R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 21, 2009

CONTENT
• Internet Compliance
• Information Systems Security
• IT Security Question
• Internet Privacy
• Website for Penetration Testing
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

June is the 10th anniversary of the Internet Banking News. The 520 weekend editions are a labor of love, which we enjoy bringing you. We look forward to your continued readership and hope you will send us your suggestions to make the newsletter better during our second decade. Thanks - R. Kinney Williams, President of Yennik, Inc.

P. S. If you know someone that would like to receive the newsletter, please let us know.  There is no charge.

FYI - Federal IT security recommendations released in final NIST draft - The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. http://gcn.com/Articles/2009/06/04/Cybersecurity-NIST-final-draft-SP-800-53.aspx

FYI -
Data-sniffing trojans burrow into Eastern European ATMs - Security experts have discovered a family of data-stealing trojans that have burrowed into automatic teller machines in Eastern Europe over the past 18 months. http://www.theregister.co.uk/2009/06/03/atm_trojans/

FYI -
4 detained for hacking Internet servers - Chinese police have detained four suspects for online hacking activities which eventually led to temporary but widespread failure of Internet access in China on May 19, the Ministry of Public Security said. http://www.china.org.cn/china/news/2009-06/03/content_17878401.htm

FYI -
Data watchdog issues new privacy guidance for businesses - Information Commissioner wants to ensure privacy controls are designed in to IT from the start. The Information Commissioner's Office (ICO) has launched a new guide to help businesses developing IT systems to consider the privacy impact on customers and employees. http://www.vnunet.com/computing/news/2243618/ico-issues-privacy-guidance

FYI -
Rakuten sold online market users' personal info to vendors - Rakuten Inc., operator of popular online marketplace Rakuten Ichiba, sold users' credit card numbers, mail addresses and other private information to vendors on the market site, it has been learned.  http://mdn.mainichi.jp/mdnnews/news/20090606p2a00m0na015000c.html

FYI -
Three local women sue state Department of Transportation - Three local women sued state Department of Transportation officials in federal court Thursday, alleging that the department illegally sold drivers' personal information to firms that made it available for sale on the Internet.   http://www.madison.com/wsj/home/local/453748

FYI -
Safeguarding your mobile networks - Mobile security devices are one of the top ways critical data is either breached or lost today. One only has to look at some of the more recent data breach reports to learn that laptops, personal digital assistants and even thumb drives can cause huge problems for organizations. http://www.scmagazineus.com/Safeguarding-your-mobile-networks/article/138289/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Virginia patients warned about hacking of state drug Web site - State officials are notifying more than a half-million Virginians that their Social Security numbers may have been contained in a prescription drug database that was targeted by a computer hacker April 30. http://hamptonroads.com/2009/06/officials-hacker-may-have-stolen-social-security-numbers

FYI -
Insurance giant coughs to malware-related data breach - The US arm of insurance giant Aviva has blamed a computer virus infection for the potential disclosure of sensitive personal information. http://www.theregister.co.uk/2009/06/03/aviva_data_breach/

FYI -
List of U.S. nuclear facilities inadvertently posted on website - In an inadvertent security breach, a document that detailed information on nuclear sites was posted on the Government Printing Office's (GPO) website. http://www.scmagazineus.com/List-of-US-nuclear-facilities-inadvertently-posted-on-website/article/137958/?DCMP=EMC-SCUS_Newswire

FYI -
Webhost hack wipes out data for 100,000 sites - A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application. http://www.theregister.co.uk/2009/06/08/webhost_attack/

FYI -
T-Mobile investigates alleged data breach - T-Mobile is investigating a claim that a massive amount of internal data has been stolen from the telecommunication operator's servers, a company spokesman said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9134090&taxonomyId=17&intsrc=kc_top


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management challenges

The Electronic Banking Group (EBG) noted that the fundamental characteristics of e-banking (and e-commerce more generally) posed a number of risk management challenges:

1. The speed of change relating to technological and customer service innovation in e-banking is unprecedented. Historically, new banking applications were implemented over relatively long periods of time and only after in-depth testing. Today, however, banks are experiencing competitive pressure to roll out new business applications in very compressed time frames - often only a few months from concept to production. This competition intensifies the management challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new e-banking applications.

2. Transactional e-banking web sites and associated retail and wholesale business applications are typically integrated as much as possible with legacy computer systems to allow more straight-through processing of electronic transactions. Such straight-through automated processing reduces opportunities for human error and fraud inherent in manual processes, but it also increases dependence on sound systems design and architecture as well as system interoperability and operational scalability.

3. E-banking increases banks' dependence on information technology, thereby increasing the technical complexity of many operational and security issues and furthering a trend towards more partnerships, alliances and outsourcing arrangements with third parties, many of whom are unregulated. This development has been leading to the creation of new business models involving banks and non-bank entities, such as Internet service providers, telecommunication companies and other technology firms.

4. The Internet is ubiquitous and global by nature. It is an open network accessible from anywhere in the world by unknown parties, with routing of messages through unknown locations and via fast-evolving wireless devices. Therefore, it significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures, and customer privacy standards.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SERVICE PROVIDER OVERSIGHT

Many financial institutions outsource some aspect of their operations. Although outsourcing arrangements often provide a cost-effective means to support the institution's technology needs, the ultimate responsibility and risk rests with the institution. Financial institutions are required under Section 501(b) of the GLBA to ensure service providers have implemented adequate security controls to safeguard customer information. Supporting interagency guidelines require institutions to:

• Exercise appropriate due diligence in selecting service providers,
• Require service providers by contract to implement appropriate security controls to comply with the guidelines, and
• Monitor service providers to confirm that they are maintaining those controls when indicated by the institution's risk assessment.

Financial institutions should implement these same precautions in all technology service provider (TSP) relationships, based on the level of access to systems or data, for safety and soundness reasons in addition to the privacy requirements.

Financial institutions should evaluate the following security considerations when selecting or monitoring a service provider:
• Service provider references and experience,
• Security expertise of TSP personnel,
• Background checks on TSP personnel,
• Contract assurances regarding security responsibilities and controls,
• Nondisclosure agreements covering the institution's systems and data,
• Ability to conduct audit coverage of security controls, or provisions for reports of security testing from independent third parties, and
• Clear understanding of the provider's security incident response policy, and assurance that the provider will promptly notify the institution of security incidents in which the institution's systems or data may have been compromised.



IT SECURITY QUESTION: 
BUSINESS CONTINUITY-SECURITY

2. Determine if substitute processing facilities and systems undergo similar testing as production facilities and systems.

3. Determine if appropriate access controls and physical controls have been considered and planned for the former production system and networks when processing is transferred to a substitute facility.

4. Determine if the intrusion detection and response plan considers the resource availability and facility and systems changes that may exist when substitute facilities are placed in use.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:

a. financial service providers; [6(c)(3)(i)]

b. non-financial companies; [6(c)(3)(ii)] and

c. others? [6(c)(3)(iii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated