R. Kinney Williams & Associates®

Internet Banking News

October 10, 2004
With more than 40 years of auditing only financial institutions, my experience in testing your Internet connection for vulnerabilities and understanding your IT operation is unmatched. Visit http://www.internetbankingaudits.com/ for more detailed information.



FYI - Electronic Consumer Disclosures and Notices - This advisory letter highlights issues that should be considered by national banks that provide electronic consumer disclosures. The failure to provide such electronic disclosures in a proper manner can expose the bank to significant compliance, transaction, and reputation risk. www.occ.treas.gov/ftp/advisory/2004-11.txt

FYI - The risks of outsourcing - What if you learned that your closest competitor had an indirect network connection to your company? Would you be worried? If you outsource any aspect of your company's functions, and that outsourcing vendor has your competitor as a customer, an indirect link may exist. http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=3353b706-80a9-41b5-85a4-34eec3509843&newsType=Opinion

FYI - Following protocol - The virtual private network (VPN) is now a widely accepted feature of corporate IT security - and SSL is gaining on the established IPSec standard as the most popular VPN security protocol. How do they stack up? http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=6bd04576-dac1-4747-8e12-bb5713234f70&newsType=Opinion

FYI - Virus-obsessed firms ignore insider risk - Company chiefs are aware of the threats of information security breaches posed by their employees, but are failing to safeguard their assets against insider attack. Keeping control of security will only get more difficult as organisations move toward increasingly decentralised business models through outsourcing and other external partnerships, Ernst & Young's 2004 Information Security Survey warns. http://www.theregister.co.uk/2004/09/23/insider_risk/print.html

FYI - HFC bank loses its marbles over customer CC details - Customers of HFC Bank, a subsidiary of HSBC, are threatening legal action after an "operator error" exposed personal information in emails from the bank. http://www.theregister.co.uk/2004/09/27/e-bank_email_blunder/print.html

FYI - Bank Fraud - FBI Announces Operation Continued Action Targeting Financial Institution Fraud - The Federal Bureau of Investigation has published developments in a nationwide enforcement operation directed at organized groups and individuals engaged in financial institution fraud. www.fdic.gov/news/news/financial/2004/fil11104.html

FYI - FDIC, Federal Banking Agencies and Treasury Enter Agreement to Strengthen BSA Compliance - The Federal Deposit Insurance Corporation announced today that it has partnered with the U.S. Department of the Treasury's Financial Crimes Enforcement Network and other federal banking regulators in a Memorandum of Understanding that will enhance information-sharing procedures between FinCEN and the regulatory agencies and strengthen compliance with the Bank Secrecy Act. www.fdic.gov/news/news/press/2004/pr10204.html

INTERNET COMPLIANCE - Flood Disaster Protection Act

The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.

INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 1 of 4)

Automated intrusion detection systems (IDS) use one of two methodologies: signature-based or heuristic. An IDS can target either network traffic or a host. The signature-based methodology is generally used on network traffic. An IDS that uses a signature-based methodology reads network packets and compares the content of the packets against signatures, or unique characteristics, of known attacks and known anomalous network traffic. When a match is recognized between current readings and a signature, the IDS generates an alert.

A general weakness in the signature-based detection method is that a signature must exist for an alert to be generated. Attacks that generate different signatures from what the institution includes in its IDS will not be detected. This problem can be particularly acute if the institution does not continually update its signatures to reflect lessons learned from attacks on itself and others, as well as developments in attack tool technologies. It can also pose problems when the signatures only address known attacks, rather than both known attacks and anomalous traffic. Another general weakness is in the capacity of the IDS to read traffic. If the IDS falls behind in reading network traffic, traffic may be allowed to bypass the IDS. That traffic may contain attacks that would otherwise cause the IDS to issue an alert.
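As an added illustration (not from the FFIEC booklet or this newsletter), a minimal signature-based IDS in Python run over constructed packets. It shows the three points above: an alert when a payload matches a signature, the same attack slipping past when its encoding differs from the signature on file, the sensor exhausting its inspection capacity so later packets bypass it, and the signature update that closes the gap. The signatures, packets and addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative signatures: a regex over the packet payload that
# captures the unique characteristic of a known attack. Not a real IDS ruleset.
SIGNATURES = {
    "http-dir-traversal": re.compile(rb"\.\./\.\./"),
    "ftp-site-exec": re.compile(rb"\bSITE EXEC\b", re.IGNORECASE),
}

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

def match_signatures(pkt, signatures=SIGNATURES):
    """Names of every signature whose pattern occurs in the packet payload."""
    return [name for name, pat in signatures.items() if pat.search(pkt.payload)]

def inspect(packets, signatures=SIGNATURES, capacity=None):
    """Run the signature check over a packet stream; return (alerts, bypassed).

    capacity models the sensor's inspection budget for the interval: packets
    beyond it are forwarded without being read, the bypass weakness described
    in the booklet. Each alert is (signature name, source, destination port)."""
    alerts, bypassed = [], 0
    for seen, pkt in enumerate(packets):
        if capacity is not None and seen >= capacity:
            bypassed += 1          # IDS fell behind; this packet is never inspected
            continue
        for name in match_signatures(pkt, signatures):
            alerts.append((name, pkt.src, pkt.dst_port))
    return alerts, bypassed

# Constructed sample traffic. Packet 2 is the same traversal attempt as packet 1
# with the slashes URL-encoded, so the rb"\.\./\.\./" signature does not fire.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("203.0.113.9", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("203.0.113.9", 80, b"GET /..%2f..%2fetc/passwd HTTP/1.0\r\n"),
    Packet("198.51.100.7", 21, b"SITE EXEC ls\r\n"),
]

def updated_signatures():
    """The lessons-learned update: add a signature for the encoded variant."""
    sigs = dict(SIGNATURES)
    sigs["http-dir-traversal-encoded"] = re.compile(rb"\.\.%2[fF]\.\.%2[fF]")
    return sigs
```

Calling inspect(SAMPLE_PACKETS) yields two alerts and no bypass; inspect(SAMPLE_PACKETS, capacity=2) yields one alert with two packets bypassed; inspect(SAMPLE_PACKETS, updated_signatures()) yields three alerts because the encoded variant is now covered.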

Proper placement of network IDS is a strategic decision determined by the information the institution is trying to obtain. Placement outside the firewall will deliver IDS alarms related to all attacks, even those that are blocked by the firewall. With this information, an institution can develop a picture of potential adversaries and their expertise based on the probes they issue against the network.

Because the placement is meant to gain intelligence on attackers rather than to alert on attacks, tuning generally makes the IDS less sensitive than if it is placed inside the firewall. An IDS outside the firewall will generally alert on the greatest number of unsuccessful attacks. IDS monitoring behind the firewall is meant to detect and alert on hostile intrusions. Multiple IDS units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the IDS is to sensitive data, the more important the tuning, monitoring, and response to IDS alerts. The National Institute of Standards and Technology (NIST) recommends network intrusion detection systems "at any location where network traffic from external entities is allowed to enter controlled or private networks."

IT SECURITY QUESTION: INTRUSION DETECTION AND RESPONSE

2. Determine if the IDSs identified as necessary in the risk assessment process are properly installed and configured.

3. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant.

- Identify personnel responsible for defining and setting firewall rulesets and routing controls.
- Review procedures for updating and changing rulesets and routing controls.
- Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit.

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 1 of 3)

A. Through discussions with management and review of available information, identify the institution's information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:

1)  Notices (initial, annual, revised, opt out, short-form, and simplified);

2)  Institutional privacy policies and procedures, including those to: 
     a)  process requests for nonpublic personal information, including requests for aggregated data; 
     b)  deliver notices to consumers; manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders); 
     c)  prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and 
     d)  prevent the unlawful disclosure of account numbers;

3)  Information sharing agreements between the institution and affiliates and service agreements or contracts between the institution and nonaffiliated third parties either to obtain or provide information or services;

4)  Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under section 13 are met and whether the institution is disclosing account number information in violation of section 12);

5)  Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including the data collected electronically through Internet cookies; or through ATM transactions);

6)  Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party; and

7)  Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically.

8)  Records that reflect the bank's categorization of its information sharing practices under Sections 13, 14, 15, and outside of these exceptions.

9)  Results of a 501(b) inspection (used to determine the accuracy of the institution's privacy disclosures regarding data security).

IN CLOSING - Did you know that we offer internal VISTA security testing of your network? To keep your cost affordable, we install our pre-programmed scanner box on your network. To maintain the independent testing required by the examiners, we control the programming and testing procedures. For more information about the VISTA testing options available, please visit http://www.internetbankingaudits.com.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated