Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

March 18, 2007

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy; Website for Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit takes a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit

The following Audit and Evaluation Reports were recently posted to the Federal Deposit Insurance Corporation's (FDIC) Office of Inspector General (OIG) Web site:
1) Information Technology Examination Coverage of Financial Institutions' Oversight of Technology Service Providers.
2) Interagency Agreement With the General Services Administration for the Infrastructure Services Contract.
3) The FDIC's Compliance with Section 522 of the Consolidated Appropriations Act, 2005.
4) The Division of Supervision and Consumer Protection's Information Technology-Risk Management Program.
5) FDIC's Supervision of Financial Institutions' OFAC Compliance Programs.

FYI - Laptop Security, Part One: Preventing Laptop Theft; Part Two: Protecting Information on a Stolen Laptop.

FYI - Scanners make depositing checks simpler - It used to be that if a small bank wanted to grow, it had to acquire another bank or open new branches. Now, a little black box may help small banks compete with larger banks, analysts say.

FYI - Texas counties illegally posting Social Security numbers online, AG says - County, district clerks are pushing for legislation to make the practice legal.

FYI - Phishing Sites Explode on the Web - Online criminals are thriving even in the face of new automated defenses.

FYI - Hack Attack Forces Texas A&M To Change 96,000 Passwords - Students, faculty, and staff are required to change their passwords after a hacker tried to break into files containing encrypted passwords to university accounts.

FYI - Tokyo University of Science has lost personal information on about 8,800 students and graduates, including their names, addresses and scores, university officials said.

FYI - Laptop Computers Stolen From Hospital Parking Lot - Thieves have swiped laptop computers from a hospital parking lot in the Hill Country. The two computers are missing from Burnet. But it's the information on them that's important.

FYI - Hackers swipe seed company's customers' data - The Web site of Johnny's Selected Seeds has been hacked by an intruder, resulting in the theft of thousands of private records and credit card numbers, a company official said. Bruce Harrington, the company's director of sales and marketing, said 11,500 credit card accounts were stolen electronically in February.


We continue the series on the FDIC Supervisory Insights article on
Incident Response Programs.  (7 of 12)

Define what constitutes an incident.

An initial step in the development of a response program is to define what constitutes an incident. This step is important as it sharpens the organization's focus and delineates the types of events that would trigger the use of the IRP. Moreover, identifying potential security incidents can also make the possible threats seem more tangible, and thus better enable organizations to design specific incident-handling procedures for each identified threat.


The ability to detect that an incident is occurring or has occurred is an important component of the incident response process. This is considerably more important with respect to technical threats, since these can be more difficult to identify without the proper technical solutions in place. If an institution is not positioned to quickly identify incidents, the overall effectiveness of the IRP may be affected. Following are two detection-related best practices included in some institutions' IRPs.

Identify indicators of unauthorized system access.

Most banks implement some form of technical solution, such as an intrusion detection system or a firewall, to assist in the identification of unauthorized system access. Activity reports from these and other technical solutions (such as network and application security reports) serve as inputs for the monitoring process and for the IRP in general. Identifying potential indicators of unauthorized system access within these activity or security reports can assist in the detection process.
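As an added example (not part of the FDIC article), the Python below scans a constructed syslog-style activity report, of the kind an SSH daemon and a firewall would feed into the monitoring process, for three indicators of unauthorized system access that an IRP might define: a successful login preceded by a burst of failures, a successful login from outside the approved administrative network, and one source being denied on many distinct ports. The log format, the thresholds and the approved network (10.20.0.0/16) are assumptions for illustration, and the log lines are constructed sample data.

```python
"""Flag indicators of unauthorized system access in an activity report.

Added example, not from the FDIC article. The log format, thresholds and
the approved admin network below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample activity report (not real data).
SAMPLE_LOG = """\
2007-03-12T02:01:10 sshd: Failed password for admin from 203.0.113.9 port 51022
2007-03-12T02:01:14 sshd: Failed password for admin from 203.0.113.9 port 51023
2007-03-12T02:01:19 sshd: Failed password for admin from 203.0.113.9 port 51024
2007-03-12T02:01:25 sshd: Failed password for admin from 203.0.113.9 port 51025
2007-03-12T02:01:31 sshd: Accepted password for admin from 203.0.113.9 port 51026
2007-03-12T08:15:02 sshd: Accepted publickey for ops from 10.20.0.7 port 40001
2007-03-12T09:30:44 sshd: Failed password for root from 10.20.0.8 port 40002
2007-03-12T11:02:00 firewall: DENY TCP 198.51.100.77:44001 -> 10.20.1.5:21
2007-03-12T11:02:00 firewall: DENY TCP 198.51.100.77:44002 -> 10.20.1.5:22
2007-03-12T11:02:01 firewall: DENY TCP 198.51.100.77:44003 -> 10.20.1.5:23
2007-03-12T11:02:01 firewall: DENY TCP 198.51.100.77:44004 -> 10.20.1.5:25
2007-03-12T11:02:02 firewall: DENY TCP 198.51.100.77:44005 -> 10.20.1.5:80
2007-03-12T11:02:02 firewall: DENY TCP 198.51.100.77:44006 -> 10.20.1.5:443
2007-03-12T11:02:03 firewall: DENY TCP 198.51.100.77:44007 -> 10.20.1.5:3389
2007-03-12T11:02:03 firewall: DENY TCP 198.51.100.77:44008 -> 10.20.1.5:8080
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) firewall: DENY \S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Assumed policy values; a real IRP would take these from the institution's baseline.
APPROVED_ADMIN_NETS = [ip_network("10.20.0.0/16")]
FAIL_THRESHOLD = 3            # failures before a following success is suspicious
FAIL_WINDOW = timedelta(minutes=5)
SCAN_PORT_THRESHOLD = 8       # distinct denied ports from one source = probable scan


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_indicators(log_text):
    """Return a list of (indicator, source_ip, detail) tuples in log order."""
    findings = []
    failures = defaultdict(list)      # src -> timestamps of failed logins
    denied_ports = defaultdict(set)   # src -> distinct destination ports denied
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts, src, user = parse_ts(m["ts"]), m["src"], m["user"]
            if m["result"] == "Failed":
                failures[src].append(ts)
                continue
            # Indicator 1: success preceded by a burst of failures (password guessing)
            recent = [t for t in failures[src] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("success-after-failures", src,
                                 f"{len(recent)} failures then login as {user}"))
            # Indicator 2: successful login from outside the approved admin networks
            if not any(ip_address(src) in n for n in APPROVED_ADMIN_NETS):
                findings.append(("login-from-unapproved-network", src,
                                 f"user {user}"))
            continue
        m = FW_RE.match(line)
        if m:
            denied_ports[m["src"]].add(int(m["dport"]))
    # Indicator 3: one source denied on many distinct ports (port scan)
    for src, ports in denied_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("port-scan", src, f"{len(ports)} distinct ports denied"))
    return findings


if __name__ == "__main__":
    for indicator, src, detail in find_indicators(SAMPLE_LOG):
        print(f"{indicator:32} {src:16} {detail}")
```

Run against the constructed report, the script raises three findings: the guessed-then-successful login from 203.0.113.9, the same login coming from outside the approved network, and the eight-port sweep from 198.51.100.77. The point is not the particular rules but that the indicators are written down ahead of time, so that the same activity report produces the same trigger for the IRP no matter who reads it.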

Involve legal counsel.

Because many states have enacted laws governing notification requirements for customer information security compromises, institutions have found it prudent to involve the institution's legal counsel when a compromise of customer information has been detected. Legal guidance may also be warranted in properly documenting and handling the incident.


We continue our series on the FFIEC interagency Information Security Booklet.


Automated Intrusion Detection Systems (IDS) (Part 4 of 4)

Some host-based IDS units address the difficulty of performing intrusion detection on encrypted traffic. Those units position their sensors between the decryption of the IP packet and the execution of any commands by the host. This host-based intrusion detection method is particularly appropriate for Internet banking servers and other servers that communicate over an encrypted channel. Loadable kernel modules (LKMs) installed by an attacker, however, can defeat these host-based IDS units, because a malicious module runs below the sensor and can hide or alter what it sees.

Host-based intrusion detection systems are recommended by NIST for all mission-critical systems, even those that should not allow external access.

The heuristic, or behavior, method creates a statistical profile of normal activity on the host or network. Boundaries for activity are established based on that profile. When current activity exceeds the boundaries, an alert is generated. Weaknesses in this system involve the ability of the system to accurately model activity, the relationship between valid activity in the period being modeled and valid activity in future periods, and the potential for malicious activity to take place while the modeling is performed. This method is best employed in environments with predictable, stable activity.

Both signature-based and heuristic detection methods result in false positives (alerts where no attack exists), and false negatives (no alert when an attack does take place). While false negatives are obviously a concern, false positives can also hinder detection. When security personnel are overwhelmed with the number of false positives, they may look at the IDS reports with less vigor, allowing real attacks to be reported by the IDS but not researched or acted upon. Additionally, they may tune the IDS to reduce the number of false positives, which may increase the number of false negatives. Risk-based testing is necessary to ensure the detection capability is adequate.
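As an added example (not from the FFIEC booklet), the Python below carries the two preceding paragraphs through in code: it builds the statistical profile of normal activity that the heuristic method relies on, sets the activity boundary at the mean plus k standard deviations, and then evaluates a constructed period containing one legitimate busy hour and one attack hour. Varying k shows the false-positive / false-negative trade-off described above, and building the profile from a period that already contained attack traffic shows why malicious activity during modeling is a weakness. The hourly counts, the boundary rule and the choice of k are all assumptions chosen for illustration.

```python
"""Behavior (heuristic) intrusion detection: profile, boundary, alert.

Added example, not from the FFIEC booklet. All hourly counts are constructed
sample data; the mean + k*stdev boundary rule is one simple profile choice.
"""
from statistics import mean, pstdev

# Constructed: login requests per hour on a quiet weekday (the modeling period).
CLEAN_BASELINE = [40, 42, 38, 45, 41, 39, 44, 40, 43, 37, 42, 41]

# Constructed: the same period, but an attacker was already probing during
# three of the hours while the profile was being built.
POISONED_BASELINE = [40, 42, 38, 45, 160, 170, 165, 40, 43, 37, 42, 41]

# Constructed evaluation period: hour 3 is a legitimate end-of-month rush,
# hour 7 is a credential-stuffing burst.
EVALUATION = [41, 39, 43, 60, 40, 42, 38, 95, 44, 40]
LEGIT_RUSH_HOUR, ATTACK_HOUR = 3, 7


def build_profile(samples):
    """Statistical profile of normal activity: mean and population std-dev."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def boundary(profile, k):
    """Upper activity boundary; k sets how far outside 'normal' we alert."""
    return profile["mean"] + k * profile["stdev"]


def alerts(profile, observations, k):
    """Indexes (hours) whose observed count exceeds the boundary."""
    limit = boundary(profile, k)
    return [i for i, count in enumerate(observations) if count > limit]


def confusion(profile, k):
    """False positives and false negatives on EVALUATION for a given k."""
    fired = set(alerts(profile, EVALUATION, k))
    false_positives = len(fired - {ATTACK_HOUR})      # alerts on non-attack hours
    false_negatives = 0 if ATTACK_HOUR in fired else 1  # missed the attack hour
    return {"k": k, "boundary": round(boundary(profile, k), 1),
            "false_positives": false_positives,
            "false_negatives": false_negatives}


if __name__ == "__main__":
    clean = build_profile(CLEAN_BASELINE)
    # k=4 is tight enough to flag the legitimate rush (false positive);
    # k=30, "tuned" to silence it, overshoots and misses the attack;
    # k=10 happens to separate the two on this data.
    for k in (4, 10, 30):
        print("clean profile   ", confusion(clean, k))
    # The same k=10 on a profile modeled while the attacker was active:
    # the inflated mean and std-dev push the boundary far above the attack.
    poisoned = build_profile(POISONED_BASELINE)
    print("poisoned profile", confusion(poisoned, 10))
```

On the clean profile (mean 41, std-dev about 2.3) k=4 puts the boundary near 50 and flags both the rush hour and the attack, k=30 puts it near 109 and flags neither, and only a k between roughly 8.4 and 23.8 separates the two; that window is what risk-based testing has to find, and it shifts whenever the underlying activity does. With the poisoned baseline the mean rises to about 72 and the std-dev to about 54, so the same k=10 boundary is over 600 requests and the 95-request attack is never reported: the model has learned the attacker as normal.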



8. Determine whether an incident response team:

!  Contains appropriate membership,
!  Is available at all times,
!  Has appropriate training to investigate and report findings,
!  Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate), and
!  Has appropriate authority and timely access to decision makers for actions that require higher approvals.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

45.  If the institution receives information from a nonaffiliated financial institution other than under an exception in 14 or 15, does the institution refrain from disclosing the information except:

a.  to the affiliates of the financial institution from which it received the information; [11(b)(1)(i)]

b.  to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [11(b)(1)(ii)] and

c.  to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [11(b)(1)(iii)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated