Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
August 5, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - Man sues Pfizer
over data on Net - A Baton Rouge man who once worked for Pfizer Inc.
is suing the nation's largest pharmaceutical company over its
unauthorized release of personal data. An internal investigation
found the breach occurred about three weeks earlier when a
worker's spouse used a company laptop computer to install
unauthorized software and access a file-sharing network.
GAO - Cybercrime: Public and Private Entities Face Challenges in
Addressing Cyber Threats.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-705
Highlights - http://www.gao.gov/highlights/d07705high.pdf
GAO - Information Technology: Treasury Needs to Strengthen Its
Investment Board Operations and Oversight.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-865
OMB, DHS outline data security best practices - The Office of
Management and Budget and the Homeland Security Department today
explained 10 common mistakes agencies make when securing data and
personal information and offered a host of best practices to correct
DOT data held for ransom - Pay up to see data on your hard drive,
cybercrooks tell Transportation Department, others - The
Transportation Department, as well as Booz Allen Hamilton,
Hewlett-Packard, Nortel Networks and Unisys have all recently had
data on some desktop computers encrypted and held for ransom,
charges a British Internet security provider.
FYI - Standard
configuration to give agencies a real test - Network administrators
must figure out how to blend security, legacy apps - Once the
National Institute of Standards and Technology, Microsoft and other
federal and private-sector experts finish developing the test image
for the standard Windows desktop configuration for XP and Vista,
agencies will face their toughest test - literally.
FYI - Computer Crimes
Charged In College Cash-For-Grades Scheme - The former director of
the computer center for Touro College has been charged with computer
tampering and computer trespass. Ten people, including the former
director of admissions and the former director of the computer
center at a Manhattan college, were indicted as being part of a
scheme that involved forging transcripts and altering grades.
USB encryption vendor suffers computer breach - A technology firm
that recently entered the data security market reported this week
that thieves infiltrated a company computer nearly two years ago,
illegally accessing some 27,000 customer credit card files.
Data goofs preceded theft - State seeks accountability in
inspector's report - Gov. Ted Strickland hopes to figure out why
there was no follow up to a memo regarding data theft.E-mail
exchanges among state officials about the theft of a computer backup
tape containing sensitive personal information are clear: That
material was not supposed to be on the tape.
FYI - Hacker accesses
personal information from U-M databases - The University of Michigan
has notified 5,500 current and former students that a hacker gained
access to personal information on two School of Education databases.
FYI - Report by Ohio's
inspector general spreads blame for theft of state data - An
investigative report released this afternoon assigns "shared blame"
for a series of decisions that led to the theft of a state computer
device containing the personal information of more than 1 million
FYI - Breach forces M&T
to reissue cards - Visa cards compromised at third-party retailer -
Thousands of M&T Bank Visa cardholders have been issued new cards
because of a security breach at a major retailer.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes. Enhancements may include:
! Incorporating notification procedures to alert customers of
known e-mail and Internet-related fraudulent schemes and to caution
them against responding;
! Establishing a process to notify Internet service providers,
domain name-issuing companies, and law enforcement to shut down
fraudulent Web sites and other Internet resources that may be used
to facilitate phishing or other e-mail and Internet-related
! Increasing suspicious activity monitoring and employing
additional identity verification controls;
! Offering customers assistance when fraud is detected in
connection with customer accounts;
! Notifying the proper authorities when e-mail and
Internet-related fraudulent schemes are detected, including promptly
notifying their FDIC Regional Office and the appropriate law
enforcement agencies; and
! Filing a Suspicious Activity Report when incidents of e-mail
and Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should
be considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
! Improving authentication methods and procedures to protect
against the risk of user ID and password theft from customers
through e-mail and other frauds;
! Reviewing and, if necessary, enhancing practices for
protecting confidential customer data;
! Maintaining current Web site certificates and describing how
customers can authenticate the financial institution's Web pages by
checking the properties on a secure Web page;
! Monitoring accounts individually or in aggregate for unusual
account activity such as address or phone number changes, a large or
high volume of transfers, and unusual customer service requests;
! Monitoring for fraudulent Web sites using variations of the
financial institution's name;
! Establishing a toll-free number for customers to verify
requests for confidential information or to report suspicious e-mail
! Training customer service staff to refer customer concerns
regarding suspicious e-mail request activity to security staff.
