R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 15, 2011

CONTENTS
• Internet Compliance
• Information Systems Security
• IT Security Question
• Internet Privacy
• Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit is performed from a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Android Market and search for yennik.

FYI - FTC Settles With Companies Over Exposed Records - Beware poor website data security practices. The Federal Trade Commission on Tuesday said that payroll provider Ceridian and immigration services software provider Lookout Services had settled charges that they failed to put sufficient security measures in place to protect sensitive information relating to 65,000 people. http://www.informationweek.com/news/security/attacks/229402828

FYI - FBI Defends Cyber Investigation Capabilities - An FBI official argues that an audit finding insufficient national cybersecurity investigation skills doesn't reflect current expertise and results. http://www.informationweek.com/news/security/government/229402636

FYI - Lawmakers brace for debate over "do-not-track" bill - A new “do-not-track” bill introduced Monday in the U.S. Senate would give consumers the ability to prevent companies from collecting information about their web browsing activities. http://www.scmagazineus.com/lawmakers-brace-for-debate-over-do-not-track-bill/article/202555/?DCMP=EMC-SCUS_Newswire

FYI - Personal data of "X-Factor" hopefuls exposed - Individuals have illegally accessed Fox.com, the website of the Fox Broadcasting Co., to compromise the personal information of tens of thousands of individuals who applied to appear on Simon Cowell's new reality show. http://www.scmagazineus.com/personal-data-of-x-factor-hopefuls-exposed/article/202117/?DCMP=EMC-SCUS_Newswire

FYI - Sony mulls hack - Cash for Anonymous heads on platters - Sony execs are mulling the possibility of offering bounties for any information that leads to the arrests of hackers who breached its network. http://www.theregister.co.uk/2011/05/09/sony_hacker_bounty/

FYI - PC rental store sued for alleged Webcam spying - When you rent out your house, it's always tempting to visit your renters to check that they are happy--and to see that the walls are still in place. http://news.cnet.com/8301-17852_3-20059642-71.html

FYI - More than 30 hospital workers fired for snooping - Thirty-two employees were fired from two hospitals in Minnesota after they viewed electronic records belonging to patients who were hospitalized after overdosing at a house party. http://www.scmagazineus.com/more-than-30-hospital-workers-fired-for-snooping/article/202549/?DCMP=EMC-SCUS_Newswire

FYI - Sony delays PSN restart as third breach is discovered - As Sony works to restore its PlayStation Network (PSN) and Qriocity services – which likely will remain offline until at least the end of the month following two massive data breaches – the company has sustained a third exposure, this time involving the personal information of thousands of sweepstakes contestants. http://www.scmagazineus.com/sony-delays-psn-restart-as-third-breach-is-discovered/article/202465/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Oversight of Service Provider

Some of the oversight activities management should consider in administering the service provider relationship are categorized and listed below. The degree of oversight activities will vary depending upon the nature of the services outsourced. Institutions should consider the extent to which the service provider conducts similar oversight activities for any of its significant supporting agents (i.e., subcontractors, support vendors, and other parties) and the extent to which the institution may need to perform oversight activities on the service provider’s significant supporting agents.

Monitor Financial Condition and Operations

• Evaluate the service provider’s financial condition periodically.
• Ensure that the service provider’s financial obligations to subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews) as well as regulatory examination reports if available, and evaluate the adequacy of the service providers’ systems and controls including resource availability, security, integrity, and confidentiality.
• Follow up on any deficiencies noted in the audits and reviews of the service provider.
• Periodically review the service provider's policies relating to internal controls, security, systems development and maintenance, and backup and contingency planning to ensure they meet the institution's minimum guidelines and contract requirements, and are consistent with the current market and technological environment.
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel allocated to the institution.
• Review and monitor the service provider’s insurance policies for effective coverage.
• Perform on-site inspections in conjunction with some of the reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client institutions.

Some services provided to insured depository institutions by service providers are examined by the FFIEC member agencies. Regulatory examination reports, which are only available to clients/customers of the service provider, may contain information regarding a service provider’s operations. However, regulatory reports are not a substitute for a financial institution’s due diligence in oversight of the service provider.

We continue our series on the FFIEC interagency Information Security Booklet.  

Biometrics (Part 2 of 2)

Weaknesses in biometric systems relate to the ability of an attacker to submit false physical characteristics, or to take advantage of system flaws to make the system erroneously report a match between the characteristic submitted and the one stored in the system. In the first situation, an attacker might submit to a thumbprint recognition system a copy of a valid user's thumbprint. The control against this attack involves ensuring that a live thumb was used for the submission. That can be done by physically controlling the thumb reader, for instance by having a guard at the reader to make sure no tampering or fake thumbs are used. In remote entry situations, logical liveness tests can be performed to verify that the submitted data comes from a live subject.

Attacks that involve making the system falsely deny or accept a request take advantage of either the low degrees of freedom in the characteristic being tested, or improper system tuning. Degrees of freedom relate to measurable differences between biometric readings, with more degrees of freedom indicating a more unique biometric. Facial recognition systems, for instance, may have only nine degrees of freedom while other biometric systems have over one hundred. Similar faces may be used to fool the system into improperly authenticating an individual. Similar irises, however, are difficult to find, and it is even more difficult to use one to fool the system into improperly authenticating.

Attacks against system tuning also exist. Any biometric system has a rate at which it will falsely accept a reading (an impostor matched as a valid user) and a rate at which it will falsely reject a reading (a valid user not matched). The two rates are inseparable: for a given system, they are both set by the same match threshold, so lowering one raises the other. Systems that are tuned to maximize user convenience typically have low rates of false rejection and high rates of false acceptance. Those systems may be more open to successful attack.
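The trade-off described above can be seen directly by tuning the match threshold of a verifier. The script below is an added illustration, not part of the FFIEC booklet text or this newsletter: the matcher scores for genuine and impostor attempts are constructed, and the threshold values are chosen only to show the two tuning regimes. A real system estimates these rates from far larger populations, but the inverse relationship between the two rates is the same.

```python
# Added example: false acceptance vs. false rejection as the match
# threshold of a biometric verifier is tuned. Scores and thresholds are
# constructed for illustration; they are not from any real system, the
# FFIEC booklet, or the newsletter.

# Constructed similarity scores (0-100) reported by a hypothetical matcher.
# GENUINE: the enrolled user presenting again. IMPOSTOR: a different person
# (or a copied characteristic) presented against that user's template.
GENUINE = [88, 92, 75, 81, 95, 69, 84, 90, 78, 86]
IMPOSTOR = [40, 55, 62, 48, 71, 35, 66, 52, 58, 73]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts at or above threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts below threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) at one threshold; raising it lowers FAR and raises FRR."""
    return far(impostor, threshold), frr(genuine, threshold)


def sweep(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for each threshold, to tabulate the trade-off."""
    return [(t,) + error_rates(t, genuine, impostor) for t in thresholds]


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold (among observed scores) at which FAR and FRR are closest.

    Sweeps the observed score values as candidates and returns the one
    that minimizes |FAR - FRR| together with its rates; ties go to the
    lowest such threshold.
    """
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))
    return best, far(impostor, best), frr(genuine, best)


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, a, r in sweep([50, 60, 70, 80, 90]):
        print(f"{t:9d}  {a:.2f}  {r:.2f}")
    t, a, r = equal_error_threshold()
    print(f"equal-error threshold: {t} (FAR={a:.2f}, FRR={r:.2f})")
```

With these constructed scores, a convenience-tuned threshold of 60 rejects no genuine attempt but accepts 40% of impostor attempts, while a threshold of 85 accepts no impostor but rejects half of the genuine attempts; the equal-error point sits at 73, where both rates are 10%. When reviewing a vendor's biometric deployment, ask for the configured threshold and the FAR/FRR it implies, not just the product's advertised accuracy.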


We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

40.  Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated