R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 21, 2013

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, call R. Kinney Williams today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - China, U.S. agree to work together on cyber security - China and the United States plan to erect a cyber security working group in light of continued worries over the former's alleged cyber espionage activities, according to reports. http://www.scmagazine.com/china-us-agree-to-work-together-on-cyber-security/article/288948/?DCMP=EMC-SCUS_Newswire

FYI - Hay Maker Seeks Cyberheist Bale Out - An Oregon agricultural products company is suing its bank to recover nearly a quarter-million dollars stolen in a 2010 cyberheist. The lawsuit is the latest in a series of legal challenges seeking to hold financial institutions more accountable for costly corporate account takeovers tied to cybercrime. http://krebsonsecurity.com/2013/04/hay-maker-seeks-cyberheist-bale-out/

FYI - U.S. Air Force designates six cybertools as weapons - Six cybertools have been designated as weapons by the U.S. Air Force, allowing the programs to better compete for increasingly scarce Pentagon funding, an Air Force official said on Monday. http://news.cnet.com/8301-1009_3-57578567-83/u.s-air-force-designates-six-cybertools-as-weapons/

FYI - Privacy protections booted from CISPA data-sharing bill - A controversial data-sharing bill won the approval of a key congressional committee today without privacy amendments, raising concerns that the National Security Agency and other spy agencies will gain broad access to Americans' personal information. http://news.cnet.com/8301-13578_3-57579012-38/privacy-protections-booted-from-cispa-data-sharing-bill/

FYI - How South Korea Traced Hacker To Pyongyang - A hacker's technical blunder allowed South Korean investigators to trace back recent attacks against the country's banks and broadcasters to an IP address located in North Korea's capital, Pyongyang. http://www.informationweek.com/security/attacks/how-south-korea-traced-hacker-to-pyongya/240152702

FYI - Judge rules hospital can ask ISP for help in ID'ing alleged hackers - A New Jersey hospital can now pursue a subpoena that would require an internet service provider (ISP) to hand over information potentially identifying at least one person accused of hacking into its email server. http://www.scmagazine.com/judge-rules-hospital-can-ask-isp-for-help-in-iding-alleged-hackers/article/288294/

FYI - NYC students, hackers train for cybersecurity jobs - Every week, a group of teenagers and 20-somethings dressed in hoodies gets together in a tiny room on a college campus and plugs in their laptops. They turn up pulsing electronic funk music, order pizza and begin furiously hacking into computer networks. http://www.miamiherald.com/2013/04/11/v-fullstory/3338774/nyc-students-hackers-train-for.html

FYI - GAO - Information Technology: Consistently Applying Best Practices Could Help IRS Improve the Reliability of Reported Cost and Schedule Information.  http://www.gao.gov/products/GAO-13-401

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Researcher hacks aircraft controls with Android smartphone - A presentation at the Hack In The Box security summit in Amsterdam has demonstrated that it's possible to take control of aircraft flight systems and communications using an Android smartphone and some specialized attack code. http://www.theregister.co.uk/2013/04/11/hacking_aircraft_with_android_handset/
http://www.scmagazine.com/researcher-demonstrates-android-app-that-could-hack-airplanes/article/288667/?DCMP=EMC-SCUS_Newswire
http://www.computerworld.com/s/article/9238387/FAA_says_hijack_a_jet_app_works_only_on_simulator?taxonomyId=17

FYI - No, That German Hacker Probably Can't Hijack an Airplane with Software - An alarming dispatch from the Hack In The Box security conference in Amsterdam arrived on Wednesday: a hacker says he's found a way to take over airplane controls. http://www.theatlanticwire.com/technology/2013/04/no-german-hacker-probably-cant-hijack-airplane-software/64158/

FYI - Gaming Company Certificates Stolen and Used to Attack Activists, Others - A rash of breaches at companies that develop online videogames has resulted in digital certificates being stolen from the companies and used in attacks targeting other industries and political activists. http://www.wired.com/threatlevel/2013/04/gaming-company-certs-stolen/

FYI - Man traces stolen laptop to Iran, blogs photos of new owners - A stolen MacBook apparently goes on an epic journey from London to Iran, sending back goofy images of the new owners to the theft victim. A riveting story, unless it's a publicity stunt. http://news.cnet.com/8301-1009_3-57579119-83/man-traces-stolen-laptop-to-iran-blogs-photos-of-new-owners/?tag=nl.e757&s_cid=e757&ttag=e757

FYI - Wide-scale attack against WordPress blogs reported - Hackers may be building a more powerful botnet for subsequent, larger attacks - Unidentified hackers are said to have launched a large-scale attack against WordPress blogs, and any hosts using weak passwords are urged to update them immediately. http://www.computerworld.com/s/article/9238377/Wide_scale_attack_against_WordPress_blogs_reported?taxonomyId=17

FYI - Schnucks supermarket chain struggled to find breach that exposed 2.4M cards - Company's experience highlights growing sophistication of attacks, analysts say - The Schnucks supermarket chain struggled for two weeks to find the source of a breach after being alerted to a possible leak of credit card info by its card processing company. During that time, Schnucks apparently continued exposing the debit and credit card data of people who shopped at its stores.
http://www.computerworld.com/s/article/9238402/Schnucks_supermarket_chain_struggled_to_find_breach_that_exposed_2.4M_cards?taxonomyId=17
http://www.scmagazine.com/schnucks-supermarket-chain-discloses-breach-that-stole-24-million-credit-card-numbers/article/288987/?DCMP=EMC-SCUS_Newswire

FYI - Foreclosure Review: Lessons Learned Could Enhance Continuing Reviews and Activities under Amended Consent Orders, GAO-13-550T, April 17. http://www.gao.gov/products/GAO-13-550T

FYI - "Syrian Electronic Army" defaces NPR website, Twitter accounts - The main website of NPR and its blog devoted to breaking news were hacked Monday night. Members of the "Syrian Electronic Army (SEA)" took credit for the hijackings. http://www.scmagazine.com/syrian-electronic-army-defaces-npr-website-twitter-accounts/article/289036/?DCMP=EMC-SCUS_Newswire

WEB SITE COMPLIANCE
Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Security and Confidentiality

The contract should address the service provider's responsibility for security and confidentiality of the institution's resources (e.g., information, hardware). The agreement should prohibit the service provider and its agents from using or disclosing the institution's information, except as necessary to or consistent with providing the contracted services, to protect against unauthorized use (e.g., disclosure of information to institution competitors). If the service provider receives nonpublic personal information regarding the institution's customers, the institution should notify the service provider to assess the applicability of the privacy regulations. Institutions should require the service provider to fully disclose breaches in security resulting in unauthorized intrusions into the service provider that may materially affect the institution or its customers. The service provider should report to the institution when material intrusions occur, the effect on the institution, and corrective action to respond to the intrusion.

Controls

Consideration should be given to contract provisions addressing control over operations such as:

• Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and the institution's approval rights regarding material changes to services, systems, controls, key project personnel allocated to the institution, and new service locations.
• Setting and monitoring of parameters relating to any financial functions, such as payments processing and any extensions of credit on behalf of the institution.
• Insurance coverage to be maintained by the service provider.

INFORMATION TECHNOLOGY SECURITY
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Intrusion Response Policies and Procedures.

Management should establish, document, and review the policies and procedures that guide the bank's response to information system intrusions. The review should take place at least annually, with more frequent reviews if the risk exposure warrants them. 

Policies and procedures should address the following:

1. The priority and sequence of actions to respond to an intrusion. Actions should address the containment and elimination of an intrusion and system restoration. Among other issues, containment actions include a determination of which business processes must remain operational, which systems may be disconnected as a precaution, and how to address authentication compromises (e.g., revealed passwords) across multiple systems.

2. Gathering and retaining intrusion information, as discussed below.

3. The employee's authority to act, whether by request or by pre-approval, and the process for escalating the intrusion response to progressively higher degrees of intensity and senior management involvement.

4. Availability of necessary resources to respond to intrusions. Management should ensure that contact information is available for those who are responsible for responding to intrusions.

5. System restoration tools and techniques, including the elimination of the intruder's means of entry and back doors, and the restoration of data and systems to the pre-intrusion state.

6. Notification and reporting to operators of other affected systems, users, regulators, incident response organizations, and law enforcement. Guidelines for filing a Suspicious Activity Report for suspected computer related crimes are discussed below, and in OCC Advisory Letter 97-9, "Reporting Computer Related Crimes" (November 19, 1997). 

7. Periodic testing, as discussed below.

8. Staff training resources and requirements.

INTERNET PRIVACY
We continue our series listing the regulatory privacy examination questions. Answering each week's question will help ensure compliance with the privacy regulations.

Examination Procedures (Part 2 of 3)

B. Use the information gathered from step A to work through the "Privacy Notice and Opt Out Decision Tree."  Identify which module(s) of procedures is (are) applicable.

C. Use the information gathered from step A to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (Attachments B & C). Identify which module is applicable.

D. Determine the adequacy of the financial institution's internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:

1)  Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;

2)  Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;

3)  Frequency and effectiveness of monitoring procedures;

4)  Adequacy and regularity of the institution's training program;

5)  Suitability of the compliance audit program for ensuring that: 

     a)  the procedures address all regulatory provisions as applicable; 
     b)  the work is accurate and comprehensive with respect to the institution's information sharing practices; 
     c)  the frequency is appropriate; 
     d)  conclusions are appropriately reached and presented to responsible parties; 
     e)  steps are taken to correct deficiencies and to follow up on previously identified deficiencies; and

6)  Knowledge level of management and personnel.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated