Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Hackers having less success in draining bank accounts - Financially
minded cyber criminals are attempting to hijack corporate bank
accounts at increasing rates, but they are finding less luck in
actually getting money out of them, according to a Financial
Services Information Sharing and Analysis Center (FS-ISAC) study
- Music site joins LinkedIn, eHarmony as victim of password theft -
In the span of about 24 hours, three major websites have requested
that their users change their passwords following apparent heists of
millions of credentials.
O2 and Be Broadband are latest to block The Pirate Bay - O2 is set
to block its customers from accessing file-sharing site The Pirate
Bay from 0001 BST on Friday, the internet service provider has said.
NHS fights record £325k ICO fine after clap records appear on eBay -
An NHS Trust is disputing a record fine the Information
Commissioner's Office has levelled on it for leaving tons of data on
patients and staff on hard drives that were sold on eBay instead of
DOE publishes electric grid cybersecurity model - After five months
of development, the Energy Department published May 31 the
Electricity Subsector Cybersecurity Capability Maturity Model.
The unforeseen risks of the cloud - While it has revolutionized
collaboration, the cloud can also bring with it potentially serious
security ramifications, like intellectual property theft or data
European data chiefs warns of Big Brother implications with smart
meter roll out - The European data protection supervisor (EDPS) has
warned that the deployment of smart meters across member states
threatens to create an intrusive system of mass monitoring unless
robust safeguards are introduced.
The IT staff of the future will speak business, not just technology
- Until recently, organizations had two major operational and
technical forces to deal with: networking and security.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Potential leak of 6.5+ million LinkedIn password hashes - Reports
originally surfaced in Norway overnight that about 6.5 million
unsalted SHA-1 password hashes had been posted to a Russian site
with a request for assistance in cracking them.
Auto dealer, debt collector settle with FTC over data breaches - The
Federal Trade Commission has settled with two companies over
allegations that they leaked sensitive data of individuals via
Fourteen busted on online banking theft charges - Fourteen people
from South Florida have been charged in connection to a bank fraud
ring in which the accounts of unsuspecting customers were accessed
to transfer money.
University of North Florida gets breached again, data on 23K
students at risk - For the second time in two years, hackers gained
access to a University of North Florida (UNF) server holding the
confidential information of students.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 4: Banks should ensure that proper authorization
controls and access privileges are in place for e-banking systems,
databases and applications.
In order to maintain segregation of duties, banks need to strictly
control authorization and access privileges. Failure to provide
adequate authorization control could allow individuals to alter
their authority, circumvent segregation and gain access to e-banking
systems, databases or applications to which they are not privileged.
In e-banking systems, the authorizations and access rights can be
established in either a centralized or distributed manner within a
bank and are generally stored in databases. The protection of those
databases from tampering or corruption is therefore essential for
effective authorization control.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Operational anomalies may be evidence of a broad number of issues,
one of which is potential intrusion. Anomalies that act as
intrusion-warning indicators fall into two categories, those
apparent in system processing, and those apparent outside the
System processing anomalies are evident in system logs and system
behavior. Good identification involves pre-establishing which system
processing data streams will be monitored for anomalies, defining
which anomalies constitute an indicator of an intrusion, and the
frequency of the monitoring. For example, remote access logs can be
reviewed daily for access during unusual times. Other logs can be
reviewed on other regular cycles for other unusual behaviors. System
behavior covers a broad range of issues, from CPU utilization to
network traffic protocols, quantity and destinations. One example of
a processing anomaly is CPU utilization approaching 100% when the
scheduled jobs typically require much less. Anomalous behavior,
however, may not signal an intrusion.
Outside the system, detection is typically based on system output,
such as unusual Automated Clearing House transactions or bill
payment transactions. Those unusual transactions may be flagged as a
part of ordinary transaction reviews, or customers and other system
users may report them. Customers and other users should be advised
as to where and how to report anomalies. The anomalous output,
however, may not signal an intrusion.
Central reporting and analysis of all IDS output, honeypot
monitoring, and anomalous system behavior assists in the intrusion
identification process. Any intrusion reporting should use
out-of-band communications mechanisms to protect the alert from
being intercepted or compromised by an intruder.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information
about a consumer to a nonaffiliated third party, and the exceptions
under §§13-15 do not apply, does the institution provide the
consumer with a clear and conspicuous opt out notice that accurately
explains the right to opt out? [§7(a)(1)]