R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 10, 2011

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - NASA Servers At High Risk Of Cyber Attack - Auditors were able to pull encryption keys, passwords, and user account information over the Internet from systems that help control spacecraft and process critical data. The network NASA uses to control the International Space Station and Hubble Telescope has unpatched vulnerabilities that could be exploited over the Internet, NASA's inspector general warned in a new report. http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229400618

FYI - FBI asks public to break a code, help solve a murder - An interesting request for help has been made public yesterday by the FBI: "Cryptanalists, help solve an open murder case". http://www.net-security.org/secworld.php?id=10823

FYI - Appeals Court Strengthens Warrantless Searches at Border - The authorities may seize laptops, cameras and other digital devices at the U.S. border without a warrant, and scour through them for days hundreds of miles away, a federal appeals court ruled. http://www.wired.com/threatlevel/2011/04/border-search/

FYI - Lawsuit claims fired data center worker wiped out TV show - The creators of "Zodiac Island" say they lost an entire season of their syndicated children's television show after a former employee at their Internet service provider wiped out more than 300GB of video files. http://www.computerworld.com/s/article/9215417/Lawsuit_claims_fired_data_center_worker_wiped_out_TV_show?taxonomyId=17

FYI - T.J.Maxx hacker says feds gave him the OK - The hacker who pleaded guilty to leading one of the largest cases of credit card theft in the U.S., is asking a judge to toss out the pleas, arguing that they were part of his assignments as a paid government informant. http://msn-cnet.com.com/8301-27080_3-20051941-245.html?part=msn-cnet&subj=ns&tag=feed


FYI - A slew of banks, retailers affected by Epsilon email breach - Three days after an email service provider notified clients that its systems were compromised, affected businesses continue to emerge. http://www.scmagazineus.com/a-slew-of-banks-retailers-affected-by-epsilon-email-breach/article/199939/?DCMP=EMC-SCUS_Newswire

FYI - Bank Customers Warned After Breach at Epsilon Marketing Firm - JP Morgan Chase and the Kroger supermarket chain are warning customers that their names and e-mail addresses may have fallen into the wrong hands after someone broke into computer systems at e-mail marketing giant Epsilon. http://www.pcworld.com/businesscenter/article/224112/bank_customers_warned_after_breach_at_epsilon_marketing_firm.html#tk.nl_dnx_t_crawl

FYI - NSA to Investigate Nasdaq Hack - The National Security Agency has been called in to help investigate recent hack attacks against the company that runs the Nasdaq stock market, according to a news report. http://www.wired.com/threatlevel/2011/03/nsa-investigates-nasdaq-hack/

FYI - Mystery hack pwns Australian government - Email cache apparently flashed - Parliamentary computers of the Australian prime minister, Julia Gillard, and other ministers may have been hacked, according to Australian media reports. http://www.theregister.co.uk/2011/03/29/oz_govt_email_hack/

FYI - Failure to encrypt portable devices inexcusable, say analysts - Breaches such as the one involving BP oil spill claimants show why encrypting data on portable devices is a no-brainer - The continuing failure of many enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a potential data compromise involving a lost laptop. http://www.computerworld.com/s/article/9215369/Failure_to_encrypt_portable_devices_inexcusable_say_analysts?taxonomyId=17

FYI - Comodo hacker claims another certificate authority - The hacker who claimed credit for breaking into systems belonging to digital certificate vendor Comodo said he has compromised another certificate authority, along with two more Comodo partners, a move that could further undermine trust in the system used to secure websites on the Internet. http://www.computerworld.com/s/article/9215360/Comodo_hacker_claims_another_certificate_authority

FYI - EU parliament suspends webmail after cyber-attack - More than kids playing around - The European Parliament network has fallen under cyber-attack, leading to a suspension of webmail and other security restrictions. http://www.theregister.co.uk/2011/03/31/eu_parliament_hack/

FYI - Sensitive data goes missing from Illinois childcare agency - Maryville Academy, a Des Plaines, Ill.-based social service agency that serves abused children, revealed late last week that three computer files containing personal and medical information of thousands of children have gone missing. http://www.scmagazineus.com/sensitive-data-goes-missing-from-illinois-childcare-agency/article/199669/?DCMP=EMC-SCUS_Newswire

FYI - Former Gucci insider charged with hacking network - A former network engineer at Gucci has been charged with hacking into the company's network, deleting data and shutting down servers and networks. http://www.scmagazineus.com/former-gucci-insider-charged-with-hacking-network/article/200030/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues


The institution should generally include in the contract the types of audit reports the institution is entitled to receive (e.g., financial, internal control and security reviews). The contract can specify audit frequency, cost to the institution associated with the audits if any, as well as the rights of the institution and its agencies to obtain the results of the audits in a timely manner. The contract may also specify rights to obtain documentation regarding the resolution of audit
disclosed deficiencies and inspect the processing facilities and operating practices of the service provider. Management should consider, based upon the risk assessment phase, the degree to which independent internal audits completed by service provider audit staff can be used and the need for external audits and reviews (e.g., SAS 70 Type I and II reviews). (AICPA Statement of Auditing Standards 70 “Reports of Processing of Transactions by Service Organizations,” known as SAS 70 Reports, are one commonly used form of external review. Type I SAS 70 reports review the service provider’s policies and procedures. Type II SAS 70 reports provide tests of actual controls against policies and procedures.)

For services involving access to open networks, such as Internet-related services, special attention should be paid to security. The institution may wish to include contract terms requiring periodic audits to be performed by an independent party with sufficient expertise. These audits may include penetration testing, intrusion detection, and firewall configuration. The institution should receive sufficiently detailed reports on the findings of these ongoing audits to adequately assess security without compromising the service provider’s security. It can be beneficial to both the service provider and the institution to contract for such ongoing tests on a coordinated basis given the number of institutions that may contract with the service provider and the importance of the test results to the institution.


Contractual terms should discuss the frequency and type of reports the institution will receive (e.g., performance reports, control audits, financial statements, security, and business resumption testing reports). Guidelines and fees for obtaining custom reports should also be discussed.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  



Token Systems (2 of 2)

Weaknesses in token systems relate to theft of the token, ease in guessing any password generating algorithm within the token, ease of successfully forging any authentication credential that unlocks the token, and reverse engineering, or cloning, of the token. Each of these weaknesses can be addressed through additional control mechanisms. Token theft generally is protected against by policies that require prompt reporting and cancellation of the token's ability to allow access to the system. Additionally, the impact of token theft is reduced when the token is used in multi - factor authentication; for instance, the password from the token is paired with a password known only by the user and the system. This pairing reduces the risk posed by token loss, while increasing the strength of the authentication mechanism. Forged credentials are protected against by the same methods that protect credentials in non - token systems. Protection against reverse engineering requires physical and logical security in token design. For instance, token designers can increase the difficulty of opening a token without causing irreparable damage, or obtaining information from the token either by passive scanning or active input/output.

Token systems can also incorporate public key infrastructure, and biometrics.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated