FYI - California warns
on massive ID theft - UC Berkeley used intrusion-detection software
to uncover the hacking - The state of California has warned
residents that their personal data may have been stolen from
computers at the University of California, Berkeley, after a
database used by researchers there was compromised by hackers.
http://www.computerworld.com/printthis/2004/0,4814,96816,00.html
FYI - Seoul Metropolitan
Government Bans Internet Messenger - Seoul Metropolitan Government
employees can no longer use Internet messengers at work. The
government announced Friday that it will ban all employees from
using messengers, chatting services and other connections to harmful
Internet sites during working hours. This new rule is to protect
information, said the SMG.
http://english.chosun.com/w21data/html/news/200410/200410220031.html
FYI - Computer hacker
gets prison term - Daniel Baas' computer skills were expert enough
that he was able to make a living using them. But, he admitted
Monday, he used those same skills to penetrate the computers and
networks of lawyers and companies. For that, Hamilton County Common
Pleas Court Judge Dennis Helmick sentenced him to 2½ years in
prison.
http://www.cincypost.com/2004/10/19/baas101904.html
FYI - Five mistakes of
log analysis - As the IT market grows, organizations are deploying
more security solutions to guard against the ever-widening threat
landscape. All those devices are known to generate copious amounts
of audit records and alerts, and many organizations are setting up
repeatable log collection and analysis processes.
http://www.computerworld.com/printthis/2004/0,4814,96587,00.html
FYI - What your CEO
thinks about security (and how to change it) - Up to now,
enterprises' security budgets have been so lean they could almost be
considered anorexic. That's because CEOs have considered security as
necessary but haven't bought the argument that there is an economic
advantage to going above a minimal level of security.
http://www.computerworld.com/printthis/2004/0,4814,96803,00.html
FYI - Beating the social
engineering scams: what employees must do to protect company data -
While technology can dramatically reduce the risk associated with
threats and vulnerabilities in enterprise IT, the human factor is
always critical in a comprehensive security strategy.
http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=6bbcb578-68ae-4249-8f78-01918e84d195&newsType=Opinion
FYI - Back-up or
pack-up? - Data is the lifeblood of the organisation and any
incidents, which stop access or result in a loss of critical data
can have serious consequences for the business in terms of
day-to-day operations and financial loss. This emphasises the
ongoing need for back-up and recovery processes to be in place to
minimise the effects of unplanned downtime and ensure the continuity
of business processes.
http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=82165f80-e3aa-410b-8512-889b4fc195fb&newsType=Opinion
FYI -
OCC Banker Education Update - Information from the
July and September Telephone Seminars has been posted to the Banker
Education page. Items include the transcript and slides from
"Outsourcing Technology Services: A Management Decision" and the
information package from "Financing Minority Businesses". Also, see
the announcement on the Upcoming Telephone Seminar page.
Attachment:
www.occ.treas.gov/IT_OutSrce_Final_Slides.pdf
Attachment:
www.occ.treas.gov/Edited_Outsourcing_Transcript_Final_110404.pdf
INTERNET COMPLIANCE -
Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information
Security Booklet.
INTRUSION DETECTION AND RESPONSE
Honeypots
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy-to-compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
lower risk.
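The low-risk honeypot the booklet describes in its last sentence (log connections, issue bogus responses, signal the administrator out of band, and nothing else) is small enough to sketch in code. The following is an added example written for this newsletter, not code from the FFIEC booklet or from any product; the FTP-style banner, the decoy port, stdout standing in for the alert channel, and the loopback "attacker" in the demo are all assumptions. The point it makes is the one the text makes: the decoy never parses or acts on what the attacker sends, and every connection is an alarm because no legitimate traffic should ever reach it.

```python
"""Low-interaction honeypot sketch: it only logs connections, answers with a
bogus banner and signals every touch to the administrator. Added example,
not from the FFIEC booklet; the banner, port and alert sink are assumptions."""
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

FAKE_BANNER = b"220 ftp.example.internal FTP server ready\r\n"  # assumed bogus banner
MAX_CAPTURE = 256    # bytes of attacker input kept for the log; never parsed or acted on
READ_TIMEOUT = 5.0   # seconds to wait for the attacker's first line


def alert(event):
    """Out-of-band signal to the administrator. Assumption: stdout stands in
    for syslog or a pager; a real deployment sends this off the honeypot host."""
    print("ALERT honeypot touched:", event)


def handle_connection(conn, peer, events, alert_fn=alert):
    """Record one connection: send the bogus banner, capture a bounded amount
    of input, close, then alarm. conn needs sendall()/recv()/close()."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "banner_sent": FAKE_BANNER.decode("ascii"),
        "captured": b"",
    }
    try:
        conn.sendall(FAKE_BANNER)
        event["captured"] = conn.recv(MAX_CAPTURE)
    except OSError as exc:           # covers timeouts and connection resets
        event["error"] = str(exc)
    finally:
        conn.close()                 # nothing else is offered to the attacker
    events.append(event)
    alert_fn(event)                  # no benign traffic exists here: every touch is an alarm
    return event


def listen(host="127.0.0.1", port=2121):
    """Bind the decoy port and return the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def serve(srv, events, max_conns=None, alert_fn=alert):
    """Accept connections until max_conns have been handled (None = forever)."""
    served = 0
    try:
        while max_conns is None or served < max_conns:
            conn, peer = srv.accept()
            conn.settimeout(READ_TIMEOUT)
            handle_connection(conn, peer, events, alert_fn)
            served += 1
    finally:
        srv.close()
    return events


def touches_by_source(events):
    """Honeypot data is small and all of it is relevant: count touches per source."""
    return dict(Counter(e["src_ip"] for e in events))


if __name__ == "__main__":
    # Self-contained demo: the honeypot and a constructed "attacker" on loopback.
    srv = listen("127.0.0.1", 0)            # ephemeral port for the demo
    port = srv.getsockname()[1]
    events = []
    t = threading.Thread(target=serve, args=(srv, events, 1), daemon=True)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as attacker:
        print("attacker got banner:", attacker.recv(128))
        attacker.sendall(b"USER anonymous\r\n")
    t.join()
    print(touches_by_source(events))
```

Two design choices follow directly from the booklet's risk discussion: the decoy keeps only a bounded slice of input and never interprets it, so a compromise through the honeypot's own code is kept unlikely, and the alarm is raised on every connection rather than on any notion of "suspicious" traffic, so a touch that goes unnoticed is a monitoring failure rather than a detection gap. Running it as an unprivileged user on a host with no connectivity back into the production network is the rest of the "rigorously monitored" posture the text calls for.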
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
9. Evaluate the selection of systems to monitor and objectives for
monitoring.
10. Determine whether the data and data streams to monitor are
established and consistent with the risk assessment.
11. Determine whether users are appropriately notified regarding
security monitoring.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of
delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice
(§9(c)), and accessibility of or ability to retain the notice
(§9(e)).
IN CLOSING - Did you know that we offer internal-VISTA security
testing of your network? To keep your cost affordable, we install our
pre-programmed scanner box on your network. To maintain the independent
testing required by the examiners, we control the programming and testing
procedures. For more information about the VISTA testing options available,
please visit http://www.internetbankingaudits.com.