Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Utah CTO takes fall for data breach - Resignation sought by Gov.
Herbert after breach exposes data on 280,000 Medicaid recipients -
The executive director of Utah's Department of Technology Services
has resigned over a data breach two months ago that exposed the
Social Security numbers and other personal data of about 280,000
- UK man to spend year in the clink for Facebook account hack -
21-year-old admitted breaking into US victim's profile - A British
man has been jailed for a year after hacking into the Facebook
account of a US citizen.
- The FBI took -- and mysteriously returned -- their server. Here's
their story - Presumed FBI agents reinstall a server seized from
MayFirst/PeopleLink. The bureau won't say why it took it or why it
returned it in such an unusual manner. Ever wonder what it's like to
have FBI agents knock on your door? Or to have them walk into your
business unannounced and walk away with your computer?
- GAO - Management Report: Opportunities for Improvement in the
Bureau of Consumer Financial Protection's Internal Controls and
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- The Pirate Bay hit by DDoS attack - File-sharing website The
Pirate Bay (TPB) has been hit by a Distributed Denial of Service (DDoS)
attack. The site has been largely inaccessible for the last 24
hours, and the service is intermittent in the UK.
- Global Payments Breach Fueled Prepaid Card Fraud - Debit card
accounts stolen in a recent hacker break-in at card processor Global
Payments have been showing up in fraud incidents at retailers in Las
Vegas and elsewhere, according to officials from one bank impacted
by the fraud.
- Hacktivists take down Chicago Police Department website - On
Sunday, the Chicago Police Department (CPD) and city of Chicago's
official websites were victims of a cyber strike seemingly performed
by hacktivists affiliated with Anonymous.
- Hacked UMaine server leads to exposed personal data - Sensitive
data belonging to people who made web-based purchases at the
University of Maine's (UMaine) Orono Campus may have been stolen
after the school's server suffered a security breach.
- Anonymous hacks DoJ and dumps data online - The infamous
hacktivist collective Anonymous released a 1.7-GB archive of
sensitive information after infiltrating the U.S. Department of
Justice (DoJ) with the help of their hacking collaborators
- Unencrypted hospital laptop exposes 2k patient records - An
employee of the Boston Children's Hospital lost a laptop holding
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Security Controls - Principle 1: Banks should take
appropriate measures to authenticate the identity and authorization
of customers with whom it conducts business over the Internet. (Part
2 of 2)
The bank must determine which authentication methods to use based on
management's assessment of the risk posed by the e-banking system as
a whole or by the various sub-components. This risk analysis should
evaluate the transactional capabilities of the e-banking system
(e.g. funds transfer, bill payment, loan origination, account
aggregation etc.), the sensitivity and value of the stored e-banking
data, and the customer's ease of using the authentication method.
Robust customer identification and authentication processes are
particularly important in the cross-border e-banking context given
the additional difficulties that may arise from doing business
electronically with customers across national borders, including the
greater risk of identity impersonation and the greater difficulty in
conducting effective credit checks on potential customers.
As authentication methods continue to evolve, banks are encouraged
to monitor and adopt industry sound practice in this area such as
1) Authentication databases that provide access to e-banking
customer accounts or sensitive systems are protected from tampering
and corruption. Any such tampering should be detectable and audit
trails should be in place to document such attempts.
2) Any addition, deletion or change of an individual, agent or
system to an authentication database is duly authorized by an
3) Appropriate measures are in place to control the e-banking
system connection such that unknown third parties cannot displace
4) Authenticated e-banking sessions remain secure throughout the
full duration of the session or in the event of a security lapse the
session should require re-authentication.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 3 of 4)
Some network IDS units allow the IP addresses
associated with certain signatures to be automatically blocked.
Financial institutions that use that capability run the risk of an
attacker sending attack packets that falsely report the sending IP
addresses as that of service providers and others that the
institution needs to continue offering service, thereby creating a
denial - of - service situation. To avoid such a situation, the
institution also may implement a list of IP addresses that should
not be blocked by the IDS.
Hosts also use a signature-based method. One such method creates a
hash of key binaries, and periodically compares a newly generated
hash against the original hash. Any mismatch signals a change to the
binary, a change that could be the result of an intrusion.
Successful operation of this method involves protection of the
original binaries from change or deletion, and protection of the
host that compares the hashes. If attackers can substitute a new
hash for the original, an attack may not be identified. Similarly,
if an attacker can alter the host performing the comparison so that
it will report no change in the hash, an attack may not be
An additional host-based signature method monitors the application
program interfaces for unexpected or unwanted behavior, such as a
Web server calling a command line interface.
Attackers can defeat host-based IDS systems using loadable kernel
modules, or LKMs. A LKM is software that attaches itself to the
operating system kernel. From there, it can redirect and alter
communications and processing. With the proper LKM, an attacker can
force a comparison of hashes to always report a match and provide
the same cryptographic fingerprint of a file, even after the source
file was altered. LKMs can also hide the use of the application
program interfaces. Detection of LKMs is extremely difficult and is
typically done through another LKM.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice
according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available
upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the
(Note: the institution is not required to deliver the full
privacy notice with the shortform initial notice. [§6(d)(3)])