R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

October 24, 2004
With more than 40 years auditing only financial institutions, my experience to test your Internet connection for vulnerabilities and understand your IT operation is unmatched.  Visit http://www.internetbankingaudits.com/ for more detailed information.

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - Chinese Authorities Apprehend Online Bank Robber - After eight months on the run, Chinese authorities have announced that the suspected mastermind behind a large online theft from a Chinese bank has been arrested.   http://www.chinatechnews.com/index.php?action=show&type=news&id=1910

FYI - Firms failing on security - GLOBAL corporations are failing to safeguard their information networks against potent threats from viruses, worms and especially their own employees, according to a report by consultancy firm Ernst and Young.  http://australianit.news.com.au/articles/0,7204,10997993%5e15331%5e%5enbv%5e15306-15318,00.html

FYI - Prosecutor leaves crime files on dumped PC - Dutch public prosecutor Joost Tonino was condemned yesterday for putting his old PC out with the trash. It contained sensitive information about criminal investigations in Amsterdam, and also his email address, credit card number, social security number and personal tax files.   http://www.theregister.co.uk/2004/10/08/prosecutor_dumps_pc/

FYI - Fighting New Breeds of Application Vulnerabilities - Database applications house an enterprise's most vital information, fueling business transactions and sitting at the core of most business processes. As such, data availability, integrity, and confidentiality are critical to the success of any enterprise.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5559

FYI -
Civil money penalty against AmSouth Bank of Birmingham - The Financial Crimes Enforcement Network and the Board of Governors of the Federal Reserve System announced today that they have jointly assessed a $10 million civil money penalty against AmSouth Bank of Birmingham, Alabama for its violations of the Bank Secrecy Act. www.federalreserve.gov/boarddocs/press/Enforcement/2004/20041012/default.htm 

FYI -
NCUA - The purpose of this regulatory alert is to inform credit union officials about The Check Clearing for the 21st Century Act, which becomes effective on October 28, 2004. www.ncua.gov/reg_alerts/2004/04-RA-12.pdf 

Return to the top of the newsletter

INTERNET COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)

Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply.  A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep.  An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures.  Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, OSC regulations provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Return to the top of the newsletter

INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems
(IDS) (Part 3 of 4)

Some network IDS units allow the IP addresses associated with certain signatures to be automatically blocked. Financial institutions that use that capability run the risk of an attacker sending attack packets that falsely report the sending IP addresses as that of service providers and others that the institution needs to continue offering service, thereby creating a denial - of - service situation. To avoid such a situation, the institution also may implement a list of IP addresses that should not be blocked by the IDS.

Hosts also use a signature-based method. One such method creates a hash of key binaries, and periodically compares a newly generated hash against the original hash. Any mismatch signals a change to the binary, a change that could be the result of an intrusion. Successful operation of this method involves protection of the original binaries from change or deletion, and protection of the host that compares the hashes. If attackers can substitute a new hash for the original, an attack may not be identified. Similarly, if an attacker can alter the host performing the comparison so that it will report no change in the hash, an attack may not be identified.

An additional host-based signature method monitors the application program interfaces for unexpected or unwanted behavior, such as a Web server calling a command line interface.

Attackers can defeat host-based IDS systems using loadable kernel modules, or LKMs. A LKM is software that attaches itself to the operating system kernel. From there, it can redirect and alter communications and processing. With the proper LKM, an attacker can force a comparison of hashes to always report a match and provide the same cryptographic fingerprint of a file, even after the source file was altered. LKMs can also hide the use of the application program interfaces. Detection of LKMs is extremely difficult and is typically done through another LKM.


Return to the top of the newsletter

IT SECURITY QUESTION: 
INTRUSION DETECTION AND RESPONSE

7. Determine if appropriate detection capabilities exist related to:

!  System resource usage and anomalies,
!  Active host and network intrusion detection systems,
!  User related anomalies,
!  Operating and tool configuration anomalies,
!  File and data integrity problems, and
!  Vulnerability testing.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 3 of 3)

E. Ascertain areas of risk associated with the financial institution's sharing practices (especially those within Section 13 and those that fall outside of the exceptions ) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.

F. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures if any should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the institution's compliance management system and level of risk identified. Each module contains a series of general instruction to verify compliance, cross-referenced to cites within the regulation. 
Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.

G. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.

H. Formulate conclusions.

1)  Summarize all findings.

2)  For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.

3)  Identify action needed to correct violations and weaknesses in the institution's compliance system, as appropriate.

4)  Discuss findings with management and obtain a commitment for corrective action.

IN CLOSING - {firstname}, did you know that we offer internal-VISTA security testing of your network?  To keep your cost affordable, we install our pre-programmed scanner box on your network.  To maintain the independent testing required by the examiners, we control the programming and testing procedures.  For more information about the VISTA testing options available, please visit http://www.internetbankingaudits.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated