Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b)
as well as the penetration
study complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
- Beware of keystroke loggers disguised as USB phone chargers, FBI
warns- Private industry notification comes 15 months after debut of
KeySweeper. The author of the FBI advisory contacted Ars to say the
point he wanted to convey is that threat stems not from KeySweeper
itself, but from similar types of devices that could easily contain
- Up to a dozen banks are reportedly investigating potential SWIFT
breaches - The incidents are part of a larger trend of
cybercriminals targeting financial institutions directly instead of
- Workplace security awareness programs lacking in efficacy, says
study - Just because a company offers a cybersecurity awareness and
training program to its employees doesn't mean it's necessarily
doing enough to change workers' dangerous online behaviors,
according to a new report.
- CEO sacked after aircraft company grounded by whaling attack -
Following a successful whaling attack in January which cost FACC €40
million, the company has sacked both its CFO and CEO.
- Feinstein-Burr's bonkers backdoor crypto law is dead in the water
- US senators' bill won't make it to the floor of Congress - A
proposed piece of US legislation that would have required American
tech companies to cripple the encryption in their products is dead
in the water.
- Senate bill tasks FAA to oversee sharing of cyber threat
information - The Federal Aviation Administration could find itself
with more oversight of the cybersecurity threats facing industry if
a senator’s information-sharing bill makes it through committee.
- Don't connect your charging cell to a computer or you may get
hacked! - Connecting your mobile device to a computer using a USB
cable could make you vulnerable to hackers.
- Massive drop in cyberattacks on banks, Lloyds - Lloyds Banking
Group, a London-based financial institution, claimed it's seen a
substantial reduction in the number of cyberattacks it was hit with
- Appeals court: No warrant needed to access cell location data - A
U.S. appeals court overturned a ruling from last year that law
enforcement authorities must obtain a warrant to access a suspect's
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- FOURTH bank hit by SWIFT hackers - A fourth bank, this time in the
Philippines, has been attacked by hackers targeting the SWIFT
inter-bank transfer system.
- 65M Tumblr accounts for sale after 2013 breach - More than 65
million Tumblr accounts from a 2013 breach were spotted for sale on
the dark web.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
- Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
A computer security contingency is an event with the potential to
disrupt computer operations, thereby disrupting critical mission and
business functions. Such an event could be a power outage, hardware
failure, fire, or storm. If the event is very destructive, it is
often called a disaster.
To avert potential contingencies and disasters or minimize the
damage they cause organizations can take steps early to control the
event. Generally called contingency planning, this activity is
closely related to incident handling, which primarily addresses
malicious technical threats such as hackers and viruses.
Contingency planning involves more than planning for a move offsite
after a disaster destroys a data center. It also addresses how to
keep an organization's critical functions operating in the event of
disruptions, both large and small. This broader perspective on
contingency planning is based on the distribution of computer
support throughout an organization.
This chapter presents the contingency planning process in six
1) Identifying the mission- or business-critical functions.
2) Identifying the resources that support the critical functions.
3) Anticipating potential contingencies or disasters.
4) Selecting contingency planning strategies.
5) Implementing the contingency strategies.
6) Testing and revising the strategy.
Contingency planning directly supports an organization's goal of
continued operations. Organizations practice contingency planning
because it makes good business sense.