Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit is conducted from
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- Credit card security breach hits California campus - The
University of Southern California is warning students and faculty
about a credit card security breach following the hacking of a
software system on the campus.
- Hardware Hacker Sentenced to 3 Years in Prison for Selling Rooted
Cable Modems - A cable-modem hacker has been sentenced to three years
in prison for helping users steal internet access in what the
authorities say was a $1 million scheme to defraud cable companies.
- Bank Settles With Calif. Cyberheist Victim - A California escrow
firm that sued its bank last year after losing nearly $400,000 in a
2010 cyberheist has secured a settlement that covers the loss and
the company’s attorneys fees. The settlement is notable because such
cases typically favor the banks, and litigating them is often
prohibitively expensive for small- to mid-sized businesses
victimized by these crimes.
- GAO - Cyber Threats Facilitate Ability to Commit Economic
Espionage - The nation faces an evolving array of cyber-based
threats arising from a variety of sources. These sources include
criminal groups, hackers, terrorists, organization insiders, and
foreign nations engaged in crime, political activism, or espionage
and information warfare.
- U.S. Critical Infrastructure Cyberattack Reports Jump Dramatically
- A new report from ICS-CERT shows the number of reported incidents
increased from 9 to 198 between 2009 and 2011 - U.S. critical
infrastructure companies saw a dramatic increase in the number of
reported cyber-security incidents between 2009 and 2011, according
to a new report from the U.S. Industrial Control System Cyber
Emergency Response Team.
- FBI Credit Card Ring Bust Exposes PCI Challenges - Some experts
say the existence of a complex credit card fraud black market is a sign
that PCI isn't effective.
- Russian Authorities Take Out World’s Largest Banking Botnet -
Russia’s Ministry of the Interior (MVD) announced on Friday that
their special computer crimes “Department K” division took down what
could be one of the largest botnets in the world.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- FTC Sues Wyndham Hotels Over Data Security Failures - Hotel chain
slammed for poor information security practices, leading to
attackers obtaining 600,000 credit card numbers and committing
millions of dollars in fraud.
- Alaska agency must pay $1.7m after 500-person breach - The Alaska
Department of Health and Social Services (DHSS) will shell out $1.7
million to settle violations of the HIPAA Security Rule.
- Two-month delay in notifying patients after cancer center breach -
An unencrypted laptop containing patient data was stolen April 30
from the home of a doctor working for The University of Texas M.D.
Anderson Cancer Center, but those whose data may have been
compromised were not notified until June 28.
- USC credit card data accessed in campus dining breach - The credit
card numbers of an undisclosed number of students at the University
of Southern California (USC) have been exposed.
- Chinese hackers breach Indian navy computers - Chinese hackers
allegedly planted a bug via flash drives on the Indian navy's computers,
which relayed sensitive data to IP addresses in China, a report notes.
- Online bank robbers face jail time for e-crimes - Two men who used
computer viruses to steal cash from online bank accounts have been
- Judge approves Stratfor lawsuit settlement over breach - Global
intelligence firm Stratfor is expected to settle a class-action
lawsuit that was brought following last year's massive data breach,
according to reports.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking Supervision.
Principle 7: Banks should take appropriate measures to preserve
the confidentiality of key e-banking information. Measures taken to
preserve confidentiality should be commensurate with the sensitivity
of the information being transmitted and/or stored in databases.
Confidentiality is the assurance that key information remains
private to the bank and is not viewed or used by those unauthorized
to do so. Misuse or unauthorized disclosure of data exposes a bank
to both reputation and legal risk. The advent of e-banking presents
additional security challenges for banks because it increases the
exposure that information transmitted over the public network or
stored in databases may be accessible by unauthorized or
inappropriate parties or used in ways the customer providing the
information did not intend. Additionally, increased use of service
providers may expose key bank data to other parties.
To meet these challenges concerning the preservation of
confidentiality of key e-banking information, banks need to ensure that:
1) All confidential bank data and records are only accessible by
duly authorized and authenticated individuals, agents or systems.
2) All confidential bank data are maintained in a secure manner and
protected from unauthorized viewing or modification during
transmission over public, private or internal networks.
3) The bank's standards and controls for data use and protection
must be met when third parties have access to the data through
4) All access to restricted data is logged and appropriate efforts
are made to ensure that access logs are resistant to tampering.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
BUSINESS CONTINUITY CONSIDERATIONS
Events that trigger the implementation of a business continuity plan
may have significant security considerations. Depending on the
event, some or all of the elements of the security environment may
change. Different people may be involved in operations, at a
different physical location, using similar but different machines
and software which may communicate over different communications
lines. Depending on the event, different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a
different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part of
the security process. Risk assessments should consider the changing
risks that appear in business continuity scenarios and the different
security posture that may be established. Strategies should consider
the different risk environment and the degree of risk mitigation
necessary to protect the institution in the event the continuity
plans must be implemented. The implementation should consider the
training of appropriate personnel in their security roles, and the
implementation and updating of technologies and plans for back-up
sites and communications networks. Testing these security
considerations should be integrated with the testing of business
continuity plan implementations.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
22. Does the institution provide the consumer with at least one of
the following reasonable means of opting out, or with another
a. check-off boxes prominently displayed on the relevant forms with
the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent
via electronic mail or a process at the institution's web site, if
the consumer agrees to the electronic delivery of information;
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
institution may require the consumer to use one specific means, as
long as that means is reasonable for that consumer. [§7(a)(iv)])