Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
August 19, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - Number Of Hackers
Attacking Banks Jumps 81% - Hackers no longer need to be technical
wizards to set up an operation to steal people's banking information
and then rob their accounts. The number of hackers attacking banks
worldwide jumped 81% from last year, according to figures released
at the BlackHat security conference Thursday. Researchers from
SecureWorks also reported that hackers going after the company's
credit-union clients increased by 62% from last year.
FYI - GAO recommends
changes to FISMA reporting - Published on July 30, 2007 Agency
computer systems are vulnerable because many lack basic controls,
and one of the best ways to improve information technology security
is to improve the metrics for how departments measure how these
basic controls are implemented. That was the conclusion of the
Government Accountability Office, which on Friday issued a tell-tale
report identifying widespread IT security weaknesses across the
FYI - VoIP
vulnerabilities unveiled at Black Hat - VoIP phone systems, relying
on so-called "soft phone" software, may have thousands of potential
vulnerabilities, researchers at Sipera Systems said at the annual
Black Hat conference this week in Las Vegas.
FYI - Black Hat
attendees pick mobile threats as the next hot security topic -
Mobile threats were considered the next major security issue by IT
professionals who attended the Black Hat conference in Las Vegas
this week, according to a survey released today by Symantec.
FYI - Viruses, Spyware,
Phishing Cost U.S. Consumers $7 Billion Over Two Years - The survey,
based on a national sample of 2,000 U.S. households with Internet
access, suggests that consumers face a 25% chance of being
FYI - Russian phishers
loot $500K in two-year hacking spree - A pair of Russian hackers
looted more than $500,000 from Turkish bank accounts during the
course of a Trojan-powered two year hacking spree.
FYI - VeriSign worker
exits after laptop security breach - VeriSign has warned workers of
the theft of a laptop that contained their personal information. The
laptop was stolen from a car parked in the garage of a California
worker sometime on the night of 12 July.
FYI - Stolen health
computer stored 20,000 names - Police and the office of the
information and privacy commissioner are investigating a theft of
four Capital Health computers - one containing 20,000 patient names,
health card numbers, addresses and reason for admittance to
hospital. But the risk of a hacker cracking the passwords is very
low, said Capital Health spokesman Steve Buick.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 2 of 10)
A. RISK DISCUSSION
Compliance risk arises when the linked third party acts in a manner
that does not conform to regulatory requirements. For example,
compliance risk could arise from the inappropriate release or use of
shared customer information by the linked third party. Compliance
risk also arises when the link to a third party creates or affects
compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for an
institution. This guidance applies to links to affiliated, as well
as non-affiliated, third parties. A link to a third-party website
that provides a customer only with information usually does not
create a significant risk exposure if the information being provided
is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our coverage of the FDIC's "Guidance on Managing Risks
Associated With Wireless Networks and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should
institute policies and standards requiring that information and
transactions be encrypted throughout the link between the customer
and the institution. Financial institutions should carefully
consider the impact of implementing technologies requiring that a
third party have control over unencrypted customer information and
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular independent
security testing performed on its wireless customer access
application. Specific testing goals would include the verification
of appropriate security settings, the effectiveness of the wireless
application security implementation and conformity to the
institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
the top of the newsletter
IT SECURITY QUESTION:
Physical access to main computers:
a. Are the servers located in a secure location in the building?
b. Is access to the computer room restricted?
c. Is the computer room locked all the time?
d. Is there a 24 hours camera surveillance in computer room?
e. Is the computer room free of clutter?
f. Is there a fire extinguisher?
g. Are fire extinguishers regularly inspected?
h. Is there a smoke or heat detector?
i. Is there a "power down" switch?
j. Is there a "visitors log"?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify
which module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and
controls, including review of new products and services and controls
over servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including
the use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training
5) Suitability of the compliance audit program for ensuring
a) the procedures address all
regulatory provisions as applicable;
b) the work is accurate and
comprehensive with respect to the institution's information sharing
c) the frequency is appropriate;
d) conclusions are appropriately
reached and presented to responsible parties;
e) steps are taken to correct
deficiencies and to follow-up on previously identified deficiencies;
6) Knowledge level of management and personnel.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.