Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
July 29, 2007
Your Financial Institution needs an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable, sophisticated process that
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Employees Pose Biggest Security Risk - Put simply, the end user is
the biggest issue when it comes to IT security, says Mark Loveless, a
white-hat hacker who goes by the handle "Simple Nomad."
M&T Bank fixes glitch that delayed updating account balances - A
computer glitch Friday at regional bank M&T Bank Corp. that delayed
funds posted to customers' accounts at the close of business
Thursday has been fixed.
Secret Service Busts Four Fraudsters With Ties To T.J. Maxx Attack -
The South Florida bust resulted in the recovery of about 200,000
stolen credit card account numbers used in fraud losses roughly
calculated to be more than $75 million.
Salary premiums for security certifications increasing, study shows
- Foote Partners report data bucks trend seen in other IT areas -
For all the continuing debate about the real value of IT
certification programs, the premiums that companies are willing to
pay for certified information security professionals are actually
Security lab may face $3.3m fine for data leak - Classified files,
computer storage devices found in trailer-park drug raid - The
Energy Department proposed $3.3 million in fines Friday against
managers of the Los Alamos nuclear weapons lab because of a security
breakdown in which classified documents were found in a trailer-park
drug raid. The civil penalties, the bulk of them levied against the
University of California, the longtime former manager of the lab,
were the largest such fines the department has ever imposed.
E-health Records Privacy Rules Needed - Patients currently don't
have any way to keep their personal information from being shared
with third parties.
Feds scramble to meet data breach deadline - Deadline for federal
agencies' policies for dealing with data breaches approaches and
it's not yet clear whether everyone will be done in time. With only
two months left before government agencies must figure out how to
deal with data breaches and data theft, federal bureaucrats are
scrambling to meet the looming deadline.
Texas state Web site leaks sensitive information - State and local
governments are struggling to remove personal information online so
it cannot be misused by criminals.
FYI - iPhone may be disrupting network - Apple Inc.'s flashy new
iPhones may be jamming parts of the wireless network at Duke
University, where technology officials worked with the company
Wednesday to fix problems before classes begin next month.
Disney alerts movie-club members to privacy breach - A Wisconsin man
is arrested in connection with an attempt to sell credit-card
information. Credit-card information for an undisclosed number of
Disney Movie Club members worldwide was reportedly offered for sale
-- illegally -- by an employee of a sales account-processing company
who was then arrested by federal agents.
MSD worker fired in security breach - The Metropolitan St. Louis
Sewer District has fired an employee after executives learned the
employee had downloaded Social Security numbers of about 1,600
current or former district employees to a home computer. The Social
Security numbers were part of a computer file the district uses to
make sure workers get the proper pay.
Google in Colorado safe cracking caper - It's true. Google can help
with anything. Minutes before they opened several locked safes at a
"family fun center" in Colorado Springs, a team of masked bandits
sat down at a nearby PC and Googled "safe-cracking." "They brought
up a site called 'How to Open Safes,'" Colorado Springs detective
Chuck Ackerman told The Register.
Missing TSA computer drive not protected - The Transportation
Security Administration did not follow White House instructions to
protect sensitive information on a computer hard drive containing
bank and payroll data for 100,000 employees that was discovered
missing, the agency acknowledged to Congress.
Former Boeing employee charged in data theft - Seattle police have
charged a former Boeing employee with 16 counts of computer trespass
for the alleged theft of 320,000 files, as well as leaking them to a
Seattle-area daily newspaper.
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following:
- A financial institution's Web page should never be accessed
from a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "book mark" that directs the Web browser to the financial
institution's Web site.
- A financial institution should not be sending e-mail
messages that request confidential information, such as account
numbers, passwords, or PINs. Financial institution customers should
be reminded to report any such requests to the institution.
- Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
To explain the red flags and risks of phishing and identity theft,
financial institutions can refer customers to or use resources
distributed by the Federal Trade Commission (FTC), including the
following FTC brochures:
- "How Not to Get Hooked by the 'Phishing' Scam," published in
July 2003, which is available at:
- "ID Theft: When Bad Things Happen to Your Good Name,"
published in September 2002, which is available at:
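The guidance above asks institutions to keep their Web site certificates current. As an added example, not part of the FFIEC guidance or any institution's own tooling, the following monitor fetches a host's certificate and checks expiry and hostname coverage; SAMPLE_CERT is a constructed certificate and example.com is a placeholder hostname.

```python
"""Added example, not part of the FFIEC guidance: a monitor for the "maintain
current Web site certificates" item. fetch_cert() pulls a host's live,
validated certificate; check_cert() evaluates a certificate dict in the shape
returned by ssl.SSLSocket.getpeercert(). SAMPLE_CERT is constructed and
example.com is a placeholder hostname."""
import socket
import ssl
import time

WARN_DAYS = 30  # warn this many days before expiry so renewal is not missed


def fetch_cert(hostname, port=443):
    """Return the peer certificate after full chain and hostname validation
    (needs network; not exercised below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_cert(cert, hostname, now=None):
    """Return a list of findings; an empty list means the certificate is
    current and names the host. `now` is a Unix timestamp (default: time.time())."""
    now = time.time() if now is None else now
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    if now > not_after:
        findings.append("certificate expired")
    elif not_after - now < WARN_DAYS * 86400:
        findings.append(f"certificate expires within {WARN_DAYS} days")
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if hostname.lower() not in names:
        findings.append(f"{hostname} not in subjectAltName {sorted(names)}")
    return findings


# Constructed sample in getpeercert() format; dates and names are made up.
SAMPLE_CERT = {
    "notBefore": "Feb 10 00:00:00 2007 GMT",
    "notAfter": "Dec 31 23:59:59 2007 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
NOW_2007 = ssl.cert_time_to_seconds("Jul 29 00:00:00 2007 GMT")

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "www.example.com", now=NOW_2007))  # []
    print(check_cert(SAMPLE_CERT, "www.example.com"))  # long expired by now
```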
INFORMATION TECHNOLOGY SECURITY - We
continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable to the desktop network.
Currently, wireless networks can provide speeds of up to 11Mbps
between the workstation and the wireless access device without the
need for cabling individual workstations. Wireless networks also
offer added mobility allowing users to travel through the facility
without losing their network connection. Wireless networks are also
being used to provide connectivity between geographically close
locations as an alternative to installing dedicated
Wireless differs from traditional hard-wired networking in that it
provides connectivity to the network by broadcasting radio signals
through the airways. Wireless networks operate using a set of FCC
licensed frequencies to communicate between workstations and
wireless access points. By installing wireless access points, an
institution can expand its network to include workstations within
broadcast range of the network access point.
The most prevalent class of wireless networks currently available is
based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP)
encryption. WEP is intended to provide confidentiality and integrity
of data and a degree of access control over the network. By design,
WEP encrypts traffic between an access point and the client.
However, this encryption method has fundamental weaknesses that make
it vulnerable. WEP is vulnerable to the following types of
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations
based on known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a
day's worth of traffic, allow real-time automated decryption of all
traffic (a dictionary-building attack creates a translation table
that can be used to convert encrypted information into plain text
without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4
encryption algorithm that allow an attacker to rapidly determine the
encryption key used to encrypt the user's session.
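A worked illustration of weaknesses 1 and 4 above, added here and not taken from the FDIC guidance: it quantifies how quickly an 802.11b access point runs through WEP's per-frame keys, and includes a check a wireless monitor could use to flag IV reuse in captured frame headers. The 24-bit IV and the per-frame RC4 key construction are WEP facts not stated on the page; the link speed, frame sizes and IV sequence are constructed inputs.

```python
"""Added example (not from the FDIC guidance): how quickly WEP's per-frame
keys repeat, and a check for IV reuse in captured frame headers.

WEP facts assumed: each frame's RC4 key is the shared secret prefixed with a
24-bit initialisation vector (IV) sent in the clear, so two frames with the
same IV are encrypted with the same keystream.
"""
import math
from collections import defaultdict

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs


def frames_per_second(link_mbps, frame_bytes):
    """Frames per second on a saturated link (upper bound; ignores overhead)."""
    return link_mbps * 1_000_000 / (8 * frame_bytes)


def seconds_to_exhaust_iv_space(link_mbps, frame_bytes):
    """How long a busy access point can run before it must repeat an IV."""
    return IV_SPACE / frames_per_second(link_mbps, frame_bytes)


def expected_frames_until_first_repeat():
    """Birthday bound: with randomly chosen IVs the first repeat is expected
    after about sqrt(pi/2 * N) frames (a sequential counter wraps at N)."""
    return round(math.sqrt(math.pi / 2 * IV_SPACE))


def find_iv_reuse(ivs):
    """Map each IV that appears more than once to the frame indices that carried
    it. A wireless monitor flagging these is detecting the condition that
    weaknesses 1 and 4 rely on."""
    seen = defaultdict(list)
    for idx, iv in enumerate(ivs):
        seen[iv].append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


if __name__ == "__main__":
    # 802.11b at 11 Mbps with 1500-byte frames: the IV space lasts about 5 hours
    hours = seconds_to_exhaust_iv_space(11, 1500) / 3600
    print(f"{hours:.1f} h of saturated traffic exhausts the IV space")
    print(expected_frames_until_first_repeat(), "frames until an IV is likely to repeat")
    # Constructed capture: IV 0x00ABCD appears in frames 1 and 3
    print(find_iv_reuse([0x000001, 0x00ABCD, 0x000002, 0x00ABCD]))
```

The "about a day's worth of traffic" figure in the guidance is consistent with these numbers: a lightly loaded access point simply takes longer than the saturated-link bound to cycle through its IVs.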
IT SECURITY QUESTION:
a. Are there automated journals and audit trails that document
access to and modification of images?
b. Are there controls to ensure stored images cannot be altered,
erased or lost?
c. Have procedures been established to prevent the destruction of
original documents before it is determined that the images are
d. Are there procedures to address traditional controls (such as
date stamps, control numbers, and review signatures)?
e. Are there controls to prevent faulty images, improper indexing,
and incomplete or forged documents from being entered into the
f. Is a backup copy of the image medium stored off-site?
g. Is there a periodic evaluation of legal issues?
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
Next week we will start covering the examination objectives.
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.