FYI -
The Top 10 Data Breaches of 2007 - Stolen hard drives,
websites infected with malware and Social Security numbers as
passwords--the most brilliant lunacy of a year full of security
disclosures.
http://www2.csoonline.com/exclusives/column.html?CID=33366
FYI -
Test feds' info security savvy, report suggests - A majority of
federal workers continue to violate information security policies
despite being aware of threats to agency systems and knowing the
importance of following data security policies, a survey by
SecureInfo found.
http://www.fcw.com/online/news/151066-1.html?topic=security
FYI -
Rogue servers point users to impostor sites - Researchers have
uncovered a large network of rogue servers that threatens end users
by silently feeding them counterfeit versions of trusted websites.
http://www.theregister.co.uk/2007/12/11/dns_liar_attack/print.html
FYI -
Data breach prompts Ohio pact with McAfee for SafeBoot - Still
reeling from a massive data breach caused by a stolen backup tape,
the state of Ohio is planning to provide government agencies and
schools with access to encryption software in 2008 to help protect
sensitive data.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9052304&taxonomyId=19&intsrc=kc_top
FYI -
Commercial banking accounts targeted by Prg trojan variant - UpLevel,
a Russian criminal organization, and its German affiliates are using
a version of the Prg trojan to attack commercial banking clients,
according to anti-virus vendor SecureWorks.
http://www.scmagazineus.com/SecureWorks-Commercial-banking-accounts-targeted-with-Prg-trojan-variant/article/99951/
FYI -
Insurer gets record fine for ID theft disaster - $6.6 million lifted
by social engineers while firm did next to nothing - A U.K.
insurance house has been slapped with a record fine by the Financial
Services Authority (FSA) watchdog for incompetent customer account
security.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9053298&source=rss_topic17
FYI -
Bank a/c hacker nabbed - In a major breakthrough, Karnataka's Cyber
Crime police of the Corps of Detectives (CoD) arrested seven
persons, who allegedly hacked various bank accounts (internet) and
siphoned off close to Rs 12 lakh.
The kingpin of the racket, Joseph, an unemployed techie hailing from
Virudunagar in Madurai district of Tamil Nadu, was nabbed from a
cyber cafe in Mahadevapura near Whitefield by the police on November
29. Six of his associates have also been nabbed.
http://www.business-standard.com/common/storypage_c.php?leftnm=10&autono=307570
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
UK.gov loses driver ID data - Unencrypted computer discs containing
the names and addresses of 6,000 Northern Ireland motorists have gone
missing in the post.
http://www.theregister.co.uk/2007/12/11/driver_data_discs_disaster/print.html
FYI -
Stolen laptop holds private information - Sutter Lakeside Hospital (SLH)
reported Monday that a laptop computer containing personal and
medical information of approximately 45,000 former patients,
employees and physicians has been stolen from the residence of a
contractor. It has not been recovered.
http://www.record-bee.com/local/ci_7687954
FYI -
Deloitte partner, principal confidential information on stolen
laptop - A laptop containing the personal information of an
undisclosed number of Deloitte & Touche partners, principals and
other employees was stolen while in possession of a contractor
responsible for scanning the accounting firm's pension fund
documents, SCMagazineUS.com learned.
http://www.scmagazineus.com/Deloitte-partner-principal-confidential-information-on-stolen-laptop/article/99945/
FYI -
'Sensitive' security data is lost - Electronic details of the new
security system protecting Parliament have been lost, sparking a
Commons security alert.
http://www.telegraph.co.uk/news/main.jhtml?view=DETAILS&grid=&xml=/news/2007/12/17/npols517.xml
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
multiple-page advertisements.
INFORMATION TECHNOLOGY SECURITY - We begin our series on the FFIEC
interagency Information Security Booklet. This booklet is required
reading for anyone involved in information systems security, such as
the Network Administrator, Information Security Officer, members of
the IS Steering Committee, and most importantly your outsourced
network security consultants. Your outsourced network security
consultants can receive the "Internet Banking News" by completing the
subscription form at https://yennik.com/newletter_page.htm.
There is no charge for the e-newsletter.
SECURITY OBJECTIVES
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT)-related risks to the
organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving
to accomplish the following objectives.
1) Availability - The ongoing availability of systems addresses the
processes, policies, and controls used to ensure authorized users
have prompt access to information. This objective protects against
intentional or accidental attempts to deny legitimate users access
to information and/or systems.
2) Integrity of Data or Systems - System and data integrity relate
to the processes, policies, and controls used to ensure information
has not been altered in an unauthorized manner and that systems are
free from unauthorized manipulation that will compromise accuracy,
completeness, and reliability.
3) Confidentiality of Data or Systems - Confidentiality covers the
processes, policies, and controls employed to protect information of
customers and the institution against unauthorized access or use.
4) Accountability - Clear accountability involves the processes,
policies, and controls necessary to trace actions to their source.
Accountability directly supports non-repudiation, deterrence,
intrusion prevention, intrusion detection, recovery, and legal
admissibility of records.
5) Assurance - Assurance addresses the processes, policies, and
controls used to develop confidence that technical and operational
security measures work as intended. Assurance levels are part of the
system design and include availability, integrity, confidentiality,
and accountability. Assurance highlights the notion that secure
systems provide the intended functionality while preventing
undesired actions.
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counter party, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
clarification.
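The paragraph above says non-repudiation is produced by combining integrity with accountability: the institution must be able to show who originated a transaction, that it reached the intended counterparty, and that nothing changed in transit or storage. The following Go program is an added example written for this newsletter, not FFIEC or any vendor's code; it assumes a hypothetical key registry that maps a customer identity to an Ed25519 public key (the constructed identities "customer-4711" and "payee-bank-0042" are sample values). It signs a transaction record, verifies the genuine copy, and shows that a copy altered in storage fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the record the originator signs. Every field the
// counterparty relies on is covered by the signature, so a change in
// transit or in storage invalidates it (the integrity objective).
type Transaction struct {
	Originator  string `json:"originator"`   // identity bound to a registered key (accountability)
	Recipient   string `json:"recipient"`    // intended counterparty
	AmountCents int64  `json:"amount_cents"`
	Timestamp   string `json:"timestamp"`    // RFC 3339, supplied by the originator
	Nonce       string `json:"nonce"`        // makes an otherwise identical record unique
}

// SignedTransaction carries the record together with the originator's signature.
type SignedTransaction struct {
	Record    Transaction
	Signature []byte
}

// canonical produces deterministic bytes for signing. encoding/json emits
// struct fields in declaration order, so signer and verifier derive the same bytes.
func canonical(t Transaction) ([]byte, error) {
	return json.Marshal(t)
}

// Sign produces the originator's Ed25519 signature over the canonical record.
func Sign(priv ed25519.PrivateKey, t Transaction) (SignedTransaction, error) {
	msg, err := canonical(t)
	if err != nil {
		return SignedTransaction{}, err
	}
	return SignedTransaction{Record: t, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify checks the three properties the newsletter lists: the originator is
// who the record names (the key registered to that name verifies), the
// recipient is the intended counterparty, and the record is unchanged.
func Verify(registry map[string]ed25519.PublicKey, st SignedTransaction, expectedRecipient string) error {
	pub, ok := registry[st.Record.Originator]
	if !ok {
		return errors.New("originator has no registered key")
	}
	if st.Record.Recipient != expectedRecipient {
		return errors.New("recipient is not the intended counterparty")
	}
	msg, err := canonical(st.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, st.Signature) {
		return errors.New("signature does not verify: record altered or wrong signer")
	}
	return nil
}

// Demo runs the flow end to end with a constructed identity and record and
// reports whether the genuine and the tampered copies verify.
func Demo() (genuineOK bool, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Hypothetical key registry: the institution enrolled this key for this customer.
	registry := map[string]ed25519.PublicKey{"customer-4711": pub}
	tx := Transaction{
		Originator: "customer-4711", Recipient: "payee-bank-0042",
		AmountCents: 125000, Timestamp: "2007-12-17T09:30:00Z", Nonce: "c0ffee01",
	}
	st, err := Sign(priv, tx)
	if err != nil {
		return false, false, err
	}
	genuineOK = Verify(registry, st, "payee-bank-0042") == nil

	// A copy altered in storage: the amount gains a zero but the signature is unchanged.
	tampered := st
	tampered.Record.AmountCents = 1250000
	tamperedOK = Verify(registry, tampered, "payee-bank-0042") == nil
	return genuineOK, tamperedOK, nil
}

func main() {
	g, t, err := Demo()
	fmt.Println("genuine verifies:", g, "tampered verifies:", t, "error:", err)
}
```

The signature alone does not settle the legal question the paragraph ends on; what it gives the institution is evidence it can produce: the record, the signature, and the enrolment that ties the key to the customer.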
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration
1. Evaluate the adequacy of policies and procedures for authentication
and access controls to manage effectively the risks to the financial
institution.
• Evaluate the processes that management uses to define access
rights and privileges (e.g., software and/or hardware systems
access) and determine if they are based upon business need
requirements.
• Review processes that assign rights and privileges and ensure
that they take into account and provide for adequate segregation of
duties.
• Determine if access rights are the minimum necessary for
business purposes. If greater access rights are permitted, determine
why the condition exists and identify any mitigating issues or
compensating controls.
• Ensure that access to operating systems is based on either a
need-to-use or an event-by-event basis.
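Two of the checks above, that rights are the minimum necessary for the business need and that they preserve segregation of duties, can be run mechanically against an entitlement export. The Go program below is an added example for this newsletter, not an FFIEC tool; the roles, privileges, user list and conflict pairs are all constructed sample data, and a real review would load them from the institution's access-control system and its own policy.

```go
package main

import (
	"fmt"
	"sort"
)

// Grant is one entitlement as exported from an access-control system.
type Grant struct{ User, Privilege string }

// Finding is one item for the reviewer: excess access or a duties conflict.
type Finding struct{ User, Kind, Detail string }

// roleNeeds is the business-need baseline (constructed): the privileges each
// role is entitled to. Anything a user holds outside their role is excess.
var roleNeeds = map[string][]string{
	"teller":   {"core:view-account", "core:post-deposit"},
	"wire-ops": {"core:view-account", "wire:initiate"},
	"wire-mgr": {"core:view-account", "wire:approve"},
}

// sodConflicts lists privilege pairs one person must not hold together
// (constructed policy: whoever initiates a wire must not also approve it).
var sodConflicts = [][2]string{
	{"wire:initiate", "wire:approve"},
	{"core:post-deposit", "core:reverse-deposit"},
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Review compares grants with the role baseline and the conflict table and
// returns findings sorted by user, then detail, so output is stable.
func Review(grants []Grant, userRole map[string]string) []Finding {
	held := map[string]map[string]bool{} // user -> privileges actually held
	var out []Finding
	for _, g := range grants {
		if held[g.User] == nil {
			held[g.User] = map[string]bool{}
		}
		held[g.User][g.Privilege] = true
		role := userRole[g.User] // unknown user => "" role => every grant is excess
		if !contains(roleNeeds[role], g.Privilege) {
			out = append(out, Finding{g.User, "excess",
				fmt.Sprintf("%s is not required by role %q", g.Privilege, role)})
		}
	}
	users := make([]string, 0, len(held))
	for u := range held {
		users = append(users, u)
	}
	sort.Strings(users)
	for _, u := range users {
		for _, c := range sodConflicts {
			if held[u][c[0]] && held[u][c[1]] {
				out = append(out, Finding{u, "sod", c[0] + " together with " + c[1]})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Detail < out[j].Detail
	})
	return out
}

// SampleGrants and SampleRoles are constructed data: alice is clean, bob can
// both initiate and approve wires, carol holds a teller privilege she does not need.
func SampleGrants() []Grant {
	return []Grant{
		{"alice", "core:view-account"}, {"alice", "core:post-deposit"},
		{"bob", "core:view-account"}, {"bob", "wire:initiate"}, {"bob", "wire:approve"},
		{"carol", "core:view-account"}, {"carol", "wire:approve"}, {"carol", "core:post-deposit"},
	}
}

func SampleRoles() map[string]string {
	return map[string]string{"alice": "teller", "bob": "wire-ops", "carol": "wire-mgr"}
}

func main() {
	for _, f := range Review(SampleGrants(), SampleRoles()) {
		fmt.Printf("%-6s %-6s %s\n", f.User, f.Kind, f.Detail)
	}
}
```

An excess finding is where the examiner's question "why does the condition exists and what compensating controls apply" starts; the tool only surfaces it, the answer has to come from the business owner.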
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information
to a nonaffiliated third party under §13, and no exception under §14
or §15 applies, a separate statement of the categories of
information the institution discloses and the categories of third
parties with whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s)
of opt out that the consumer can use at the time of the notice; [§6(a)(6)]
g) any disclosures that the institution makes under §603(d)(2)(A)(iii)
of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information; [§6(a)(8)] and
i) a general statement--with no specific reference to the
exceptions or to the third parties--that the institution makes
disclosures to other nonaffiliated third parties as permitted by
law? [§6(a)(9), (b)]