Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial
March 11, 2007
Your financial institution needs an affordable Internet security

Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit is conducted from a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit
Mass. bill wants stores to pay more in data breaches - Small banks fed up with footing the bill for other companies' security leaks support the effort. But what does it mean for consumers? Businesses would have to reimburse banks for costs stemming from data security breaches, under a Massachusetts bill that could be mimicked by other states and in Congress.

TJX breach more severe than originally thought, says retailer - Hackers infiltrated network systems at TJX Companies -- potentially accessing the personal details of millions of shoppers -- for a longer period than the discount clothing retailer initially thought.

Mass-pharming attack targeting 50 banks is shut down - Fifty financial institutions in the United States, Europe and the Asia-Pacific region were hit with a well-crafted pharming attack

Japan's 'cyber crime' rate rises 40% - Japanese police pledged to improve their technology to battle cyber crime, which shot up 40% last year as fraudsters become increasingly sly, an AFP report said. The AFP report, quoting Japan's National Police Agency, said police investigated 4,425 cases of online crime last year, an increase from 3,161 a year earlier and about 3.3 times more than five years ago.

SEC sues firm for hacking company news releases - U.S. regulators sued an overseas company and its owner on Monday, alleging they hacked into computer systems to get corporate news releases early and traded on that information, making a profit of $2.7 million.

Trojan phishing attack claims multiple victims - Security watchers have discovered a string of malicious websites that install Trojan code, allowing hackers to compromise end-user banking credentials for more than 50 financial institutions and ecommerce websites.

Lawmakers Working to Limit RFID Door Cards - RFID door cards raise security concerns; legislation is in the works. There's already an RFID security brouhaha brewing in Washington, and if some people have their way, it won't be the last legal fight waged in the nation's capital over use of the wireless technology.

Hackers hit Georgia Tech and steal personal info - The personal information of about 3,000 current and former Georgia Tech employees may have been compromised by unauthorized access to a Georgia Tech computer account by unknown sources outside the university, Georgia Tech reported Feb. 21.

Laptop with patients' personal information stolen - Seton computer contains information on 7,800 uninsured patients. The theft of a laptop computer from an Austin office last week has led the Seton hospital system to warn about 7,800 uninsured patients to watch for signs of identity theft.

Stop & Shop reports credit data was stolen - Card readers reveal tampering - Quincy-based Stop & Shop has bolted down card readers at all 385 of its supermarkets in New England, New York, and New Jersey to prevent them from being removed and tampered with. With help from US Secret Service agents, Stop & Shop Supermarket Cos. executives scrambled yesterday to determine how many consumers may have had their credit and debit card data stolen by high-tech thieves who apparently broke into checkout-line card readers and planted the equivalent of bugs to steal information.

Former Fruit of the Loom workers' identities compromised - A security breach with a Fruit of the Loom database has left former Rabun Apparel Inc. employees on edge. Word spread rapidly across the North Georgia Technical College campus Tuesday morning about how easily one could access the 1,006 names and Social Security numbers of former employees.

Security alert as thousands told bank details have been stolen - THOUSANDS of county council staff are at risk of identity theft after their highly confidential bank and national insurance details were stolen. A laptop computer containing the personal information of up to 19,000 staff - complete with names and addresses - was taken in a street robbery.

Mysterious Computer Theft Hits Mystery Shopping Company - Speedmark, a marketing services firm that employs "mystery shoppers" to observe employee behavior for client companies, was hit with a data breach when thieves stole computers containing some shoppers' personal data from the company's Woodlands, Texas office.
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (6 of 12)

Best Practices - Going Beyond the Minimum
Each bank has the opportunity to go beyond the minimum requirements and incorporate industry best practices into its IRP. As each bank tailors its IRP to match its administrative, technical, and organizational complexity, it may find some of the following best practices relevant to its operating environment. The practices addressed below are not all-inclusive, nor are they regulatory requirements. Rather, they are representative of some of the more effective practices and procedures some institutions have implemented. For organizational purposes, the best practices have been categorized into the various stages of incident response: preparation, detection, containment, recovery, and follow-up.

Preparing for a potential security compromise of customer information is a proactive risk management practice. The overall effectiveness and efficiency of an organization's response is related to how well it has organized and prepared for potential incidents. Two of the more effective practices noted in many IRPs are addressed below.

Establish an incident response team.

A key practice in preparing for a potential incident is establishing a team that is specifically responsible for responding to security incidents. Organizing a team that includes individuals from various departments or functions of the bank (such as operations, networking, lending, human resources, accounting, marketing, and audit) may better position the bank to respond to a given incident. Once the team is established, members can be assigned roles and responsibilities to ensure incident handling and reporting is comprehensive and efficient. A common responsibility that banks have assigned to the incident response team is developing a notification or call list, which includes contact information for employees, vendors, service providers, law enforcement, bank regulators, insurance companies, and other appropriate contacts. A comprehensive notification list can serve as a valuable resource when responding to an incident.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 3 of 4)
Some network IDS units allow the IP addresses associated with certain signatures to be automatically blocked. Financial institutions that use that capability run the risk of an attacker sending attack packets that falsely report the sending IP addresses as that of service providers and others that the institution needs to continue offering service, thereby creating a denial-of-service situation. To avoid such a situation, the institution also may implement a list of IP addresses that should not be blocked by
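The auto-block decision described above, with the "never block" list the text recommends, as an added example that is not part of the FFIEC material. The networks, signature names, threshold and alert records are all constructed for illustration; the point it shows is that a protected source address is escalated to an analyst instead of blocked, since a spoofed source would otherwise turn the IDS into a self-inflicted denial of service.

```python
"""Auto-block decision for a network IDS with a "never block" list.

Added example, not from the FFIEC text. All addresses, signature names and
alert records below are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed: addresses of service providers the institution must keep
# reachable. In practice this list comes from the institution's own inventory.
NEVER_BLOCK = [
    ipaddress.ip_network("198.51.100.0/24"),   # constructed: core processor
    ipaddress.ip_network("203.0.113.10/32"),   # constructed: ACH partner
    ipaddress.ip_network("10.0.0.0/8"),        # constructed: internal ranges
]

# Constructed: signatures considered serious enough to trigger automatic blocking.
AUTO_BLOCK_SIGNATURES = {"SQLI-LOGIN-FORM", "SMB-EXPLOIT-ATTEMPT"}

# Constructed sample alerts: (source_ip, signature). Two alerts claim to come
# from the core processor range; that is what spoofed packets would look like.
SAMPLE_ALERTS = [
    ("192.0.2.45", "SQLI-LOGIN-FORM"),
    ("192.0.2.45", "SQLI-LOGIN-FORM"),
    ("198.51.100.7", "SMB-EXPLOIT-ATTEMPT"),   # source in core processor range
    ("198.51.100.7", "SMB-EXPLOIT-ATTEMPT"),
    ("192.0.2.99", "PORT-SCAN"),               # informational, not auto-blocked
    ("203.0.113.10", "SQLI-LOGIN-FORM"),       # source is the ACH partner
]


def is_protected(ip_str, never_block=NEVER_BLOCK):
    """True if the address falls inside any never-block network."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in never_block)


def decide_blocks(alerts, threshold=2, never_block=NEVER_BLOCK):
    """Return (to_block, for_review).

    to_block: sources with at least `threshold` auto-block alerts that are not
    protected. for_review: protected sources that would otherwise have been
    blocked; they are escalated to an analyst, because blocking them on the
    strength of a possibly spoofed source address would cut off a provider.
    """
    hits = Counter(src for src, sig in alerts if sig in AUTO_BLOCK_SIGNATURES)
    to_block, for_review = [], []
    for src, count in sorted(hits.items()):
        if count < threshold:
            continue
        (for_review if is_protected(src, never_block) else to_block).append(src)
    return to_block, for_review


if __name__ == "__main__":
    blocked, review = decide_blocks(SAMPLE_ALERTS)
    print("auto-blocked:", blocked)
    print("escalated (protected source, possible spoofing):", review)
```

Lowering the threshold to 1 shows the second protected source being escalated as well; whatever the threshold, nothing in a never-block network is ever written to the block list automatically.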
Hosts also use a signature-based method. One such method creates a hash of key binaries, and periodically compares a newly generated hash against the original hash. Any mismatch signals a change to the binary, a change that could be the result of an intrusion. Successful operation of this method involves protection of the original binaries from change or deletion, and protection of the host that compares the hashes. If attackers can substitute a new hash for the original, an attack may not be identified. Similarly, if an attacker can alter the host performing the comparison so that it will report no change in the hash, an attack may not be
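The hash-comparison method, as an added example rather than code from the FFIEC booklet. It also illustrates the first protection the text calls for: the stored baseline is authenticated with an HMAC under a key assumed to be held on the trusted host that performs the comparison (here a constant, for the demonstration), so an attacker who substitutes a new hash for the original is detected. The monitored "binaries" are constructed files in a temporary directory; the protection of the comparing host itself is outside what a single process can show.

```python
"""Hash-based integrity check for key binaries, with a protected baseline.

Added example, not from the FFIEC text. The monitored files are constructed
and written to a temporary directory.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: in a real deployment this key lives on the trusted host that
# performs the comparison, never on the monitored system.
BASELINE_KEY = b"constructed-demo-key-not-for-production"


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Hash each monitored file and authenticate the manifest with HMAC-SHA256."""
    manifest = {p: sha256_file(p) for p in sorted(paths)}
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac": tag}


def verify(baseline):
    """Return (baseline_ok, changed_files).

    baseline_ok is False when the stored manifest itself was altered, the
    "substitute a new hash for the original" case in the text. changed_files
    lists monitored files whose current hash differs or which are missing.
    """
    body = json.dumps(baseline["manifest"], sort_keys=True).encode()
    expected = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        return False, []
    changed = []
    for path, digest in baseline["manifest"].items():
        if not os.path.exists(path) or sha256_file(path) != digest:
            changed.append(path)
    return True, changed


def demo():
    """Three checks: clean, a modified binary, and a tampered baseline."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, name) for name in ("ls", "ps", "sshd")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())
        baseline = build_baseline(paths)

        clean = verify(baseline)                        # (True, [])

        with open(paths[1], "ab") as f:                 # "ps" is altered
            f.write(b" altered")
        modified = verify(baseline)                     # (True, [<path to ps>])

        # An attacker rewrites the stored hash to match the altered file but
        # cannot recompute the HMAC without the key, so the baseline fails.
        tampered = json.loads(json.dumps(baseline))
        tampered["manifest"][paths[1]] = sha256_file(paths[1])
        forged = verify(tampered)                       # (False, [])

        return clean, [os.path.basename(p) for p in modified[1]], forged


if __name__ == "__main__":
    print(demo())
```

The baseline check is done before any file hash is trusted: a manifest that fails authentication is reported as compromised rather than used, which is the behaviour the text's warning about substituted hashes calls for.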
An additional host-based signature method monitors the application program interfaces for unexpected or unwanted behavior, such as a Web server calling a command line interface.
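The behaviour named in the text, a Web server calling a command line interface, expressed as detection logic over process-creation events. This is an added example, not part of the FFIEC material; the event format, field names, image names and sample records are constructed to resemble what an endpoint agent would record.

```python
"""Detecting a Web server that spawns a command interpreter.

Added example, not from the FFIEC text. The log format and the sample events
are constructed; field names are assumptions for the example.
"""
import re

# Constructed: images that serve web content and have no business spawning shells.
WEB_SERVER_IMAGES = {"httpd", "nginx", "w3wp.exe", "tomcat"}
# Constructed: command interpreters whose appearance under a web server is suspicious.
SHELL_IMAGES = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}

# Constructed sample events, one per line: "ts parent=... child=... cmd=..."
SAMPLE_EVENTS = """\
2007-03-11T10:00:01 parent=httpd child=php-cgi cmd="php-cgi /var/www/index.php"
2007-03-11T10:00:02 parent=cron child=sh cmd="sh -c /usr/local/bin/rotate-logs"
2007-03-11T10:00:03 parent=httpd child=sh cmd="sh -c cat /etc/hostname"
2007-03-11T10:00:04 parent=sshd child=bash cmd="-bash"
2007-03-11T10:00:05 parent=w3wp.exe child=cmd.exe cmd="cmd.exe /c whoami"
this line is malformed and is skipped by the parser
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) parent=(?P<parent>\S+) child=(?P<child>\S+) cmd="(?P<cmd>[^"]*)"$'
)


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_web_shell_spawns(events):
    """Return events where a web server image spawned a command interpreter.

    A shell under cron or sshd is normal and is not flagged; the same child
    under httpd or w3wp.exe is the anomaly the host-based method looks for.
    """
    return [
        e for e in events
        if e["parent"] in WEB_SERVER_IMAGES and e["child"] in SHELL_IMAGES
    ]


if __name__ == "__main__":
    for hit in find_web_shell_spawns(parse_events(SAMPLE_EVENTS)):
        print(f'{hit["ts"]} ALERT {hit["parent"]} -> {hit["child"]}: {hit["cmd"]}')
```

The rule is parent/child based rather than command-line based on purpose: the command line is what an intruder controls, while the parent image is recorded by the operating system.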
Attackers can defeat host-based IDS systems using loadable kernel modules, or LKMs. An LKM is software that attaches itself to the operating system kernel. From there, it can redirect and alter communications and processing. With the proper LKM, an attacker can force a comparison of hashes to always report a match and provide the same cryptographic fingerprint of a file, even after the source file was altered. LKMs can also hide the use of the application program interfaces. Detection of LKMs is extremely difficult and is typically done through another LKM.
INTRUSION DETECTION AND RESPONSE

7. Determine if appropriate detection capabilities exist related to:

- System resource usage and anomalies,
- Active host and network intrusion detection systems,
- User related anomalies,
- Operating and tool configuration anomalies,
- File and data integrity problems, and
- Vulnerability testing.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:

a. to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]

b. to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and

c. to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)])
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at email@example.com if we can be of assistance.