Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - This is our ninth
anniversary publishing the newsletters. We want to
thank all our subscribers for reading our newsletters. We
enjoy brining them to you. If you have any suggestions to
improve the newsletters, please email R. Kinney Williams at
FYI - Information Security:
Application Security - This bulletin reminds national banks and
their technology service providers that application security is an
important component of their information security program.
Brute-force SSH Attacks on the Rise - There has been a significant
amount of brute force scanning reported by some of our readers and
on other mailing lists. And there does appear to be a bit of a spike
reflected in the port 22/tcp sources in the past week in the Dshield
Comcast Restricted Bandwidth To BitTorrent Users 24/7, Study Charges
- Casting doubt on previous assertions from cable giant Comcast
about its traffic management policies, the Max Planck Institute
today released a study showing that the U.S. company has engaged in
routine blocking or throttling of BitTorrent files at all hours of
the day -- not just in periods of "peak congestion" as the company
Federal agencies' FISMA grade up slightly - Federal agencies
continued showed slight improvement in 2007 in their ability to
protect sensitive data, scoring a "C," up from a "C-minus" in 2006,
according to the annual Federal Information Security Management Act
(FISMA) report card released Tuesday.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
One million euro stolen in bank card fraud - Around one million euro
has been stolen from 300 bank accounts in one of the largest
incidents of bank card fraud ever in Ireland.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program is
to define what constitutes an incident. This step is important as it
sharpens the organization's focus and delineates the types of events
that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
The ability to detect that an incident is occurring or has occurred
is an important component of the incident response process. This is
considerably more important with respect to technical threats, since
these can be more difficult to identify without the proper technical
solutions in place. If an institution is not positioned to quickly
identify incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such
as an intrusion detection system or a firewall, to assist in the
identification of unauthorized system access. Activity reports from
these and other technical solutions (such as network and application
security reports) serve as inputs for the monitoring process and for
the IRP in general. Identifying potential indicators of unauthorized
system access within these activity or security reports can assist
in the detection process.
Involve legal counsel.
Because many states have enacted laws governing
notification requirements for customer information security
compromises, institutions have found it prudent to involve the
institution's legal counsel when a compromise of customer
information has been detected. Legal guidance may also be warranted
in properly documenting and handling the incident.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Token Systems (1 of 2)
Token systems typically authenticate the token and assume that the
user who was issued the token is the one requesting access. One
example is a token that generates dynamic passwords every X seconds.
When prompted for a password, the user enters the password generated
by the token. The token's password - generating system is
identical and synchronized to that in the system, allowing the
system to recognize the password as valid. The strength of this
system of authentication rests in the frequent changing of the
password and the inability of an attacker to guess the seed and
password at any point in time.
Another example of a token system uses a challenge/response
mechanism. In this case, the user identifies him/herself to the
system, and the system returns a code to enter into the password -
generating token. The token and the system use identical logic and
initial starting points to separately calculate a new password. The
user enters that password into the system. If the system's
calculated password matches that entered by the user, the user is
authenticated. The strengths of this system are the frequency of
password change and the difficulty in guessing the challenge, seed,
Other token methods involve multi - factor authentication, or the
use of more than one authentication method. For instance, an ATM
card is a token. The magnetic strip on the back of the card contains
a code that is recognized in the authentication process. However,
the user is not authenticated until he or she also provides a PIN,
or shared secret. This method is two - factor, using both something
the user has and something the user knows. Two - factor
authentication is generally stronger than single - factor
authentication. This method can allow the institution to
authenticate the user as well as the token.
Return to the top of the
7. Determine whether network users are
authenticated, and that the type and nature of the authentication
(user and machine) is supported by the risk assessment.
Access should only be provided where specific authorization
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
34. Does the institution deliver a
revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a
nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of
nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer
to a nonaffiliated third party, if that former customer has not had
the opportunity to exercise an opt out right regarding that
(Note: a revised
notice is not required if the institution adequately described the
nonaffiliated third party or information to be disclosed in the
prior privacy notice. [§8(b)(2)])