R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

October 17, 2004
With more than 40 years auditing only financial institutions, my experience to test your Internet connection for vulnerabilities and understand your IT operation is unmatched.  Visit http://www.internetbankingaudits.com/ for more detailed information.

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - North Korea ready to launch cyber war: report - SEOUL: North Korea has trained more than 500 computer hackers capable of launching cyber warfare against the United States, South Korea's defense ministry says. http://www.channelnewsasia.com/stories/afp_asiapacific/print/109911/1/.html

FYI - Judge disarms Patriot Act proviso - A key part of the USA Patriot Act that allows the FBI to secretly demand information from Internet providers violates the U.S. Constitution, a federal judge said Wednesday in a ruling that could have a broad impact on government surveillance. http://news.com.com/2102-1028_3-5388764.html?tag=st.util.print

FYI - Worldpay struck by online attack - Worldpay handles credit and debit card payments - The internet payment system Worldpay is under attack from unknown hackers, disrupting thousands of online retailers around the world. http://news.bbc.co.uk/2/hi/business/3713174.stm

FYI - Outsourcing firms warned of 'significant cost of security' - International enterprises cannot afford to ignore the potentially serious IT security implications that arise when they decide to outsource core business functions to third party providers, industry analysts have warned. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=d946e652-cbfe-428c-8950-9fcce57d47c1&newsType=Latest%20News

FYI - Online extortion growing more common - Online extortion is rife and that cybercrime is set to get worse, the SANS Institute's research director said Friday. http://news.com.com/Expert+Online+extortion+growing+more+common/2100-7349-5403162.html?part=dht&tag=ntop&tag=nl.e433

Return to the top of the newsletter

INTERNET COMPLIANCE -
Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers.  The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means.  The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s).  The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous."  Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers " and "hotlinks" that will automatically present the disclosures to customers when selected.  A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.


Return to the top of the newsletter

INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems
(IDS) (Part 2 of 4)

"Tuning" refers to the creation of signatures that can distinguish between normal network traffic and potentially malicious traffic. Proper tuning of these IDS units is essential to reliable detection of both known attacks and newly developed attacks. Tuning of some signature - based units for any particular network may take an extended period of time, and involve extensive analysis of expected traffic. If an IDS is not properly tuned, the volume of alerts it generates may degrade the intrusion identification and response capability.

Signatures may take several forms. The simplest form is the URL submitted to a Web server, where certain references, such as cmd.exe, are indicators of an attack. The nature of traffic to and from a server can also serve as a signature. An example is the length of a session and amount of traffic passed. A signature method meant to focus on sophisticated attackers is protocol analysis, when the contents of a packet or session are analyzed for activity that violates standards or expected behavior. That method can catch, for instance, indicators that servers are being attacked using Internet control message protocol (ICMP).

Switched networks pose a problem for network IDS. Switches ordinarily do not broadcast traffic to all ports, and a network IDS may need to see all traffic to be effective. When switches do not have a port that receives all traffic, the financial institution may have to alter their network to include a hub or other device to allow the IDS to monitor traffic.

Encrypted network traffic will drastically reduce the effectiveness of a network IDS. Since a network IDS only reads traffic and does not decrypt the traffic, encrypted traffic will avoid detection.


Return to the top of the newsletter

IT SECURITY QUESTION: 
INTRUSION DETECTION AND RESPONSE

4. Determine whether logs of security-related events are sufficient to assign accountability for intrusion detection system activities, as well as support intrusion forensics and IDS.

5. Determine if logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.

6. Determine if an appropriate process exists to authorize employee access to intrusion detection systems and that authentication and authorization controls limit access to and control the access of authorized individuals.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 2 of 3)

B. Use the information gathered from step A to work through the "Privacy Notice and Opt Out Decision Tree."  Identify which module(s) of procedures is (are) applicable.

C. Use the information gathered from step A to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (Attachments B & C). Identify which module is applicable.

D. Determine the adequacy of the financial institution's internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:

1)  Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;

2)  Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;

3)  Frequency and effectiveness of monitoring procedures;

4)  Adequacy and regularity of the institution's training program;

5)  Suitability of the compliance audit program for ensuring that: 

     a)  the procedures address all regulatory provisions as applicable; 
     b)  the work is accurate and comprehensive with respect to the institution's information sharing practices; 
     c)  the frequency is appropriate; 
     d)  conclusions are appropriately reached and presented to responsible parties; 
     e)  steps are taken to correct deficiencies and to follow-up on previously identified deficiencies; and

6)  Knowledge level of management and personnel.

IN CLOSING - R. Kinney, did you know that we offer internal-VISTA security testing of your network?  To keep your cost affordable, we install our pre-programmed scanner box on your network.  To maintain the independent testing required by the examiners, we control the programming and testing procedures.  For more information about the VISTA testing options available, please visit http://www.internetbankingaudits.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated