Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
IDs from hotel computers - A Colombian engineer pleaded guilty in
federal court to illegally hacking into hotel computers in Miami,
Las Vegas and other cities to steal credit card numbers and other
personal information to pocket more than $400,000 to finance his
Fully patched PCs are a rare breed - A small minority of users - as
few as one in 20 - is running fully-patched Windows PCs. Just five
per cent of newly-registered users of an online security inspection
service Secunia came out with a clean bill of health, while more
than 40 per cent have at least 11 insecure applications installed.
New mass hack strikes sites, confounds researchers - May be linked
to November 2007 break-in at U.K. hosting firm - A massive hack of
legitimate Web sites has been spreading malware to visitors' PCs,
using a new tactic that has made detection "extraordinarily
difficult," security experts said today.
Barclays chairman has identity stolen - Thief gets away with £10,000
- Marcus Agius, the chairman of Barclays Bank, has had £10,000
stolen by an identity thief.
Rootkit targeting Master Boot Record in the wild - A rootkit
attacking Master Boot Record (MBR) -- a vector used more than a
decade ago on MS-DOS operating systems -- on various Windows
operating systems is spreading in the wild, according to
Silentbanker trojan dupes bank customers into sending money - A
researcher has warned that the Silentbanker trojan apparently is
able to circumvent two-factor authorization and inject itself into
the middle of ongoing banking transactions, duping bank customers
into sending money to attackers while the customer proceeds with
what looks like a valid transaction.
sites - A "massive attack" related to the November break-in of an
several hundred e-commerce websites, particularly in the United
Kingdom, according to Trend Micro.
House Oversight panel slams TSA for lax website security - A
Congressional committee has slammed the Transportation Security
Administration (TSA) for giving a no-bid contract to a website
developer that failed to implement cybersecurity procedures to
protect the personal information of travelers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hacker posts hundreds of credit card numbers - News First
Investigates has uncovered what looks like a major internet breach.
We found a list of hundreds of credit card numbers and personal
information on a website hosted by Google.
Polish teen derails tram after hacking train network - A Polish
teenager allegedly turned the tram system in the city of Lodz into
his own personal train set, triggering chaos and derailing four
vehicles in the process. Twelve people were injured in one of the
Security guard relaxed as Metro data thieves struck - Two laptop
computers containing 337,000 Nashville voters' Social Security
numbers were stolen as the building's security guard listened to
Christmas music, ordered food and visited the break room, failing to
make his hourly rounds.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
Action Summary -Financial institutions must maintain an ongoing
information security risk assessment program that effectively
1) Gathers data
regarding the information and technology assets of the organization,
threats to those assets, vulnerabilities, existing security controls
and processes, and the current security standards and requirements;
2) Analyzes the
probability and impact associated with the known threats and
vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and vulnerabilities
to determine the appropriate level of training, controls, and
testing necessary for effective mitigation.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
6. Determine that, where appropriate and
feasible, programs do not run with greater access to other resources
than necessary. Programs
to consider include application programs, network administration
programs (e.g., DNS), and other programs.
7. Compare the access control rules establishment and assignment
processes to the access control policy for consistency.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
12. Does the institution make the following disclosures regarding
service providers and joint marketers to whom it discloses nonpublic
personal information under §13:
a. as applicable, the
same categories and examples of nonpublic personal information
disclosed as described in paragraphs (a)(2) and (c)(2) of section
six (6) (see questions 8b and 10); and [§6(c)(4)(i)]
b. that the third party is a service provider that performs
marketing on the institution's behalf or on behalf of the
institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the
institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]