Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

January 21, 2007

CONTENTS
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Firms fret as office e-mail jumps security walls - A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased. http://news.com.com/2102-1029_3-6149344.html?tag=st.util.print

FYI - Nuclear Weapons Program Chief Dismissed - Energy Secretary Cites Security Flaws At Los Alamos Lab For Firing - Energy Secretary Samuel Bodman on Thursday announced the dismissal of the head of the U.S. nuclear weapons program because of security breakdowns at weapons facilities including the Los Alamos laboratory in the western state of New Mexico. http://www.cbsnews.com/stories/2007/01/04/politics/main2332032.shtml

FYI - U. of Northern Iowa Uncovers a Hacker's Stash - How long does it take a college to discover that a hacker has started storing music files on one of its servers? As long it takes that hacker to build up a nice collection of tunes, evidently. http://chronicle.com/wiredcampus/index.php?id=1790

FYI - Businesses warned of staff internet and email abuse - Irish employers are being exposed to much greater costs due to employee abuse of their email and internet privileges, the Small Firms Association (SFA) has warned. It has emerged that 57pc of Irish companies do not have an email and internet usage policy in place. http://www.siliconrepublic.com/news/news.nv?storyid=single7554

FYI - From SANS - The Pitfalls of Full Disk Encryption - http://www.sans.edu/resources/leadershiplab/pitfalls.php

FYI - Ready to produce IMs in court? - Guidelines expand types of electronic info you'll need for discovery - Companies that do not keep close tabs on PDAs, instant message conversations and other forms of electronic data may soon be in for a nasty surprise, should they find themselves in court. As of Dec. 1, 2006, new guidelines, called the Federal Rules of Civil Procedure, go into effect. The rules, set by the U.S. Supreme Court, expand the types of electronically stored information that companies could be required to produce in a lawsuit. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9007162&taxonomyId=17&intsrc=kc_top
http://www.law.cornell.edu/rules/frcp/Rule34.htm

FYI - New tool enables sophisticated phishing scams - Security experts at RSA have come across a new tool that automatically creates sophisticated phishing sites, a sign that cybercrooks are getting increasingly professional. http://news.com.com/2102-1029_3-6149090.html?tag=st.util.print

FYI - Los Angeles city employees charged with hacking traffic lights over labor dispute - Two Los Angeles municipal traffic engineers were arraigned and charged with hacking city systems to disable traffic lights, all in connection with a labor dispute. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070110/625180/

MISSING COMPUTERS/DATA

FYI - Third Case of Computer Theft at High School - North Charleston police are trying to find out who stole a laptop computer from Academic Magnet High School. That computer contains personal information about hundreds of students. This theft is actually the third time someone has stolen computers from this school. http://www.wcbd.com/midatlantic/cbd/news.PrintView.-content-articles-CBD-2007-01-03-0015.html


WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC), an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.  Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

LOGGING AND DATA COLLECTION (Part 1 of 2)

Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. Appropriate logging controls ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.

An institution's ongoing security risk assessment process should evaluate the adequacy of the system logging and the type of information collected. Security policies should address the proper handling and analysis of log files. Institutions have to make risk-based decisions on where and when to log activity. The following data are typically logged to some extent, including:

- Inbound and outbound Internet traffic,
- Internal network traffic,
- Firewall events,
- Intrusion detection system events,
- Network and host performance,
- Operating system access (especially high-level administrative or root access),
- Application access (especially users and objects with write and execute privileges), and
- Remote access.
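The booklet's point is that log data is only useful if someone actually reviews it for unauthorized access attempts, particularly root or administrative access over remote connections. As an added illustration (not part of the FFIEC text or this newsletter), the following Python script reviews constructed syslog-style sshd and sudo lines and reports root login attempts, successful root logins, privilege escalations, and sources with repeated failures; the log lines, hostnames and addresses are invented for the example.

```python
import re
from collections import Counter

# Constructed sample auth-log lines in syslog style; not taken from any real system.
SAMPLE_LOG = """\
Jan 21 02:14:07 corebank sshd[4121]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 21 02:14:09 corebank sshd[4121]: Failed password for root from 203.0.113.45 port 51023 ssh2
Jan 21 02:14:12 corebank sshd[4121]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jan 21 02:14:15 corebank sshd[4121]: Failed password for admin from 203.0.113.45 port 51025 ssh2
Jan 21 08:02:33 corebank sshd[4302]: Accepted publickey for jdoe from 192.0.2.17 port 40210 ssh2
Jan 21 08:03:01 corebank sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/vi /etc/ssh/sshd_config
Jan 21 08:05:44 corebank sshd[4310]: Accepted password for root from 198.51.100.8 port 33001 ssh2
"""

# Patterns for the three event types the review cares about (remote access,
# OS-level root access, and privilege escalation via sudo).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

def review_log(text, fail_threshold=3):
    """Summarise remote-access and privileged-access events from auth-log text."""
    failed_by_source = Counter()
    report = {"root_login_attempts": [], "root_logins": [],
              "privilege_escalations": [], "brute_force_sources": []}
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failed_by_source[src] += 1          # count failures per remote source
            if user == "root":
                report["root_login_attempts"].append(src)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if user == "root":                  # direct root logins deserve review
                report["root_logins"].append(src)
            continue
        m = SUDO.search(line)
        if m:
            user, target, cmd = m.groups()
            report["privilege_escalations"].append((user, target, cmd.strip()))
    # Any source with repeated failures is flagged for follow-up.
    report["brute_force_sources"] = [s for s, n in failed_by_source.items()
                                     if n >= fail_threshold]
    return report

if __name__ == "__main__":
    for key, events in review_log(SAMPLE_LOG).items():
        print(f"{key}: {events}")
```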


IT SECURITY QUESTION: SOFTWARE DEVELOPMENT AND ACQUISITION

8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities.

- For source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews.
- If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

37.  For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice such as:

a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or

b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved.  Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated