Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
March 18, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable, sophisticated process that
goes far beyond the simple
scanning of ports. The audit
provides a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
The following Audit and Evaluation Reports were recently
posted to the Federal Deposit Insurance Corporation's (FDIC) Office
of Inspector General (OIG) Web site:
1) Information Technology Examination Coverage of Financial
Institutions' Oversight of Technology Service Providers.
2) Interagency Agreement With the General Services Administration
for the Infrastructure Services Contract.
3) The FDIC's Compliance with Section 522 of the Consolidated
Appropriations Act, 2005.
4) The Division of Supervision and Consumer Protection's Information
Technology-Risk Management Program.
5) FDIC's Supervision of Financial Institutions' OFAC Compliance
FYI - Laptop Security, Part One: Preventing Laptop Theft:
Laptop Security, Part Two: Protecting Information on a Stolen
FYI - Scanners make depositing
checks simpler - It used to be that if a small bank wanted to
grow, it had to acquire another bank or open new branches. Now, a
little black box may help small banks compete with larger banks,
FYI - Texas counties illegally
posting Social Security numbers online, AG says - County, district
clerks are pushing for legislation to make the practice legal.
FYI - Phishing Sites Explode on the Web - Online
criminals are thriving even in the face of new automated defenses.
FYI - Hack Attack Forces Texas
A&M To Change 96,000 Passwords - Students, faculty, and staff are
required to change their passwords after a hacker tried to break
into files containing encrypted passwords to university accounts.
FYI - Tokyo University of
Science has lost personal information on about 8,800 students and
graduates, including their names, addresses and scores, university
FYI - Laptop Computers Stolen
From Hospital Parking Lot - Thieves have swiped laptop computers
from a hospital parking lot in the Hill Country. The two computers
are missing from Burnet. But it's the information on them that's
FYI - Hackers swipe seed company's customers' data - The
Web site of Johnny's Selected Seeds has been hacked by an intruder,
resulting in the theft of thousands of private records and credit
card numbers, a company official said. Bruce Harrington, the
company's director of sales and marketing, said 11,500 credit card
accounts were stolen electronically in February.
WEB SITE COMPLIANCE -
We continue the series on the FDIC Supervisory Insights article regarding
Incident Response Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program is
to define what constitutes an incident. This step is important as it
sharpens the organization's focus and delineates the types of events
that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
The ability to detect that an incident is occurring or has occurred
is an important component of the incident response process. This is
considerably more important with respect to technical threats, since
these can be more difficult to identify without the proper technical
solutions in place. If an institution is not positioned to quickly
identify incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such
as an intrusion detection system or a firewall, to assist in the
identification of unauthorized system access. Activity reports from
these and other technical solutions (such as network and application
security reports) serve as inputs for the monitoring process and for
the IRP in general. Identifying potential indicators of unauthorized
system access within these activity or security reports can assist
in the detection process.
Involve legal counsel.
Because many states have enacted laws governing
notification requirements for customer information security
compromises, institutions have found it prudent to involve the
institution's legal counsel when a compromise of customer
information has been detected. Legal guidance may also be warranted
in properly documenting and handling the incident.
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 4 of 4)
Some host-based IDS units address the difficulty of
performing intrusion detection on encrypted traffic. Those units
position their sensors between the decryption of the IP packet and
the execution of any commands by the host. This host-based intrusion
detection method is particularly appropriate for Internet banking
servers and other servers that communicate over an encrypted
channel. LKMs (loadable kernel modules), however, can defeat these host-based IDS units.
Host-based intrusion detection systems are recommended by the NIST
for all mission-critical systems, even those that should not allow
The heuristic, or behavior, method creates a statistical profile of
normal activity on the host or network. Boundaries for activity are
established based on that profile. When current activity exceeds the
boundaries, an alert is generated. Weaknesses in this system involve
the ability of the system to accurately model activity, the
relationship between valid activity in the period being modeled and
valid activity in future periods, and the potential for malicious
activity to take place while the modeling is performed. This method
is best employed in environments with predictable, stable activity.
Both signature-based and heuristic detection methods result in false
positives (alerts where no attack exists), and false negatives (no
alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When
security personnel are overwhelmed with the number of false
positives, they may look at the IDS reports with less vigor,
allowing real attacks to be reported by the IDS but not researched
or acted upon. Additionally, they may tune the IDS to reduce the
number of false positives, which may increase the number of false
negatives. Risk-based testing is necessary to ensure the detection
capability is adequate.
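As an added illustration (not part of the newsletter or the FFIEC booklet), the following Python sketch builds the statistical profile described above, applies a mean-plus-k-standard-deviations boundary, and shows two of the weaknesses: tightening the boundary to silence false positives costs a false negative, and malicious activity during the modeling period inflates the baseline until a loud attack no longer crosses it. All activity counts are constructed sample data.

```python
from statistics import mean, stdev

# Constructed training window: hourly failed-login counts on a quiet host.
# Any activity metric an IDS profiles (connections, bytes, commands) would do.
BASELINE = [3, 4, 2, 5, 3, 4, 6, 3, 2, 4, 5, 3]

def build_profile(samples):
    """Statistical profile of normal activity: (mean, standard deviation)."""
    return mean(samples), stdev(samples)

def detect(profile, observations, k):
    """Indices of observations above the boundary mean + k * stdev."""
    mu, sigma = profile
    threshold = mu + k * sigma
    return [i for i, x in enumerate(observations) if x > threshold]

def evaluate(profile, observations, labels, k):
    """(false positives, false negatives) for sensitivity k.

    labels[i] is True where the constructed observation is a real attack."""
    alerts = set(detect(profile, observations, k))
    fp = sum(1 for i, attack in enumerate(labels) if i in alerts and not attack)
    fn = sum(1 for i, attack in enumerate(labels) if i not in alerts and attack)
    return fp, fn

# Constructed monitoring window: a benign month-end spike (index 2), a loud
# brute-force burst (index 5) and a quieter, slower attempt (index 8).
OBSERVED = [3, 4, 9, 2, 4, 40, 3, 5, 7, 4]
LABELS = [False, False, False, False, False, True, False, False, True, False]

def tradeoff(ks=(1.0, 3.0, 5.0)):
    """Map each k to (fp, fn): raising k removes the false positives but the
    quieter attack at index 8 drops below the boundary first."""
    profile = build_profile(BASELINE)
    return {k: evaluate(profile, OBSERVED, LABELS, k) for k in ks}

def poisoned_profile(attack_during_training=(45, 50)):
    """Weakness: hostile activity captured while the profile was being built
    raises mean and stdev, so even the 40-event burst is missed at k = 2."""
    profile = build_profile(BASELINE + list(attack_during_training))
    return detect(profile, OBSERVED, 2.0)

if __name__ == "__main__":
    print("clean profile, k=2 alerts:", detect(build_profile(BASELINE), OBSERVED, 2.0))
    print("fp/fn by k:", tradeoff())
    print("poisoned profile alerts:", poisoned_profile())
```

The risk-based testing the booklet calls for is exactly this exercise run against the real IDS: inject known benign and known hostile activity and record what each threshold catches and misses.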
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
8. Determine whether an incident response team:
- Contains appropriate membership,
- Is available at all times,
- Has appropriate training to investigate and report findings,
- Has access to back-up data and systems, an inventory of all
approved hardware and software, and monitored access to systems (as
- Has appropriate authority and timely access to decision
makers for actions that require higher approvals.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
a. to the affiliates of the financial institution from which
it received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the
same disclosure restrictions as the recipient institution;
c. to any other person, if the disclosure would be lawful if
made directly to that person by the institution from which the
recipient institution received the information? [§11(b)(1)(iii)]
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.