Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
March 25, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - VA to control, restrict use of mobile storage
devices - In the next month, the Veterans Affairs Department will
let employees plug into its network only those mobile storage
devices issued by the CIO's office.
Microsoft - HOWTO: Use Group Policy to disable USB, CD-ROM,
Floppy Disk and LS-120 drivers:
FYI - Some Companies Lose Data
Six Times a Year - TJX's massive data loss is just the tip of the
iceberg. Almost seven out of 10 companies-68 percent-are losing
sensitive data or having it stolen out from under them six times a
year, according to new research from the IT Policy Compliance Group.
An additional 20 percent are losing sensitive data a whopping 22
times or more per year.
FYI - Hanging on the telephone -
Vulnerable Irish businesses are falling victim to a rising spate of
telecoms fraud that is costing them €75m a year and growing at a
rate of 15pc annually. The thorny subject of telecoms fraud on Irish
businesses is one that is not highlighted enough in this country,
admits detective inspector Paul Gillen.
FYI - SEC halts trading of 35
stocks for pump-and-dump scams - The Securities and Exchange
Commission (SEC) today halted trading on shares of 35 companies
believed to be involved in recent pump-and-dump spam campaigns.
FYI - Outsourcer to pay over
laptop theft - IT services firm Serco has apologised and agreed to
pay costs after one of its laptops, containing sensitive data on
more than 16,000 Worcestershire council staff, was stolen.
Return to the top
of the newsletter
WEB SITE COMPLIANCE - We continue
the series regarding FDIC Supervisory Insights regarding
Programs. (8 of 12)
During the containment phase, the institution should generally
implement its predefined procedures for responding to the specific
incident (note that containment procedures are a required minimum
component). Additional containment-related procedures some banks
have successfully incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the incident
response team, banks may want to consider developing procedures for
notifying these individuals when the situation warrants. Providing
the appropriate executive staff and senior department managers with
information about how containment actions will affect business
operations or systems and including these individuals in the
decision-making process can help minimize undesirable business
disruptions. Institutions that have experienced incidents have
generally found that the management escalation process (and
resultant communication flow) was not only beneficial during the
containment phase, but also proved valuable during the later phases
of the incident response process.
Document details, conversations, and actions.
Retaining documentation is an important component of the
incident response process. Documentation can come in a variety of
forms, including technical reports generated, actions taken, costs
incurred, notifications provided, and conversations held. This
information may be useful to external consultants and law
enforcement for investigative and legal purposes, as well as to
senior management for filing potential insurance claims and for
preparing an executive summary of the events for the board of
directors or shareholders. In addition, documentation can assist
management in responding to questions from its primary Federal
regulator. It may be helpful during the incident response process to
centralize this documentation for organizational purposes.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the network.
Honeypots have three key advantages over network and host IDS
systems. Since the honeypot's only function is to be attacked, any
network traffic to or from the honeypot potentially signals an
intrusion. Monitoring that traffic is simpler than monitoring all
traffic passing a network IDS. Honeypots also collect very little
data, and all of that data is highly relevant. Network IDS systems
gather vast amounts of traffic which must be analyzed, sometimes
manually, to generate a complete picture of an attack. Finally,
unlike IDS, a honeypot does not pass packets without inspection when
under a heavy traffic load.
Honeypots have two key disadvantages. They are ineffective unless
they are attacked. Consequently, organizations that use honeypots
for detection usually make the honeypot look attractive to an
attacker. Attractiveness may be in the name of the device, its
apparent capabilities, or in its connectivity. Since honeypots are
ineffective unless they are attacked, they are typically used to
supplement other intrusion detection capabilities.
Honeypots also introduce the risk of being compromised without
triggering an alarm, then becoming staging grounds for attacks on
other devices. The level of risk is dependent on the degree of
monitoring, capabilities of the honeypot, and its connectivity. For
instance, a honeypot that is not rigorously monitored, that has
excellent connectivity to the rest of the institution's network, and
that has varied and easy - to - compromise services presents a high
risk to the confidentiality, integrity, and availability of the
institution's systems and data. On the other hand, a honeypot that
is rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates much
the top of the newsletter
IT SECURITY QUESTION:
INTRUSION DETECTION AND RESPONSE
9. Evaluate the selection of systems to monitor and objectives for
10. Determine whether the data and data streams to monitor are
established and consistent with the risk assessment.
11. Determine whether users are appropriately notified regarding
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Does the institution refrain from disclosing, directly or
through affiliates, account numbers or similar forms of access
numbers or access codes for a consumer's credit card account,
deposit account, or transaction account to any nonaffiliated third
party (other than to a consumer reporting agency) for telemarketing,
direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to
market the institution's own products or services, as long as the
agent or service provider is not authorized to directly initiate
charges to the account; [§12(b)(1)] or
b. to a participant in a private label credit card program or
an affinity or similar program where the participants in the program
are identified to the customer when the customer enters into the
(Note: an "account number or similar form of access number
or access code" does not include numbers in encrypted form, so long
as the institution does not provide the recipient with a means of
decryption. [§12(c)(1)] A transaction account does not include an
account to which third parties cannot initiate charges. [§12(c)(2)])
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.