Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
February 25, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
REMINDER - The Internet
Banking News is emailed to you every weekend. If you do
not receive by Monday, please check your spam filter settings.
If this was not the reason, please email R. Kinney Williams at
will do our best to figure out the problem.
Daylight Savings Time Change: Risk Management Guidance -
Banks may be exposed to a variety of risks from the upcoming change
in the schedule for Daylight Savings Time.
FYI - Internet DOS
attacks spur exchange between government, private sector - Tuesday's
denial-of-service attacks against three of the Internet's root DNS
servers did not rise to the level of a major cyberincident, but it
did highlight the government's efforts to coordinate responses with
private-sector infrastructure providers.
FYI - Pa. coroner
charged with giving reporters 911 center password - A county coroner
was charged Monday with illegally giving newspaper reporters a
password to access the emergency 911 system's confidential Web site
and conspiring with the reporters to commit computer crime.
FYI - Another good
reason to stop using telnet - There is a major zero day bug
announced in solaris 10 and 11 with the telnet and login
combination. It has been verified. In my opinion NOBODY be
should running telnet open to the internet. Versions of Solaris 9
and lower do not appear to have this vulnerability.
FYI - Mobile Attacks
Jumped Fivefold in 2006, Study Says - The number of security attacks
reported by mobile phone operators in 2006 jumped fivefold over the
year before, a McAfee study reports.
FYI - Bank of America to
Launch Mobile Banking - Online customers can soon move money, pay
bills by cell phones and smart phones.
FYI - Lost Computer
Tapes Had Details on 135,000 Workers, Patients - Personal data on
about 135,000 Johns Hopkins employees and patients were lost last
month, the university announced yesterday, when a contractor did not
return backup computer tapes from the hospital and the university
FYI - Social Security
numbers found on UNL Web site - A University of Nebraska-Lincoln
employee accidentally posted the Social Security numbers of 72
students, professors and staff members on the university's public
Web site, where they remained for more than two years before UNL
officials caught the gaffe Tuesday.
FYI - Burglary leads to
ID theft concerns - More than 500 people whose personal information
was stolen from a Bay Street apartment where a state tax auditor
lives have been notified they may be susceptible to identity theft.
FYI - Thieves stole four
computer hard drives containing financial, personnel and research
files from the office of the International Monetary Fund in the
Azerbaijani capital, police and a fund official said Tuesday. The
theft happened sometime Monday morning at the fund's Baku offices,
located in the Finance Ministry's main administrative building, a
worker at the fund told The Associated Press.
FYI - FBI Loses 3 To 4
Laptops Every Month - Some of the recently lost or stolen computers
contained 'sensitive' information, but the extent of the damage from
the losses is unknown. Three to four laptops are lost or stolen from
the FBI every month, according to a report issued this month from
the Justice Department's Inspector General.
FYI - VA loses sensitive
information on 1.3 million doctors - The hard drive that went
missing from a Birmingham, Ala., Veterans Affairs Department
facility last month contained highly sensitive information on nearly
all U.S. physicians and medical data for about 535,000 VA patients,
agency officials announced over the weekend.
FYI - Hacker gets state
credit card info - Web site breach affects thousands of Hoosiers,
businesses - State technology officials sent letters Friday to 5,600
people and businesses informing them that a hacker obtained
thousands of credit card numbers from the state Web site.
FYI - Personal Identity
Data Exposure Incident - On January 5, 2007, Radford University (RU)
staff discovered a computer virus on University owned computers.
This virus has caused a potential security breach involving personal
information on a server located in the Waldron College of Health and
Human Services. We view this matter with the highest degree of
concern and immediately removed this server from the network while
adopting efforts to prevent a recurrence of the experience. During
the intervening days we have been conducting an investigation to
determine who might be affected.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Programs. (4 of 12)
Assessing security incidents and identifying the unauthorized access
to or misuse of customer information essentially involve organizing
and developing a documented risk assessment process for determining
the nature and scope of the security event. The goal is to
efficiently determine the scope and magnitude of the security
incident and identify whether customer information has been
Containing and controlling the security incident involves preventing
any further access to or misuse of customer information or customer
information systems. As there are a variety of potential threats to
customer information, organizations should anticipate the ones that
are more likely to occur and develop response and containment
procedures commensurate with the likelihood of and the potential
damage from such threats. An institution's information security risk
assessment can be useful in identifying some of these potential
threats. The containment procedures developed should focus on
responding to and minimizing potential damage from the threats
identified. Not every incident can be anticipated, but institutions
should at least develop containment procedures for reasonably
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 1 of 4)
Automated intrusion detection systems (IDS) use one of two
methodologies, signature and heuristics. An IDS can target either
network traffic or a host. The signature-based methodology is
generally used on network traffic. An IDS that uses a
signature-based methodology reads network packets and compares the
content of the packets against signatures, or unique
characteristics, of known attacks and known anomalous network
traffic. When a match is recognized between current readings and a
signature, the IDS generates an alert.
A general weakness in the signature-based detection method is that a
signature must exist for an alert to be generated. Attacks that
generate different signatures from what the institution includes in
its IDS will not be detected. This problem can be particularly acute
if the institution does not continually update its signatures to
reflect lessons learned from attacks on itself and others, as well
as developments in attack tool technologies. It can also pose
problems when the signatures only address known attacks, rather than
both known attacks and anomalous traffic. Another general weakness
is in the capacity of the IDS to read traffic. If the IDS falls
behind in reading network traffic, traffic may be allowed to bypass
the IDS. That traffic may contain attacks that would otherwise cause
the IDS to issue an alert.
Proper placement of network IDS is a strategic decision determined
by the information the institution is trying to obtain. Placement
outside the firewall will deliver IDS alarms related to all attacks,
even those that are blocked by the firewall. With this information,
an institution can develop a picture of potential adversaries and
their expertise based on the probes they issue against the network.
Because the placement is meant to gain intelligence on attackers
rather than to alert on attacks, tuning generally makes the IDS less
sensitive than if it is placed inside the firewall. An IDS outside
the firewall will generally alert on the greatest number of
unsuccessful attacks. IDS monitoring behind the firewall is meant to
detect and alert on hostile intrusions. Multiple IDS units can be
used, with placement determined by the expected attack paths to
sensitive data. Generally speaking, the closer the IDS is to
sensitive data, the more important the tuning, monitoring, and
response to IDS alerts. The National Institute of Standards and
Technology (NIST) recommends network intrusion detection systems "at
any location where network traffic from external entities is allowed
to enter controlled or private networks."
Return to the top of the
INTRUSION DETECTION AND RESPONSE
2. Determine if the IDSs identified as necessary in the risk
assessment process are properly installed and configured.
3. Determine whether an appropriate firewall ruleset and routing
controls are in place and updated as needs warrant.
! Identify personnel responsible for defining and setting
firewall rulesets and routing controls.
! Review procedures for updating and changing rulesets and
! Determine that appropriate filtering occurs for spoofed
addresses, both within the network and at external connections,
covering network entry and exit.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
42. Does the institution provide the consumer with a
reasonable opportunity to opt out such as by:
a. mailing the notices required by §10 and allowing the
consumer to respond by toll-free telephone number, return mail, or
other reasonable means (see question 22) within 30 days from the
date mailed; [§10(a)(3)(i)]
b. where the consumer opens an on-line account with the
institution and agrees to receive the notices required by §10
electronically, allowing the consumer to opt out by any reasonable
means (see question 22) within 30 days from consumer acknowledgement
of receipt of the notice in conjunction with opening the account;
c. for isolated transactions, providing the notices required
by §10 at the time of the transaction and requesting that the
consumer decide, as a necessary part of the transaction, whether to
opt out before the completion of the transaction? [§10(a)(3)(iii)]
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.