Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
This week, I am attending the Network Security
Conference sponsored by the Information Systems Audit and Control
Association (ISACA) being held at Caesars Place in Las Vegas. I look forward to
meeting any of you that will also be in attendance.
Data breaches already surpass 2007 total - The number of reported
data breaches has already surpassed 2007's total, according to a
report from Identity Theft Resource Center.
Medical identity thefts on the rise - Medical identity theft is
increasing, in part because of the wealth of personal information
available in medical records, experts say. And much of this identity
theft is coming from within the medical community.
UK gov loses 29 million personal records - UK government departments
have managed to leak a total of 29 million personal records over a
TV news anchor admits to hacking, leaking colleague's e-mail -
Philadelphia's Mendte pleads guilty to accessing a protected
computer - A Philadelphia TV news anchor pleaded guilty today to
breaking into his co-anchor's e-mail accounts more than 500 times
and feeding information he found there to a local newspaper.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thousands hit by bank card scam in Galway - GARDAÍ HAVE uncovered a
large-scale international ATM and credit card cloning operation
involving thousands of cards used recently in the Galway area.
Gardaí believe it is more serious than the card fraud which came to
light earlier this week in the east of the country.
Personal data of a million bank customers found on computer sold on
eBay for £35 - Personal details of more than a million bank
customers have been found on a computer sold on eBay.
Every prisoner in UK victim of data breach - The personal
information on thousands of criminals in England and Wales has been
lost on a USB drive. Although the data had been encrypted in a
database, it was not encrypted when moved to the mobile storage
Hackers breach Best Western in data heist - Eight million account
details stolen - Hackers have broken into the corporate databases
for best Western Hotels and may have stolen the names, addresses and
credit card information of every customer who stayed with the
international group since 2007.
Red Hat admits breach of its servers, Fedora - Infrastructure
servers compromised by hackers company says - Red Hat confirmed
Friday that hackers compromised infrastructure servers belonging to
the company and the Fedora Project, including systems used to sign
Bank of NY Mellon data breach now affects 12.5 mln - Bank of New
York Mellon Corp said on Thursday that a security breach involving
the loss of personal information is much larger than previously
reported, affecting about 12.5 million people, up from 4.5 million.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
begin this week reviewing the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part
1 of 10)
A. RISK DISCUSSION
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking
relationships are exposed to several risks associated with the use
of this technology. The most significant risks are reputation
risk and compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial
institution or the linked third party is offering products and
- customer dissatisfaction with the quality of products or
services obtained from a third party; and
- customer confusion as to whether certain regulatory
protections apply to third-party products or services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Protocols and Ports (Part 3 of 3)
are built in conformance with the protocols to provide services from
hosts to clients. Because clients must have a standard way of
accessing the services, the services are assigned to standard host
ports. Ports are logical not physical locations that are either
assigned or available for specific network services. Under TCP/IP,
65536 ports are available, and the first 1024 ports are commercially
accepted as being assigned to certain services. For instance, Web
servers listen for requests on port 80, and secure socket layer Web
servers listen on port 443. A complete list of the commercially
accepted port assignments is available at www.iana.org.
Ports above 1024 are known as high ports, and are user - assignable.
However, users and administrators have the freedom to assign any
port to any service, and to use one port for more than one service.
Additionally, the service listening on one port may only proxy a
connection for a separate service. For example, a Trojan horse
keystroke - monitoring program can use the Web browser to send
captured keystroke information to port 80 of an attacker's machine.
In that case, monitoring of the packet headers from the compromised
machine would only show a Web request to port 80 of a certain IP
Return to the top of the
C. HOST SECURITY
Determine if the configuration minimizes the functionality of
programs, scripts, and plug - ins to what is necessary and
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice
in §8, and for service providers and joint marketing in §13, not
apply because the information is disclosed as necessary to effect,
administer, or enforce a transaction that the consumer requests or
authorizes, or in connection with:
a. servicing or processing a financial product or service
requested or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the
institution or with another entity as part of a private label credit
card program or other credit extension on behalf of the entity; or [§14(a)(2)]
c. a proposed or actual securitization, secondary market sale
(including sale of servicing rights) or other similar transaction
related to a transaction of the consumer? [§14(a)(3)]