R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 23, 2010

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Are you ready for your IT examination?
 
The Weekly IT Security Review provides a checklist of the IT security issues covered in the FFIEC IT Examination Handbook, which will prepare you for the IT examination.   For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI
-
ATM hacking spree foiled by tip from ex-con - A North Carolina man's scheme to steal as much as $350,000 during an automatic teller machine hacking spree was thwarted by an ex-convict, who turned the man in to authorities, federal prosecutors allege. http://www.theregister.co.uk/2010/05/04/atm_hacking_spree_foiled/

FYI -
Web cam report blasts Lower Merion school district - Inconsistent policies. Shoddy record-keeping. Misstep after misstep. "Overzealous" use of technology "without any apparent regard for privacy considerations."
Atricle - http://www.philly.com/inquirer/education/20100504_Web_cam_report_blasts_Lower_Merion_school_district.html?viewAll=y
Investigation Report - http://www.lmsd.org/documents/news/100503_ballard_spahr_report.pdf

FYI -
Mandatory data breach notification on the horizon, says ICO - The Information Commissioners Office (ICO) plans to use its new powers to enforce data protection in the UK, says the deputy information commissioner. http://www.computerweekly.com/Articles/2010/04/27/241061/Mandatory-data-breach-notification-on-the-horizon-says.htm

FYI -
Outsourced managed security: What should you outsource? Should we be surprised that roughly one in five managed security service programs fail? http://www.scmagazineus.com/outsourced-managed-security-what-should-you-outsource/article/169593/?DCMP=EMC-SCUS_Newswire

FYI -
Wash. Supreme Court rules Internet filters OK - Case sparked by 2006 lawsuit filed by the American Civil Liberties Union - Public libraries' use of Internet filters to block content does not run afoul of the state constitution, the Washington state Supreme Court. http://www.msnbc.msn.com/id/37001589/ns/us_news/

FYI -
The impact of virtualization on network security - Affordable network storage has driven server virtualization adoption over the past few years, and most organizations today have a virtual machine (VM) somewhere in their environment. http://www.scmagazineus.com/avenging-host-the-impact-of-virtualization-on-network-security/article/169844/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Mass Injection Attack Hits WordPress Blogs across Multiple Hosters - The malicious code hides from Google's crawler - Hundreds of WordPress blogs hosted on shared servers were compromised over the weekend and had malicious code injected into their pages. A detailed analysis of the affected sites uncovered instructions to hide the attack from Google's web crawler. http://news.softpedia.com/news/Mass-Injection-Attack-Hits-WordPress-Blogs-Across-Multiple-Hosters-141694.shtml

FYI -
Court gives preliminary OK to $4M consumer settlement in Heartland case - Payment processor agrees to reimburse consumers for costs associated with 2009 breach - A federal court in Texas has given preliminary approval to a $4 million settlement of a consumer class-action lawsuit against Heartland Payment Systems Inc. over the massive data breach the payment processor disclosed in January 2009. http://www.computerworld.com/s/article/9176431/Court_gives_preliminary_OK_to_4M_consumer_settlement_in_Heartland_case?taxonomyId=84

FYI -
Privacy watchdog looks into NHS data breach - The loss of a data stick containing information on psychiatric patients in Scotland is to be investigated by UK privacy watchdog the Information Commissioner's Office. http://www.zdnet.co.uk/news/security-threats/2010/05/06/privacy-watchdog-looks-into-nhs-data-breach-40088863/

FYI -
Widespread attacks continue against WordPress sites - Intruders in recent weeks have hacked a large number of websites created through the WordPress blogging platform to spread malware, with another major campaign launched, security researchers said. http://www.scmagazineus.com/widespread-attacks-continue-against-wordpress-sites/article/169956/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE -
 Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 3 of 3)

Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes. Enhancements may include:

!  Incorporating notification procedures to alert customers of known e-mail and Internet-related fraudulent schemes and to caution them against responding;
!  Establishing a process to notify Internet service providers, domain name-issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that may be used to facilitate phishing or other e-mail and Internet-related fraudulent schemes;
!  Increasing suspicious activity monitoring and employing additional identity verification controls;
!  Offering customers assistance when fraud is detected in connection with customer accounts;
!  Notifying the proper authorities when e-mail and Internet-related fraudulent schemes are detected, including promptly notifying their FDIC Regional Office and the appropriate law enforcement agencies; and
!  Filing a Suspicious Activity Report when incidents of e-mail and Internet-related fraudulent schemes are suspected.

Steps Financial Institutions Can Take to Mitigate Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and Internet-related fraudulent schemes, financial institutions should implement appropriate information security controls as described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet."  Specific actions that should be considered to prevent and deter e-mail and Internet-related fraudulent schemes include:

!  Improving authentication methods and procedures to protect against the risk of user ID and password theft from customers through e-mail and other frauds;
!  Reviewing and, if necessary, enhancing practices for protecting confidential customer data;
!  Maintaining current Web site certificates and describing how customers can authenticate the financial institution's Web pages by checking the properties on a secure Web page;
!  Monitoring accounts individually or in aggregate for unusual account activity such as address or phone number changes, a large or high volume of transfers, and unusual customer service requests;
!  Monitoring for fraudulent Web sites using variations of the financial institution's name;
!  Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious e-mail messages; and
!  Training customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.

Conclusion

E-mail and Internet-related fraudulent schemes present a substantial risk to financial institutions and their customers. Financial institutions should consider developing programs to educate customers about e-mail and Internet-related fraudulent schemes and how to avoid them, consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes, and implement appropriate information security controls to help mitigate the risks associated with e-mail and Internet-related fraudulent schemes.


Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY
-
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review security strategies and plans. 

Senior management and the board of directors are responsible for overseeing the development and implementation of their bank's security strategy and plan. Key elements to be included in those strategies and plans are an intrusion risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. These elements are needed for both internal and outsourced operations.

The first step in managing the risks of intrusions is to assess the effects that intrusions could have on the institution. Effects may include direct dollar loss, damaged reputation, improper disclosure, lawsuits, or regulatory sanctions. In assessing the risks, management should gather information from multiple sources, including (1) the value and sensitivity of the data and processes to be protected, (2) current and planned protection strategies, (3) potential threats, and (4) the vulnerabilities present in the network environment. Once information is collected, management should identify threats and the likelihood of those threats materializing, rank critical information assets and operations, and estimate potential damage.

The analysis should be used to develop an intrusion protection strategy and risk management plan. The intrusion protection strategy and risk management plan should be consistent with the bank's information security objectives. It also should balance the cost of implementing adequate security controls with the bank's risk tolerance and profile. The plan should be implemented within a reasonable time. Management should document this information, its analysis of the information, and decisions in forming the protection strategy and risk management plan. By documenting this information, management can better control the assessment process and facilitate future risk assessments.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 6 of 6)

Redisclosure and Reuse Limitations on Nonpublic Personal Information Received:

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.

A)  For nonpublic personal information received under a section 14 or 15 exception, the financial institution is limited to:

     1)  Disclosing the information to the affiliates of the financial institution from which it received the information; 

     2)  Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and 

     3)  Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors). 

B)  For nonpublic personal information received other than under a section 14 or 15 exception, the recipient's use of the information is unlimited, but its disclosure of the information is limited to:

     1)  Disclosing the information to the affiliates of the financial institution from which it received the information;

     2)  Disclosing the information to its own affiliates, who may, in turn disclose the information only to the extent that the financial institution can do so; and

     3)  Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list (1) in accordance with the privacy policy of the financial institution that provided the list, (2) subject to any opt out election or revocation by the consumers on the list, and (3) in accordance with appropriate exceptions under sections 14 and 15.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

IT Security Checklist
A weekly email that provides an effective
method to prepare for your IT examination.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated