R. Kinney Williams & Associates

Internet Banking News

May 16, 2004

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy


FYI - GAO - Federal Reserve Banks: Areas for Improvement in Computer Controls. 
http://www.gao.gov/new.items/d04672r.pdf

FYI - This enforcement action has a section on IT that you may find interesting: The Federal Reserve Board on Friday announced the execution of a Written Agreement by and among Putnam-Greene Financial Corporation, Eatonton, Georgia; The Citizens Bank of Cochran, Cochran, Georgia; the Banking Commissioner of the State of Georgia, Atlanta, Georgia; and the Federal Reserve Bank of Atlanta.
www.federalreserve.gov/boarddocs/press/Enforcement/2004/200405142/default.htm 

FYI - Security breaches drive customers away - Companies whose IT networks suffer a security breach risk losing a large slice of revenue as their customers lose trust and move elsewhere.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39153693-39020375t-10000025c

FYI - Security Policy a Paper Tiger - Ignored security policies result in problems ranging from rogue access points to inadequate incident response.
http://www.computerworld.com/printthis/2004/0,4814,92946,00.html

FYI - Extended Enforcement - Companies are using compliance tools to ensure that security policies are followed at network endpoints.
http://www.computerworld.com/printthis/2004/0,4814,92943,00.html

FYI - NIST offers guidelines for securing VOIP - Voice over IP technology offers potential cost savings and increased functionality, but it also may introduce new security headaches for systems administrators, the National Institute of Standards and Technology has warned.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25844

FYI - Firms failing to deploy proper audit trails, warns security study - Few companies have the proper audit trails in place to get convictions against hackers, according to security firm NTA Monitor.
http://www.vnunet.com/News/1154909

FYI - Hacker Accesses UCSD Computers - About 380,000 University of California San Diego students, alumni, applicants, staff and faculty are being warned that a hacker may have had access to their personal information.
http://www.thesandiegochannel.com/technology/3276449/detail.html


INTERNET COMPLIANCE - Part 1 of 3 - FDIC's "Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes," published March 12, 2004.

E-mail and Internet-related fraudulent schemes, such as "phishing" (pronounced "fishing"), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.

In most phishing schemes, the fraudulent e-mail message will request that recipients "update" or "validate" their financial or personal information in order to maintain their accounts, and direct them to a fraudulent Web site that may look very similar to the Web site of the legitimate business. These Web sites may include copied or "spoofed" pages from legitimate Web sites to further trick consumers into thinking they are responding to a bona fide request. Some consumers will mistakenly submit financial and personal information to the perpetrator who will use it to gain access to financial records or accounts, commit identity theft or engage in other illegal acts.

The Federal Deposit Insurance Corporation (FDIC) and other government agencies have also been "spoofed" in the perpetration of e-mail and Internet-related fraudulent schemes. For example, in January 2004, a fictitious e-mail message that appeared to be from the FDIC was widely distributed, and it told recipients that their deposit insurance would be suspended until they verified their identity. The e-mail message included a hyperlink to a fraudulent Web site that looked similar to the FDIC's legitimate Web site and asked for confidential information, including bank account information.
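As an added illustration that is not part of the FDIC guidance or this newsletter, the Go program below checks a message for three of the indicators described above: a "from" address whose domain disagrees with the Reply-To or Return-Path header, a link whose visible text names a different host than its real target, and a request to "verify" or "update" information that links away from the sender's own domain. The two messages, the sender domain examplebank.com and the address 203.0.113.7 are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one phishing indicator found in a message.
type Finding struct {
	Rule, Detail string
}

var anchorRe = regexp.MustCompile(`(?is)<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
var tagRe = regexp.MustCompile(`<[^>]+>`) // strips nested tags from anchor text

// hostOf returns the lower-cased host of a URL or bare domain ("" if it is not one).
func hostOf(s string) string {
	s = strings.TrimSpace(s)
	if !strings.Contains(s, "://") {
		s = "http://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// domainOf returns the lower-cased domain of an RFC 5322 address header ("" if absent or malformed).
func domainOf(header string) string {
	a, err := mail.ParseAddress(header)
	if err != nil {
		return ""
	}
	return strings.ToLower(a.Address[strings.LastIndex(a.Address, "@")+1:])
}

// CheckMessage parses a raw message and reports: a From domain that disagrees with
// Reply-To or Return-Path (a false "from" address), a link whose visible text names a
// host other than its real target, and a verify/update request that links off-domain.
func CheckMessage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	body, _ := io.ReadAll(msg.Body) // reading from an in-memory string cannot fail
	var out []Finding
	fromDom := domainOf(msg.Header.Get("From"))
	for _, h := range []string{"Reply-To", "Return-Path"} {
		if d := domainOf(msg.Header.Get(h)); d != "" && d != fromDom {
			out = append(out, Finding{"header-mismatch", fmt.Sprintf("From is %s but %s is %s", fromDom, h, d)})
		}
	}
	lower := strings.ToLower(string(body))
	asksForData := strings.Contains(lower, "verify") || strings.Contains(lower, "update") || strings.Contains(lower, "suspend")
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		target := hostOf(m[1])
		visible := strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		// Anchor text that itself looks like a URL or domain must agree with the real target.
		if strings.Contains(visible, ".") && !strings.Contains(visible, " ") {
			if vh := hostOf(visible); vh != "" && vh != target {
				out = append(out, Finding{"link-text-mismatch", fmt.Sprintf("text shows %s, href goes to %s", vh, target)})
			}
		}
		if asksForData && target != "" && target != fromDom && !strings.HasSuffix(target, "."+fromDom) {
			out = append(out, Finding{"offsite-data-request", fmt.Sprintf("verify/update request links to %s, not %s", target, fromDom)})
		}
	}
	return out, nil
}

// SampleMessage is a constructed phishing message of the kind the guidance describes;
// examplebank.com and 203.0.113.7 are placeholders, not real parties.
const SampleMessage = "From: Customer Service <alerts@examplebank.com>\r\n" +
	"Reply-To: <support@examplebank-verify.net>\r\n" +
	"Subject: Please verify your account\r\nContent-Type: text/html\r\n\r\n" +
	"<html><body>Your account will be suspended unless you verify it within 48 hours: " +
	"<a href=\"http://203.0.113.7/login\">https://www.examplebank.com/verify</a></body></html>\r\n"

// CleanMessage is a constructed legitimate notice from the same sender, for contrast.
const CleanMessage = "From: Customer Service <alerts@examplebank.com>\r\n" +
	"Subject: Your statement is available\r\nContent-Type: text/html\r\n\r\n" +
	"<p>Your May statement is ready: <a href=\"https://online.examplebank.com/statements\">View statement</a></p>\r\n"

func main() {
	for _, raw := range []string{SampleMessage, CleanMessage} {
		findings, _ := CheckMessage(raw) // constructed input, cannot fail to parse
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Printf("  %-20s %s\n", f.Rule, f.Detail)
		}
	}
}
```

Matching on the words "verify", "update" and "suspend" is a coarse heuristic chosen to mirror the wording the guidance quotes; a mail gateway would combine checks like these with sender authentication (SPF, DKIM) and sender reputation rather than rely on message text alone.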





INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


ENCRYPTION KEY MANAGEMENT

Since the security of an encrypted system rests on the secrecy of its encryption keys, effective key management is crucial. Effective key management systems are based on an agreed set of standards, procedures, and secure methods that address

! Generating keys for different cryptographic systems and different applications;
! Generating and obtaining public keys;
! Distributing keys to intended users, including how keys should be activated when received;
! Storing keys, including how authorized users obtain access to keys;
! Changing or updating keys, including rules on when keys should be changed and how this will be done;
! Dealing with compromised keys;
! Revoking keys and specifying how keys should be withdrawn or deactivated;
! Recovering keys that are lost or corrupted as part of business continuity management;
! Archiving keys;
! Destroying keys;
! Logging and auditing key management-related activities; and
! Instituting defined activation and deactivation dates, limiting the usage period of keys.

Secure key management systems are characterized by the following precautions.

! Key management is fully automated (e.g. personnel do not have the opportunity to expose a key or influence the key creation).
! No key ever appears unencrypted outside the cryptographic module that uses it.
! Keys are randomly chosen from the entire key space, preferably by hardware (a hardware or operating-system cryptographic random number generator, never a general-purpose pseudo-random function seeded from the time or a password).
! Key-encrypting keys are separate from data keys. No data ever appears in clear text that was encrypted using a key-encrypting key. (A key-encrypting key is used to encrypt other keys, securing them from disclosure.)
! All patterns in clear text are disguised before encrypting; for block ciphers this means a mode of operation with a fresh IV or nonce per message rather than ECB, which leaves repeated plaintext blocks visible as repeated ciphertext blocks.
! Keys with a long life are sparsely used. The more a key is used, the greater the opportunity for an attacker to collect ciphertext under it and to discover the key.
! Keys are changed frequently. The cost of changing keys rises linearly with the number of changes, while each change bounds the volume of data protected by any one key and the window during which a compromised key is useful; all other factors being equal, an attacker who recovers one key gains only the data protected during that key's life.
! Keys that are transmitted are sent securely to well-authenticated parties.
! Key generating equipment is physically and logically secure from construction through receipt, installation, operation, and removal from service.
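The Go program below is an added example, not part of the FFIEC booklet or this newsletter, showing several of the precautions above in working code: data-encrypting keys are drawn from the operating system's cryptographic random source, stored only wrapped under a separate key-encrypting key (AES-256-GCM, with the key's identifier bound as associated data so a wrapped blob cannot be swapped between records), released only inside their activation window and only while not revoked, and every key management event, including refused requests, is appended to an audit trail. The KeyManager type, the key identifiers and the lifetimes are assumptions of the example; a production system would keep the key-encrypting key inside a hardware security module rather than in a byte slice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// DataKey is stored wrapped only: nonce || AES-GCM(KEK, DEK), with the key ID as
// associated data so a wrapped blob cannot be swapped between records.
type DataKey struct {
	ID                   string
	Wrapped              []byte
	Activate, Deactivate time.Time
	Revoked              bool // compromised or withdrawn: never served again
}

// KeyManager owns the key-encrypting key (KEK) and an append-only audit trail.
type KeyManager struct {
	kek   cipher.AEAD
	keys  map[string]*DataKey
	Audit []string
	now   func() time.Time // injected clock so activation windows can be tested
}

// NewKeyManager takes a 32-byte KEK (AES-256); in production the KEK lives in an HSM.
func NewKeyManager(kekMaterial []byte, now func() time.Time) (*KeyManager, error) {
	block, err := aes.NewCipher(kekMaterial)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &KeyManager{kek: aead, keys: map[string]*DataKey{}, now: now}, nil
}

func (m *KeyManager) log(event, id string) {
	m.Audit = append(m.Audit, fmt.Sprintf("%s key=%s", event, id))
}

// Generate draws a 256-bit DEK and a fresh nonce from the OS CSPRNG, wraps the DEK under the KEK, zeroises the clear copy and fixes the activation window.
func (m *KeyManager) Generate(id string, lifetime time.Duration) (*DataKey, error) {
	dek, nonce := make([]byte, 32), make([]byte, m.kek.NonceSize())
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped := m.kek.Seal(nonce, nonce, dek, []byte(id)) // nonce || ciphertext || tag
	for i := range dek {
		dek[i] = 0
	}
	start := m.now()
	k := &DataKey{ID: id, Wrapped: wrapped, Activate: start, Deactivate: start.Add(lifetime)}
	m.keys[id] = k
	m.log("generate", id)
	return k, nil
}

// Unwrap releases the clear DEK only for a known, unrevoked key inside its window; every refusal is logged.
func (m *KeyManager) Unwrap(id string) ([]byte, error) {
	k, ok := m.keys[id]
	if !ok || k.Revoked {
		m.log("unwrap-denied", id)
		return nil, errors.New("key unknown or revoked")
	}
	if t := m.now(); t.Before(k.Activate) || !t.Before(k.Deactivate) {
		m.log("unwrap-denied-window", id)
		return nil, errors.New("key outside its activation window")
	}
	dek, err := m.kek.Open(nil, k.Wrapped[:m.kek.NonceSize()], k.Wrapped[m.kek.NonceSize():], []byte(id))
	if err != nil {
		return nil, err // tampered blob or wrong KEK: GCM authentication failed
	}
	m.log("unwrap", id)
	return dek, nil
}

// Revoke handles a compromised key: the wrapped blob stays archived but is never served again.
func (m *KeyManager) Revoke(id string) {
	if k, ok := m.keys[id]; ok && !k.Revoked {
		k.Revoked = true
		m.log("revoke", id)
	}
}

func main() {
	kek := make([]byte, 32)
	rand.Read(kek) // demo KEK for the example; a real KEK never leaves the HSM
	m, _ := NewKeyManager(kek, time.Now)
	m.Generate("dek-2004-05", 30*24*time.Hour)
	dek, err := m.Unwrap("dek-2004-05")
	m.Revoke("dek-2004-05")
	_, err2 := m.Unwrap("dek-2004-05")
	fmt.Println(len(dek), err, err2, m.Audit)
}
```

Unwrap hands the caller the clear data key; in a real design the data key would be used only inside the cryptographic module and its clear bytes zeroised after use, and the wrapped blobs would be persisted with their metadata rather than held in a map, so that archived and revoked keys survive a restart for later recovery of old data.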



IT SECURITY QUESTION:

E. PHYSICAL SECURITY

4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance. Consider the use of halon gas, computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

45.  If the institution receives information from a nonaffiliated financial institution other than under an exception in 14 or 15, does the institution refrain from disclosing the information except:

a.  to the affiliates of the financial institution from which it received the information; [11(b)(1)(i)]

b.  to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [11(b)(1)(ii)] and

c.  to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [11(b)(1)(iii)]  

IN CLOSING - The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notification, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  Drawing on more than 40 years of experience as a former bank examiner, we audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist you.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated