Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Army Hospital Breach May Be Result of P2P Leak - Data loss at Walter
Reed exposed personal information on 1,000 soldiers - Peer-to-peer
(P2P) applications may have been the culprit in a security breach
that has exposed the personal information of more than 1,000
patients at Walter Reed Hospital, according to early reports.
Security firm asks for help cracking ransomware key - New
blackmailing Trojan encrypts files using high-grade 1024-bit RSA key
- A security company asked for help cracking an encryption key
central to an extortion scheme that demands money from users whose
PCs have been infected by malware.
How to Sell Security - There are two basic ways to sell something.
Either a product gives the buyer something he wants - as
satisfaction, comfort or money - or it prevents the buyer from
getting something he doesn't want: assault, fraud, burglaries or
Exploiting VoIP vulnerabilities to steal confidential data - Can you
call someone using VoIP and steal their personal data without
talking to them? Most people would have said "No" until they saw the Sipera VIPER Lab demonstration, which does exactly that.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Latest 'lost' laptop holds treasure-trove of unencrypted AT&T
payroll data - It's just another in a long line of stolen laptops
... unless you work in management at AT&T and you're worried about
your social security number falling into the hands of identity
Stolen laptop contained 32,000 farmers' financial data - About
32,000 Canadian farmers are on the alert after learning a laptop
containing their financial information has been stolen. The laptop
was stolen when a programmer working for the Canadian Canola Growers
Association took the machine off-site for routine maintenance. CCGA
general manager Rick White described the theft as a classic "smash
Hackers hijack hacking tools website - Crackers briefly hijacked
hacking tools website Metasploit on Monday. But visitors to the site
on Monday were redirected to a page announcing the site was "hacked
by sunwear ! just for fun", as recorded by Sunbelt Software.
Personal data of thousands compromised - Damac Properties has
launched an investigation into how thousands of its customers
personal details ended up for sale on eBay for 750 pounds ($1,466),
a senior company official told ArabianBusiness.com. Ten copies of a
database with personal information on over 8,000 of the Dubai-based
developer's customers were put on the website on May 28.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Programs. (10 of 12)
Test affected systems or procedures prior to implementation.
Testing is an important function in the incident response
process. It helps ensure that reconfigured systems, updated
procedures, or new technologies implemented in response to an
incident are fully effective and performing as expected. Testing can
also identify whether any adjustments are necessary prior to
implementing the updated system, process, or procedure.
During the follow-up process, an institution has the opportunity to
regroup after the incident and strengthen its control structure by
learning from the incident. A number of institutions have included
the following best practice in their IRPs.
Conduct a "lessons-learned" meeting.
1) Successful organizations can use the incident and build
from the experience. Organizations can use a lessons-learned meeting
2) discuss whether affected controls or procedures need to be
strengthened beyond what was implemented during the recovery phase;
3) discuss whether significant problems were encountered during the
incident response process and how they can be addressed;
4) determine if updated written policies or procedures are needed
for the customer information security risk assessment and
information security program;
5) determine if updated training is necessary regarding any new
procedures or updated policies that have been implemented; and
6) determine if the bank needs additional personnel or technical
resources to be better prepared going forward.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Public Key Infrastructure (Part 2 of 3)
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belongs to a specific user or system. It
is important when issuing a digital certificate that the
registration process for initially verifying the identity of users
is adequately controlled. The CA attests to the individual user's
identity by signing the digital certificate with its own private
key, known as the root key. Each time the user establishes a
communication link with the financial institution's systems, a
digital signature is transmitted with a digital certificate. These
electronic credentials enable the institution to determine that the
digital certificate is valid, identify the individual as a user, and
confirm that transactions entered into the institution's computer
system were performed by that user.
The user's private key exists electronically and is susceptible to
being copied over a network as easily as any other electronic file.
If it is lost or compromised, the user can no longer be assured that
messages will remain private or that fraudulent or erroneous
transactions would not be performed. User AUPs and training should
emphasize the importance of safeguarding a private key and promptly
reporting its compromise.
PKI minimizes many of the vulnerabilities associated with passwords
because it does not rely on shared secrets to authenticate
customers, its electronic credentials are difficult to compromise,
and user credentials cannot be stolen from a central server. The
primary drawback of a PKI authentication system is that it is more
complicated and costly to implement than user names and passwords.
Whether the financial institution acts as its own CA or relies on a
third party, the institution should ensure its certificate issuance
and revocation policies and other controls discussed below are
Return to the top of the
10. Determine if firewall and routing controls are in place and
updated as needs warrant.
• Identify personnel responsible for defining and setting firewall
rulesets and routing controls.
• Review procedures for updating and changing rulesets and routing
• Confirm that the ruleset is based on the premise that all
traffic that is not expressly allowed is denied, and that the
firewall's capabilities for identifying and blocking traffic are
• Confirm that network mapping through the firewall is disabled.
• Confirm that NAT and split DNS are used to hide internal names
and addresses from external users. (Note: Split DNS is a method of
segregating the internal DNS from the external DNS.)
• Confirm that malicious code is effectively filtered.
• Confirm that firewalls are backed up to external media, and not
to servers on protected networks.
• Determine that firewalls and routers are subject to appropriate
and functioning host controls.
• Determine that firewalls and routers are securely administered.
• Confirm that routing tables are regularly reviewed for
appropriateness on a schedule commensurate with risk.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
37. For annual notices only, if the institution does not
employ one of the methods described in question 36, does the
institution employ one of the following reasonable means of
delivering the notice such as:
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer