R. Kinney Williams
Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
August 31, 2008
Your financial institution needs affordable Internet security.
Yennik, Inc. has clients in 42 states that rely on our penetration
testing audits to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of the FDIC, OCC,
OTS, FRB, and NCUA under section 501(b) of the Gramm-Leach-Bliley
Act. The penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond simple port
scanning. The audit is conducted from a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give R. Kinney Williams a call today at 806-798-7119 or visit
NETWORK SECURITY CONFERENCE - I hope
you have registered for the conference in Las Vegas on September
8-10. If not, go to
www.isaca.org/nsc for more information. I look forward to
seeing you there.
Thousands of web servers hit by SQL attack - Internet security firm
Secure Computing has issued a warning of an SQL injection attack
that appears to have infected several thousand web servers,
including government and financial services sites.
Clipboards hijacked by furtive code - Security firms are warning
about a web link that is surreptitiously stored in a user's
clipboard. It has been found in Adobe Flash-based advertisements on
otherwise legitimate websites and has attacked clipboards on both
Windows and Macs.
Details in upcoming PCI DSS released - New changes in the Payment
Card Industry Data Security Standard (PCI DSS) version 1.2 have been
disclosed prior to its release in October. According to a summary of
the changes released by the PCI Security Standards Council (PCI),
the modifications include clarifications and explanations of
requirements to adhere to the guidelines of the council.
New laws require data encryption - Iowa has passed a data breach law
that requires companies to encrypt customer details. It joins more
than 40 other states that require encryption and notification of
customers should information be compromised.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Colchester Hospital sacks manager over lost laptop - Colchester
University Hospital has sacked one of its managers over the theft of
his work laptop, which contained unencrypted patient records.
Ireland investigating fake credit card reader scam - If you've used
a credit card reader in Ireland recently you may want to call your
credit card company and monitor your account.
Feds seek to nab credit card thieves in La., Miss. - A ring of
cyberthieves has stolen tens of thousands of credit card numbers
from Louisiana and Mississippi restaurants this year, leading to
over $1 million in losses for the banks that issued them.
Wuesthoff Web site security breached - Hackers penetrated Wuesthoff
Health System's pre-registration Web site earlier this week, gaining
access to personal information on 500 patients, including names,
addresses and Social Security numbers.
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 3 of 3)
Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes. Enhancements may include:
! Incorporating notification procedures to alert customers of
known e-mail and Internet-related fraudulent schemes and to caution
them against responding;
! Establishing a process to notify Internet service providers,
domain name-issuing companies, and law enforcement to shut down
fraudulent Web sites and other Internet resources that may be used
to facilitate phishing or other e-mail and Internet-related fraudulent
schemes;
! Increasing suspicious activity monitoring and employing
additional identity verification controls;
! Offering customers assistance when fraud is detected in
connection with customer accounts;
! Notifying the proper authorities when e-mail and
Internet-related fraudulent schemes are detected, including promptly
notifying their FDIC Regional Office and the appropriate law
enforcement agencies; and
! Filing a Suspicious Activity Report when incidents of e-mail
and Internet-related fraudulent schemes are suspected.
Steps Financial Institutions Can Take to Mitigate Risks
Associated With E-Mail and Internet-Related Fraudulent Schemes
To help mitigate the risks associated with e-mail and
Internet-related fraudulent schemes, financial institutions should
implement appropriate information security controls as described in
the Federal Financial Institutions Examination Council's (FFIEC)
"Information Security Booklet." Specific actions that should
be considered to prevent and deter e-mail and Internet-related
fraudulent schemes include:
! Improving authentication methods and procedures to protect
against the risk of user ID and password theft from customers
through e-mail and other frauds;
! Reviewing and, if necessary, enhancing practices for
protecting confidential customer data;
! Maintaining current Web site certificates and describing how
customers can authenticate the financial institution's Web pages by
checking the properties on a secure Web page;
! Monitoring accounts individually or in aggregate for unusual
account activity such as address or phone number changes, a large or
high volume of transfers, and unusual customer service requests;
! Monitoring for fraudulent Web sites using variations of the
financial institution's name;
! Establishing a toll-free number for customers to verify
requests for confidential information or to report suspicious e-mail; and
! Training customer service staff to refer customer concerns
regarding suspicious e-mail request activity to security staff.
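The monitoring bullet above (address or phone number changes, a large or high volume of transfers) is the kind of rule a bank's fraud desk turns into code. The following is an added example, not part of the newsletter or the FDIC guidance it summarises; the event format, the thresholds and the sample events are all assumptions chosen for illustration.

```python
"""Flag the account-activity patterns the guidance lists: a single large
transfer, a burst of transfers, or transfers shortly after the customer's
contact details were changed.

Added example, not from the newsletter or the FDIC guidance. Event
format (account,timestamp,type,amount), thresholds and sample data are
assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real customer data).
SAMPLE_EVENTS = [
    "1001,2008-08-20T09:12:00,login,0",
    "1001,2008-08-20T09:15:00,address_change,0",
    "1001,2008-08-21T14:02:00,transfer,4800",
    "1001,2008-08-21T14:10:00,transfer,4900",
    "1002,2008-08-22T10:00:00,transfer,120",
    "1002,2008-08-22T10:05:00,transfer,80",
    "1003,2008-08-01T08:00:00,phone_change,0",
    "1003,2008-08-28T08:00:00,transfer,9000",
    "1004,2008-08-25T11:00:00,transfer,300",
    "1004,2008-08-25T11:20:00,transfer,300",
    "1004,2008-08-25T11:40:00,transfer,300",
]

CONTACT_CHANGES = {"address_change", "phone_change", "email_change"}
LARGE_TRANSFER = 2500.0      # assumed single-transfer threshold
WINDOW = timedelta(days=3)   # assumed lookback for bursts and contact changes
BURST_COUNT = 3              # assumed transfers per WINDOW that count as high volume


def parse_events(lines):
    """Group events by account and sort each account's events by time."""
    events = defaultdict(list)
    for line in lines:
        acct, ts, kind, amount = line.split(",")
        events[acct].append((datetime.fromisoformat(ts), kind, float(amount)))
    for acct in events:
        events[acct].sort()
    return events


def find_alerts(lines):
    """Return sorted (account, rule) pairs for the three patterns."""
    alerts = set()
    for acct, evs in parse_events(lines).items():
        transfers = [(ts, amt) for ts, kind, amt in evs if kind == "transfer"]
        changes = [ts for ts, kind, _ in evs if kind in CONTACT_CHANGES]
        for ts, amt in transfers:
            # Rule 1: one transfer at or above the large-transfer threshold.
            if amt >= LARGE_TRANSFER:
                alerts.add((acct, "large_transfer"))
            # Rule 2: high volume, counted over the WINDOW ending at this transfer.
            recent = [t for t, _ in transfers if ts - WINDOW <= t <= ts]
            if len(recent) >= BURST_COUNT:
                alerts.add((acct, "high_volume"))
            # Rule 3: a transfer within WINDOW after a contact-detail change,
            # the sequence seen when a stolen login is used to redirect mail first.
            if any(timedelta(0) <= ts - c <= WINDOW for c in changes):
                alerts.add((acct, "transfer_after_contact_change"))
    return sorted(alerts)


if __name__ == "__main__":
    for acct, rule in find_alerts(SAMPLE_EVENTS):
        print(acct, rule)
```

Account 1003 shows why the lookback matters: its phone change is 27 days before the transfer, so only the size rule fires. The thresholds are deliberately separate constants so they can be tuned per institution without touching the logic.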
E-mail and Internet-related fraudulent schemes present a
substantial risk to financial institutions and their customers.
Financial institutions should consider developing programs to
educate customers about e-mail and Internet-related fraudulent
schemes and how to avoid them, consider enhancing incident response
programs to address possible e-mail and Internet-related fraudulent
schemes, and implement appropriate information security controls to
help mitigate the risks associated with e-mail and Internet-related
fraudulent schemes.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 2 of 3)
Other common protocols in a TCP/IP network include the following:
! Address resolution protocol (ARP) - Obtains the hardware address
of connected devices and matches that address with the IP address
for that device. The hardware address is the Ethernet card's
address, technically referred to as the "media access
control" (MAC) address. Ethernet delivers frames by MAC address, so
a router must learn both the IP address and the MAC address of the
devices on each connected segment. ARP replies carry no
authentication, so any host on the same segment can answer for
another host's IP address; static entries or switch-level ARP
inspection are the usual defenses. Reverse ARP (RARP) also exists
as a protocol.
! Internet control message protocol (ICMP) - Used to send messages
about network health between devices, provides alternate routing
information if trouble is detected, and helps to identify problems
with routing. Because ICMP also reveals which hosts respond, perimeter
filters commonly restrict the ICMP types accepted from the Internet.
! File transfer protocol (FTP) - Used to browse directories and
transfer files. Although access can be authenticated or anonymous,
FTP does not support encrypted authentication; the user ID and
password cross the network in the clear. Conducting FTP within
encrypted channels, such as a Virtual Private Network (VPN), secure
shell (SSH), or secure sockets layer (SSL) session, can improve
security (SFTP and FTPS are the SSH-based and SSL/TLS-based variants).
! Trivial file transfer protocol (TFTP) - A file transfer protocol
with no file-browsing ability and no support for authentication.
! Simple mail transfer protocol (SMTP) - Commonly used in e-mail
systems to send mail.
! Post office protocol (POP) - Commonly used to receive e-mail.
! Hypertext transport protocol (HTTP) - Used for Web browsing.
! Secure shell (SSH) -
Encrypts communications sessions, typically used for remote
administration of servers.
! Secure sockets layer (SSL) -
Typically used to encrypt Web browsing sessions, sometimes used to
secure e-mail transfers and FTP sessions.
C. HOST SECURITY
Determine whether hosts are hardened through the removal of
unnecessary software and services, consistent with the needs
identified in the risk assessment, and that configuration takes
advantage of available object, device, and file access controls.
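The protocol list above and the host-security check here meet in practice when an examiner asks which of those services a server actually exposes. The following is an added example, not from the newsletter or the FFIEC booklet: it parses constructed `ss -lntu` output (Linux), maps each listening port to the protocol from the list using its IANA well-known port, and flags services that move credentials in the clear or accept no authentication and are reachable from the network. The sample output, the port table and the recommendations are this example's own assumptions.

```python
"""Inventory listening services from `ss -lntu` output and flag the ones
the protocol list describes as cleartext or unauthenticated.

Added example, not from the newsletter or the FFIEC booklet. The sample
output is constructed, and the port table covers only the protocols the
text names (IANA well-known ports)."""

# Constructed sample of `ss -lntu` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:69        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:110       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# (transport, port) -> (protocol, hardening note). Notes are the example's
# own recommendations, phrased around the properties the text describes.
KNOWN_PORTS = {
    ("tcp", 21): ("FTP", "cleartext credentials; tunnel over VPN/SSH/TLS or use SFTP"),
    ("udp", 69): ("TFTP", "no authentication; disable unless needed for boot images"),
    ("tcp", 22): ("SSH", "encrypted; restrict sources, prefer key-based logins"),
    ("tcp", 25): ("SMTP", "cleartext unless STARTTLS is enforced"),
    ("tcp", 80): ("HTTP", "cleartext; redirect to HTTPS"),
    ("tcp", 110): ("POP3", "cleartext credentials; require POP3S or disable"),
    ("tcp", 443): ("HTTPS", "encrypted (SSL/TLS)"),
}
CLEARTEXT = {"FTP", "TFTP", "SMTP", "HTTP", "POP3"}
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(output):
    """Return (transport, bind_address, port) for each socket line."""
    sockets = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        transport, local = fields[0], fields[4]   # "Local Address:Port"
        addr, _, port = local.rpartition(":")     # rpartition keeps IPv6 "[::]"
        sockets.append((transport, addr, int(port)))
    return sockets


def review_listeners(output):
    """One finding per socket. A cleartext service bound to a non-loopback
    address is flagged for removal or encryption; an unknown exposed port is
    flagged for review; everything else is 'ok'."""
    findings = []
    for transport, addr, port in parse_ss(output):
        name, note = KNOWN_PORTS.get(
            (transport, port),
            ("unknown", "not in table; identify the owning process (ss -lntup)"))
        local_only = addr in LOOPBACK
        if name in CLEARTEXT and not local_only:
            flag = "remove_or_encrypt"
        elif name == "unknown" and not local_only:
            flag = "review"
        else:
            flag = "ok"
        findings.append({"transport": transport, "addr": addr, "port": port,
                         "service": name, "flag": flag, "note": note})
    return findings


def flagged_services(output):
    """Sorted names of services that need action."""
    return sorted({f["service"] for f in review_listeners(output) if f["flag"] != "ok"})


if __name__ == "__main__":
    for f in review_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['transport']:<4} {f['addr']}:{f['port']:<5} "
              f"{f['service']:<7} {f['flag']:<18} {f['note']}")
```

The loopback check is what separates "remove the service" from "it is fine as a local mail relay": SMTP bound to 127.0.0.1 in the sample is left alone, while FTP, TFTP, HTTP and POP3 on 0.0.0.0 are the items the risk assessment has to justify or the hardening step has to remove. On a real host the same script is run on `ss -lntu` output piped in, and the "unknown" rows are the ones to chase down by process.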
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for
Service Providers and Joint Marketing
47. If the institution discloses nonpublic personal
information to a nonaffiliated third party without permitting the
consumer to opt out, do the opt out requirements of §7 and §10,
and the revised notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial
notice; [§13(a)(1)(i)] and
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.