R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

February 12, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - FDIC - Payment Processor Relationships Revised Guidance - Attached is revised guidance describing potential risks associated with relationships with third-party entities that process payments for telemarketers, online businesses, and other merchants (collectively "merchants"). These relationships can pose increased risk to institutions and require careful due diligence and monitoring.
http://www.fdic.gov/news/news/financial/2012/fil12003.html
http://krebsonsecurity.com/2011/08/huge-decline-in-fake-av-following-credit-card-processing-shakeup/

FYI - Mining social networks - Criminals are finding social media websites like Facebook, which contain a vast array of personal assets, to be a treasure trove of information that they can use to launch further attacks. http://www.scmagazine.com/boundless-information-mining-social-networks/article/223531/?DCMP=EMC-SCUS_Newswire

FYI - Romanian cops cuff suspected serial hacker - Alleged Royal Navy, Pentagon invader gets keelhauled - Romanian police have arrested a man suspected of breaking into the websites of NASA and the Pentagon in a series of high-profile hack attacks. http://www.theregister.co.uk/2012/02/01/tinkode_nasa_hack_suspect_cuffed/

FYI - Don't let Wi-Fi hotspots get the best of you - According to a report from the Wireless Broadband Alliance and analyst firm Informa Telecoms & Media, the number of public Wi-Fi hotspots globally is exploding. http://www.scmagazine.com/dont-let-wi-fi-hotspots-get-the-best-of-you/article/226476/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - VeriSign admits multiple hacks in 2010, keeps details under wraps - Claims its DNS network wasn't breached, but mum on whether SSL certificates were compromised - VeriSign, the company responsible for guiding most of the world's Internet users to the correct websites and once the largest encryption certificate issuing authority, has acknowledged that it was successfully hacked several times in 2010. http://www.computerworld.com/s/article/9223936/VeriSign_admits_multiple_hacks_in_2010_keeps_details_under_wraps?taxonomyId=17

FYI - Anonymous raids law firm over its defense of Marine - Anonymous stayed busy on Friday with the dump of 300 GB of emails and other communications, lifted from the law firm representing a U.S. Marine who recently escaped jail time for his role in a 2005 massacre. http://www.scmagazine.com/anonymous-raids-law-firm-over-its-defense-of-marine/article/226294/

FYI - Patient data at U of M hospital breached - A thief broke into a doctor's car and stole a briefcase containing a flash drive that held personal data on patients of the University of Miami (UM) Miller School of Medicine. http://www.scmagazine.com/patient-data-at-u-of-m-hospital-breached/article/225555/?DCMP=EMC-SCUS_Newswire

FYI - Virus Hits Part Of U.S. Commerce Dept. - Economic Development Administration has disabled its website and email while attack is investigated. A virus has caused the Department of Commerce's Economic Development Administration (EDA) to disable its email and Internet access indefinitely while the nature and origin of the attack is investigated. http://www.informationweek.com/news/government/security/232600258

FYI - Hackers apparently hit Swedish government site - A group linked to the hacker network Anonymous on Saturday said it had attacked the Swedish government's website, bringing it down for periods of time by overloading it with traffic. http://www.usatoday.com/news/world/story/2012-02-04/hacker-anonymous-swedish-government/52962142/1


WEB SITE COMPLIANCE -
Over the next few weeks, we will cover some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Executive Summary

Continuing technological innovation and competition among existing banking organizations and new entrants have allowed for a much wider array of banking products and services to become accessible and delivered to retail and wholesale customers through an electronic distribution channel collectively referred to as e-banking. However, the rapid development of e-banking capabilities carries risks as well as benefits. 

The Basel Committee on Banking Supervision expects such risks to be recognized, addressed and managed by banking institutions in a prudent manner according to the fundamental characteristics and challenges of e-banking services. These characteristics include the unprecedented speed of change related to technological and customer service innovation, the ubiquitous and global nature of open electronic networks, the integration of e-banking applications with legacy computer systems and the increasing dependence of banks on third parties that provide the necessary information technology. The Committee noted that, while not creating inherently new risks, these characteristics increased and modified some of the traditional risks associated with banking activities, in particular strategic, operational, legal and reputational risks, thereby influencing the overall risk profile of banking.

Based on these conclusions, the Committee considers that while existing risk management principles remain applicable to e-banking activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of e-banking activities. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. The Committee also believes that the integration of e-banking applications with legacy systems implies an integrated risk management approach for all banking activities of a banking institution.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Source Code Review and Testing

Application and operating system source code can have numerous vulnerabilities due to programming errors or misconfiguration. Where possible, financial institutions should use software that has been subjected to independent security reviews of the source code, especially for Internet-facing systems. Software can contain erroneous or intentional code that introduces covert channels, backdoors, and other security risks into systems and applications. These hidden access points can often provide unauthorized access to systems or data that circumvents built-in access controls and logging. Source code reviews should be repeated after any potentially significant change.


INTERNET PRIVACY
- We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

2)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in 14 or 15? [4(a)(2)]

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
