R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 4, 2012

CONTENT Internet Compliance Information Systems Security
IT Security
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee
you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Hacking now responsible for most of exposed records - Until last year, lost and stolen laptops were to blame for the largest percentage of breach types. Now, hacking has claimed the top spot. http://www.scmagazine.com/hacking-now-responsible-for-most-of-exposed-records/article/229479/%22?DCMP=EMC-SCUS_Newswire

FYI - Air Force Special Operations cancels iPad buy - The Air Force Special Operations Command canceled its planned acquisition of Apple iPad tablet computers last week, two days after receiving a query from Nextgov about the inclusion of Russian-developed security and documents reader software specified in procurement documents. http://www.nextgov.com/nextgov/ng_20120221_7036.php

FYI - Voluntary guidelines for Web privacy backed by Obama administration - The Obama administration on Thursday announced voluntary guidelines for Web companies to protect consumers’ privacy online, a win for Google, Facebook and other Internet giants that have fought against heavier federal mandates. http://www.washingtonpost.com/business/technology/obama-administration-backs-voluntary-guidelines-for-web-privacy/2012/02/22/gIQAFHLWUR_story.html

FYI - First IPv6 Distributed Denial of Service Internet attacks seen - You know IPv6 must finally be making it: The first IPv6 Distributed Denial of Service Internet attacks have been spotted in the wild. The clock is running out on IPv4 on the Internet, but even so the next generation of Internet traffic protocols, IPv6, is being adopted very slowly. http://www.zdnet.com/blog/networking/first-ipv6-distributed-denial-of-service-internet-attacks-seen/2039

FYI - Forcing Defendant to Decrypt Hard Drive Is Unconstitutional, Appeals Court Rules - Forcing a criminal suspect to decrypt hard drives so their contents can be used by prosecutors is a breach of the Fifth Amendment right against compelled self-incrimination, a federal appeals court ruled Thursday. http://www.wired.com/threatlevel/2012/02/laptop-decryption-unconstitutional/ 

FYI - DHS pinpoints government computers set to lose Internet access - The Obama administration employed a new governmentwide network surveillance tool and private sector assistance to search for corrupted agency computers that are at risk of going offline in less than two weeks, Homeland Security Department officials said. http://www.nextgov.com/nextgov/ng_20120227_9754.php?oref=topstory

FYI - FBI turns off 3,000 GPS trackers after Supreme Court ruling - Andrew Weissmann, general counsel for the FBI, has announced that his agency is switching off thousands of Global Positioning System-based tracking devices used for surveillance after a Supreme Court decision last month. http://arstechnica.com/tech-policy/news/2012/02/fbi-turns-off-3000-gps-trackers-after-supreme-court-ruling.ars

FYI - Deception and the art of cyber security - “Warfare is the way of deception,” said Sun Tzu, the ancient Chinese military strategist. Cyber attackers have long embraced deception by deploying tactics, such as social engineering help-desk employees to install trojans or obtain users' credentials. http://www.scmagazine.com/deception-and-the-art-of-cyber-security/article/229685/?DCMP=EMC-SCUS_Newswire


FYI - 'Iran Cyber Army' hits Azerbaijan state TV site - Hackers calling themselves the 'Iranian Cyber Army' have attacked the website of mainly Muslim neighbour Azerbaijan's state television station, the communications ministry said on Thursday. http://www.vancouversun.com/business/technology/Iran+Cyber+Army+hits+Azerbaijan+state+site/6197748/story.html

FYI - News of the World hacker named after court block lifted - A man accused of hacking into the computers of a former British Army intelligence officer on behalf of a News of the World editor has been named who is also a former British Army intelligence officer. http://www.theregister.co.uk/2012/02/21/notw_computer_hacker_named/ 

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Legal and Reputational Risk Management 

To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimize operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers' expectations, banks should therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  


System Patches

Software support should incorporate a process to update and patch operating system and application software for new vulnerabilities. Frequently, security vulnerabilities are discovered in operating systems and other software after deployment. Vendors often issue software patches to correct those vulnerabilities. Financial institutions should have an effective monitoring process to identify new vulnerabilities in their hardware and software.  Monitoring involves such actions as the receipt and analysis of vendor and governmental alerts and security mailing lists. Once identified, secure installation of those patches requires a process for obtaining, testing, and installing the patch.

Patches make direct changes to the software and configuration of each system to which they are applied. They may degrade system performance. Also, patches may introduce new vulnerabilities, or reintroduce old vulnerabilities. The following considerations can help ensure patches do not compromise the security of systems:

! Obtain the patch from a known, trusted source;
! Verify the integrity of the patch through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch;
! Apply the patch to an isolated test system and verify that the patch (1) is compatible with other software used on systems to which the patch will be applied, (2) does not alter the system's security posture in unexpected ways, such as altering log settings, and (3) corrects the pertinent vulnerability;
! Back up production systems prior to applying the patch;
! Apply the patch to production systems using secure methods, and update the cryptographic checksums of key files as well as that system's software archive;
! Test the resulting system for known vulnerabilities;
! Update the master configurations used to build new systems;
! Create and document an audit trail of all changes; and
! Seek additional expertise as necessary to maintain a secure computing environment.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

5)  When the subsequent delivery of a privacy notice is permitted, does the institution provide notice after establishing a customer relationship within a reasonable time? [§4(e)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated