R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 1, 2012

CONTENT Internet Compliance Web Site Audits
IT Security
 		 Internet Privacy
 		 Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

 FYI - Alliance of IT security groups issues cyber principles for government - In a new proposal aimed at governments worldwide, an alliance of IT security groups from the United States, Europe and Japan issued a call for cooperation between government and private industry to further advance cyber security initiatives while not encumbering processes with complex regulations. http://www.scmagazine.com/alliance-of-it-security-groups-issues-cyber-principles-for-government/article/247185/?DCMP=EMC-SCUS_Newswire

 FYI - Racket drains "high roller" bank accounts in automated style - Researchers have exposed a fraud ring that uses enhanced variants of the SpyEye and Zeus toolkits to target the customers carrying high balances at smaller banks. http://www.scmagazine.com/racket-drains-high-roller-bank-accounts-in-automated-style/article/247542/?DCMP=EMC-SCUS_Newswire

FYI - Don't fear BYOD, embrace it and monitor it - Steve Jobs never set out to penetrate corporate networks with the iPad, but the sheer portability and usability of the device, coupled with the lure of free, fast and unmetered internet connectivity, make the presence of it and other employee-owned laptops, tablets and smartphones on the corporate LAN practically an inevitability. http://www.scmagazine.com/dont-fear-byod-embrace-it-and-monitor-it/article/247199/?DCMP=EMC-SCUS_Newswire

FYI - OSC sends a stern warning about reading employees’ emails - In a fiercely worded bid for whistleblowers’ rights, the Office of Special Counsel released a memo Wednesday to all executive departments and federal agencies strongly urging them to evaluate their policies on monitoring employee emails and other communications. http://www.nextgov.com/cio-briefing/2012/06/agencies-receive-stern-warning-about-reading-employees-emails/56398/?oref=ng-HPriver

FYI - TSA wants spyware to screen employees’ digital activities for leaks - The Transportation Security Administration is shopping for a computer program to snoop into the online activities of agency employees, including their keystrokes and emails, for signs of potential leaks, procurement documents reveal. http://www.nextgov.com/cio-briefing/2012/06/tsa-wants-spyware-screen-employees-digital-activities-leaks/56393/?oref=ng-HPtopstory

FYI - Japanese boffins plumb darknet for cyber attack alerts - DAEDALUS system monitors unused IP addresses - Japanese boffins at the National Institute of Information and Communications Technology (NICT) have been showing off a new real-time alert system designed to help security teams spot and visualise cyber attacks more effectively. http://www.theregister.co.uk/2012/06/20/daedalus_nict_cyber_alert_system/

FYI - Senators Float National Data Breach Law, Take Four - Data Security Bill is fourth attempt to craft a national law to supersede legislation now on the books in more than 40 states. But it's weaker than some state laws. Senate Republicans have introduced draft legislation aimed at creating a single national standard for reporting data breaches. http://www.informationweek.com/news/security/attacks/240002651

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

 FYI - Cyber crooks evading advanced bank security to transfer funds - Cyber criminals are using an automated system to silently loot bank accounts without having to be online at the same time, according to a new white paper from Trend Micro. http://www.scmagazine.com/cyber-crooks-evading-advanced-bank-security-to-transfer-funds/article/246227/?DCMP=EMC-SCUS_Newswire

FYI - Memorial Sloan-Kettering Cancer Center patient data compromised - For more than six years, the personal and medical data of hundreds of patients of Memorial Sloan-Kettering Cancer Center (MSKCC) in New York was posted on the internet. http://www.scmagazine.com/memorial-sloan-kettering-cancer-center-patient-data-compromised/article/246136/?DCMP=EMC-SCUS_Newswire

FYI - Feds Bust Hacker For Selling Government Supercomputer Access - Pennsylvania man allegedly offered to sell login access to two Department of Energy supercomputers, as well as remote administration capabilities, for $50,000. http://www.informationweek.com/news/security/attacks/240002474 |

 FYI - Cleveland nonprofit employment agency loses SSNs on 100k - Tens of thousands of job-seekers are at risk after a laptop belonging to a nonprofit employment agency was stolen. http://www.scmagazine.com/cleveland-nonprofit-employment-agency-loses-ssns-on-100k/article/247546/?DCMP=EMC-SCUS_Newswire

FYI - FTC sues Wyndham Hotels after three credit card breaches - The Federal Trade Commission is suing a major hotel chain and its subsidiaries for allegedly failing to secure the financial information of its guests, which led to fraudulent charges of more than $10 million and the siphoning out of hundreds of thousands of credit card numbers. http://www.scmagazine.com/ftc-sues-wyndham-hotels-after-three-credit-card-breaches/article/247538/?DCMP=EMC-SCUS_Newswire

FYI - Fraud Ring In Hacking Attack On 60 Banks - Sixty million euro has been stolen from bank accounts in a massive cyber bank raid after fraudsters raided dozens of financial institutions around the world. http://news.sky.com/story/952931/fraud-ring-in-hacking-attack-on-60-banks

FYI - Alaska agency must pay $1.7m after 500-person breach - The Alaska Department of Health and Social Services (DHSS) will shell out $1.7 million to settle violations of the HIPAA Security Rule. http://www.scmagazine.com/alaska-agency-must-pay-17m-after-500-person-breach/article/247697/?DCMP=EMC-SCUS_Newswire

FYI - FBI online sting nabs 24 trading stolen cards, crime tools - Twenty-four people, including 11 in the United States, were arrested this week for their role in an international global cyber crime ring that trafficked stolen credit card information, the FBI announced Tuesday. http://www.scmagazine.com/fbi-online-sting-nabs-24-trading-stolen-cards-crime-tools/article/247595/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 6: Banks should ensure that clear audit trails exist for all e-banking transactions.

Delivery of financial services over the Internet can make it more difficult for banks to apply and enforce internal controls and maintain clear audit trails if these measures are not adapted to an e-banking environment. Banks are not only challenged to ensure that effective internal control can be provided in highly automated environments, but also that the controls can be independently audited, particularly for all critical e-banking events and applications.

A bank's internal control environment may be weakened if it is unable to maintain clear audit trails for its e-banking activities. This is because much, if not all, of its records and evidence supporting e-banking transactions are in an electronic format. In making a determination as to where clear audit trails should be maintained, the following types of e-banking transactions should be considered:

1)  The opening, modification or closing of a customer's account.

2)  Any transaction with financial consequences.

3)  Any authorization granted to a customer to exceed a limit.

4)  Any granting, modification or revocation of systems access rights or privileges.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

INTRUSION DETECTION AND RESPONSE

INTRUSION RESPONSE  (Part 2 of 2)

Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response organization with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Due to the wide range of non-technical issues that are posed by an intrusion, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution. Those areas include management, legal, public relations, as well as information technology. Other organizations may outsource some of the CSIRT functions, such as forensic examinations. When CSIRT functions are outsourced, institutions should ensure that their institution's policies are followed by the service provider and confidentiality of data and systems are maintained.

Institutions can assess best the adequacy of their preparations through testing.

While containment strategies between institutions can vary, they typically contain the following broad elements:

! Isolation of compromised systems, or enhanced monitoring of intruder activities;
! Search for additional compromised systems;
! Collection and preservation of evidence; and
! Communication with effected parties, the primary regulator, and law enforcement.
Restoration strategies should address the following:
! Elimination of an intruder's means of access;
! Restoration of systems, programs and data to known good state;
! Filing of a Suspicious Activity Report (Guidelines for filing are included in individual agency guidance); and
! Communication with effected parties.
Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

21. Does the institution provide the consumer with the following information about the right to opt out:

a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]

b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)];

c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and

d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.
4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

  

Please visit our other web sites:
 VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated