerable code on its website; a hacker
is selling, for $700, an exploit for the cross-site scripting (XSS)
issue that can be used to hijack email accounts.
http://www.scmagazine.com/yahoo-email-hijack-possible-with-700-xss-exploit/article/270005/?DCMP=EMC-SCUS_Newswire
FYI - Personal info of 1m compromised in Nationwide breach - The FBI is
investigating a breach at Nationwide Insurance, where hackers
recently accessed the sensitive information of about one million
people, including policy and non-policy holders.
http://www.scmagazine.com/personal-info-of-1m-compromised-in-nationwide-breach/article/270448/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue the series from the FDIC
Supervisory Insights article on Incident Response Programs. (9 of 12)
Organize a public relations program.
Whether a bank is a local, national, or global firm,
negative publicity about a security compromise is a distinct
possibility. To address potential reputation risks associated with a
given incident, some banks have organized public relations programs
and designated specific points of contact to oversee the program. A
well-defined public relations program can provide a specific avenue
for open communications with both the media and the institution's
customers.
Recovery
Recovering from an incident essentially involves restoring systems
to a known good state or returning processes and procedures to a
functional state. Some banks have incorporated the following best
practices related to the recovery process in their IRPs.
Determine whether configurations or processes should be changed.
If an institution is the subject of a security compromise,
the goals in the recovery process are to eliminate the cause of the
incident and ensure that the possibility of a repeat event is
minimized. A key component of this process is determining whether
system configurations or other processes should be changed. In the
case of technical compromises, such as a successful network
intrusion, the IRP can prompt management to update or modify system
configurations to help prevent further incidents. Part of this
process may include implementing an effective, ongoing patch
management program, which can reduce exposure to identified
technical vulnerabilities. In terms of non-technical compromises,
the IRP can direct management to review operational procedures or
processes and implement changes designed to prevent a repeat
incident.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the
FDIC "Security Risks Associated with the Internet."
Non-repudiation
Non-repudiation involves creating proof of the origin or delivery of
data to protect the sender against false denial by the recipient
that the data has been received or to protect the recipient against
false denial by the sender that the data has been sent. To ensure
that a transaction is enforceable, steps must be taken to prohibit
parties from disputing the validity of, or refusing to acknowledge,
legitimate communications or transactions.
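As an added illustration, not part of the FDIC text or of this
newsletter, the following Go program shows the two halves of
non-repudiation described above using Ed25519 signatures from Go's
standard library: the sender signs the transaction bytes (proof of
origin) and the recipient signs a receipt bound to the SHA-256 of what
arrived (proof of delivery). The party names, the transaction string
and the shared key are constructed for the example. The HMAC function
at the end is included for contrast: a tag under a key both sides hold
cannot serve as proof of origin, because the recipient could have
produced it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is one side of a transaction. Only the owner holds priv, so a
// signature made with it is evidence that this party, and no one else,
// produced the signed bytes. Pub is what the other side uses to check it.
type Party struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewParty creates a fresh Ed25519 key pair for the named party.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, Pub: pub}, nil
}

// SignOrigin produces proof of origin: the sender signs the exact
// transaction bytes. The sender cannot later credibly deny sending them,
// because nobody else could have made a signature that checks under Pub.
func (p *Party) SignOrigin(tx []byte) []byte {
	return ed25519.Sign(p.priv, tx)
}

// SignReceipt produces proof of delivery: the recipient signs a receipt
// that binds the SHA-256 of what arrived. The sender keeps this so the
// recipient cannot later deny having received that specific transaction.
func (p *Party) SignReceipt(tx []byte) (receipt, sig []byte) {
	h := sha256.Sum256(tx)
	receipt = []byte("received:" + hex.EncodeToString(h[:]))
	return receipt, ed25519.Sign(p.priv, receipt)
}

// Verify checks a signature against a public key. A third party (auditor,
// court) can run this without holding any secret, which is what makes the
// evidence usable in a dispute.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// SharedKeyTag shows the contrast: an HMAC under a key both sides hold
// proves integrity and that one of the two key holders produced it, but
// not which one. The recipient could compute the identical tag, so it is
// not proof of origin.
func SharedKeyTag(key, tx []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(tx)
	return m.Sum(nil)
}

func main() {
	alice, _ := NewParty("Alice")
	bob, _ := NewParty("Bob")

	// Constructed sample transaction; not taken from any real system.
	tx := []byte("transfer 1000.00 from acct 12345 to acct 67890")

	sig := alice.SignOrigin(tx)
	fmt.Println("origin verifies under Alice's key:", Verify(alice.Pub, tx, sig))
	fmt.Println("origin verifies under Bob's key:  ", Verify(bob.Pub, tx, sig))

	receipt, rsig := bob.SignReceipt(tx)
	fmt.Println("receipt verifies under Bob's key:  ", Verify(bob.Pub, receipt, rsig))

	// Shared-key MAC: both holders compute the identical tag (constructed key).
	key := []byte("constructed-shared-key")
	fmt.Println("HMAC tags equal for both holders:  ",
		hmac.Equal(SharedKeyTag(key, tx), SharedKeyTag(key, tx)))
}
```

One caveat the FDIC text implies but does not spell out: the signatures
only bind the parties if each private key was never shared and the
public keys were distributed through a trusted channel. A sender who can
plausibly claim the key was stolen weakens the proof, which is why key
custody controls sit behind any non-repudiation claim.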
Access Control / System Design
Establishing a link between a bank's internal network and the
Internet can create a number of additional access points into the
internal operating system. Furthermore, because the Internet is
global, unauthorized access attempts might be initiated from
anywhere in the world. These factors present a heightened risk to
systems and data, necessitating strong security measures to control
access. Because the security of any network is only as strong as its
weakest link, the functionality of all related systems must be
protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds;
compromised data confidentiality; denial of service (system
failures); a damaged public image; and resulting legal implications.
Perpetrators may include hackers, unscrupulous vendors, former or
disgruntled employees, or even agents of espionage.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
SUBPART C - Exception to Opt Out Requirements for Service
Providers and Joint Marketing
47. If the institution discloses nonpublic personal information to
a nonaffiliated third party without permitting the consumer to opt
out, do the opt out requirements of §7 and §10, and the revised
notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial notice;
[§13(a)(1)(i)] and
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes?
[§13(a)(1)(ii)]