Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b)
as well as the penetration
test complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- The White House wants to build a single, unified strategy for
strengthening the cybersecurity workforce at every agency across
government. - The White House reorganization plan would force
agencies to assess the strength of their cyber workforce and quickly
fill the gaps they find.
Tesla Alleges an Employee Stole Gigabytes of Trade Secrets - The
company has filed a lawsuit against former employee Martin Tripp for
allegedly hacking confidential information and sending it to
Dealing with the insider threat on your network - The insider threat
is real and happens on a too-often basis. Just recently,
California's Department of Fish and Wildlife (CDFW) issued an
internal memo warning that a former employee downloaded worker and
vendor records to a personal device without authorization and took
the records outside of the state's network.
The Supreme Court Just Greatly Strengthened Digital Privacy - In a
highly anticipated decision released Friday, the US Supreme Court
updated Fourth Amendment protections for the digital era. In a 5-4
ruling, the court decided in Carpenter v. United States that the
government generally needs a warrant in order to access cell site
location information, which is automatically generated whenever a
mobile phone connects to a cell tower and is stored by wireless
carriers for years.
Bill Could Give Californians Unprecedented Control Over Data -
Lawmakers in California have introduced a sweeping privacy bill to
the state legislature that would give Californians unprecedented
control over their data and rein in the power of their Silicon
Hackers weaponised secure USB drives to target air-gapped networks -
A cyber-espionage group is targeting a specific type of secure USB
drive created by a South Korean defence company in a bid to gain
access to its air-gapped networks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 270,000 Med Associates records possibly compromised in data breach
- Healthcare claims services provider Med Associates is notifying
its patients that the facility suffered a data breach in March
potentially exposing PII, including medical diagnosis and payment
Hackers get into PDQ's hen house, swipe credit card data - The
fast-food chain PDQ is telling its customers their payment card
information may have been compromised due to a point-of-sale data
Comcast API on Xfinity site exposed customer data - Comcast shut
down an API on its Xfinity website after it was discovered to reveal
home addresses, account numbers and additional customer data without
permission to others sharing the same network as the customer or
using an app on the network.
Hackers exploit FastBooking flaw to steal customer data from
hundreds of hotels - Hackers exploited a web app vulnerability on a
FastBooking server to install malware and pilfer data – such as
names, email addresses, booking information and payment card data –
on guests at hundreds of hotels.
Ticketmaster UK customers hit in third-party breach - Ticketmaster
UK is alerting its customers to a third-party security incident that
may have compromised their information.
Superion's Click2Gov breaches affects thousands of municipal
customers across several states - The payment information of tens of
thousands of local government customers across the country were
exposed after hackers leveraged a vulnerability in Superion's
Click2Gov function in the payment server used for online utilities
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify
that periodic statements for open-end credit accounts may be
provided electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
the top of the newsletter
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Management should ensure that information system networks are
tested regularly. The nature, extent, and frequency of tests should
be proportionate to the risks of intrusions from external and
internal sources. Management should select qualified and reputable
individuals to perform the tests and ensure that tests do not
inadvertently damage information systems or reveal confidential
information to unauthorized individuals. Management should oversee
the tests, review test results, and respond to deficiencies in a
timely manner. In accordance with OCC's "Technology Risk Management:
PC Banking," management should ensure that an objective, qualified
source conducts a penetration test of Internet banking systems at
least once a year or more frequently when appropriate.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 16 -
TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.4.2 Maintaining Authentication 16.5 Interdependencies
There are many interdependencies among I&A and other controls.
Several of them have been discussed in the chapter.
Logical Access Controls. Access controls are needed to
protect the authentication database. I&A is often the basis for
access controls. Dial-back modems and firewalls, discussed in
Chapter 17, can help prevent hackers from trying to log-in.
Audit. I&A is necessary if an audit log is going to be used
for individual accountability.
Cryptography. Cryptography provides two basic services to
I&A: it protects the confidentiality of authentication data, and it
provides protocols for proving knowledge and/or possession of a
token without having to transmit data that could be replayed to gain
access to a computer system.
16.6 Cost Considerations
In general, passwords are the least expensive authentication
technique and generally the least secure. They are already embedded
in many systems. Memory tokens are less expensive than smart tokens,
but have less functionality. Smart tokens with a human interface do
not require readers, but are more inconvenient to use. Biometrics
tends to be the most expensive.
For I&A systems, the cost of administration is often
underestimated. Just because a system comes with a password system
does not mean that using it is free. For example, there is
significant overhead to administering the I&A system.