R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 24, 2012

CONTENT Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Hackers more aggressive in attacking customer accounts - A survey of large financial institutions shows they faced more attacks by hackers to take over customer banking accounts last year than in the two previous years, and about a third of these attacks succeeded. http://www.computerworld.com/s/article/9228139/Banks_Hackers_more_aggressive_in_attacking_customer_accounts?taxonomyId=17

FYI - LinkedIn sued over exposure of poorly secured passwords - A class-action lawsuit has been filed against LinkedIn over the June 6 data breach that resulted in the theft of nearly 6.5 million passwords. http://www.scmagazine.com/linkedin-sued-over-exposure-of-poorly-secured-passwords/article/246625/?DCMP=EMC-SCUS_Newswire

FYI - Germany confirms existence of operational cyberwarfare unit - German authorities confirmed Tuesday in a parliamentary document that their military possesses a top secret cyberwarfare unit which is already operational, but gave no details of how big it is or what kind of attacks it could conduct. http://www.stripes.com/news/germany-confirms-existence-of-operational-cyberwarfare-unit-1.179655

FYI - New Grad Looking For a Job? Pentagon Contractors Post Openings For Black-Hat Hackers - http://www.forbes.com/sites/andygreenberg/2012/06/15/new-grad-looking-for-a-job-pentagon-contractors-post-openings-for-black-hat-hackers-2/

FYI - Policy would require agencies to scan for network threats every 72 hours and begin patching holes - The Homeland Security Department later this month will present to federal computer contractors and remote cloud suppliers standards for finding and fixing cyber threats within 72 hours, DHS officials announced on Thursday. http://www.nextgov.com/cloud-computing/2012/06/policy-would-require-agencies-patch-cybersecurity-holes-within-72-hours-discovery/56271/

FYI - N.H. insurance firm had no idea it was working with breached vendor - A now-defunct, third-party vendor for Primex, which provides insurance to schools and governments in New Hampshire, lost an external hard drive and backup tape containing the personal information of thousands of people. http://www.scmagazine.com/nh-insurance-firm-had-no-idea-it-was-working-with-breached-vendor/article/245965/?DCMP=EMC-SCUS_Newswire

FYI - The real impact of the leaked password attacks - The recent attacks that leaked millions of passwords from LinkedIn and eHarmony accounts is almost becoming a daily news event for those of us who monitor the security field. http://www.scmagazine.com/the-real-impact-of-the-leaked-password-attacks/article/245950/?DCMP=EMC-SCUS_Newswire

FYI - Insider threat: The game has changed - Give me a couple of minutes and I'll slip through your virtual private network (VPN), bypass your firewall, blind your intrusion prevention system and negate your disk encryption. http://www.scmagazine.com/insider-threat-the-game-has-changed/article/245759/?DCMP=EMC-SCUS_Newswire

FYI - Post-hack, companies fire back with their own attacks - According to a new report, some companies that have fallen victim to hacking attacks have gone as far as hiring security firms to hack back. U.S. companies are being targeted by hackers at an alarming rate. And according to a new report, they're tired of doing nothing in retaliation. http://news.cnet.com/8301-1009_3-57455030-83/post-hack-companies-fire-back-with-their-own-attacks/

FYI - SMB cloud security spending to continue growth - Security spending among small and midsize businesses (SMBs) is expected to grow over the next four years, especially in the area of cloud implementations. http://www.scmagazine.com/smb-cloud-security-spending-to-continue-growth/article/246622/?DCMP=EMC-SCUS_Newswire


FYI - UK LulzSec suspect charged with hacking in US - A British man suspected of being part of the Lulz Security hacking group has been formally charged in the US. http://www.bbc.co.uk/news/technology-18439217

FYI - Merchant information may have been stolen from Global Payments - Hackers might have stolen the personal information of individuals who applied for a merchant account with card payment processor Global Payments. http://www.computerworld.com/s/article/9228041/Merchant_information_may_have_been_stolen_from_Global_Payments?taxonomyId=17

FYI - FTC Fines Spokeo $800K for Peddling False Employee Background Check Info - Spokeo, an online data broker, has agreed to pay an $800,000 fine to the Federal Communications Commission to settle charges it peddled inaccurate information about job applicants and violated consumer protection laws. http://www.wired.com/threatlevel/2012/06/spokeo-fined-800k/

FYI - Feds Bust Credit Card Fraud Ring - A Dutch man accused of running an underground website devoted to the buying and selling of debit and credit card data appeared in a Seattle federal courtroom Monday, where he plead not guilty to a 14-count indictment accusing him of crimes such as access device fraud, bank fraud, and aggravated identity theft. http://www.informationweek.com/news/security/attacks/240001930

FYI - iTunes vulnerability may enable remote code execution - Researchers have unveiled a flaw in iTunes that could allow cyber criminals to execute remote code on target machines. http://www.scmagazine.com/itunes-vulnerability-may-enable-remote-code-execution/article/246207/?DCMP=EMC-SCUS_Newswire

FYI - Laptop with public employee data stolen in New Mexico - The personal data of members, former members and beneficiaries of the Public Employees Retirement Association (PERA) in Santa Fe, N.M. may be at risk after a laptop was stolen from a car. http://www.scmagazine.com/laptop-with-public-employee-data-stolen-in-new-mexico/article/246427/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 5: Banks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions, records and information.

Data integrity refers to the assurance that information that is in-transit or in storage is not altered without authorization. Failure to maintain the data integrity of transactions, records and information can expose banks to financial losses as well as to substantial legal and reputational risk.

The inherent nature of straight-through processes for e-banking may make programming errors or fraudulent activities more difficult to detect at an early stage. Therefore, it is important that banks implement straight-through processing in a manner that ensures safety and soundness and data integrity.

As e-banking is transacted over public networks, transactions are exposed to the added threat of data corruption, fraud and the tampering of records. Accordingly, banks should ensure that appropriate measures are in place to ascertain the accuracy, completeness and reliability of e-banking transactions, records and information that is either transmitted over Internet, resident on internal bank databases, or transmitted/stored by third-party service providers on behalf of the bank. Common practices used to maintain data integrity within an e-banking environment include the following:

1)  E-banking transactions should be conducted in a manner that makes them highly resistant to tampering throughout the entire process.

2)  E-banking records should be stored, accessed and modified in a manner that makes them highly resistant to tampering.

3)  E-banking transaction and record-keeping processes should be designed in a manner as to make it virtually impossible to circumvent detection of unauthorized changes.

4)  Adequate change control policies, including monitoring and testing procedures, should be in place to protect against any e-banking system changes that may erroneously or unintentionally compromise controls or data reliability.

5)  Any tampering with e-banking transactions or records should be detected by transaction processing, monitoring and record keeping functions.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  


  (Part 1 of 2)

Intrusion detection by itself does not mitigate risks of an intrusion. Risk mitigation only occurs through an effective and timely response. The goal of the response is to minimize damage to the institution and its customers through containment of the intrusion, and restoration of systems.

The response primarily involves people rather then technologies. The quality of intrusion response is a function of the institution's culture, policies and procedures, and training.

Preparation determines the success of any intrusion response. Preparation involves defining the policies and procedures that guide the response, assigning responsibilities to individuals and providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution's policies and procedures include the following:

! How to balance concerns regarding availability, confidentiality, and integrity, for devices and data of different sensitivities. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. An institution may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left on line.
! When and under what circumstances to invoke the intrusion response activities, and how to ensure the proper personnel are available and notified.
! How to control the frequently powerful intrusion identification and response tools.
! When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both the containment and the restoration strategy.
! When and under what circumstances to involve regulators, customers, and law enforcement. This consideration drives certain monitoring decisions, decisions regarding evidence-gathering and preservation, and communications considerations.
! Which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisionswithin the organization.
! How and what to communicate outside the organization, whether to law enforcement, customers, service providers, potential victims, and others. This consideration drives the communication strategy, and is a key component in mitigating reputation risk.
! How to document and maintain the evidence, decisions, and actions taken.
! What criteria must be met before compromised services, equipment and software are returned to the network.
! How to learn from the intrusion and use those lessons to improve the institution's security.
! How and when to prepare and file a Suspicious Activities Report (SAR).

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

20. Does the opt out notice state:

a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party;

b. that the consumer has the right to opt out of that disclosure; [7(a)(1)(ii)] and

c. a reasonable means by which the consumer may opt out? [7(a)(1)(iii)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated