Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- White House offers incentives for critical infrastructure
companies participating in cyber security program - The White House
has released a tentative list of incentives that it hopes will stir
the private sector to voluntary adopt the “Cyber Security Framework”
– a set of “core practices” to be implemented next year that aims to
help the nation mitigate attacks on critical infrastructure.
- Ukrainian Carder in $5 Million Ring Sentenced to 14-Plus Years in
Prison - A Ukrainian carder who operated a gang that authorities
dubbed the Western Express Cybercrime Group has been sentenced to
between 14 and 40 years in state prison following a 10-week trial in
- Student attempting to rig election wins one year in jail - Former
California State University San Marcos undergrad tried to earn
himself the role of student body president by rigging the election,
but instead earned himself a year behind bars.
- City of London calls halt to smartphone tracking bins - The City
of London Corporation has asked a company to stop using recycling
bins to track the smartphones of passers-by.
- TSP Board Switches Tech Contractors - The board that oversees the
Thrift Savings Plan has tapped Science Applications International
Corporation to manage TSP technology and record keeping over
incumbent vendor Serco Inc., with a contract valued at up to $227
million for the next six years.
- White House Unveils CIO Council 2.0 - The White House released a
plan on Friday to significantly streamline its top council of
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Chinese Hacking Team Caught Taking Over Decoy Water Plant - A
hacking group accused of being operated by the Chinese army now
seems to be going after industrial control systems.
- $1.5 million Cyberheist Ruins Escrow Firm - A $1.5 million
cyberheist against a California escrow firm earlier this year has
forced the company to close and lay off its entire staff. Meanwhile,
the firm’s remaining money is in the hands of a court-appointed
state receiver who is preparing for a lawsuit against the victim’s
bank to recover the stolen funds.
- "Hand of Thief" trojan sniffs out banking credentials of Linux
users - Not long after the Windows-targeting banking trojan KINS hit
the market, saboteurs have introduced new financial malware capable
of infecting Linux users.
- Hacker battles encryption, nabs card info from online retailer -
Smartphone Experts, a Florida-based online retailer of smartphone
accessories, was the victim of a hack in July that compromised
customer card information.
- The Chinese hacker group that hit the N.Y. Times is back with
updated tools - The Chinese hacker group that broke into the
computer network of The New York Times and other high-profile
organizations, including defense contractors, has launched new
attacks following a few months of inactivity.
- New York Times website back online after brief outage - The
website for The New York Times has returned online after being down
for nearly two hours.
- Lost flash drive compromises data for thousands of students - More
than 20,000 students across 36 schools in the Boston Public School
(BPS) system had their data compromised when the district's ID card
vendor Plastic Card Systems lost a flash drive containing the
- Deja vu all over again? DOE to workers: We've been hacked - For
the second time this year, the Energy Department tells employees
their personal information may have been exposed in a cyberattack.
- Attention, parents: Baby monitor hacked; default password to
blame? - The device was reportedly controlled by the hacker, who
also had off-color remarks to make to the sleeping child.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website
content is dynamic, and third parties may change the presentation or
content of a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (1 of 2)
Action Summary - Financial institutions should develop a strategy
that defines control objectives and establishes an implementation
plan. The security strategy should include
1) Cost comparisons of different strategic approaches
appropriate to the institution's environment and complexity,
2) Layered controls that establish multiple control points
between threats and organization assets, and
3) Policies that guide officers and employees in implementing
the security program.
An information security strategy is a plan to mitigate risks while
complying with legal, statutory, contractual, and internally
developed requirements. Typical steps to building a strategy include
the definition of control objectives, the identification and
assessment of approaches to meet the objectives, the selection of
controls, the establishment of benchmarks and metrics, and the
preparation of implementation and testing plans.
The selection of controls is typically grounded in a cost comparison
of different strategic approaches to risk mitigation. The cost
comparison typically contrasts the costs of various approaches with
the perceived gains a financial institution could realize in terms
increased confidentiality, availability, or integrity of systems and
data. Those gains could include reduced financial losses, increased
customer confidence, positive audit findings, and regulatory
compliance. Any particular approach should consider: (1) policies,
standards, and procedures; (2) technology and architecture; (3)
resource dedication; (4) training; and (5) testing.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
7. Does the institution provide an annual privacy notice to each
customer whose loan the institution owns the right to service?