Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
January 28, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - Swedish bank hit
by 'biggest ever' online heist - Swedish bank Nordea has told ZDNet
UK that it has been stung for between seven and eight million
Swedish krona--up to $1.1 million--in what security company McAfee
is describing as the "biggest ever" online bank heist. Over the last
15 months, Nordea customers have been targeted by e-mails containing
a tailor-made Trojan, said the bank.
FYI - RSA Catches
Financial Phishing Kit - RSA, The Security Division of EMC,
announced Jan. 10 that it has identified a new phishing kit that was
being sold and used online by hackers to target users' personal
information in real time. The phishing kit, known as a Universal
Man-in-the-Middle Phishing Kit, is meant to help online hackers
create attacks involving financial organizations by enabling the
hacker to create a fake URL through a user-friendly online
interface. The fraudulent URL communicates with the legitimate Web
site of the targeted organization in real time.
FYI - T.J. Maxx,
Marshalls Operator Reports Customer ID Thefts After Hacking Detected
- TJX Cos., operator of T.J. Maxx and Marshalls discount stores,
said Wednesday its computer systems were hacked late last year and
customer data has been stolen.
FYI - Stolen hard drive
could give patients a headache - A local doctor's office is keeping
mum on a stolen hard drive that may contain personal information on
hundreds of patients who seek care there.
FYI - New Jersey duo
arrested for changing grades with unauthorized network access - A
student and a recent graduate of a Cherry Hill, N.J. high school
have been charged with using unauthorized access privileges to
change students' grades.
FYI - Hacker cracks
University of Arizona network, may have breached employee
information - A hacker may have obtained the personal information of
University of Arizona employees, as well as details of the
institution's financial transactions.
FYI - MoneyGram says
consumer info accessed - MoneyGram International Inc., a global
payment services provider, announced Friday that a company server
with consumer information for about 79,000 bill payment customers
was unlawfully accessed over the Internet last month.
FYI - Laptop theft puts
residents at risk - A laptop computer containing files on 30,000
taxpayers was stolen from the car of an N.C. Department of Revenue
employee last month, and state officials are cautioning everyone on
the list to keep an eye on their finances for potential fraud.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log, institutions
should consider the importance of the related system or information,
the importance of monitoring the access controls, the value of
logged data in restoring a compromised system, and the means to
effectively analyze the data. Generally, logs should capture source
identification information; session ID; terminal ID; and the date,
time, and the nature of the access attempt, service request, or
process. Many hardware and software products come with logging
disabled and may have inadequate log analysis and reporting
capabilities. Institutions may have to enable the logging
capabilities and then verify that logging remains enabled after
rebooting. In some cases, additional software will provide the only
means to analyze the log files effectively.
Many products such as firewall and intrusion detection software can
simplify the security monitoring by automating the analysis of the
logs and alerting the appropriate personnel of suspicious activity.
Log files are critical to the successful investigation and
prosecution of security incidents and can potentially contain
sensitive information. Intruders will often attempt to conceal any
unauthorized access by editing or deleting log files. Therefore,
institutions should strictly control and monitor access to log
files. Some considerations for securing the integrity of log files
! Encrypting log files that contain sensitive data or that are
transmitting over the network,
! Ensuring adequate storage capacity to avoid gaps in data
! Securing backup and disposal of log files,
! Logging the data to a separate, isolated computer,
! Logging the data to write - only media like a write - once/read -
many (WORM) disk or drive,
! Utilizing centralized logging, such as the UNIX "SYSLOG" utility,
! Setting logging parameters to disallow any modification to
previously written data.
The financial institution should have an effective means of tracing
a security event through their system. Synchronized time stamps on
network devices may be necessary to gather consistent logs and a
consistent audit trail. Additionally, logs should be available, when
needed, for incident detection, analysis and response.
When using logs to support personnel actions, management should
consult with counsel about whether the logs are sufficiently
reliable to support the action.
Return to the top of the
1. Determine if adequate physical security and access controls exist
over data back-ups and program libraries throughout their life
cycle, including when they are created, transmitted/taken to
storage, stored, retrieved and loaded, and destroyed.
! Review the risk assessment to identify key control points in
a data set's life cycle.
! Verify controls are in place consistent with the level of
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
38. For customers only, does the institution ensure that the
initial, annual, and revised notices may be retained or obtained
later by the customer in writing, or if the customer agrees,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.