R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 17, 2013

Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - This past week, I was taking some time to be with family and friends.  I will be back in the office Tuesday February 19.  

FYI - DoD Faces Cyber Expert Talent Shortage - The Pentagon may want thousands of new cyber experts added to its work force, but experts said the agency lacks any credible means of training that many recruits, and there aren’t enough already trained to meet the need. http://www.defensenews.com/apps/pbcs.dll/article?AID=2013302060013

FYI - PCI council clarifies merchant's cloud security obligations - The group charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is now tackling merchants' security and compliance concerns around cloud usage. http://www.scmagazine.com/pci-council-clarifies-merchants-cloud-security-obligations/article/279595/?DCMP=EMC-SCUS_Newswire

FYI - FCC vs. GAO: Haste = waste, or he who hesitates is lost? - The Federal Communications Commission was dinged in a recent audit for cutting corners while upgrading network security in response to a breach. http://gcn.com/blogs/cybereye/2013/02/gao-fcc-enhanced-security-network-audit.aspx

FYI - DHS Watchdog OKs ‘Suspicionless’ Seizure of Electronic Devices Along Border - The Department of Homeland Security’s civil rights watchdog has concluded that travelers along the nation’s borders may have their electronics seized and the contents of those devices examined for any reason whatsoever - all in the name of national security. http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/

FYI - Feds Update Cybersecurity Compliance Handbook - The federal government has nearly finalized its first major overhaul to the primary handbook to federal cybersecurity standards in nearly four years, and its most significant update since the initial release of that handbook in 2005. http://www.informationweek.com/government/security/feds-update-cybersecurity-compliance-han/240148126

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Fed confirms but downplays Anonymous Super Bowl banker hack - The US Federal Reserve has admitted that its systems were hacked during Sunday's Super Bowl, a breach that led to the leaking of personal data on hundreds of US banking executives.
http://www.theregister.co.uk/2013/02/06/fed_confirms_downplays_anon_superbowl_hack/
http://www.zdnet.com/anger-rises-as-fed-confirms-anonymous-hack-downplays-us-bank-emergency-system-breach-7000010902/

FYI - Anonymous reveals ample Fed access, FBI opens criminal investigation - Anonymous published a file revealing significant access to the Federal Reserve's internal files and servers; amid accusations of inaction and non-transparency the FBI has opened a criminal investigation into Sunday's bank hack. http://www.zdnet.com/anonymous-reveals-ample-fed-access-fbi-opens-criminal-investigation-7000011073/

FYI - ID theft/fraud ring netted $200 million and counting, feds allege - In an indictment that reads like an instruction manual for nearly every type of identity theft and credit card fraud yet invented, prosecutors alleged on Tuesday that more than a dozen crooks ran roughshod over America's credit system for six years, stealing hundreds of millions of dollars and living like kings. http://redtape.nbcnews.com/_news/2013/02/06/16870609-id-theftfraud-ring-netted-200-million-and-counting-feds-allege?lite

FYI - Barracuda Issues Security Update, Apologizes To Customers - Barracuda Networks Monday issued a product update designed to address some of the security vulnerabilities that have been identified in some of its appliances, as well as a mea culpa for building hardcoded, undocumented backdoors into its products. http://www.informationweek.com/security/vulnerabilities/barracuda-issues-security-update-apologi/240148096

FYI - Hackers hijack Bit9 to target its customers with malware - Hackers have breached the security company Bit9 and accessed its code-signing certificates, enabling intruders to digitally sign malware to appear as legitimate files, the vendor announced Friday. http://www.scmagazine.com/hackers-hijack-bit9-to-target-its-customers-with-malware/article/279777/?DCMP=EMC-SCUS_Newswire

FYI - Hackers said to hit Bush family, exposing sensitive information - The Smoking Gun has reported that correspondence from both former President Bushes was among that compromised by unknown hackers. http://news.cnet.com/8301-1009_3-57568480-83/hackers-said-to-hit-bush-family-exposing-sensitive-information/?tag=nl.e757&s_cid=e757&ttag=e757


WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)

Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes. Enhancements may include:

!  Incorporating notification procedures to alert customers of known e-mail and Internet-related fraudulent schemes and to caution them against responding;
!  Establishing a process to notify Internet service providers, domain name-issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that may be used to facilitate phishing or other e-mail and Internet-related fraudulent schemes;
!  Increasing suspicious activity monitoring and employing additional identity verification controls;
!  Offering customers assistance when fraud is detected in connection with customer accounts;
!  Notifying the proper authorities when e-mail and Internet-related fraudulent schemes are detected, including promptly notifying their FDIC Regional Office and the appropriate law enforcement agencies; and
!  Filing a Suspicious Activity Report when incidents of e-mail and Internet-related fraudulent schemes are suspected.

Steps Financial Institutions Can Take to Mitigate Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and Internet-related fraudulent schemes, financial institutions should implement appropriate information security controls as described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet."  Specific actions that should be considered to prevent and deter e-mail and Internet-related fraudulent schemes include:

!  Improving authentication methods and procedures to protect against the risk of user ID and password theft from customers through e-mail and other frauds;
!  Reviewing and, if necessary, enhancing practices for protecting confidential customer data;
!  Maintaining current Web site certificates and describing how customers can authenticate the financial institution's Web pages by checking the properties on a secure Web page;
!  Monitoring accounts individually or in aggregate for unusual account activity such as address or phone number changes, a large or high volume of transfers, and unusual customer service requests;
!  Monitoring for fraudulent Web sites using variations of the financial institution's name;
!  Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious e-mail messages; and
!  Training customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.
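The list above names the control "monitoring for fraudulent Web sites using variations of the financial institution's name" without saying how such monitoring works. The following Python script is an added illustration, not part of the FDIC guidance and not Yennik's own tooling: it takes a feed of newly observed domain names and flags those that resemble the institution's legitimate domain, giving a reason for each. The institution domain (examplebank.com), the sample feed, the homoglyph map and the edit-distance threshold are all constructed choices of the example.

```python
"""Flag newly observed domain names that resemble an institution's own domain.

Added illustration for the monitoring guidance above; not FDIC or Yennik code.
The legitimate domain and the feed of new domains are constructed sample data.
"""
from __future__ import annotations

# Constructed: the institution's legitimate customer-facing domain (hypothetical).
INSTITUTION_DOMAIN = "examplebank.com"

# Constructed: domains newly seen by a brand-monitoring or certificate-transparency
# watcher during one reporting period.
SAMPLE_FEED = [
    "examplebank.com",         # the institution itself, must not be flagged
    "examplebank.net",         # same name, different TLD
    "exanplebank.com",         # one-character substitution
    "examplebnak.com",         # adjacent-letter transposition
    "examplebank-secure.com",  # brand name plus a lure word
    "examp1ebank.net",         # digit standing in for a letter
    "exampleban.com",          # dropped character
    "weatherforecast.org",     # unrelated registration
    "bankofexample.com",       # reuses the words but not the name; not caught here
]

# Characters and digraphs commonly used to imitate letters. Applying this map can
# also rewrite ordinary words (e.g. "modern" -> "modem"), so it is used only to
# compare against the legitimate label, never to rewrite what is reported.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, tld). Subdomains are dropped, so
    'login.exanplebank.com' is compared as ('exanplebank', 'com')."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def normalize_homoglyphs(label: str) -> str:
    """Replace look-alike characters with the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def classify(candidate: str, legit: str = INSTITUTION_DOMAIN, max_distance: int = 2) -> str | None:
    """Return why `candidate` resembles `legit`, or None if it does not."""
    cand_label, cand_tld = split_domain(candidate)
    legit_label, legit_tld = split_domain(legit)
    if (cand_label, cand_tld) == (legit_label, legit_tld):
        return None                                     # the institution's own domain
    if cand_label == legit_label:
        return "tld-swap"                               # examplebank.net
    normalized = normalize_homoglyphs(cand_label)
    if normalized == legit_label:
        return "homoglyph"                              # examp1ebank.net
    if legit_label in normalized:
        return "brand-embedded"                         # examplebank-secure.com
    distance = levenshtein(normalized, legit_label)
    if distance <= max_distance:
        return f"near-miss (edit distance {distance})"  # exanplebank.com
    return None


def scan_feed(feed: list[str], legit: str = INSTITUTION_DOMAIN) -> dict[str, str]:
    """Map each suspicious domain in `feed` to the reason it was flagged."""
    flagged = {}
    for domain in feed:
        reason = classify(domain, legit)
        if reason:
            flagged[domain] = reason
    return flagged


if __name__ == "__main__":
    for domain, reason in scan_feed(SAMPLE_FEED).items():
        print(f"{domain:28} {reason}")
```

The checks are ordered from most to least specific so that each flagged domain gets one explanatory reason; the edit-distance threshold of 2 is a trade-off, since a larger value catches more variants but also more unrelated short names, and the last feed entry shows a class of lookalike (the brand words reordered) that this simple comparison deliberately does not attempt to catch.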

Conclusion

E-mail and Internet-related fraudulent schemes present a substantial risk to financial institutions and their customers. Financial institutions should consider developing programs to educate customers about e-mail and Internet-related fraudulent schemes and how to avoid them, consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes, and implement appropriate information security controls to help mitigate the risks associated with e-mail and Internet-related fraudulent schemes.


 
INFORMATION TECHNOLOGY SECURITY
- We continue the series from the FDIC "Security Risks Associated with the Internet."

Product Certification and Security Scanning Products

Several organizations exist which independently assess and certify the adequacy of firewalls and other computer system related products. Typically, certified products have been tested for their ability to permit and sustain business functions while protecting against both common and evolving attacks.

Security scanning tools should be run frequently by system administrators to identify any new vulnerabilities or changes in the system. Ideally, the scan should be run both with and without the firewall in place so the firewall's protective capabilities can be fully evaluated. Identifying the susceptibility of the system without the firewall is useful for determining contingency procedures should the firewall ever go down. Some scanning tools have different versions with varying degrees of intrusion/attack attempts.
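Running the scanner with and without the firewall, and again on a schedule, only pays off if the results are actually compared. The Python below is an added example, not from the FDIC text and not tied to any product named on this page: it reads scan results in nmap's grepable (-oG) line format and produces the two comparisons the paragraph calls for, namely which open services the firewall really blocks (and which would therefore become reachable if it went down) and what has changed since the previous scan. The three scan results are constructed sample data for a hypothetical host 10.0.0.5.

```python
"""Compare firewall-on / firewall-off and week-over-week scan results.

Added illustration for the FDIC paragraph above; not FDIC code and not tied to
any product on the page. Input is nmap's grepable (-oG) line format; the three
scans below are constructed sample data for a hypothetical host 10.0.0.5.
"""
from __future__ import annotations

# Constructed sample: scan run from inside the perimeter, i.e. without the firewall.
SCAN_NO_FIREWALL = """\
# constructed sample in nmap grepable (-oG) format, not real output
Host: 10.0.0.5 (app01.example.internal)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (995)
"""

# Constructed sample: the same host scanned from outside, through the firewall.
SCAN_WITH_FIREWALL = """\
# constructed sample in nmap grepable (-oG) format, not real output
Host: 10.0.0.5 (app01.example.internal)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/filtered/tcp//mysql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (995)
"""

# Constructed sample: last week's scan through the firewall, before 8080 appeared.
SCAN_WITH_FIREWALL_PREVIOUS = """\
# constructed sample in nmap grepable (-oG) format, not real output
Host: 10.0.0.5 (app01.example.internal)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)
"""


def parse_grepable(text: str) -> dict[tuple[str, int, str], tuple[str, str]]:
    """Parse -oG 'Host:' lines into {(host, port, proto): (state, service)}.
    Each port entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version."""
    results = {}
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue
        host_part, ports_part = line.split("Ports:", 1)
        host = host_part.split()[1]              # "Host: 10.0.0.5 (name)" -> "10.0.0.5"
        ports_part = ports_part.split("\t")[0]   # drop the "Ignored State:" section
        for entry in ports_part.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            results[(host, int(port), proto)] = (state, service)
    return results


def open_ports(scan: dict) -> set:
    """Keys of the ports reported open in one scan."""
    return {key for key, (state, _service) in scan.items() if state == "open"}


def firewall_effect(without_fw: dict, with_fw: dict) -> dict[str, set]:
    """Contrast a direct scan with a scan taken through the firewall."""
    direct = open_ports(without_fw)
    behind = open_ports(with_fw)
    return {
        # open on the host but not reachable through the firewall: this is the
        # exposure that appears the moment the firewall fails, so it drives the
        # contingency procedures the FDIC text mentions
        "blocked_by_firewall": direct - behind,
        # reachable either way: the firewall adds nothing for these services,
        # which must be hardened and patched in their own right
        "exposed_through_firewall": direct & behind,
        # reachable only through the firewall: unexpected and worth explaining
        "only_behind_firewall": behind - direct,
    }


def scan_changes(previous: dict, current: dict) -> dict[str, set]:
    """What changed between two scans taken the same way at different times."""
    prev_open = open_ports(previous)
    cur_open = open_ports(current)
    return {
        "newly_open": cur_open - prev_open,
        "newly_closed": prev_open - cur_open,
        "service_changed": {key for key in prev_open & cur_open
                            if previous[key][1] != current[key][1]},
    }


def port_numbers(keys: set) -> set[int]:
    """Reduce (host, port, proto) keys to port numbers for quick reporting."""
    return {port for _host, port, _proto in keys}


if __name__ == "__main__":
    effect = firewall_effect(parse_grepable(SCAN_NO_FIREWALL), parse_grepable(SCAN_WITH_FIREWALL))
    change = scan_changes(parse_grepable(SCAN_WITH_FIREWALL_PREVIOUS), parse_grepable(SCAN_WITH_FIREWALL))
    for label, keys in {**effect, **change}.items():
        print(f"{label:26} {sorted(port_numbers(keys))}")
```

Two outputs matter most for the review the paragraph describes: "blocked_by_firewall" lists the services that would be reachable the moment the firewall is down (here 22 and 3306), and "newly_open" lists what appeared since the last run (here 8080), which is the change an administrator should be able to explain or close.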


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 1 of 6)

The regulations establish specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide an initial and annual notice of their privacy policies to their customers. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions.

A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the regulations.

Notice and Opt Out Duties to Consumers:

If a financial institution intends to disclose nonpublic personal information about any of its consumers (whether or not they are customers) to a nonaffiliated third party, and an exception does not apply, then the financial institution must provide to the consumer:

1)  an initial notice of its privacy policies;

2)  an opt out notice (including, among other things, a reasonable means to opt out); and

3)  a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt out.

The financial institution may not disclose any nonpublic personal information to nonaffiliated third parties except under the enumerated exceptions unless these notices have been provided and the consumer has not opted out. Additionally, the institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.

Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
© Copyright Yennik, Incorporated