R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 12, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - CoNetrix released a new, complimentary online tool called tandem Compliance Calendar to help financial institutions effectively manage regulatory requirements and schedule important tasks such as audits, training, operations and compliance. This free solution is part of their tandem software suite designed to help financial institutions with their security and compliance needs.  http://www.conetrix.com/ComplianceCalendar 

FYI - Homeland Security pushes pay boost for cyber pros - The Homeland Security Department made a final pitch to Congress to equalize pay packages for DHS cyber professionals and their higher-paid Pentagon counterparts, as cybersecurity legislation looked likely to stall for the third consecutive year. http://www.nextgov.com/cybersecurity/2012/08/homeland-security-pushes-pay-boost-cyber-pros/57194/?oref=ng-HPtopstory

FYI - India: We DO have the BlackBerry encryption keys - Indian government officials have apparently claimed that Research in Motion has handed over the skeleton keys used to encrypt BlackBerry communications – once again ignoring the fact that such keys don't exist. http://www.theregister.co.uk/2012/08/02/rim_keys_india/

FYI - Air Force prepares to open cyberwarfare simulation center to outside users - The Air Force is slated to open a virtual cyberwarfare program to more military commands, educational institutions and other federal agencies, contracting papers indicate. http://www.nextgov.com/cybersecurity/2012/08/air-force-prepares-open-cyberwarfare-simulation-center-outside-users/57165/?oref=ng-HPriver

FYI - White House reportedly considers cyber executive order - After Senate Republicans last week blocked the passage of a cyber security bill, the White House is considering reviving the legislation through an executive order, according to a report this weekend. http://www.scmagazine.com/white-house-reportedly-considers-cyber-executive-order/article/253502/?DCMP=EMC-SCUS_Newswire

FYI - Proposed Privacy Law Demands Court Warrants for Cloud Data - Two Democratic congressmen are proposing sweeping changes to a U.S. privacy law that for the first time would require the government to obtain a probable-cause warrant to access data stored in the cloud. http://www.wired.com/threatlevel/2012/08/ecpa-warrant-reform/

FYI - Password security can improve, but the hackers will still get in - In June, millions of password hashes were disclosed from LinkedIn, eHarmony and Last.fm. And in July, more than 400,000 usernames and passwords were stolen from Yahoo, while the social networking site Formspring, clothing company Billabong, and gaming site Gamigo all suffered similar breaches. http://www.scmagazine.com/password-security-can-improve-but-the-hackers-will-still-get-in/article/253931/?DCMP=EMC-SCUS_Newswire

FYI - Gauss trojan targets Lebanese banks, likely U.S. creation - Researchers have come across another sophisticated piece of Middle Eastern-targeted espionage malware, which, at the very least, is capable of stealing bank login details, and, at the most extreme, is another Stuxnet. http://www.scmagazine.com/gauss-trojan-targets-lebanese-banks-likely-us-creation/article/254096/?DCMP=EMC-SCUS_Newswire


FYI - Knight Capital Shows How Financial Services Firms Have Become Widow Makers - Knight Capital experienced an electronic trading malfunction that caused havoc in the trading of stocks ranging from RadioShack to Dupont. Now, Knight says its losses from the trading debacle are $440 million. http://www.forbes.com/sites/nathanvardi/2012/08/02/knight-capital-shows-how-financial-services-firms-have-become-widow-makers/

FYI - Employee password reuse behind Dropbox spam outbreak - The spam outbreak that last month flooded the inboxes of Dropbox customers has been traced back to a hacked employee account, company representatives said late Tuesday. http://www.scmagazine.com/employee-password-reuse-behind-dropbox-spam-outbreak/article/253004/

FYI - Metropolitan Police ransomware pretender ensnares 1,100 computers - The Metropolitan Police's Central e-Crime Unit (PCeU) has uncovered a ransomware scam attempting to extort money from unsuspecting members of the public by impersonating it. http://www.v3.co.uk/v3-uk/news/2196036/metropolitan-police-ransomware-pretender-ensnares-1-100-computers

FYI - Data breach costs LinkedIn up to $1 million - Due to one of the year's largest reported data breaches, business networking site LinkedIn has announced that it already has taken up to a $1 million hit. http://www.scmagazine.com/data-breach-costs-linkedin-up-to-1-million/article/253386/?DCMP=EMC-SCUS_Newswire

FYI - Yahoo faces lawsuit following data breach - As is the norm following a high-profile breach, Yahoo is facing a lawsuit following its disclosure last month that hackers stole 450,000 unencrypted email addresses and passwords of its members.


FYI - Thumb drive with data on 14k hospital patients stolen - A USB drive with data on thousands of patients of Oregon Health & Science University (OHSU) in Portland was stolen from the home of an employee on July 4 or 5. http://www.scmagazine.com/thumb-drive-with-data-on-14k-hospital-patients-stolen/article/253230/?DCMP=EMC-SCUS_Newswire

FYI - Hackers breach Environment Protection Agency database - Thousands of U.S. Environmental Protection Agency (EPA) employees had their personal information exposed through a database breach.

FYI - Patient data outage exposes risks of electronic medical records - 'Human error' is blamed for a five-hour computer outage last week. It highlights the risks of a nationwide switch to electronic medical records. http://www.latimes.com/business/la-fi-hospital-data-outage-20120803,0,5302779.story

FYI - Reuters suffers double hack - Call it a “psy-ops” attack, if you like: Reuters has suffered the embarrassment of having two platforms infiltrated and used to spread propaganda messages supporting the Syrian regime. http://www.theregister.co.uk/2012/08/05/reuters_hacked/

FYI - How Apple let a hacker remotely wipe an iPhone, iPad, MacBook - Gizmodo's Twitter account was recently hacked, after a former employee's iCloud account was breached, and all his Apple devices (iPhone, iPad, MacBook Air) were remotely wiped. It turns out the hacker didn't even have to get the password: he just tricked Apple's tech support. http://www.zdnet.com/how-apple-let-a-hacker-remotely-wipe-an-iphone-ipad-macbook-7000002141/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Sound Security Control Practices for E-Banking

1. Security profiles should be created and maintained and specific authorization privileges assigned to all users of e-banking systems and applications, including all customers, internal bank users and outsourced service providers. Logical access controls should also be designed to support proper segregation of duties.

2. E-banking data and systems should be classified according to their sensitivity and importance and protected accordingly. Appropriate mechanisms, such as encryption, access control and data recovery plans should be used to protect all sensitive and high-risk e-banking systems, servers, databases and applications.

3. Storage of sensitive or high-risk data on the organization's desktop and laptop systems should be minimized and properly protected by encryption, access control and data recovery plans.

4. Sufficient physical controls should be in place to deter unauthorized access to all critical e-banking systems, servers, databases and applications.

5. Appropriate techniques should be employed to mitigate external threats to e-banking systems, including the use of:

a)  Virus-scanning software at all critical entry points (e.g. remote access servers, e-mail proxy servers) and on each desktop system.
b)  Intrusion detection software and other security assessment tools to periodically probe networks, servers and firewalls for weaknesses and/or violations of security policies and controls.
c)  Penetration testing of internal and external networks.

6. A rigorous security review process should be applied to all employees and service providers holding sensitive positions.
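Principle 1 above asks for per-user security profiles and logical access controls that enforce segregation of duties. The following is an added illustration of one way to encode that, not code from the Basel Committee paper or from any bank's system. The user classes, privilege names, the initiate/approve conflict pair and the transaction records are all hypothetical; the point is that the profile check (static, at role assignment and at each request) and the segregation-of-duties check (dynamic, against what the same person already did on the same transaction) are separate controls, and a user holding two roles can pass the first while failing the second.

```python
"""Per-class security profiles plus a segregation-of-duties (SoD) check for
an e-banking application.  Added illustration; names are hypothetical."""

from dataclasses import dataclass, field

# Hypothetical profiles: each user class gets only the privileges it needs.
# Customers, internal staff and an outsourced provider are all covered.
PROFILES = {
    "customer": {"view_balance", "initiate_transfer"},
    "teller":   {"view_balance", "initiate_transfer", "view_customer"},
    "approver": {"view_balance", "approve_transfer", "view_customer"},
    "vendor":   {"view_health"},            # outsourced operations: no data access
    "admin":    {"manage_users", "view_audit_log"},
}

# SoD rule: the same person must never perform both actions on one transaction.
SOD_CONFLICTS = {("initiate_transfer", "approve_transfer")}


@dataclass
class User:
    name: str
    roles: set


@dataclass
class Transfer:
    tid: str
    amount: int
    history: list = field(default_factory=list)   # (user name, action) pairs


def privileges(user):
    """Union of the privileges granted by every role the user holds."""
    privs = set()
    for role in user.roles:
        privs |= PROFILES.get(role, set())
    return privs


def role_conflicts(user):
    """Static SoD check at assignment time: which conflict pairs does the
    user's combined profile grant both halves of?"""
    privs = privileges(user)
    return {pair for pair in SOD_CONFLICTS if pair[0] in privs and pair[1] in privs}


def authorize(user, action, transfer):
    """Return (allowed, reason).  Profile check first, then the dynamic SoD
    check against what this user already did on this transaction."""
    if action not in privileges(user):
        return False, f"{user.name} lacks privilege {action}"
    for prior_user, prior_action in transfer.history:
        if prior_user != user.name:
            continue
        if (prior_action, action) in SOD_CONFLICTS or (action, prior_action) in SOD_CONFLICTS:
            return False, f"SoD violation: {user.name} already did {prior_action} on {transfer.tid}"
    return True, "ok"


def perform(user, action, transfer):
    """Apply the action if authorized, recording it in the transaction history."""
    allowed, reason = authorize(user, action, transfer)
    if allowed:
        transfer.history.append((user.name, action))
    return allowed, reason


if __name__ == "__main__":
    alice = User("alice", {"teller"})
    bob = User("bob", {"approver"})
    carol = User("carol", {"teller", "approver"})     # dual role: static conflict
    t1 = Transfer("T1", 5000)
    print(perform(alice, "initiate_transfer", t1))    # (True, 'ok')
    print(perform(alice, "approve_transfer", t1))     # profile denies
    print(perform(bob, "approve_transfer", t1))       # (True, 'ok')
    t2 = Transfer("T2", 100)
    print(perform(carol, "initiate_transfer", t2))    # (True, 'ok')
    print(perform(carol, "approve_transfer", t2))     # SoD denies
    print(role_conflicts(carol))                      # flagged at assignment
```

The static check is what an access review would run over the user directory; the dynamic check is what the application runs on every request, so that even a mis-assigned dual role cannot complete a transfer alone.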

We continue our series on the FFIEC interagency Information Security Booklet.


Measurement and Interpretation of Test Results. Institutions should design tests to produce results that are logical and objective. Results that are reduced to metrics are potentially more precise and less subject to confusion, as well as being more readily tracked over time. The interpretation and significance of test results are most useful when tied to threat scenarios.

Traceability. Test results that indicate an unacceptable risk in an institution's security should be traceable to actions subsequently taken to reduce the risk to an acceptable level.

Thoroughness. Institutions should perform tests sufficient to provide a high degree of assurance that their security plan, strategy and implementation is effective in meeting the security objectives. Institutions should design their test program to draw conclusions about the operation of all critical controls. The scope of testing should encompass all systems in the institution's production environment and contingency plans and those systems within the institution that provide access to the production environment.

Frequency. Test frequency should be based on the risk that critical controls are no longer functioning. Factors to consider include the nature, extent, and results of prior tests, the value and sensitivity of data and systems, and changes to systems, policies and procedures, personnel, and contractors. For example, network vulnerability scanning on high-risk systems can occur at least as frequently as significant changes are made to the network.
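The three points above (metrics, traceability, and change-driven frequency) are what a findings register has to enforce in practice. The following is an added illustration, not from the FFIEC booklet, of such a register: it reduces scan results to tracked numbers, lists open findings at unacceptable risk that have no remediation action linked to them, and decides whether a system is due for a rescan. The finding records, severities, dates, the "high" threshold and the 90-day interval are all constructed assumptions.

```python
"""Findings register for a security test program: metrics, traceability of
unacceptable-risk findings to remediation actions, and rescan scheduling.
Added illustration; all records below are constructed sample data."""

from collections import Counter
from datetime import date

# Constructed sample results, e.g. from a network vulnerability scan.
# "action" is the change/remediation ticket a finding is traced to.
FINDINGS = [
    {"id": "F-1", "system": "ebank-web", "severity": "high",
     "found": date(2012, 7, 2), "closed": None, "action": "CHG-1041"},
    {"id": "F-2", "system": "ebank-web", "severity": "medium",
     "found": date(2012, 7, 2), "closed": date(2012, 7, 20), "action": "CHG-1042"},
    {"id": "F-3", "system": "core-db", "severity": "high",
     "found": date(2012, 7, 9), "closed": None, "action": None},
    {"id": "F-4", "system": "intranet", "severity": "low",
     "found": date(2012, 6, 1), "closed": None, "action": None},
]

UNACCEPTABLE = {"critical", "high"}     # assumed risk threshold


def metrics(findings, today):
    """Reduce results to numbers that can be compared run over run."""
    open_ = [f for f in findings if f["closed"] is None]
    ages = [(today - f["found"]).days for f in open_]
    return {
        "open": len(open_),
        "open_by_severity": dict(Counter(f["severity"] for f in open_)),
        "mean_open_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
        "max_open_age_days": max(ages, default=0),
    }


def untraceable(findings):
    """Open findings at unacceptable risk that no remediation action is linked
    to.  Anything listed here fails the traceability requirement."""
    return [f["id"] for f in findings
            if f["closed"] is None
            and f["severity"] in UNACCEPTABLE
            and not f["action"]]


def scan_due(system_risk, last_scan, changes_since_scan, today, max_interval_days=90):
    """Rescan when the periodic interval has lapsed, or, for a high-risk system,
    as soon as a significant change has been made since the last scan."""
    if (today - last_scan).days >= max_interval_days:
        return True
    return system_risk == "high" and changes_since_scan > 0


if __name__ == "__main__":
    today = date(2012, 8, 12)
    print(metrics(FINDINGS, today))
    print("untraceable:", untraceable(FINDINGS))        # ['F-3']
    print(scan_due("high", date(2012, 7, 1), 2, today))   # True: changed since scan
    print(scan_due("low", date(2012, 7, 1), 2, today))    # False: low risk, interval not lapsed
    print(scan_due("low", date(2012, 4, 1), 0, today))    # True: interval lapsed
```

The untraceable list is the report to escalate: a high-severity finding with no ticket is exactly the result that examiners will ask to see traced to a corrective action.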


We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

30. Does the institution allow the consumer to opt out at any time? [§7(f)]

31. Does the institution continue to honor the consumer's opt out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically?


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated