Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
July 15, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
GAO - Data Breaches Are Frequent, but Evidence of Resulting Identity
Theft Is Limited; However, the Full Extent Is Unknown.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-07-737
Highlights - http://www.gao.gov/highlights/d07737high.pdf
Lax and Lazy At Los Alamos - Officials at the nuclear-weapons
laboratory, already struggling to calm concerns over security
lapses, now have two more breaches to explain.
Researchers warn of bogus Microsoft patch spam - Users are being
warned of a new phishing scam falsely telling recipients they need
to download a Microsoft patch.
VA inspector general blames IT specialist for Birmingham data loss -
An IT specialist at a U.S. Department of Veterans Affairs (VA)
medical center in Birmingham, Ala., who in January lost an external
hard drive containing sensitive data belonging to over 1.5 million
people failed to take proper measures to protect the data.
Microsoft U.K. domain succumbs to SQL injection attack - A hacker
successfully attacked a Web page within Microsoft's U.K. domain on
Wednesday, resulting in the display of a photograph of a child
waving the flag of Saudi Arabia.
Schools Lack Cybersecurity Training As Students Grow Cybersavvy -
The School Safety Index indicates that while 95% of districts
surveyed are blocking Web sites, only 38% have a closed network that
lets them control the content students can access.
Hackers Make Off With Personal Info On Applicants At UC Davis -
Officials are investigating the possible theft and misuse of records
containing information on about 1,120 aspiring veterinarians who'd
applied to UC Davis School of Veterinary Medicine.
Indentity theft risk: BGSU notifies past, current students about
loss of personal information - Bowling Green State University is
notifying about 1,800 current and former students of accounting
professor W. David Albrecht that his computer flash drive containing
important student information has been lost.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 5 of
5) Next week
we will begin our series on the FFIEC Authentication in an
Internet Banking Environment.
PROCEDURES TO ADDRESS SPOOFING - Contact the
OCC and Law Enforcement Authorities
If a bank is the target of a spoofing incident, it should promptly
notify its OCC supervisory office and report the incident to the FBI
and appropriate state and local law enforcement authorities. Banks
can also file complaints with the Internet Fraud Complaint Center
a partnership of the FBI and the National White Collar Crime Center.
In order for law enforcement authorities to respond effectively to
spoofing attacks, they must be provided with information necessary
to identify and shut down the fraudulent Web site and to investigate
and apprehend the persons responsible for the attack. The data
discussed under the "Information Gathering" section should meet this
In addition to reporting to the bank's supervisory office and law
enforcement authorities, there are other less formal mechanisms that
a bank can use to report these incidents and help combat fraudulent
activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/),
which is a joint initiative of industry and law enforcement designed
to support apprehension of perpetrators of phishing-related crimes,
including spoofing. Members of Digital Phishnet include ISPs,
online auction services, financial institutions, and financial
service providers. The members work closely with the FBI, Secret
Service, U.S. Postal Inspection Service, Federal Trade Commission
(FTC), and several electronic crimes task forces around the country
to assist in identifying persons involved in phishing-type crimes.
Finally, banks can forward suspicious e-mails to the FTC at
firstname.lastname@example.org. For more
information on how the FTC can assist in combating phishing and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - Over
the next few weeks, we will cover the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Financial institutions are actively evaluating and implementing
wireless technology as a means to reach customers and reduce the
costs of implementing new networks. In light of this fast-developing
trend, the Federal Deposit Insurance Corporation (FDIC) is providing
financial institutions with the following information about the
risks associated with wireless technology and suggestions on
managing those risks. Please share this information with your Chief
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective
alternative for providing network connectivity to financial
institution information systems. Institutions that are installing
new networks are finding the installation costs of wireless networks
competitive compared with traditional network wiring. Performance
enhancements in wireless technology have also made the adoption of
wireless networks attractive to institutions. Wireless networks
operate at speeds that are sufficient to meet the needs of many
institutions and can be seamlessly integrated into existing
networks. Wireless networks can also be used to provide connectivity
between geographically close locations without having to install
Wireless Internet access to banking applications is also becoming
attractive to financial institutions. It offers customers the
ability to perform routine banking tasks while away from the bank
branch, automated teller machines or their own personal computers.
Wireless Internet access is a standard feature on many new cellular
phones and hand-held computers.
Many of the risks that financial institutions face when implementing
wireless technology are risks that exist in any networked
environment (see FIL-67-2000, "Security Monitoring of Computer
Networks," dated October 3, 2000, and the 1996 FFIEC
Information Systems Examination Handbook, Volume 1, Chapter 15).
However, wireless technology carries additional risks that financial
institutions should consider when designing, implementing and
operating a wireless network. Common risks include the potential:
1) Compromise of customer information and transactions over
the wireless network;
2) Disruption of wireless service from radio transmissions of
other wireless devices;
3) Intrusion into the institution's network through wireless
network connections; and
4) Obsolescence of current systems due to rapidly changing
These risks could ultimately compromise the bank's computer system,
1) Financial loss due to the execution of unauthorized
2) Disclosure of confidential customer information, resulting
in - among other things - identity theft (see FIL-39-2001,
"Guidance on Identity Theft and Pretext Calling," dated
May 9, 2001, and FIL-22-2001, "Guidelines Establishing
Standards for Safeguarding Customer Information," dated March
3) Negative media attention, resulting in harm to the
institution's reputation; and
4) Loss of customer confidence.
the top of the newsletter
IT SECURITY QUESTION:
Does the institution have
an internal auditor?
Does internal auditor audit the IT operations?
Does the institution have an external financial auditor?
Does the institution have an external IT auditor?
Does the auditor report IT auditing activities to the Board of
Directors or a committee thereof?
Does the internal auditor have any conflicting duties?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.