E-mail and Internet-related fraudulent schemes present a
substantial risk to financial institutions and their customers.
Financial institutions should consider developing programs to
educate customers about e-mail and Internet-related fraudulent
schemes and how to avoid them, consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes, and implement appropriate information security controls to
help mitigate the risks associated with e-mail and Internet-related
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Using "Wired Equivalent Privacy" (WEP) by itself to
provide wireless network security may lead a financial institution
to a false sense of security. Information traveling over the network
appears secure because it is encrypted. This appearance of security,
however, can be defeated in a relatively short time.
Through these types of attacks, unauthorized personnel could gain
access to the financial institution's data and systems. For example,
an attacker with a laptop computer and a wireless network card could
eavesdrop on the bank's network, obtain private customer
information, obtain access to bank systems and initiate unauthorized
transactions against customer accounts.
Another risk in implementing wireless networks is the potential
disruption of wireless service caused by radio transmissions of
other devices. For example, the frequency range used for 802.11b
equipment is also shared by microwave ovens, cordless phones and
other radio-wave-emitting equipment that can potentially interfere
with transmissions and lower network performance. Also, as wireless
workstations are added within a relatively small area, they will
begin to compete with each other for wireless bandwidth, decreasing
the overall performance of the wireless network.
Risk Mitigation Components -- Wireless Internal Networks
A key step in mitigating security risks related to the use of
wireless technologies is to create policies, standards and
procedures that establish minimum levels of security. Financial
institutions should adopt standards that require end-to-end
encryption for wireless communications based on proven encryption
methods. Also, as wireless technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless network devices.
For wireless internal networks, financial institutions should adopt
standards that require strong encryption of the data stream through
technologies such as the IP Security Protocol (IPSEC). These methods
effectively establish a virtual private network between the wireless
workstation and other components of the network. Even though the
underlying WEP encryption may be broken, an attacker would be faced
with having to defeat an industry-proven security standard.
Financial institutions should also consider the proximity of their
wireless networks to publicly available places. A wireless network
that does not extend beyond the confines of the financial
institution's office space carries with it far less risk than one
that extends into neighboring buildings. Before bringing a wireless
network online, the financial institution should perform a limited
pilot to test the effective range of the wireless network and
consider positioning devices in places where they will not broadcast
beyond the office space. The institution should also be mindful that
each workstation with a wireless card is a transmitter. Confidential
customer information may be obtained by listening in on the
workstation side of the conversation, even though the listener may
be out of range of the access device.
The financial institution should consider having regular independent
security testing performed on its wireless network environment.
Specific testing goals would include the verification of appropriate
security settings, the effectiveness of the wireless security
implementation and the identification of rogue wireless devices that
do not conform to the institution's stated standards. The security
testing should be performed by an organization that is technically
qualified to perform wireless testing and demonstrates appropriate
the top of the newsletter
IT SECURITY QUESTION:
Building physical access controls:
a. Is the building locked after hours?
b. Do locks restrict the interior access?
c. Is there a security guard?
d. Is there a 24 hours camera surveillance system?
e. Is there a burglar alarm system to a remote location?
f. Is there a fire alarm system to a remote location?
g. Does each employee have a different deactivation code for the
h. Are fire extinguishers regularly inspected?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
1. To assess the quality of a financial institution's compliance
management policies and procedures for implementing the privacy
regulation, specifically ensuring consistency between what the
financial institution tells consumers in its notices about its
policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial
institution's internal controls and procedures for monitoring the
institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the
privacy regulation, specifically in meeting the following
a) Providing to customers notices of its privacy policies and
practices that are timely, accurate, clear and conspicuous, and
delivered so that each customer can reasonably be expected to
receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated
third parties, other than under an exception, after first meeting
the applicable requirements for giving consumers notice and the
right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information
received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in
4. To initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are deficient.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.