Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
March 4, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
NCUA Letter to Credit Unions 07-CU-03 - Reminds credit unions
of the upcoming change in the schedule for Daylight Saving.
Daylight Savings Time Change: Risk Management Guidance - Banks may
be exposed to a variety of risks from the upcoming change in the
schedule for Daylight Savings Time.
FYI - Bank Customers
Worldwide - An attack this week that targeted online customers of at
least 50 financial institutions in the U.S., Europe and Asia-Pacific
has been shut down, a security expert said Thursday. The attack was
notable for the extra effort put into it by the hackers, who
constructed a separate look-alike Web site for each financial
institution they targeted.
U.K. company fined over laptop theft - Financial institution failed
to operate effective security measures to protect customers from
data theft, government watchdog agency says. Nationwide Building
Society, a U.K. financial services provider, has been fined $1.9
million after a laptop containing sensitive customer data was stolen
from an employee.
GAO - Federal Deposit Insurance Corporation: Human Capital and Risk
Assessment Programs Appear Sound, but Evaluations of Their
Effectiveness Should Be Improved.
Highlights - http://www.gao.gov/highlights/d07255high.pdf
UK firms ignoring disaster recovery - A third of mid-sized companies
have no plans at all, research claims - One in three mid-sized
companies in the UK does not have a disaster recovery plan in place
for their website, according to recent research.
Cyber crime strikes Irish businesses - The first research into cyber
crime in Ireland shows the problem is widespread and can have
economic repercussions for companies. Like nature, the IT industry
hates a vacuum. In the absence of hard facts on cyber crime in
Ireland we've had a mix of responsible awareness raising, best-guess
estimates from international data and all manner of hype or
NIST releases info security documents - The National Institute of
Standards and Technology has published two new interagency reports
designed to help auditors, inspectors general and senior management
understand and evaluate information security programs.
Credit Card Hacking Hits Citibank Korea - Some 20 Citibank Korea
customers have had their credit card information stolen, and it was
used illegally on online shopping malls to purchase products worth
some 50 million won, the bank said Thursday.
Laptop Stolen With 22,000 Kaiser Patients' Data - In yet another
instance of laptop theft potentially endangering personal data,
Kaiser Permanente is in the process of notifying as many as 22,000
patients of a possible breach of their private medical information.
Spyware-aided hackers arrested in Turkey for online bank robbery -
Turkish police have arrested 17 people who allegedly hacked into
internet banking accounts and stole $300,000. The men are accused of
collaborating with three Russian cybercriminals, who are believed to
have provided them with usernames and passwords stolen from
computers they infected with spyware, Turkish authorities said.
Ex-student faces felony charge in Clay case - Personal, other data
downloaded to iPod - A former Clay High School student was charged
yesterday with a felony after police said he hacked into school
personnel and student files, downloading sensitive information onto
GED Records Notification - The Iowa Department of Education is
currently investigating an unauthorized access to no more than 600
GED (General Educational Development) records that were contained in
a protected department web application.
I-Team Investigation: DMV Security Risk - Anyone who wants a
driver's license must hand over their personal information as a
requirement at the Department of Motor Vehicles. And when you hand
over your personal information to the DMV, you expect it to be safe
and secure. But an audit conducted by the state shows that DMV
computer systems have serious flaws that could jeopardize your
privacy. The I-Team has been looking into the problem and found many
of these problems are not new, some go back as far as 2002.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Programs. (5 of 12)
An institution should notify its primary Federal regulator as soon
as it becomes aware of the unauthorized access to or misuse of
sensitive customer information or customer information systems.
Notifying the regulatory agency will help it determine the potential
for broader ramifications of the incident, especially if the
incident involves a service provider, as well as assess the
effectiveness of the institution's IRP.
Institutions should develop procedures for notifying law enforcement
agencies and filing SARs in accordance with their primary Federal
regulator's requirements. Law enforcement agencies may serve
as an additional resource in handling and documenting the incident.
Institutions should also establish procedures for filing SARs in a
timely manner because regulations impose relatively quick filing
deadlines. The SAR form itself may serve as a resource in the
reporting process, as it contains specific instructions and
thresholds for when to file a report. The SAR form instructions also
clarify what constitutes a "computer intrusion" for filing purposes.
Defining procedures for notifying law enforcement agencies and
filing SARs can streamline these notification and reporting
Institutions should also address customer notification procedures in
their IRP. When an institution becomes aware of an incident
involving unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to determine
the likelihood that such information has been or will be misused. If
the institution determines that sensitive customer information has
been misused or that misuse of such information is reasonably
possible, it should notify the affected customer(s) as soon as
possible. Developing standardized procedures for notifying customers
will assist in making timely and thorough notification. As a
resource in developing these procedures, institutions should
reference the April 2005 interpretive guidance, which specifically
addresses when customer notification is necessary, the recommended
content of the notification, and the acceptable forms of
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that can
distinguish between normal network traffic and potentially malicious
traffic. Proper tuning of these IDS units is essential to reliable
detection of both known attacks and newly developed attacks. Tuning
of some signature - based units for any particular network may take
an extended period of time, and involve extensive analysis of
expected traffic. If an IDS is not properly tuned, the volume of
alerts it generates may degrade the intrusion identification and
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as cmd.exe,
are indicators of an attack. The nature of traffic to and from a
server can also serve as a signature. An example is the length of a
session and amount of traffic passed. A signature method meant to
focus on sophisticated attackers is protocol analysis, when the
contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter their network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the effectiveness
of a network IDS. Since a network IDS only reads traffic and does
not decrypt the traffic, encrypted traffic will avoid detection.
Return to the top of the
INTRUSION DETECTION AND RESPONSE
4. Determine whether logs of security-related events are sufficient
to assign accountability for intrusion detection system activities,
as well as support intrusion forensics and IDS.
5. Determine if logs of security-related events are appropriately
secured against unauthorized access, change, and deletion for an
adequate time period, and that reporting to those logs is adequately
6. Determine if an appropriate process exists to authorize employee
access to intrusion detection systems and that authentication and
authorization controls limit access to and control the access of
Return to the top of
INTERNET PRIVACY We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out? [§10(c)]
(Note: an institution may allow partial opt outs
in addition to, but may not allow them instead of, a comprehensive
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.