R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 4, 2014

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Government Employees Cause Nearly 60% of Public Sector Cyber Incidents - About 58 percent of cyber incidents reported in the public sector were caused by government employees, according to an annual data breach report compiled by Verizon. http://www.nextgov.com/cybersecurity/2014/04/government-employees-cause-nearly-60-public-sector-cyber-incidents/82933/

FYI - Bank of England to helm pen-testing effort for UK's finance sector - The Bank of England, which helped oversee a cyber readiness exercise last year for London's finance sector, now plans to lead a large-scale penetration testing effort, according to reports. http://www.scmagazine.com/report-bank-of-england-to-helm-pen-testing-effort-for-uks-finance-sector/article/343946/

FYI - Data Breach report dishes recommendations for authentication changes - For enterprises building a large part of their authentication strategy on passwords, this year's Verizon Data Breach Investigations Report has a clear message: Cut it out! http://www.zdnet.com/data-breach-report-dishes-recommendations-for-authentication-changes-7000028717/

FYI - Feds warn health care sector of looming cyber attacks - The FBI has sent a private industry notification (PIN) to health care providers warning them that the security systems they have in place are behind those of other sectors, making them prime targets for cyber attacks. http://www.scmagazine.com/feds-warn-health-care-sector-of-looming-cyber-attacks/article/344026/

FYI - It’s Insanely Easy to Hack Hospital Equipment - When Scott Erven was given free rein to roam through all of the medical equipment used at a large chain of Midwest health care facilities, he knew he would find security problems–but he wasn’t prepared for just how bad it would be. http://www.wired.com/2014/04/hospital-equipment-vulnerable/

FYI - Secretary of State website breach cost Oregonians $176,662 - Taxpayers in Oregon were on the hook for about $176,662 to cover costs associated with a February breach of the Secretary of State's website, according to a story in The Oregonian. http://www.scmagazine.com/secretary-of-state-website-breach-cost-oregonians-176662/article/344950/


FYI - Japan airport staff dash to replace passcodes after security cock-up - Haneda employee drops key codes ahead of Obama visit - The dangers of writing passwords down on paper were laid bare in the Japanese airport of Haneda this week after a member of staff managed to lose a note containing key security codes ahead of US president Barack Obama’s arrival today. http://www.theregister.co.uk/2014/04/23/tokyo_haneda_passcode_loss_obama/

FYI - AOL imposes stricter email rules to stem spoofing attack - AOL instructs mailbox providers to reject any email allegedly associated with an AOL domain that didn't originate from an AOL server.

FYI - Tufts Health Plan data stolen, 8,830 members impacted - Massachusetts-based Tufts Health Plan is notifying roughly 8,830 current and former Tufts Medicare Preferred members that their personal information - including Social Security numbers - was stolen. http://www.scmagazine.com/tufts-health-plan-data-stolen-8830-members-impacted/article/344185/

FYI - Data on nearly 10K Snelling Staffing employees made available online - The personal information - including Social Security numbers - of almost 10,000 current and former employees of Texas-based Snelling Staffing was made available on the internet by a former employee that made an error when setting up a cloud-based server at home. http://www.scmagazine.com/data-on-nearly-10k-snelling-staffing-employees-made-available-online/article/344562/

FYI - 200 million records stolen in Q1 breaches - Nearly 200 million records - or 93,000 records per hour - were stolen between January and March of 2014, an increase of 233 percent over the same quarter last year, according to the recently released SafeNet Breach Level Index. http://www.scmagazine.com/index-200-million-records-stolen-in-q1-breaches/article/344845/


We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

Host- Versus Network-Based Vulnerability Assessment Tools

As in intrusion detection systems, which are discussed later in this appendix, there are generally two types of vulnerability assessment tools: host-based and network-based.  Another category is sometimes used for products that assess vulnerabilities of specific applications (application-based) on a host.  A host is generally a single computer or workstation that can be connected to a computer network.  Host-based tools assess the vulnerabilities of specific hosts.  They usually reside on servers, but can be placed on specific desktop computers, routers, or even firewalls. 

Network-based vulnerability assessment tools generally reside on the network, specifically analyzing the network to determine if it is vulnerable to known attacks.  Both host- and network-based products offer valuable features, and the risk assessment process should help an institution determine which is best for its needs.  Information systems personnel should understand the types of tools available, how they operate, where they are located, and the output generated from the tools.

Host-based vulnerability assessment tools are effective at identifying security risks that result from internal misuse or hackers using a compromised system.  They can detect holes that would allow access to a system such as unauthorized modems, easily guessed passwords, and unchanged vendor default passwords.  The tools can detect system vulnerabilities such as poor virus protection capabilities; identify hosts that are configured improperly; and provide basic information such as user log-on hours, password/account expiration settings, and users with dial-in access.  The tools may also provide a periodic check to confirm that various security policies are being followed.  For instance, they can check user permissions to access files and directories, and identify files and directories without ownership.

Network-based vulnerability assessment tools are more effective than host-based at detecting network attacks such as denial of service and Internet Protocol (IP) spoofing.  Network tools can detect unauthorized systems on a network or insecure connections to business partners.  Running a host-based scan does not consume network overhead, but can consume processing time and available storage on the host.  Conversely, frequently running a network-based scan as part of daily operations increases network traffic during the scan.  This may cause inadvertent network problems such as router crashes.
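One of the host-based policy checks the paper describes, password and account expiration settings, worked as an added example that is not part of the FDIC paper or this newsletter: it reads constructed /etc/shadow-style records and reports empty password fields, passwords that never expire or are overdue for rotation, and accounts whose expiration date has passed.  The 90-day rotation policy and the "today" value are assumptions.

```python
# Host-based check of password/account expiration settings over /etc/shadow-style
# records.  Added example; sample records, the 90-day policy and TODAY are constructed.

# Constructed sample in /etc/shadow layout (day fields count days since 1970-01-01):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:16150:0:90:7:::
svcacct::16150:0:90:7:::
vendor:$6$saltsalt$hashhash:15000:0:99999:7:::
olduser:$6$saltsalt$hashhash:16000:0:90:7::16100:
locked:!:16150:0:90:7:::
"""

TODAY = 16194        # constructed: 2014-05-04 expressed as days since the epoch
MAX_AGE_POLICY = 90  # assumed policy: passwords must rotate at least every 90 days


def _days(field):
    """Parse a numeric day field; an empty field means 'not set'."""
    return int(field) if field.strip() else None


def check_shadow(text, today=TODAY, max_age=MAX_AGE_POLICY):
    """Return (user, finding) pairs for records that break the assumed policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append((fields[0], "malformed record"))
            continue
        user, pw_hash, last, _min, mx, _warn, _inactive, expire, _ = fields
        if pw_hash.startswith(("!", "*")):
            continue  # locked account: password login is already disabled
        if pw_hash == "":
            findings.append((user, "empty password field: login needs no password"))
        last_d, max_d, exp_d = _days(last), _days(mx), _days(expire)
        if max_d is None or max_d >= 99999:
            findings.append((user, "password never expires"))
        elif max_d > max_age:
            findings.append((user, "max password age %d exceeds policy %d" % (max_d, max_age)))
        elif last_d is not None and last_d + max_d < today:
            findings.append((user, "password older than max age: rotation overdue"))
        if exp_d is not None and exp_d < today:
            findings.append((user, "account expiration date has passed"))
    return findings


if __name__ == "__main__":
    for user, finding in check_shadow(SAMPLE_SHADOW):
        print("%-10s %s" % (user, finding))
```

A real host-based tool would read the live shadow file with root privileges and combine this with the file-ownership and permission checks the paper mentions.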

We continue our series on the FFIEC interagency Information Security Booklet.


Additional operating system access controls include the following actions:

- Ensure system administrators and security professionals have adequate expertise to securely configure and manage the operating system.
- Ensure effective authentication methods are used to restrict system access to both users and applications.
- Activate and utilize operating system security and logging capabilities and supplement with additional security software where supported by the risk assessment process.
- Restrict operating system access to specific terminals in physically secure and monitored locations.
- Lock or remove external drives from system consoles or terminals residing outside physically secure locations.
- Restrict and log access to system utilities, especially those with data-altering capabilities.
- Restrict access to operating system parameters.
- Prohibit remote access to sensitive operating system functions, where feasible, and at a minimum require strong authentication and encrypted sessions before allowing remote support.
- Limit the number of employees with access to sensitive operating systems and grant only the minimum level of access required to perform routine responsibilities.
- Segregate operating system access, where possible, to limit full or root-level access to the system.
- Monitor operating system access by user, terminal, date, and time of access.
- Update operating systems with security patches, using appropriate change control mechanisms.
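The monitoring and terminal-restriction items above, worked as an added example that is not FFIEC text: constructed login records are parsed and each privileged login is checked by user, terminal, date and time against an assumed policy (approved console and admin workstation, an 08:00 to 18:00 support window, and no remote root logins).  The log layout, host name, addresses and policy values are all assumptions.

```python
# Monitoring of operating system access by user, terminal, date and time against an
# assumed access policy.  Added example; log lines and policy values are constructed.
import re
from datetime import datetime

# Constructed sample in a syslog-like layout (timestamp host process[pid]: message).
SAMPLE_LOG = """\
2014-05-01T09:12:03 host1 sshd[1201]: Accepted publickey for opsadmin from 10.0.5.21 port 50122
2014-05-01T23:41:55 host1 sshd[1377]: Accepted password for opsadmin from 10.0.9.8 port 50201
2014-05-02T10:02:10 host1 login[211]: LOGIN ON tty1 BY root
2014-05-02T02:15:41 host1 sshd[1402]: Accepted password for root from 10.0.5.21 port 50310
"""

POLICY = {
    "privileged_users": {"root", "opsadmin"},
    "approved_terminals": {"tty1", "10.0.5.21"},  # assumed console and admin workstation
    "hours": (8, 18),                             # assumed 08:00-18:00 support window
}

SSH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+$")
TTY_RE = re.compile(r"^(\S+) \S+ login\[\d+\]: LOGIN ON (\S+) BY (\S+)$")


def parse_events(text):
    """Yield (time, user, terminal, method) for each recognised login line."""
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts, method, user, src = m.groups()
            yield datetime.fromisoformat(ts), user, src, method
            continue
        m = TTY_RE.match(line)
        if m:
            ts, tty, user = m.groups()
            yield datetime.fromisoformat(ts), user, tty, "console"


def review_access(text, policy=POLICY):
    """Return (user, terminal, reason) for privileged logins that break the policy."""
    alerts = []
    start, end = policy["hours"]
    for when, user, terminal, method in parse_events(text):
        if user not in policy["privileged_users"]:
            continue
        if terminal not in policy["approved_terminals"]:
            alerts.append((user, terminal, "login from unapproved terminal"))
        if not start <= when.hour < end:
            alerts.append((user, terminal, "login outside approved hours"))
        if user == "root" and method != "console":
            alerts.append((user, terminal, "remote root login"))
    return alerts
```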


We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

SUBPART C - Exception to Opt Out Requirements for Service Providers and Joint Marketing

47.  If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised notice requirements in §8, not apply because:

a.  the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]

b.  the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and

c.  the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §14 or §15 in the ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
© Copyright Yennik, Incorporated