R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 17, 2012

CONTENT Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Hackers having less success in draining bank accounts - Financially minded cyber criminals are attempting to hijack corporate bank accounts at increasing rates, but they are finding less luck in actually getting money out of them, according to a Financial Services Information Sharing and Analysis Center (FS-ISAC) study released Thursday. http://www.scmagazine.com/hackers-having-less-success-in-draining-bank-accounts/article/245775/?DCMP=EMC-SCUS_Newswire

FYI - Music site joins LinkedIn, eHarmony as victim of password theft - In the span of about 24 hours, three major websites have requested that their users change their passwords following apparent heists of millions of credentials. http://www.scmagazine.com/music-site-joins-linkedin-eharmony-as-victim-of-password-theft/article/244828/?DCMP=EMC-SCUS_Newswire

FYI - O2 and Be Broadband are latest to block The Pirate Bay - O2 is set to block its customers from accessing file-sharing site The Pirate Bay from 0001 BST on Friday, the internet service provider has said. http://www.bbc.co.uk/news/technology-18358483

FYI - NHS fights record 325k ICO fine after clap records appear on eBay - An NHS Trust is disputing a record fine the Information Commissioner's Office has levelled on it for leaving tons of data on patients and staff on hard drives that were sold on eBay instead of being destroyed. http://www.theregister.co.uk/2012/06/06/nhs_trust_disputes_ico_fine/

FYI - DOE publishes electric grid cybersecurity model - After five months of development, the Energy Department published May 31 the Electricity Subsector Cybersecurity Capability Maturity Model. http://www.fiercegovernmentit.com/story/doe-publishes-electric-grid-cybersecurity-model/2012-06-04

FYI - The unforeseen risks of the cloud - While it has revolutionized collaboration, the cloud can also bring with it potentially serious security ramifications, like intellectual property theft or data breaches. http://www.scmagazine.com/the-unforeseen-risks-of-the-cloud/article/244422/?DCMP=EMC-SCUS_Newswire

FYI - European data chiefs warns of Big Brother implications with smart meter roll out - The European data protection supervisor (EDPS) has warned that the deployment of smart meters across member states threatens to create an intrusive system of mass monitoring unless robust safeguards are introduced. http://www.v3.co.uk/v3-uk/news/2183404/european-chiefs-warns-brother-implications-smart-meter-roll

FYI - The IT staff of the future will speak business, not just technology - Until recently, organizations had two major operational and technical forces to deal with: networking and security. http://www.scmagazine.com/the-it-staff-of-the-future-will-speak-business-not-just-technology/article/245401/?DCMP=EMC-SCUS_Newswire


FYI - Potential leak of 6.5+ million LinkedIn password hashes - Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them. https://isc.sans.edu/diary.html?storyid=13390

FYI - Auto dealer, debt collector settle with FTC over data breaches - The Federal Trade Commission has settled with two companies over allegations that they leaked sensitive data of individuals via file-sharing networks. http://www.scmagazine.com/auto-dealer-debt-collector-settle-with-ftc-over-data-breaches/article/244994/?DCMP=EMC-SCUS_Newswire

FYI - Fourteen busted on online banking theft charges - Fourteen people from South Florida have been charged in connection to a bank fraud ring in which the accounts of unsuspecting customers were accessed to transfer money. http://www.scmagazine.com/fourteen-busted-on-online-banking-theft-charges/article/245246/?DCMP=EMC-SCUS_Newswire

FYI - University of North Florida gets breached again, data on 23K students at risk - For the second time in two years, hackers gained access to a University of North Florida (UNF) server holding the confidential information of students. http://www.scmagazine.com/university-of-north-florida-gets-breached-again-data-on-23k-students-at-risk/article/245238/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 4: Banks should ensure that proper authorization controls and access privileges are in place for e-banking systems, databases and applications.

In order to maintain segregation of duties, banks need to strictly control authorization and access privileges. Failure to provide adequate authorization control could allow individuals to alter their authority, circumvent segregation and gain access to e-banking systems, databases or applications to which they are not privileged.

In e-banking systems, the authorizations and access rights can be established in either a centralized or distributed manner within a bank and are generally stored in databases. The protection of those databases from tampering or corruption is therefore essential for effective authorization control.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  


Operational Anomalies

Operational anomalies may be evidence of a broad number of issues, one of which is potential intrusion. Anomalies that act as intrusion-warning indicators fall into two categories, those apparent in system processing, and those apparent outside the system.

System processing anomalies are evident in system logs and system behavior. Good identification involves pre-establishing which system processing data streams will be monitored for anomalies, defining which anomalies constitute an indicator of an intrusion, and the frequency of the monitoring. For example, remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors. System behavior covers a broad range of issues, from CPU utilization to network traffic protocols, quantity and destinations. One example of a processing anomaly is CPU utilization approaching 100% when the scheduled jobs typically require much less. Anomalous behavior, however, may not signal an intrusion.

Outside the system, detection is typically based on system output, such as unusual Automated Clearing House transactions or bill payment transactions. Those unusual transactions may be flagged as a part of ordinary transaction reviews, or customers and other system users may report them. Customers and other users should be advised as to where and how to report anomalies. The anomalous output, however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot monitoring, and anomalous system behavior assists in the intrusion identification process. Any intrusion reporting should use out-of-band communications mechanisms to protect the alert from being intercepted or compromised by an intruder.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Opt Out Notice

19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under 13-15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [7(a)(1)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated