R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 22, 2011

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee
you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - White House Releases Cybersecurity Plans - The Obama administration's legislative proposal includes critical infrastructure protection, breach notification, privacy requirements, and overhauls for internal government cybersecurity. http://www.informationweek.com/news/government/security/229500148

FYI - ACS:Law fined for data breach - ACS:Law has been fined by the Information Commissioner's Office for failing to follow data protection law. The one-man law firm, which has since ceased trading, won infamy for using IP numbers to accuse people of illegal file-sharing. Victims received a letter offering to settle the claims rather than go to court. But ACS:Law never took anyone to court, and some judges doubted whether it ever had the legal basis to do so. http://www.theregister.co.uk/2011/05/10/acslaw_ico_fine/
FYI - Senators call on SEC to mandate more breach reporting - Prompted by recent breaches of intellectual property belonging to U.S. corporations, federal lawmakers want the Securities and Exchange Commission (SEC) to clarify guidance around the obligation to publicly disclose these incidents to shareholders. http://www.scmagazineus.com/senators-call-on-sec-to-mandate-more-breach-reporting/article/202689/?DCMP=EMC-SCUS_Newswire

FYI - FCC unveils cyber defense website for small businesses - The Federal Communications Commission (FCC) on Monday announced the launch of a new website designed to help small businesses protect against cyberattack. http://www.scmagazineus.com/fcc-unveils-cyber-defense-website-for-small-businesses/article/203061/?DCMP=EMC-SCUS_Newswire


FYI - Breach at Michaels Stores Extends Nationwide - Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals. http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/

FYI - Man sentenced to 3 years for ATM hack scheme - Attempted heist worth $200,000 - A North Carolina man has been sentenced to three years in prison after admitting he planned to pocket as much as $200,000 by hacking into automatic teller machines. http://www.theregister.co.uk/2011/05/09/atm_hacker_sentenced/

FYI - Teenage duo sentenced over credit card Ghostmarket - 'I will never get a job in IT,' laments hacker - Two UK teenagers received sentences for repeated hack attacks that stole credit card data and took one online webhost offline. http://www.theregister.co.uk/2011/05/16/hacker_duo_sentenced/

FYI - Anonymous Splinter Group Implicated in Game Company Hack - The Web sites for computer game giant Eidos Interactive and one of its biggest titles - Deus Ex - were defaced and plundered on Wednesday in what appears to have been an attack from a splinter cell of the hacktivist group Anonymous. http://krebsonsecurity.com/2011/05/anonymous-splinter-group-implicated-in-game-company-hack/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Oversight of Service Provider

Assess Quality of Service and Support

• Regularly review reports documenting the service provider’s performance. Determine if the reports are accurate and allow for a meaningful assessment of the service provider’s performance.
• Document and follow up on any problem in service in a timely manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change controls are in effect, and ensure authorization is established for significant system changes.
• Evaluate the provider’s ability to support and enhance the institution’s strategic direction including anticipated business development goals and objectives, service delivery requirements, and technology initiatives.
• Determine adequacy of training provided to financial institution employees.
• Review customer complaints on the products and services provided by the service provider.
• Periodically meet with contract parties to discuss performance and operational issues.
• Participate in user groups and other forums.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  



Single Sign - On

Several single sign - on protocols are in use. Those protocols allow clients to authenticate themselves once to obtain access to a range of services. An advantage of single sign - on systems is that users do not have to remember or possess multiple authentication mechanisms, potentially allowing for more complex authentication methods and fewer user - created weaknesses. Disadvantages include the broad system authorizations potentially tied to any given successful authentication, the centralization of authenticators in the single sign - on server, and potential weaknesses in the single sign - on technologies.

When single sign - on systems allow access for a single login to multiple instances of sensitive data or systems, financial institutions should employ robust authentication techniques, such as multi - factor, PKI, and biometric techniques. Financial institutions should also employ additional controls to protect the authentication server and detect attacks against the server and server communications.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13-15, unless:

a.  it has provided the consumer with an initial notice; [§10(a)(1)(i)]

b.  it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]

c.  it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and

d.  the consumer has not opted out? [§10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated