R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 21, 2013

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - S. Korea banks to segment network, establish data backup - Financial regulator to instruct local banks to separate their network systems into two, for internal and external usage, and is pushing to set up a consolidated backup center, as part of measures to beef up defenses against cyberattacks. http://www.zdnet.com/s-korea-banks-to-segment-network-establish-data-backup-7000017927/

FYI - India's BlackBerry monitoring system 'ready for use' - Smartphone maker has successfully developed a lawful interception system allowing the Indian government to track e-mail and intercept Web browsing in real-time. http://www.zdnet.com/in/indias-blackberry-monitoring-system-ready-for-use-7000017937/

FYI - DEF CON To Feds: We Need Some Time Apart - One of the more time-honored traditions at DEF CON - the massive hacker convention held each year in Las Vegas - is “Spot-the-Fed,” a playful and mostly harmless contest to out undercover government agents who attend the show. http://krebsonsecurity.com/2013/07/def-con-to-feds-stay-home-this-year/

FYI - DoJ Limits Seizure Of Reporters' Data - The U.S. Department of Justice on Friday published new guidelines intended to limit government access to journalists' records, unless the records at issue belong to a journalist facing a criminal investigation. http://www.informationweek.com/government/policy/doj-limits-seizure-of-reporters-data/240158225

FYI - California data breach study indicates lack of encryption - A recent study by the California attorney general indicates that 2.5 million residents of the Golden State had their personal information exposed in the 131 online data breaches reported to her office in 2012. http://www.scmagazine.com/california-data-breach-study-indicates-lack-of-encryption/article/302866/

FYI - Sony abandons appeal over PSN security-breach fine - Sony has dropped its appeal against a £250,000 penalty imposed after its PlayStation Network was hacked in 2011. http://www.bbc.co.uk/news/technology-23313535

FYI - Hospital fined £200,000 after hard drive full of patient data bought on eBay - The ICO has hit NHS Surrey with a £200,000 ($300,000) fine after a “shocking” lapse allowed a member of the public to buy a hard drive containing the records of 3,000 patients that had supposedly been sent for secure destruction. http://news.techworld.com/security/3457470/hospital-fined-200000-after-hard-drive-full-of-patient-data-bought-on-ebay/

FYI - WellPoint settles following government investigation in wake of breach - After being ordered to pay $100,000 to the state of Indiana after a major breach of customer data, an Indianapolis-based health insurer faces another costly payout - a $1.7 million settlement with the U.S. Department of Health and Human Services (HHS).

FYI - Health insurance credentials fetch high prices in the online black market - Here's to your health...your health insurance credentials, that is. An information security service provider has uncovered in a new report that buyers are dropping big bucks for health insurance documents that are being hawked on the internet underground with the goal of using them to commit fraud. http://www.scmagazine.com//health-insurance-credentials-fetch-high-prices-in-the-online-black-market/article/303302/?DCMP=EMC-SCUS_Newswire


FYI - Credit card breach strikes Roy's Restaurants in Hawaii - The computer network of Roy's Restaurants was compromised by malware, exposing the credit card data of its customers. http://www.scmagazine.com/credit-card-breach-strikes-roys-restaurants-in-hawaii/article/302592/?DCMP=EMC-SCUS_Newswire

FYI - U.K. Ministry of Defence hit by cyberattack, data stolen - The U.K. government department was victim of a cyber-espionage attack that saw sensitive data stolen by unnamed hackers, a parliamentary report discloses. http://www.zdnet.com/u-k-ministry-of-defence-hit-by-cyberattack-data-stolen-7000017831/

FYI - Commerce Trashes $170,000 Worth of Tech to Disinfect Imaginary Viruses - After detecting malicious software in system components at Commerce Department headquarters, federal officials in 2012 disconnected the Economic Development Administration's computer infrastructure. http://www.nextgov.com/cio-briefing/2013/07/commerce-trashes-170000-worth-tech-disinfect-imaginary-viruses/66248/?oref=ng-channelriver

FYI - Class-action filed against convenience store over breach - A man in Northport, Ala. is suing a convenience store chain that experienced a credit card breach this spring. http://www.scmagazine.com//class-action-filed-against-convenience-store-over-breach/article/302783/?DCMP=EMC-SCUS_Newswire

FYI - Hospital patient records turn up in Dallas park after contractor fails to destroy them - Hundreds of thousands of patients may have had personal information exposed after medical records from Texas Health Harris Methodist Hospital Fort Worth turned up in a Dallas park in May. http://www.scmagazine.com//hospital-patient-records-turn-up-in-dallas-park-after-contractors-fails-to-destroy-them/article/302998/?DCMP=EMC-SCUS_Newswire

FYI - Six employees fired at LA hospital for accessing patient records - Six employees were fired after more than a dozen confidential patient files, including those belonging to at least one celebrity, were accessed at Cedars-Sinai Medical Center in Los Angeles. http://www.scmagazine.com/six-employees-fired-at-la-hospital-for-accessing-patient-records/article/303310/?DCMP=EMC-SCUS_Newswire

FYI - Hacker group says it acquired databases of global phone directory Truecaller - More than a million Truecaller accounts were compromised in a recent hack. http://www.scmagazine.com/hacker-group-says-it-acquired-databases-of-global-phone-directory-truecaller/article/303472/?DCMP=EMC-SCUS_Newswire


We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 5 of 10)

Management must effectively plan, implement, and monitor the financial institution's weblinking relationships. This includes situations in which the institution has a third-party service provider create, arrange, or manage its website. There are several methods of managing a financial institution's risk exposure from third-party weblinking relationships. The methods adopted to manage the risks of a particular link should be appropriate to the level of risk presented by that link as discussed in the prior section.

Planning Weblinking Relationships

In general, a financial institution planning the use of weblinks should review the types of products or services and the overall website content made available to its customers through the weblinks. Management should consider whether the links support the institution's overall strategic plan. Tools useful in planning weblinking relationships include:

1)  due diligence with respect to third parties to which the financial institution is considering links; and

2)  written agreements with significant third parties.

We continue our series on the FFIEC interagency Information Security Booklet.

Since specific scenarios can become too numerous for financial institutions to address individually, various techniques are used to generalize and extend the scenarios. For instance, one technique starts with a specific scenario and looks at additional damage that could occur if the attacker had different knowledge or motivation. This technique allows the reviewers to see the full extent of risk that exists from a given vulnerability. Another technique aggregates scenarios by high-value system components.

Scenarios should consider attacks against the logical security, physical security, and combinations of logical and physical attacks. In addition, scenarios could consider social engineering, which involves manipulation of human trust by an attacker to obtain access to computer systems. It is often easier for an attacker to obtain access through manipulation of one or more employees than to perform a logical or physical intrusion.

The risk from any given scenario is a function of the probability of the event occurring and the impact on the institution. The probability and impact are directly influenced by the financial institution's business profile, the effectiveness of the financial institution's controls, and the relative strength of controls when compared to other industry targets.

The probability of an event occurring is reflected in one of two ways. If reliable and timely probability data is available, institutions can use it. Since probability data is often limited, institutions can assign a qualitative probability, such as frequent, occasional, remote, and improbable.

Frequently, technology service providers (TSPs) perform some or all of the institution's information processing and storage. Reliance on a third party for hosting systems or processing does not remove the institution's responsibility for securing the information; it does change how the financial institution will fulfill that responsibility. Accordingly, risk assessments should evaluate the sensitivity of information accessible to or processed by TSPs, the importance of the processing conducted by TSPs, communications between the TSP's systems and the institution, contractually required controls, and the testing of those controls. Additional vendor management guidance is contained in the FFIEC's statement on "Risk Management of Outsourced Technology Services," dated November 28, 2000.

We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

3)  Does the institution provide to existing customers, who obtain a new financial product or service, an initial privacy notice that covers the customer's new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? [§4(d)(1)]


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved. Our logo is registered with the United States Patent and Trademark Office. © Copyright Yennik, Incorporated