R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 15, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week, along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Pessimism over FISMA deadline starts at the top, survey finds - Fewer than half of the agencies represented in a recent poll expect to meet the September deadline for using continuous monitoring to meet Federal Information Security Management Act reporting requirements, and C-level executives interviewed were more pessimistic about their prospects for success than rank-and-file administrators. http://gcn.com/articles/2012/01/03/most-agencies-to-miss-fisma-continuous-monitoring-deadline.aspx

FYI - No Warrant Needed for GPS Monitoring, Judge Rules - A Missouri federal judge ruled the FBI did not need a warrant to secretly attach a GPS monitoring device to a suspect’s car to track his public movements for two months. http://www.wired.com/threatlevel/2012/01/warrantless-gps-monitoring/

FYI - Password case reframes Fifth Amendment rights in context of digital world - Beyond the log-in screen of Ramona Fricosu's laptop computer lies what federal prosecutors say could be the key evidence in the bank-fraud case against her. http://www.denverpost.com/recommended/ci_19669803

FYI - GAO - Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
Release - http://www.gao.gov/products/GAO-12-92
Highlights - http://www.gao.gov/assets/590/587530.pdf

FYI - FTC settles with rewards company over security infractions - A company that helps students save for college may have made them richer, but also could have opened them up to fraud. http://www.scmagazine.com/ftc-settles-with-rewards-company-over-security-infractions/article/222391/

FYI - FedRAMP Security Controls Unveiled - Federal Risk and Authorization Mgt. Program Vets Providers - The federal government has issued some 170 controls for FedRAMP, the program designed to vet cloud computing providers for federal government agencies. http://www.govinfosecurity.com/articles.php?art_id=4391

FYI - Israel vows to retaliate after credit cards are hacked - Israel has said it will respond to cyber-attacks in the same way it responds to violent "terrorist" acts after the credit card details of thousands of its citizens were published online. http://www.bbc.co.uk/news/world-middle-east-16456100

FYI - HSBC ATM Skimmer Arrested - Romanian Charged with $1.5 Million Scam - New York law enforcement authorities have announced the takedown of an ATM skimming scheme that compromised more than 40 ATMs at HSBC bank branches in Manhattan, Long Island, and Westchester, N.Y. http://www.bankinfosecurity.com/articles.php?art_id=4388

FYI - BYOD planning gets a big boost - A key technology to allow for the secure use of personal devices on the network is virtual desktop infrastructure. We're making big strides toward our CIO's goal of enabling a "bring your own device" (BYOD) policy.


FYI - Saudi hackers plaster 14,000 credit card privates on web - Raid on Israeli sites exposes up to 400,000 punters - A Saudi Arabian hacking group claims it has leaked information on up to 400,000 Israelis, including names, addresses and credit card details. http://www.theregister.co.uk/2012/01/04/israel_credit_card_hack_fallout/

FYI - Stratfor subscribers receive phony emails - The hackers who raided the servers belonging to global intelligence firm Stratfor are using some of their plunder to send fictitious emails to subscribers. http://www.scmagazine.com/stratfor-subscribers-receive-phony-emails/article/222199/

FYI - Hackers say they have Symantec's Norton AV source code - Hackers, possibly from India, claim they have lifted the source code for Symantec's Norton AntiVirus product, and are planning to post it.

FYI - Spam with QR code targets mobile users - Researchers have revealed a new type of spam campaign that appears to be a test run to find out how mobile users will respond to social engineering attempts on their smartphones and tablets. http://www.scmagazine.com/spam-with-qr-code-targets-mobile-users/article/222640/?DCMP=EMC-SCUS_Newswire


Non-Deposit Investment Products

Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products."  On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

We continue our series on the FFIEC interagency Information Security Booklet.  


Typical controls to protect against malicious code use technology, policies and procedures, and training. Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or potentially dangerous behavioral characteristics. Differences between products exist in detection capabilities and the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures generally are ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection.

Signature-based anti-virus products scan for unique components of certain known malicious code. Since new malicious code is created daily, the signatures need to be updated continually. Different vendors of anti-virus products update their signatures on different frequencies. When an update appears, installing the update on all of an institution's computers may involve automatically pushing the update to the computers, or requesting users to manually obtain the update.

Heuristic anti-virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code.

Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any Active-X or Java applets. A more refined strategy might block based on certain characteristics of known code.
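The gateway blocking strategy described above can be illustrated with a small attachment filter. This is an added example, not code from the FFIEC booklet or from Yennik; the extension deny-list, the magic-byte table and the sample attachments are all constructed here. It applies the "general strategy" (block anything executable, including Java applet class files) and one "refined" check (look at the first bytes of the content, so a renamed Windows executable is still caught).

```python
"""Gateway attachment filter (added example; not from the FFIEC booklet).

An attachment is blocked if any of its extensions is on the executable
deny-list (this catches double extensions such as invoice.pdf.exe), or if
its leading bytes identify a known executable format regardless of name.
"""
from dataclasses import dataclass

# Constructed deny-list of extensions a gateway would treat as executable.
EXECUTABLE_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "msi",
    "bat", "cmd", "vbs", "js", "jar", "class",
}

# Constructed table of leading bytes ("magic") for executable formats.
MAGIC_PREFIXES = {
    b"MZ": "Windows PE executable",
    b"\xca\xfe\xba\xbe": "Java class file",
    b"\x7fELF": "ELF executable",
}


@dataclass
class Verdict:
    blocked: bool
    reason: str


def extensions_of(filename: str) -> list[str]:
    """Return every extension after the base name, lower-cased.

    'invoice.pdf.exe' -> ['pdf', 'exe']; 'notes.txt' -> ['txt'].
    """
    base = filename.lower().rsplit("/", 1)[-1]
    return base.split(".")[1:]


def check_attachment(filename: str, content: bytes) -> Verdict:
    """Decide whether the gateway should block this attachment."""
    for ext in extensions_of(filename):
        if ext in EXECUTABLE_EXTENSIONS:
            return Verdict(True, f"extension .{ext} is on the executable deny-list")
    for magic, description in MAGIC_PREFIXES.items():
        if content.startswith(magic):
            return Verdict(True, f"content is a {description} despite name {filename!r}")
    return Verdict(False, "allowed")


if __name__ == "__main__":
    # Constructed sample attachments, not real captured mail.
    samples = [
        ("invoice.pdf.exe", b"MZ\x90\x00 constructed"),
        ("report.pdf", b"MZ\x90\x00 renamed executable"),
        ("Applet.class", b"\xca\xfe\xba\xbe\x00\x00"),
        ("notes.txt", b"plain text"),
    ]
    for name, data in samples:
        verdict = check_attachment(name, data)
        print(f"{name:18} blocked={verdict.blocked}  {verdict.reason}")
```

The extension check alone would let `report.pdf` through; the magic-byte check is what makes the refined strategy worth the extra cost.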

Protection of servers involves examining input from users and only accepting that input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers.
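The filtering the booklet describes is easiest to see as an allow-list: every field of a form is accepted only when it has exactly the shape the server expects, and anything else is rejected before any action runs. The following is an added example, not the booklet's or Yennik's code; the funds-transfer form, its field names and the patterns are constructed for illustration.

```python
"""Allow-list filtering of a web form (added example; not from the booklet).

A hypothetical funds-transfer form is accepted only if it carries exactly
the expected fields and each field matches its expected pattern. Inserted
code, extra fields, or odd amounts are rejected before the server acts.
"""
import re
from decimal import Decimal

# Constructed patterns: account numbers are 8-12 digits, amounts are
# dollars and cents with no sign or exponent, memos are a small character set.
ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")
AMOUNT_RE = re.compile(r"^(0|[1-9][0-9]{0,4})\.[0-9]{2}$")
MEMO_RE = re.compile(r"^[A-Za-z0-9 .,'-]{0,60}$")
EXPECTED_FIELDS = {"from_account", "to_account", "amount", "memo"}
MAX_AMOUNT = Decimal("10000.00")


class ValidationError(ValueError):
    """Raised when a submission does not match the expected shape."""


def filter_transfer_form(form: dict) -> dict:
    """Return typed, validated values, or raise ValidationError."""
    if set(form) != EXPECTED_FIELDS:
        raise ValidationError(
            f"unexpected or missing fields: {sorted(set(form) ^ EXPECTED_FIELDS)}"
        )
    for field in ("from_account", "to_account"):
        if not ACCOUNT_RE.match(form[field]):
            raise ValidationError(f"{field} is not a valid account number")
    if form["from_account"] == form["to_account"]:
        raise ValidationError("source and destination accounts are the same")
    if not AMOUNT_RE.match(form["amount"]):
        raise ValidationError("amount must be dollars and cents, e.g. 250.00")
    amount = Decimal(form["amount"])
    if amount <= 0 or amount > MAX_AMOUNT:
        raise ValidationError("amount out of range")
    if not MEMO_RE.match(form["memo"]):
        raise ValidationError("memo contains characters outside the allowed set")
    return {
        "from_account": form["from_account"],
        "to_account": form["to_account"],
        "amount": amount,
        "memo": form["memo"].strip(),
    }


def is_accepted(form: dict) -> bool:
    """Convenience wrapper: True if the submission passes filtering."""
    try:
        filter_transfer_form(form)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed submissions, not real traffic.
    good = {"from_account": "123456789", "to_account": "987654321",
            "amount": "250.00", "memo": "January rent"}
    injected = dict(good, memo="<script>document.location='http://x'</script>")
    print(filter_transfer_form(good))
    print("injected memo accepted:", is_accepted(injected))
```

Because the memo pattern names the characters that are allowed rather than those that are forbidden, the server never has to guess at every form an inserted payload might take.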

Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only include functions necessary to support operations. See "Systems Development, Acquisition, and Maintenance."

Anti-virus tools and code blocking are not comprehensive solutions. New malicious code could have different signatures, and bypass other controls. Protection against newly developed malicious code typically comes in the form of policies, procedures, and user awareness and training. For example, policies could prohibit the installation of software by unauthorized employees, and regular reviews for unauthorized software could take place. System users could be trained not to open unexpected messages, not to open any executables, and not to allow or accept file transfers in P2P communications. Additional protection may come from disconnecting and isolating networks from each other or from the Internet in the face of a fast-moving malicious code attack.

An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when they recognize abnormal system behavior, the presence of unexpected files, and changes to other files.
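The host-side detection the booklet describes, recognizing unexpected files and changes to existing files, is in essence a file-integrity baseline. The following is an added example (not code from the booklet, from Yennik, or from any product): it hashes every file under a directory, stores the result as a baseline, and later reports files that were added, removed or modified. The directory layout and the simulated infection are constructed in a temporary folder so the example runs offline.

```python
"""Host file-integrity check (added example; not from the FFIEC booklet).

snapshot() hashes every regular file under a root; compare() reports what
changed since the baseline. This is the core of the "unexpected files" and
"changes to other files" alerts that host intrusion detection raises.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and changed paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Build a constructed host tree, take a baseline, simulate an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "server").write_bytes(b"original server binary")
        (root / "config.ini").write_text("debug=0\n")
        (root / "readme.txt").write_text("constructed sample host\n")
        baseline = snapshot(root)

        # Constructed simulation of malicious code landing on the host:
        # a new file appears, a binary is replaced, a file disappears.
        (root / "bin" / "dropper.bin").write_bytes(b"unexpected new file")
        (root / "bin" / "server").write_bytes(b"replaced server binary")
        (root / "readme.txt").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"ALERT {kind:8} {p}")
```

In practice the baseline would be stored off-host (or signed) so that malicious code cannot simply rewrite it, and the comparison would be scheduled rather than run once.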


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure and reuse of the information where the institution is the recipient of nonpublic personal information (§11(a)).

B. Select a sample of data received from nonaffiliated financial institutions, to evaluate the financial institution's compliance with reuse and redisclosure limitations.

1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in the step b below (§11(a)(1)(i) and (ii)).

2.  Verify that the institution only uses and shares the data pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated