FYI -
The Federal Financial Institutions Examination Council has
issued the attached guidance to help institutions identify and
implement appropriate risk-management practices when using "free and
open source software."
Press Release:
www.fdic.gov/news/news/financial/2004/fil11404.html
Press Release:
www.ffiec.gov/press/pr102104.htm
Press Release:
www.ots.treas.gov/docs/7/77445.html
Press Release:
www.ncua.gov/news/press_releases/2004/JR04-1021.pdf
FYI -
FFIEC Brochure with Information on Internet "Phishing."
www.federalreserve.gov/boarddocs/srletters/2004/sr0414.htm
FYI - Lack of trust
affects online banking - Users feel safer participating in ecommerce
than utilising online banking, a survey has shown. The survey of
2,000 global users, implemented by Entrust, showed 85 percent
participate in some form of ecommerce but less than two thirds bank
online.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=3e7082d6-d883-45a9-9062-d164d51d1f17&newsType=Latest%20News
FYI - Citigroup Forces
Resignations of 3 Senior Executives - Three senior executives at
Citigroup were forced to resign yesterday as Charles O. Prince, the
firm's chief executive, delivered on a promise to improve the bank's
sullied reputation in the aftermath of its private banking
operations being shut down in Japan last month.
http://www.nytimes.com/2004/10/20/business/20citi.html?oref=login&ex=1098936000
FYI - Hacker strikes
university computer system - A computer hacker accessed names and
Social Security numbers of about 1.4 million Californians after
breaking into a University of California, Berkeley, computer system
in perhaps the worst attack of its kind ever suffered by the school,
officials said Tuesday.
http://news.com.com/Hacker+strikes+university+computer+system/2100-7349_3-5418388.html?tag=nefd.top
FYI - NIST details
minimum security controls - Guidelines for setting computer security
controls to protect federal information systems are described in a
new publication from the National Institute of Standards and
Technology. NIST officials said the document forms the basis for
security controls that will become mandatory in December 2005.
News story:
http://www.fcw.com/fcw/articles/2004/1011/web-nist-10-11-04.asp
NIST Report:
http://csrc.nist.gov/publications/drafts/SP800-53-Draft2nd.pdf
FYI - Companies risk
security by not introducing wireless - Enterprise IT managers are
interested in wireless technology but reluctant to introduce it to
their business for no good reason, and as a result could be risking
security breaches, at least according to a survey by researchers at
IDC.
http://www.computerworld.com/printthis/2004/0,4814,96597,00.html
FYI - An August
intrusion into a social researcher's computer may mean that more
than a million Californians need to call the credit bureaus. The
California Department of Social Services warned the providers and
recipients of the state's In Home Support Services (IHSS) that their
names, addresses, telephone numbers, Social Security numbers and
dates of birth may be circulating the Internet. IHSS allows
individuals to get paid for providing in-home care to senior
citizens.
http://news.com.com/Online+attack+puts+1.4+million+records+at+risk/2100-1029_3-5420149.html?tag=nefd.top
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the Official Staff Commentary (OSC), an example of
a consumer's authorization that is not in the form of a signed writing
but is, instead, "similarly authenticated," is a consumer's
authorization via a home banking system.
To satisfy the regulatory requirements, the institution must
have some means to identify the consumer (such as a security code)
and make a paper copy of the authorization available (automatically
or upon request). The
text of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulation, the timing of a consumer's report of an
unauthorized transaction, or of the loss or theft of an access device,
determines the consumer's liability. A financial institution may
receive such a report through an electronic medium. Therefore, the
institution should ensure that controls are in place to review these
notifications and to ensure that an investigation is initiated as
required.
INFORMATION SYSTEMS SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host, so they see the cleartext
that a network sensor cannot. This host-based intrusion detection
method is particularly appropriate for Internet banking servers and
other servers that communicate over an encrypted channel. Loadable
kernel modules (LKMs), however, can defeat these host-based IDS units:
a kernel-level compromise can hide activity from, or tamper with, a
sensor that relies on the host's own kernel.
Host-based intrusion detection systems are recommended by NIST
for all mission-critical systems, even those that should not allow
external access.
The heuristic, or behavior, method creates a statistical profile of
normal activity on the host or network. Boundaries for activity are
established based on that profile. When current activity exceeds the
boundaries, an alert is generated. Weaknesses of this method include
the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed (which would
make that activity part of the "normal" baseline). This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in false
positives (alerts where no attack exists), and false negatives (no
alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
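The baseline-and-boundary logic described above, as an added example (it is not from the FFIEC booklet or this newsletter): a behavior-based detector over a constructed per-hour failed-login count for one host, run at two sensitivity settings to expose the false-positive/false-negative trade-off, and once more with a baseline that was built while an attack was already under way. The metric, the sample counts, the attack labels and the k values are all assumptions chosen for illustration.

```python
"""Behavior-based (heuristic) intrusion detection on one host metric.

Added example; not part of the FFIEC booklet. The metric (failed logins per
hour), the samples, the attack labels and the sensitivity values are
constructed assumptions.
"""
import statistics

# Constructed training window: 48 hourly counts of failed logins during
# normal operation (assumption: a quiet Internet banking server).
NORMAL_HOURS = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 4, 3] * 4

# Constructed observation window: (count, attack_really_happened).
# 12 and 9 are benign spikes (e.g. a password-policy change);
# 40 is a noisy brute-force hour; 5 and 10 are "low and slow" attack hours.
OBSERVED = [(2, False), (3, False), (12, False), (40, True),
            (5, True), (3, False), (10, True), (9, False)]


def build_profile(samples):
    """Statistical profile of normal activity: (mean, population stddev)."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def threshold(profile, k):
    """Boundary for 'normal': mean plus k standard deviations."""
    mean, sd = profile
    return mean + k * sd


def detect(values, profile, k):
    """Alert on every value that exceeds the boundary."""
    limit = threshold(profile, k)
    return [v > limit for v in values]


def evaluate(observed, profile, k):
    """Count true positives, false positives and false negatives for one k."""
    flags = detect([v for v, _ in observed], profile, k)
    tp = fp = fn = 0
    for flagged, (_, attack) in zip(flags, observed):
        if flagged and attack:
            tp += 1
        elif flagged and not attack:
            fp += 1
        elif not flagged and attack:
            fn += 1
    return {"k": k, "threshold": round(threshold(profile, k), 2),
            "tp": tp, "fp": fp, "fn": fn}


def poisoned_profile(normal, attack_hours):
    """Profile built while an attack was under way: the attack becomes 'normal'."""
    return build_profile(list(normal) + list(attack_hours))


if __name__ == "__main__":
    clean = build_profile(NORMAL_HOURS)
    # k=3 catches both loud and quiet attack hours it can, at the price of
    # two false positives; k=10 silences the false positives but misses
    # the low-and-slow hour as well.
    for k in (3, 10):
        print("clean baseline   ", evaluate(OBSERVED, clean, k))
    # Six hours of brute forcing (30 failures/hour) inside the modeling
    # period widen the profile, so the same k=3 now misses most attacks.
    dirty = poisoned_profile(NORMAL_HOURS, [30] * 6)
    print("poisoned baseline", evaluate(OBSERVED, dirty, 3))
```

Raising k from 3 to 10 removes both false positives but turns one true positive into a false negative, which is exactly the tuning trap the text warns about; the poisoned run shows why the baseline period itself must be known-clean before it is trusted.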
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
8. Determine whether an incident response team:
! Contains appropriate membership,
! Is available at all times,
! Has appropriate training to investigate and report findings,
! Has access to back-up data and systems, an inventory of all
approved hardware and software, and monitored access to systems (as
appropriate), and
! Has appropriate authority and timely access to decision
makers for actions that require higher approvals.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
regulation.
A. Disclosure of Nonpublic Personal Information
1) Select a
sample of third party relationships with nonaffiliated third parties
and obtain a sample of data shared between the institution and the
third party both inside and outside of the exceptions. The sample
should include a cross-section of relationships but should emphasize
those that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers (customers and those who
are not customers) in its notices about its policies and practices
in this regard and what the institution actually does are consistent
(§§10, 6).
b. Compare the data shared to a sample of opt out directions
and verify that only nonpublic personal information covered under
the exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts (§13(a)).
IN CLOSING - Did you know that we offer internal-VISTA security testing
of your network? To keep your cost affordable, we install our
pre-programmed scanner box on your network. To maintain the independent
testing required by the examiners, we control the programming and
testing procedures. For more information about the VISTA testing options
available, please visit
http://www.internetbankingaudits.com.