Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial
January 21, 2007
Your financial institution needs an affordable Internet security
Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA under Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit is conducted from a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit
FYI - Firms fret as office e-mail jumps security walls - A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased.
FYI - Nuclear Weapons Program Chief Dismissed - Energy Secretary Cites Security Flaws At Los Alamos Lab For Firing - Energy Secretary Samuel Bodman on Thursday announced the dismissal of the head of the U.S. nuclear weapons program because of security breakdowns at weapons facilities including the Los Alamos laboratory in the western state of New
FYI - U. of Northern Iowa Uncovers a Hacker's Stash - How long does it take a college to discover that a hacker has started storing music files on one of its servers? As long as it takes that hacker to build up a nice collection of tunes, evidently.
FYI - Businesses warned of staff internet and email abuse - Irish employers are being exposed to much greater costs due to employee abuse of their email and internet privileges, the Small Firms Association (SFA) has warned. It has emerged that 57pc of Irish companies do not have an email and internet usage policy in place.
FYI - From SANS - The Pitfalls of Full Disk Encryption -
FYI - Ready to produce IMs in court? - Guidelines expand types of electronic info you'll need for discovery - Companies that do not keep close tabs on PDAs, instant message conversations and other forms of electronic data may soon be in for a nasty surprise, should they find themselves in court. As of Dec. 1, 2006, new guidelines, called the Federal Rules of Civil Procedure, go into effect. The rules, set by the U.S. Supreme Court, expand the types of electronically stored information that companies could be required to produce in a lawsuit.
FYI - New tool enables sophisticated phishing scams - Security experts at RSA have come across a new tool that automatically creates sophisticated phishing sites, a sign that cybercrooks are getting increasingly
FYI - Los Angeles city employees charged with hacking traffic lights over labor dispute - Two Los Angeles municipal traffic engineers were arraigned and charged with hacking city systems to disable traffic lights, all in connection with a labor dispute.
FYI - Third Case of Computer Theft at High School - North Charleston police are trying to find out who stole a laptop computer from Academic Magnet High School. That computer contains personal information about hundreds of students. This theft is actually the third time someone has stolen computers from this school.
WEB SITE COMPLIANCE - Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarify that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the Official Staff Commentary (OSC), an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.
To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security
LOGGING AND DATA COLLECTION (Part 1 of 2)
Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. Appropriate logging controls ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.
An institution's ongoing security risk assessment process should evaluate the adequacy of the system logging and the type of information collected. Security policies should address the proper handling and analysis of log files. Institutions have to make risk-based decisions on where and when to log activity. The following data are typically logged to some extent, including:
- Inbound and outbound Internet traffic,
- Internal network traffic,
- Firewall events,
- Intrusion detection system events,
- Network and host performance,
- Operating system access (especially high-level administrative or
- Application access (especially users and objects with write and execute privileges), and
- Remote access.
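The guidance above says what to collect and that security personnel must be able to review it for unauthorized access attempts and privileged activity. The following added example (not from the newsletter or the FFIEC booklet) shows one way such a review can be done over a few constructed syslog-style lines covering three of the listed categories: firewall events, operating system access, and remote access. The line formats, host names, addresses and user names are all hypothetical.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the newsletter), covering three of the
# categories the guidance lists: firewall events, OS access, and remote access.
SAMPLE_LOG = """\
Jan 21 02:14:07 fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 21 02:14:09 fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=3389
Jan 21 02:15:30 host1 sshd[412]: Failed password for root from 203.0.113.9 port 40112 ssh2
Jan 21 02:15:33 host1 sshd[412]: Failed password for root from 203.0.113.9 port 40113 ssh2
Jan 21 02:16:05 host1 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/useradd svc_tmp
Jan 21 08:01:44 vpn1 openvpn[77]: teller03/198.51.100.22 Peer Connection Initiated
"""

# Patterns for the (hypothetical) line formats used above.
FW_DENY = re.compile(r"kernel: DENY .*SRC=(\S+) .*DPT=(\d+)")
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
SUDO = re.compile(r"sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
VPN = re.compile(r"openvpn\[\d+\]: (\S+)/(\S+) Peer Connection Initiated")

def review_logs(text):
    """Bucket each line into one of the guidance's log categories for review."""
    summary = {"firewall_denies": Counter(), "failed_logins": Counter(),
               "sudo_commands": [], "remote_access": []}
    for line in text.splitlines():
        if m := FW_DENY.search(line):
            summary["firewall_denies"][m.group(1)] += 1  # count per source address
        elif m := SSH_FAIL.search(line):
            summary["failed_logins"][(m.group(1), m.group(2))] += 1  # (user, source)
        elif m := SUDO.search(line):
            summary["sudo_commands"].append(m.groups())  # (who, as_user, command)
        elif m := VPN.search(line):
            summary["remote_access"].append((m.group(1), m.group(2)))  # (user, source)
    return summary

def findings(summary, threshold=2):
    """Items that warrant follow-up: repeated denied or failed access from one
    source, and every use of administrative privilege (always worth a look)."""
    out = []
    for src, n in summary["firewall_denies"].items():
        if n >= threshold:
            out.append(f"firewall: {n} denied connections from {src}")
    for (user, src), n in summary["failed_logins"].items():
        if n >= threshold:
            out.append(f"os access: {n} failed logins as {user} from {src}")
    for who, as_user, cmd in summary["sudo_commands"]:
        out.append(f"privileged: {who} ran as {as_user}: {cmd}")
    return out
```

The remote-access bucket is kept in the summary rather than flagged, since a VPN session is normal activity that reviewers correlate against the other findings (here, the same source appears in both the firewall denies and the failed root logins).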
SOFTWARE DEVELOPMENT AND ACQUISITION
8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities.
- For source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews.
- If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
37. For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice, such as:
a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at email@example.com if we can be of assistance.