R. Kinney Williams
Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
July 13, 2008
Your Financial Institution needs an affordable Internet security
Yennik, Inc. has clients in 42 states that rely on our penetration
testing audits to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of the FDIC, OCC,
OTS, FRB, and NCUA under Gramm-Leach-Bliley Act section 501(b).
The penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit takes a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give R. Kinney Williams a call today at 806-798-7119 or visit
More than 10,000 laptops lost each week at airports - They're most
often lost at security checkpoints, the Ponemon Institute says -
Keep laptops close at airports, because they have a startling
tendency to disappear in the blink of an eye, according to a new
Bags to help laptops pass air security - For years at airport
security checkpoints, passengers have heard the refrain, almost a
dirge: "Laptops must be removed from their cases and placed on the
customers' data? Don't talk to its security and compliance officers.
Instead, try its marketing department. A study released by the
privacy-focused Ponemon Institute and funded by e-mail marketing
firm Strongmail reveals a disturbing disconnect in companies between
the executives tasked with protecting customer data and marketing
departments, which use the data for advertising purposes or share it
with third parties.
Woman accused of hacking Houston organ bank indicted - On Tuesday,
the FBI announced the indictment of a former technology director
accused of hacking into the system at a Houston organ bank and
deleting patient files.
Report: Montgomery Ward fails to alert victims of breach - Montgomery
Ward, an old-line merchant now operating as an Internet retailer,
suffered a breach of some 51,000 customer credit card numbers and
failed to report it to customers, according to reports.
Researchers reveal VoIP vulnerabilities - VoIPshield Laboratories
has alerted companies that market voice over IP systems of new
security vulnerabilities. The VoIP vulnerabilities, if successfully
exploited, could affect brand reputation, internal productivity, and
competitive advantage, researchers said.
Bowie IT employee resigns amid city network security breach -
'Password sniffer' detected during routine sweep - A computer
support specialist has resigned from Bowie city staff after a
password recording program that was accessing one of the city's
servers was found on his work computer, city officials said.
Deadline arrives for latest PCI standard requirement - The Payment
Card Industry Data Security Standard (PCI DSS), as of Monday, states
that web application security testing be upgraded from a best
practice to a requirement.
Five steps to securing mobile data for HIPAA compliance - Workforce
mobility presents new challenges to health care IT groups
responsible for HIPAA (Health Insurance Portability and
Accountability Act) security compliance.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Pacific island knocked off internet by DDoS attack - A Pacific
island state has been knocked off the internet by a cyber attack.
The attack on the Marshall Islands, which began on Tuesday and is
still plaguing the country, took the form of a denial of service
attack on the country's sole ISP.
Hannaford data breach fallout continues - The fallout from the
Hannaford data breach that began last year continues. Approximately
7,000 individuals who hold Ocean National Bank ATM/debit cards are
having them replaced because recent illegal activity on them has
been reported.
Turkish criminal hackers hijack ICANN sites - On Thursday, the
domains used by ICANN, the Internet Corporation for Assigned Names
and Numbers, and IANA, the Internet Assigned Numbers Authority, were
hijacked. A Turkish hacking group known as NetDevilz claimed
responsibility. There is no word on how the hijack was accomplished.
SSA lists thousands of live persons as dead - The Social Security
Administration inadvertently compromised the personal information of
more than 20,000 people by listing them in the Death Master File (DMF)
while they were still alive, the agency's inspector general has
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents
(Part 1 of 5)
Web-site spoofing is a method of creating fraudulent Web sites that
look similar, if not identical, to an actual site, such as that of a
bank. Customers are typically directed to these spoofed Web
sites through phishing schemes or pharming techniques. Once at
the spoofed Web site, the customers are enticed to enter information
such as their Internet banking username and password, credit card
information, or other information that could enable a criminal to
use the customers' accounts to commit fraud or steal the customers'
identities. Spoofing exposes a bank to strategic, operational,
and reputational risks; jeopardizes the privacy of bank customers;
and exposes banks and their customers to the risk of financial
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of Web-site spoofing by implementing
the identification and response procedures discussed in this
bulletin. A bank also can help minimize the impact of a
spoofing incident by assigning certain bank employees responsibility
for responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet
activities are outsourced, the bank can address spoofing risks by
ensuring that its contracts with its technology service providers
stipulate appropriate procedures for detecting and reporting
spoofing incidents, and that the service provider's process for
responding to such incidents is integrated with the bank's own
Banks can improve the effectiveness of their response procedures by
establishing contacts with the Federal Bureau of Investigation (FBI)
and local law enforcement authorities in advance of any spoofing
incident. These contacts should involve the appropriate
departments and officials responsible for investigating computer
security incidents. Effective procedures should also include
appropriate time frames to seek law enforcement involvement, taking
note of the nature and type of information and resources that may be
available to the bank, as well as the ability of law enforcement
authorities to act rapidly to protect the bank and its customers.
Additionally, banks can use customer education programs to mitigate
some of the risks associated with spoofing attacks. Education
efforts can include statement stuffers and Web-site alerts
explaining various Internet-related scams, including the use of
fraudulent e-mails and Web-sites in phishing attacks. In
addition, because the attacks can exploit vulnerabilities in Web
browsers and/or operating systems, banks should consider reminding
their customers of the importance of safe computing practices.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an attacker
to submit false physical characteristics, or to take advantage of
system flaws to make the system erroneously report a match between
the characteristic submitted and the one stored in the system. In
the first situation, an attacker might submit to a thumbprint
recognition system a copy of a valid user's thumbprint. The
control against this attack is to ensure that a live thumb was used
for the submission. That can be done by physically controlling the
thumb reader, for instance by posting a guard at the reader to make
sure no tampering occurs and no fake thumbs are used. In remote entry situations,
logical liveness tests can be performed to verify that the submitted
data is from a live subject.
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning. Degrees of
freedom relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique biometric.
Facial recognition systems, for instance, may have only nine degrees
of freedom while other biometric systems have over one hundred.
Similar faces may be used to fool the system into improperly
authenticating an individual. Similar irises, however, are difficult
to find and even more difficult to fool a system into improperly
Attacks against system tuning also exist. Any biometric system has
rates at which it will falsely accept a reading and falsely reject a
reading. The two rates are inseparable; for any given system
improving one worsens the other. Systems that are tuned to maximize
user convenience typically have low rates of false rejection and
high rates of false acceptance. Those systems may be more open to
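The trade-off described above can be made concrete by sweeping the acceptance threshold of a score-based matcher and watching the false acceptance rate (FAR) and false rejection rate (FRR) move in opposite directions. The following is an added example written for this newsletter, not code from the FFIEC booklet or from any biometric product. It assumes a hypothetical matcher that emits a similarity score from 0 to 100 and accepts when the score is at or above a threshold; the genuine and impostor scores are constructed, and the two high impostor scores stand in for the "similar face" case the text mentions.

```python
"""Added example: how the acceptance threshold of a score-based biometric
matcher trades false acceptance against false rejection.

Assumed model (not from the FFIEC text or any real product): the matcher
emits a similarity score from 0 to 100 and accepts when score >= threshold.
"""
from dataclasses import dataclass

# Constructed sample data, not measurements from any real system.
# Genuine = live user against their own template; impostor = another
# person's characteristic against that template. The impostor scores 63
# and 72 model "similar" characteristics that a biometric with few degrees
# of freedom cannot cleanly separate from the real user.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61]
IMPOSTOR_SCORES = [12, 18, 25, 31, 38, 44, 52, 58, 63, 72]


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    far: float  # false acceptance rate: impostor attempts accepted / impostor attempts
    frr: float  # false rejection rate: genuine attempts rejected / genuine attempts


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR and FRR at one threshold (accept iff score >= threshold)."""
    accepted_impostors = sum(1 for s in impostor if s >= threshold)
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold,
                      accepted_impostors / len(impostor),
                      rejected_genuine / len(genuine))


def sweep(thresholds=range(0, 101), genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Error rates for every candidate threshold, in ascending threshold order."""
    return [error_rates(t, genuine, impostor) for t in thresholds]


def tradeoff_is_monotone(rates):
    """The text's claim: for a fixed system, raising the threshold can only
    lower FAR and raise FRR (and vice versa). True when the sweep shows FAR
    non-increasing and FRR non-decreasing as the threshold rises."""
    return all(a.far >= b.far and a.frr <= b.frr for a, b in zip(rates, rates[1:]))


def equal_error_threshold(rates):
    """Lowest threshold at which FAR and FRR are closest (the equal error
    rate point), a common starting point before tuning toward security
    or toward convenience."""
    return min(rates, key=lambda r: abs(r.far - r.frr)).threshold


if __name__ == "__main__":
    rates = sweep()
    for t in (50, 60, 70, 75, 80):
        r = error_rates(t)
        print(f"threshold {t:3d}: FAR {r.far:.2f}  FRR {r.frr:.2f}")
    print("monotone trade-off:", tradeoff_is_monotone(rates))
    print("equal-error threshold:", equal_error_threshold(rates))
```

With these constructed scores a convenience-tuned threshold of 50 rejects no genuine users but accepts 40% of impostor attempts, while a security-tuned threshold of 75 accepts no impostors but rejects 40% of genuine attempts; no threshold improves one rate without worsening the other, which is the point the booklet makes about system tuning.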
13. Determine if logs of security-related events
are appropriately secured against unauthorized access, change, and
deletion for an adequate time period, and that reporting to those
logs is adequately protected.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
40. Does the institution provide at least one initial, annual,
and revised notice, as applicable, to joint consumers? [§9(g)]
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.