Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Microsoft extends virus warnings for Windows XP to 2015 -
Microsoft has decided to continue providing virus warnings for the
ageing Windows XP operating system until 2015.
- Feds Failing To Secure Their Mobile Devices - The federal
government may have specific policies for security, but many of its
users aren't adopting secure mobile practices and behaviors,
according to a new study by the Mobile Work Exchange.
- 13 indicted in $2M gas station card-skimming scheme - Pump-mounted
devices used Bluetooth chips that allowed the thieves to retrieve
the data without having to physically connect to the devices,
- Companies settle over false data security framework compliance
claims - Twelve U.S. companies have agreed to settle Federal Trade
Commission (FTC) charges, which accuse the firms of falsely claiming
to comply with an international data security framework.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- A First Look at the Target Intrusion, Malware - Last weekend,
Target finally disclosed at least one cause of the massive data
breach that exposed personal and financial information on more than
110 million customers: Malicious software that infected
point-of-sale systems at Target checkout counters.
Marcus breach dates back to July 2013, according to report - The
attack on Neiman Marcus point-of-sale systems dates back to July
2013 and the threat was not completely mitigated until Sunday,
unnamed people briefed on the retailer's investigation told the New
York Times in a Thursday report.
Veterans Affairs eBenefits site results in data compromise - When a
Navy veteran signed into the Department of Veterans Affairs (VA)
eBenefits website on Wednesday night, he was shocked to see a
different person's name and information pop up each time he came
data breach: Yes, it gets worse - Target and Neiman Marcus weren't
the only name-brand retailers to be stung by cybercriminals last
holiday season. Plus: Was a teenager behind the malware?
Data of 20
million South Koreans copied to USB stick, sold to marketing firms -
An IT worker was arrested after allegedly copying names, Social
Security numbers, and credit card details of 20 millions South
Koreans to a USB stick, so the trove of information could be sold to
phone marketing firms.
affects 16M in Germany - A data breach affecting 16 million German
internet users was announced this week by the country's Federal
Office for Information Security (BSI).
new verification already hacked - Security researcher shows that the
service's new "find the ghost" system to prove that you're a human
and not a bot can be easily tricked.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Protocols and Ports (Part 2 of 3)
Other common protocols in a TCP/IP network include the following
! Address resolution protocol (ARP) - Obtains the hardware address
of connected devices and matches that address with the IP address
for that device. The hardware address is the Ethernet card's
address, technically referred to as the "media access control" (MAC)
address. Ethernet systems route messages by the MAC address,
requiring a router to obtain both the IP address and the MAC address
of connected devices. Reverse ARP (RARP) also exists as a protocol.
! Internet control message protocol (ICMP) - Used to send messages
about network health between devices, provides alternate routing
information if trouble is detected, and helps to identify problems
with a routing.
! File transfer protocol (FTP) - Used to browse directories and
transfer files. Although access can be authenticated or anonymous,
FTP does not support encrypted authentication. Conducting FTP within
encrypted channels, such as a Virtual Private Network (VPN), secure
shell (SSH) or secure sockets layer (SSL) sessions can improve
! Trivial file transfer protocol (TFTP) - A file transfer protocol
with no file - browsing ability, and no support for authentication.
! Simple mail - transfer protocol (SMTP) - Commonly used in e-mail
systems to send mail.
! Post office protocol (POP) - Commonly used to receive e-mail.
! Hypertext transport protocol (HTTP) - Used for Web browsing.
! Secure shell (SSH) - Encrypts communications sessions, typically
used for remote administration of servers.
! Secure sockets layer (SSL) - Typically used to encrypt
Webbrowsing sessions, sometimes used to secure e-mail transfers and
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and
b. the institution has provided the consumer with a new opt out
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information;
d. the consumer has not opted out? [§8(a)(4)]