R. Kinney Williams & Associates

Internet Banking News

June 13, 2004

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy; Website for Penetration Testing


FYI - Online Crime Costs Rising - Online criminals are attacking corporate and government networks more frequently, costing businesses an estimated $666 million in 2003, according to a survey of computer security executives released today.   http://www.securityfocus.com/printable/news/8767

FYI - FDIC faulted for weak security - The federal agency that insures U.S. bank deposits suffers from network security holes that make it vulnerable to cyber thieves and saboteurs, a report by congressional investigators concluded Friday.
News story:   http://www.securityfocus.com/printable/news/8796
GAO report:  http://www.gao.gov/new.items/d04630.pdf

FYI - Group wants input on vulnerability reporting guidelines - The Organization for Internet Safety is soliciting comments on its guidelines for reporting and responding to software security vulnerabilities. 
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26045

FYI - GAO Technology Assessment: Cybersecurity for Critical Infrastructure Protection. 
GAO Report:  http://www.gao.gov/new.items/d04321.pdf
Highlights:  http://www.gao.gov/highlights/d04321high.pdf

FYI - GAO Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes.
GAO Report:  http://www.gao.gov/new.items/d04816t.pdf
Highlights:  http://www.gao.gov/highlights/d04816thigh.pdf

FYI - Compliance costly - Keeping pace with ever-more-stringent federal regulations has rocketed to the upper reaches of network executives' concerns, according to the 10th annual Network World 500 survey. http://www.nwfusion.com/news/2004/0607nw500survey.html 

FYI - Missing: A Laptop of DEA Informants - Federal investigators are frantically trying to determine what happened to a missing laptop computer that contains sensitive data on as many as 100 Drug Enforcement Administration investigations around the country, including a wealth of information about many of the agency's confidential informants. http://www.msnbc.msn.com/id/5092991/site/newsweek



INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."

A. RISK DISCUSSION

Introduction

Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.


INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

CONTROLS TO PROTECT AGAINST MALICIOUS CODE

Typical controls to protect against malicious code use technology, policies and procedures, and training. Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or potentially dangerous behavioral characteristics. Differences between products exist in detection capabilities and the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures generally are ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection.

Signature-based anti-virus products scan for unique components of certain known malicious code. Since new malicious code is created daily, the signatures need to be updated continually. Different vendors of anti-virus products update their signatures on different frequencies. When an update appears, installing the update on all of an institution's computers may involve automatically pushing the update to the computers, or requesting users to manually obtain the update.

Heuristic anti-virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code.

Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any Active-X or Java applets. A more refined strategy might block based on certain characteristics of known code.
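The two preceding paragraphs describe signature scanning and blocking executable attachments at the gateway. The following is an added example, not code from the FFIEC booklet or this newsletter, of how a minimal mail-gateway policy combines the two: a constructed block-list of executable and applet extensions (including double extensions such as report.pdf.exe), a content check for the "MZ" header that Windows executables carry regardless of file name, and a byte-pattern signature match using the industry-standard EICAR test string. The policy list, the Attachment/Verdict types and the sample messages are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed block-list in the spirit of "block all executable attachments,
# as well as any Active-X or Java applets"; real gateways carry longer lists.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd",
                      "vbs", "js", "jar", "class", "ocx"}

# Byte patterns a signature scanner matches. EICAR is the benign,
# industry-standard anti-virus test string (not malicious code).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    "EICAR-Test-File": EICAR,
}


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def all_extensions(filename):
    """Return every dotted suffix, so 'report.pdf.exe' yields ['pdf', 'exe']
    and a double extension cannot hide an executable behind a document name."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def scan_attachment(att):
    """Apply the gateway policy to one attachment and explain any block."""
    reasons = []
    if any(ext in BLOCKED_EXTENSIONS for ext in all_extensions(att.filename)):
        reasons.append(f"blocked extension in {att.filename!r}")
    # Content-based check: a PE executable is blocked whatever it is called.
    if att.content.startswith(b"MZ"):
        reasons.append("content has PE executable header")
    # Signature-based check: unique bytes of known code, as the booklet describes.
    for name, sig in SIGNATURES.items():
        if sig in att.content:
            reasons.append(f"signature match: {name}")
    return Verdict(allowed=not reasons, reasons=reasons)


def filter_message(attachments):
    """Return (message_allowed, per-attachment verdicts) for one mail message."""
    verdicts = [scan_attachment(a) for a in attachments]
    return all(v.allowed for v in verdicts), verdicts


if __name__ == "__main__":
    # Constructed sample message: a harmless note plus a renamed executable.
    msg = [Attachment("notes.txt", b"plain text"),
           Attachment("invoice.pdf", b"MZ\x90\x00 not really a pdf")]
    ok, verdicts = filter_message(msg)
    print("message allowed:", ok)
    for a, v in zip(msg, verdicts):
        print(a.filename, "->", "allowed" if v.allowed else v.reasons)
```

The extension check and the content check are deliberately independent: the booklet's point that detection products should not be relied upon alone applies here too, since a file name is attacker-controlled while the header and signature checks look at what the bytes actually are.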

Protection of servers involves examining input from users and only accepting that input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers.
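The paragraph above describes filtering: accepting only the input a server expects. The following is an added example, not from the FFIEC booklet or this newsletter, of an allow-list filter for a constructed fund-transfer form. Every field has an explicit expected shape (ten-digit account numbers, a positive amount in whole cents under a ceiling, a memo drawn from a narrow character set), unexpected or missing fields are rejected, and the validated values are then stored with a parameterised SQL statement so the database never interprets form contents as code. The field names, patterns, MAX_AMOUNT ceiling and the SQLite table are assumptions for illustration.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Allow-list patterns for each expected field (constructed for this example).
ACCOUNT_RE = re.compile(r"^[0-9]{10}$")            # exactly ten digits
MEMO_RE = re.compile(r"^[A-Za-z0-9 .,-]{0,40}$")   # narrow printable subset
MAX_AMOUNT = Decimal("10000.00")                   # hypothetical per-transfer ceiling
EXPECTED_FIELDS = {"from_account", "to_account", "amount", "memo"}


class ValidationError(ValueError):
    """Raised for any input that is not exactly what the form expects."""


def validate_transfer(form):
    """Return a cleaned dict built only from expected, well-formed fields."""
    unexpected = set(form) - EXPECTED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    missing = EXPECTED_FIELDS - set(form)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    for key in ("from_account", "to_account"):
        if not ACCOUNT_RE.fullmatch(form[key]):
            raise ValidationError(f"{key} is not a ten-digit account number")
    try:
        amount = Decimal(form["amount"])
    except InvalidOperation:
        raise ValidationError("amount is not a decimal number")
    # Reject NaN/Infinity, non-positive values, values over the ceiling and
    # anything with more precision than cents.
    if (not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT
            or amount != amount.quantize(Decimal("0.01"))):
        raise ValidationError("amount out of range or not a whole number of cents")
    if not MEMO_RE.fullmatch(form["memo"]):
        raise ValidationError("memo has disallowed characters or is too long")
    return {"from_account": form["from_account"],
            "to_account": form["to_account"],
            "amount": amount,
            "memo": form["memo"]}


def is_valid(form):
    """Convenience wrapper: True if the form passes the filter."""
    try:
        validate_transfer(form)
        return True
    except ValidationError:
        return False


def make_db():
    """In-memory SQLite store for the constructed transfers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (id INTEGER PRIMARY KEY, from_account TEXT,"
                 " to_account TEXT, amount_cents INTEGER, memo TEXT)")
    return conn


def record_transfer(conn, clean):
    """Persist a validated transfer with a parameterised statement; returns row count."""
    conn.execute(
        "INSERT INTO transfers (from_account, to_account, amount_cents, memo)"
        " VALUES (?, ?, ?, ?)",
        (clean["from_account"], clean["to_account"],
         int(clean["amount"] * 100), clean["memo"]),
    )
    return conn.execute("SELECT COUNT(*) FROM transfers").fetchone()[0]


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one with an unexpected memo.
    good = {"from_account": "1234567890", "to_account": "0987654321",
            "amount": "250.00", "memo": "June rent"}
    bad = dict(good, memo="rent'; --")
    conn = make_db()
    print("good accepted:", is_valid(good), "rows:", record_transfer(conn, validate_transfer(good)))
    print("bad accepted:", is_valid(bad))
```

The filter is positive (what is expected) rather than negative (what is known to be bad), which is why it also catches the cases the booklet lists, such as data-changing statements smuggled into a form, without needing a list of attack strings.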

Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only include functions necessary to support operations. See "Systems Development, Acquisition, and Maintenance."

Anti-virus tools and code blocking are not comprehensive solutions. New malicious code could have different signatures, and bypass other controls. Protection against newly developed malicious code typically comes in the form of policies, procedures, and user awareness and training. For example, policies could prohibit the installation of software by unauthorized employees, and regular reviews for unauthorized software could take place. System users could be trained not to open unexpected messages, not to open any executables, and not to allow or accept file transfers in P2P communications. Additional protection may come from disconnecting and isolating networks from each other or from the Internet in the face of a fast-moving malicious code attack.

An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when it recognizes abnormal system behavior, the presence of unexpected files, and changes to other files.
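The host-based detection just described (alerting on unexpected files and on changes to existing files) can be illustrated with a file-integrity check. The following is an added example, not from the FFIEC booklet or this newsletter: it records a SHA-256 baseline of every regular file under a directory and later reports which files were added, removed or modified. The directory layout, file names and simulated events in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old, new):
    """Classify differences between two baselines the way a host IDS alerts:
    unexpected new files, missing files, and files whose contents changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def check_host(root, old):
    """Re-hash root and report drift from the stored baseline."""
    return compare(old, baseline(root))


def demo():
    """Constructed scenario: take a baseline, then plant one unexpected file and
    alter one configuration file, and return what the check reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "config.ini").write_text("debug=0\n")
        snapshot = baseline(root)
        # Simulated events a host IDS should flag.
        (root / "bin" / "unexpected.bin").write_bytes(b"MZ placeholder bytes")
        (root / "config.ini").write_text("debug=1\n")
        return check_host(root, snapshot)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored and verified somewhere the monitored host cannot silently rewrite, otherwise a change to the baseline goes unreported just like a change to the files it covers.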



IT SECURITY QUESTION:

F. PERSONNEL SECURITY

4. Determine if the institution provides to its employees appropriate security training covering the institution's policies and procedures, on an appropriate frequency, and that institution employees certify periodically as to their understanding and awareness of the policy and procedures.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

49.  If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:

a.  required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [14(b)(1)] or

b.  required, or is a usual, appropriate, or acceptable method to: [14(b)(2)]

  1.  carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [14(b)(2)(i)]
  2.  administer or service benefits or claims; [14(b)(2)(ii)]
  3.  confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [14(b)(2)(iii)]
  4.  accrue or recognize incentives or bonuses; [14(b)(2)(iv)]
  5.  underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [14(b)(2)(v)] or
  6.  in connection with:
      i.  the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [14(b)(2)(vi)(A)]
      ii.  the transfer of receivables, accounts or interests therein; [14(b)(2)(vi)(B)] or
      iii.  the audit of debit, credit, or other payment information? [14(b)(2)(vi)(C)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


