R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 26, 2012

CONTENT Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - AT&T Hit by DDoS Attack, Suffers DNS Outage - A distributed denial-of-service attack aimed at AT&T's DNS (Domain Name System) servers has disrupted data traffic for some of the company's customers. https://www.pcworld.com/businesscenter/article/260940/atandt_hit_by_ddos_attack_suffers_dns_outage.html

FYI - Appeals Court OKs Warrantless, Real-Time Mobile Phone Tracking - A federal appeals court on Wednesday said the authorities do not need a probable-cause warrant to track a suspect’s every move via GPS signals from a suspect’s mobile phone. http://www.wired.com/threatlevel/2012/08/warrantless-gps-phone-tracking/

FYI - ACLU sues for FBI GPS tracking guidelines - The American Civil Liberties Union is taking the Justice Department to court over the Federal Bureau of Investigation's most recent policies for using global positioning systems to track people. http://www.nextgov.com/mobile/2012/08/aclu-sues-fbi-gps-tracking-guidelines/57452/?oref=ng-HPriver

FYI - New NIST encryption guidelines may force agencies to replace old websites - Next month the National Institute of Standards and Technology (NIST) plans to put out for public review its draft for a new government encryption standard that, when finalized, is going to compel federal agencies with older websites to replace them. http://www.computerworld.com/s/article/9230330/New_NIST_encryption_guidelines_may_force_agencies_to_replace_old_websites?taxonomyId=244

FYI - Can YOU crack the Gauss uber-virus encryption? - Appeal for help to break open hidden scrambled payload - Antivirus experts have called on cryptographers and other clever bods for help after admitting they are no closer to figuring out the main purpose of the newly discovered Gauss supervirus. http://www.theregister.co.uk/2012/08/14/gauss_mystery_payload/

FYI - NIST seeks vulnerability analysis for military Android apps - The National Institute of Standards and Technology is seeking vulnerability analysis and security scanning for the Pentagon’s Android software applications, according to a solicitation posted Thursday. http://www.nextgov.com/mobile/2012/08/nist-seeks-vulnerability-analysis-military-android-apps/57505/?oref=ng-channelriver


FYI - Jailed man narrowly escapes fatal error in electronic health record - In one of a series of alleged errors by a county jail’s new electronic health record system, the EHR recommended what could have been a fatal dose of medication for a heart patient, the jail’s nurses said this week. http://www.nextgov.com/health/2012/08/jailed-man-narrowly-escapes-fatal-error-electronic-health-record/57439/?oref=ng-HPtopstory

FYI - Data-wiping Shamoon targeting Middle East energy sector - Researchers are warning of the latest advanced cyber threat, Shamoon, which has targeted at least one energy company in the Middle East. http://www.scmagazine.com/data-wiping-shamoon-targeting-middle-east-energy-sector/article/254967/?DCMP=EMC-SCUS_Newswire

FYI - ICO to investigate Tesco following data security claims - The Information Commissioner's Office (ICO) is to investigate Tesco after research revealed failings in the retail giant's security. http://www.scmagazineuk.com/ico-to-investigate-tesco-following-data-security-claims/article/255238/

FYI - 500K Credit Cards Stolen in Australian Point-of-Sale Hack - Police in Australia are investigating a breach of half a million credit card numbers that reports say was conducted by the same gang that struck the Subway restaurant chain in the United States. http://www.wired.com/threatlevel/2012/08/500k-credit-cards-stolen/

FYI - University of South Carolina web server hacked by overseas attackers - The University of South Carolina (USC) in Columbia announced Tuesday that its College of Education's web server was hacked – a discovery made in June by school officials. http://www.scmagazine.com/university-of-south-carolina-web-server-hacked-by-overseas-attackers/article/255591/?DCMP=EMC-SCUS_Newswire

FYI - MD Anderson sustains second security breach this year - An employee of the University of Texas MD Anderson Cancer Center lost a thumb drive, potentially exposing unencrypted medical and personal information of patients. http://www.scmagazine.com/md-anderson-sustains-second-security-breach-this-year/article/255479/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 2 of 3)

3. Banks should adopt appropriate procedures for ensuring the adequacy of contracts governing e-banking. Contracts governing outsourced e-banking activities should address, for example, the following:

a)  The contractual liabilities of the respective parties as well as responsibilities for making decisions, including any sub-contracting of material services are clearly defined.

b)   Responsibilities for providing information to and receiving information from the service provider are clearly defined. Information from the service provider should be timely and comprehensive enough to allow the bank to adequately assess service levels and risks. Materiality thresholds and procedures to be used to notify the bank of service disruptions, security breaches and other events that pose a material risk to the bank should be spelled out.

c)   Provisions that specifically address insurance coverage, the ownership of the data stored on the service provider's servers or databases, and the right of the bank to recover its data upon expiration or termination of the contract should be clearly defined.

d)   Performance expectations, under both normal and contingency circumstances, are defined. 

e)  Adequate means and guarantees, for instance through audit clauses, are defined to insure that the service provider complies with the bank's policies. 

f)   Provisions are in place for timely and orderly intervention and rectification in the event of substandard performance by the service provider.

g)   For cross-border outsourcing arrangements, determining which country laws and regulations, including those relating to privacy and other customer protections, are applicable.

h)  The right of the bank to conduct independent reviews and/or audits of security, internal controls and business continuity and contingency plans is explicitly defined.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.


Management is responsible for considering the following key factors in developing and implementing independent diagnostic tests:

Personnel. Technical testing is frequently only as good as the personnel performing and supervising the test. Management is responsible for reviewing the qualifications of the testing personnel to satisfy themselves that the capabilities of the testing personnel are adequate to support the test objectives.

Scope. The tests and methods utilized should be sufficient to validate the effectiveness of the security process in identifying and appropriately controlling security risks.

Notifications. Management is responsible for considering whom to inform within the institution about the timing and nature of the tests. The need for protection of institution systems and the potential for disruptive false alarms must be balanced against the need to test personnel reactions to unexpected activities.

Controls Over Testing. Certain testing can adversely affect data integrity, confidentiality, and availability. Management is expected to limit those risks by appropriately crafting test protocols. Examples of issues to address include the specific systems to be tested, threats to be simulated, testing times, the extent of security compromise allowed, situations in which testing will be suspended, and the logging of test activity. Management is responsible for exercising oversight commensurate with the risk posed by the testing.

Frequency. The frequency of testing should be determined by the institution's risk assessment. High - risk systems should be subject to an independent diagnostic test at least once a year. Additionally, firewall policies and other policies addressing access control between the financial institution's network and other networks should be audited and verified at least quarterly.  Factors that may increase the frequency of testing include the extent of changes to network configuration, significant changes in potential attacker profiles and techniques, and the results of other testing.
(FYI - This is exactly the type of independent diagnostic testing that the VISTA pen-test study covers.  Please refer to http://www.internetbankingaudits.com/ for information.)

Proxy Testing. Independent diagnostic testing of a proxy system is generally not effective in validating the effectiveness of a security process. Proxy testing, by its nature, does not test the operational system's policies and procedures, or its integration with other systems. It also does not test the reaction of personnel to unusual events. Proxy testing may be the best choice, however, when management is unable to test the operational system without creating excessive risk.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

33. Except as permitted by §§13-15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:

a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution's privacy policies and
practices; [§8(a)(1)]

b. the institution has provided the consumer with a new opt out notice;

c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§8(a)(3)] and

d. the consumer has not opted out? [§8(a)(4)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated