R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 30, 2008

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

The Federal Financial Institutions Examination Council released an updated Business Continuity Planning Booklet, which replaces the version issued in March 2003. The Business Continuity Planning Booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook. 
Press Release: www.occ.treas.gov/ftp/bulletin/2008-6.html 
Press Release: www.ots.treas.gov/docs/7/778011.html 
Press Release : www.ffiec.gov/press/pr031908.htm 
Press Release: www.ncua.gov/news/press_releases/2008/MR08-0319.htm 
Press Release: www.federalreserve.gov/boarddocs/srletters/2008/SR0803.htm 

FYI - Password-stealing hackers infect thousands of Web pages - McAfee is warning of a widespread Web attack aimed at gamers that has infected more than 10,000 Web pages - Hackers looking to steal passwords used in popular online games have infected more than 10,000 Web pages in recent days. http://www.computerworld.com.au/index.php/id;257178610

FYI - Pacemakers Vulnerable To Hacking - Three medical schools demonstrate the wireless dangers that can disturb an implantable cardioverter defibrillator like the Medtronic Maximo DR. Implantable medical devices like pacemakers seem secure, buried within one's body. But a team of researchers have demonstrated that's not the case.

FYI - Four UK men accused of AU$475m bank heist - Four British men -- including a man believed to be a lord -- have been accused of trying to steal around AU$475.47 million by hacking into a Japanese bank's computer system, the Serious Organised Crime Agency (SOCA) said over the weekend. http://www.zdnet.com.au/news/software/soa/Four-UK-men-accused-of-AU-475m-bank-heist/0,130061733,339286878,00.htm

FYI - Breach of Britney Spears patient data highlights health care security shortfalls - Reports this week that the UCLA Medical Center has moved to fire 13 employees and suspended six others for unauthorized access to confidential medical records of pop star Britney Spears is a sign that training and regulations may not be working in some hospitals, experts told SCMagazineUS.com. http://www.scmagazineus.com/Breach-of-Britney-Spears-patient-data-highlights-health-care-security-shortfalls/article/108141/?DCMP=EMC-SCUS_Newswire

FYI - Experts try to make sense of Hannaford data breach - As the dust settles from one of the largest data breaches since TJX, few fresh details emerged one day after Hannaford Bros. supermarket chain revealed that intruders stole some 4.2 million credit and debit card numbers from its computer systems. http://www.scmagazineus.com/Experts-try-to-make-sense-of-Hannaford-data-breach/article/108134/?DCMP=EMC-SCUS_Newswire


FYI - Harvard grad students hit in computer intrusion - Approximately 10,000 may have been affected - Harvard University's Graduate School of Arts and Sciences (GSAS) is notifying about 10,000 people that their personal information may have been compromised as a result of a computer intrusion that was discovered in February. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9068221&intsrc=hm_list

FYI - Police suffer memory loss - A POLICE memory stick containing confidential information about offenders known to the police has been found by a member of the public. http://www.thecomet.net/content/comet/news/story.aspx?brand=CMTOnline&category=News&tBrand=herts24&tCategory=newscomnew&itemid=WEED13%20Mar%202008%2010%3A22%3A10%3A867

FYI - HealthNow data goes missing as laptop vanishes - HealthNow members may be at risk - HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee's laptop computer went missing with confidential information several months ago. http://www.buffalonews.com/145/story/296415.html

FYI - Breach Exposes 4.2M Credit, Debit Cards - East Coast Data Breach Exposes 4.2 Million Accounts, Causes 1,800 Known Cases of Fraud - A security breach at an East Coast supermarket chain exposed more than 4 million card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced.

Return to the top of the newsletter

Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  


Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.

For example, an institution's management may be assessing the proper strategic approach to intrusion detection for an Internet environment. Two potential approaches were identified for evaluation. The first approach uses a combination of network and host intrusion detection sensors with a staffed monitoring center. The second approach consists of daily access log review. The former alternative is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost. The added cost is entirely appropriate when customer data and institution processing capabilities are exposed to an attack, such as in an Internet banking environment. The latter approach may be appropriate when the primary risk is reputational damage, such as when the only information being protected is an information-only Web site, and the Web site is not connected to other financial institution systems.

Strategies should consider the layering of controls. Excessive reliance on a single control could create a false sense of confidence. For example, a financial institution that depends solely on a firewall can still be subject to numerous attack methodologies that exploit authorized network traffic. Financial institutions should design multiple layers of security controls and testing to establish several lines of defense between the attacker and the asset being attacked. To successfully attack the data, each layer must be penetrated. With each penetration, the probability of detecting the attacker increases.

Policies are the primary embodiment of strategy, guiding decisions made by users, administrators, and managers, and informing those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance in acquiring, configuring, and auditing information systems. Key actions that contribute to the success of a security policy are:

1)  Implementing through ordinary means, such as system administration procedures and acceptable - use policies;

2)  Enforcing policy through security tools and sanctions;

3)  Delineating the areas of responsibility for users, administrators, and managers;

4)  Communicating in a clear, understandable manner to all concerned;

5)  Obtaining employee certification that they have read and understood the policy;

6)  Providing flexibility to address changes in the environment; and

7)  Conducting annually a review and approval by the board of directors.

Return to the top of the newsletter


10. Determine whether PKI (Public Key Infrastructure)-based authentication mechanisms

Securely issue and update keys,

Securely unlock the secret key,

Provide for expiration of keys at an appropriate time period,

Ensure the certificate is valid before acceptance,

Update the list of revoked certificates at an appropriate frequency,

Employ appropriate measures to protect private and root keys, and

Appropriately log use of the root key.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

21. Does the institution provide the consumer with the following information about the right to opt out:

a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [7(a)(2)(i)(A)]

b. all the categories of nonaffiliated third parties to whom the information is disclosed; [7(a)(2)(i)(A)];

c. that the consumer has the right to opt out of the disclosure of that information; [7(a)(2)(i)(A)] and

d. the financial products or services that the consumer obtains to which the opt out direction would apply? [7(a)(2)(i)(B)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated