R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 1, 2010

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."  For more information and to subscribe visit http://www.yennik.com/it-review/.

- The ISACA Information Security and Risk Management Conference is being held September 13-15, 2010 in Las Vegas, Nevada. This is a great conference that I highly recommend.  For more information and to register, please go to http://www.isaca.org/isrmc.  I will the there and look forward to meeting you.

Social Media: Business Benefits and Security, Governance and Assurance Perspectives - Initiated as a consumer-oriented technology, social media is increasingly being leveraged as a powerful, low-cost tool for enterprises to drive business objectives such as enhanced customer interaction, greater brand recognition and more effective employee recruitment. http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Social-Media-Business-Benefits-and-Security-Governance-and-Assurance-Perspectives.aspx

Banking trojans as a weapon of mass destruction - According to FinCEN, between between January 1 and June 30, 2009, depository institution (banking) suspicious activity reports characterized as computer intrusion increased 75 percent, compared to the corresponding six-month reporting period in 2008. http://www.scmagazineus.com/banking-trojans-as-a-weapon-of-mass-destruction/article/174762/?DCMP=EMC-SCUS_Newswire

A hidden world, growing beyond control - The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work. http://projects.washingtonpost.com/top-secret-america/articles/a-hidden-world-growing-beyond-control/print/

German webcam hack suspect cuffed - An alleged suspect has been arrested in Germany over allegations that he used malware to hack into webcams and spy on people.  http://www.theregister.co.uk/2010/07/19/german_webcam_perv_arrest/

Colorado warns of major corporate ID theft scam - Colorado's Secretary of State and other officials are warning the state's 800,000 or so registered businesses to watch out for scammers who have been forging business identities to make fraudulent purchases from several big-box retailers in recent months. http://www.computerworld.com/s/article/9179251/Colorado_warns_of_major_corporate_ID_theft_scam?taxonomyId=82

GAO - Challenges In Federal Agencies' Use of Web 2.0 Technologies.
Release - http://www.gao.gov/new.items/d10872t.pdf
Highlights - http://www.gao.gov/highlights/d10872thigh.pdf

Social engineering, No school like old school - Using a pretext call to obtain a subject's cell phone records or bank account debit card credit card transactions provided compelling background data for divorces, established "whodunit" in corporate counter-intelligence and helped me sort out SODDI stories when it mattered in high-end fraud and burglary cases. http://www.scmagazineus.com/social-engineering-part-1-no-school-like-old-school-crushing-your-pretext-calling-risks/article/174765/?DCMP=EMC-SCUS_Newswire


Mozilla yanks password-stealing Firefox add-on - Mozilla warned users that a password-stealing add-on slipped into Firefox's extension gallery more than a month ago had been downloaded nearly 2,000 times before it was detected. http://www.computerworld.com/s/article/9179167/Mozilla_yanks_password_stealing_Firefox_add_on?taxonomyId=85

Thieves swipe thousands of laptops from Special Ops contractor in Hillsborough - On March 6, as many as seven people broke into iGov Technologies at 9211 Palm River Road and stole 3,000 laptops and other electronics, according to a search warrant.

Bluetooth at heart of gas station credit-card scam in Southeast - Thieves are stealing credit-card numbers through skimmers they secretly installed inside pumps at gas stations throughout the Southeast, using Bluetooth wireless to transmit stolen card numbers, according to law enforcement officials. http://www.computerworld.com/s/article/9179136/Bluetooth_at_heart_of_gas_station_credit_card_scam_in_Southeast_?taxonomyId=85

Employee at Maryland state agency posts client information online - The personal information of clients of the Maryland Department of Human Resources (DHR) recently was posted on a third-party website, where it remained for nearly three months. http://www.scmagazineus.com/employee-at-maryland-state-agency-posts-client-information-online/article/174993/?DCMP=EMC-SCUS_Newswire

Sensitive database compromised at Buena Vista University - A sensitive database belonging to Buena Vista University in Iowa was compromised, exposing the information of students and staff. http://www.scmagazineus.com/sensitive-database-compromised-at-buena-vista-university/article/174988/?DCMP=EMC-SCUS_Newswire

Hospital files with personal, medical data on 800,000 gone - A data management firm has lost hospital records, containing a wide array of personal information, that belonged to hundreds of thousands of people.

Return to the top of the newsletter

We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 10 of 10)  


Managing Service Providers

Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.

When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.

Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.

Return to the top of the newsletter
We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 

To ensure the security of information systems and data, financial institutions should have a sound information security program that identifies, measures, monitors, and manages potential risk exposure. Fundamental to an effective information security program is ongoing risk assessment of threats and vulnerabilities surrounding networked and/or Internet systems. Institutions should consider the various measures available to support and enhance information security programs. The appendix to this paper describes certain vulnerability assessment tools and intrusion detection methods that can be useful in preventing and identifying attempted external break-ins or internal misuse of information systems. Institutions should also consider plans for responding to an information security incident.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, and 14 and/or 15 but not outside of these exceptions (Part 2 of 2)

B. Presentation, Content, and Delivery of Privacy Notices 

1)  Review the financial institution's initial and annual privacy notices. Determine whether or not they:

a.  Are clear and conspicuous (3(b), 4(a), 5(a)(1)); 

b.  Accurately reflect the policies and practices used by the institution (4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information and contain examples as applicable (6, 13).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

a.  Timeliness of delivery (4(a)); and

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (9).

c.  For customers only, review the timeliness of delivery (4(d), 4(e), and 5(a)), means of delivery of annual notice 9(c)), and accessibility of or ability to retain the notice (9(e)).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

IT Security Checklist
A weekly email that provides an effective
method to prepare for your IT examination.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated