R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 14, 2010

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


What if you could continuously review your IT operations throughout the year as recommended by regulators and IT auditors for less than 10 dollars a week?
You can - by relying on The Weekly IT Security Review by Yennik, Inc.  Readers have been asking us for a method that would allow them to continuously review their IT operations throughout the year.  We have responded by using our expertise to develop The Weekly IT Security Review.  Designed especially for IT professionals, this new offering from Yennik, Inc. provides a weekly review of information systems security issues.  For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI -
FYI - Participants in the Alaska Public Employees' Retirement System and the Teachers' Retirement System, who were active or inactive employees, including retirees, in 2003 and 2004. If you are affected by this breach, you will be mailed a notice shortly with more detailed information about the breach, and instructions on how to sign up for free services pursuant to the settlement reached with PwC. http://doa.alaska.gov/drb/pdf/price-waterhouse-security-breach-factsheet.pdf

FYI -
Anatomy Of A Targeted, Persistent Attack - New report provides an inside look at real attacks that infiltrated, camped out, and stole intellectual property and proprietary information -- and their links to China. http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=222600139

FYI -
Bank of America Web site goes down Friday - Bank of America was investigating an outage on Friday that affected an unknown number of customers but had ruled out a cyberattack, a representative said. http://news.cnet.com/8301-27080_3-10444474-245.html

FYI -
Alleged cable modem hacker arrested - A Massachusetts man has been charged with selling hacked cable modems that were reconfigured to allow free, untraceable internet service, according to a news release from the U.S. Department of Justice. http://www.scmagazineus.com/alleged-cable-modem-hacker-arrested/article/162795/

FYI -
Global critical infrastructure under attack, study finds - Global critical infrastructure networks are being pummeled with repeated cyberattacks from foreign nation-states and other adversaries, including terrorist organizations and organized crime groups, a report released. http://www.scmagazineus.com/global-critical-infrastructure-under-attack-study-finds/article/162645/

FYI -
Health Net Sued Over Data Breach - The Connecticut attorney general has sued Health Net, claiming the insurance company failed to adequately protect the medical records of 446,000 customers whose private data was contained in a computer disk drive that was found to be missing last spring. http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=222600681

FYI -
U.S. Navy establishes new Cyber Command - The U.S Navy has joined the Air Force and Marines with the formation of a new command charged with overseeing cyberspace operations. http://www.scmagazineus.com/us-navy-establishes-new-cyber-command/article/162979/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
National Archives Warns Former Clinton Staff, Visitors of Major Data Breach - Personal information for 250,000 Clinton administration staff and White House visitors sent to the National Archives was compromised after a computer hard drive containing confidential material disappeared nearly a year ago, RollCall.com reported.
http://www.foxnews.com/politics/2010/01/27/national-archives-warns-clinton-staff-visitors-major-data-breach/?test=latestnews
http://www.wired.com/threatlevel/2010/01/national-archives-data-breach/

FYI -
Bank sues victim of $800,000 cybertheft - In twist, Texas bank sues business customer, claiming cybertheft not its fault - A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises. http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft?taxonomyId=17&pageNumber=1

FYI -
BlueCross computer theft already costs $7 million - What was initially assumed to be just a glitch in some soon-to-be-discarded computer equipment last fall has grown into one of Chattanooga's most expensive property crimes of the year. http://www.timesfreepress.com/news/2010/jan/26/bluecross-computer-theft-already-costs-7-million/

FYI -
Hackers pluck 8,300 customer logins from bank server - Hackers have stolen the login credentials for more than 8,300 customers of small New York bank after breaching its security and accessing a server that hosted its online banking system. http://www.theregister.co.uk/2010/01/12/bank_server_breached/

FYI -
Laptop containing UCSF medical school patient information stolen - A laptop containing sensitive patient information was recently stolen from an employee of the University of California, San Francisco (UCSF) School of Medici/ne. http://www.scmagazineus.com/laptop-containing-ucsf-medical-school-patient-information-stolen/article/162788/

FYI -
Hackers deface 49 U.S. House websites - Hackers defaced 49 websites belonging to U.S. House of Representatives' members and committees soon after President Obama delivered his State of the Union address on Wednesday night. http://www.scmagazineus.com/hackers-deface-49-us-house-websites/article/162576/

FYI -
US gaming commission confirms 80,000 personal details exposed after outside attack on server - Around 80,000 Iowa employee names, birth dates and social security numbers have been exposed after a server was hacked. http://www.scmagazineuk.com/us-gaming-commission-confirms-80000-personal-details-exposed-after-outside-attack-on-server/article/162775/

FYI -
Students at Potomac school hack into computers; grades feared changed - Students at a Potomac high school hacked into the school's computer system and changed class grades, according to sources briefed by the school's principal, and officials are investigating how widespread the damage might be. http://www.washingtonpost.com/wp-dyn/content/article/2010/01/28/AR2010012803494.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - W
e continue the series regarding FDIC Supervisory Insights regarding
Incident Response Programs.  (6 of 12)

Best Practices-Going Beyond the Minimum

Each bank has the opportunity to go beyond the minimum requirements and incorporate industry best practices into its IRP. As each bank tailors its IRP to match its administrative, technical, and organizational complexity, it may find some of the following best practices relevant to its operating environment. The practices addressed below are not all inclusive, nor are they regulatory requirements. Rather, they are representative of some of the more effective practices and procedures some institutions have implemented. For organizational purposes, the best practices have been categorized into the various stages of incident response: preparation, detection, containment, recovery, and follow-up.


Preparation


Preparing for a potential security compromise of customer information is a proactive risk management practice. The overall effectiveness and efficiency of an organization's response is related to how well it has organized and prepared for potential incidents. Two of the more effective practices noted in many IRPs are addressed below.

Establish an incident response team.

A key practice in preparing for a potential incident is establishing a team that is specifically responsible for responding to security incidents. Organizing a team that includes individuals from various departments or functions of the bank (such as operations, networking, lending, human resources, accounting, marketing, and audit) may better position the bank to respond to a given incident. Once the team is established, members can be assigned roles and responsibilities to ensure incident handling and reporting is comprehensive and efficient. A common responsibility that banks have assigned to the incident response team is developing a notification or call list, which includes contact information for employees, vendors, service providers, law enforcement, bank regulators, insurance companies, and other appropriate contacts. A comprehensive notification list can serve as a valuable resource when responding to an incident.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY
-
We continue the series  from the FDIC "Security Risks Associated with the Internet." 

Logical Access Controls 

A primary concern in controlling system access is the safeguarding of user IDs and passwords.  The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism. 

The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder. 


Security Flaws and Bugs / Active Content Languages 

Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications. 

Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.
  

Viruses / Malicious Programs 


Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.


Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

49.  If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it :

a.  required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [14(b)(1)] or

b.  required, or is a usual, appropriate, or acceptable method to:[14(b)(2)]

  1.  carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [14(b)(2)(i)]
  2.  administer or service benefits or claims; [14(b)(2)(ii)]
  3.  confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [14(b)(2)(iii)]
  4.  accrue or recognize incentives or bonuses; [14(b)(2)(iv)]
  5.  underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [14(b)(2)(v)] or
  6.  in connection with:
      i.  the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [14(b)(2)(vi)(A)]
      ii.  the transfer of receivables, accounts or interests therein; [14(b)(2)(vi)(B)] or
      iii.  the audit of debit, credit, or other payment information? [14(b)(2)(vi)(C)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated