R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 8, 2013

CONTENT Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - How to perform a SaaS inventory in five simple steps - According to a recent survey, 71 percent of respondents admitted to using software-as-a-service (SaaS) apps that were not blessed by IT. http://www.scmagazine.com/how-to-perform-a-saas-inventory-in-five-simple-steps/article/309446/?DCMP=EMC-SCUS_Newswire

FYI - Feds developing guidelines to help businesses to better secure their IT systems - Following through on an order earlier this year from U.S. President Barack Obama, the National Institute of Standards and Technology (NIST) is rapidly developing a set of guidelines and best practices to help organizations better secure their IT systems. http://www.pcworld.com/article/2047778/nist-subjects-draft-cybersecurity-framework-to-more-public-scrutiny.html

FYI - Three Charged With Stealing Flow Traders Trading Software - Two men who were employed by Flow Traders were charged in New York with stealing the firm’s electronic trading software by e-mailing it to themselves from their work accounts. http://www.bloomberg.com/news/2013-08-26/three-charged-with-stealing-flow-traders-trading-software.html

FYI - Compliance and security vulnerabilities are top concerns for POS systems - Without adequate controls to manage store systems and the increase in number and variety of devices - retailers can expect security costs to continue to increase rapidly. http://www.net-security.org/secworld.php?id=15475

FYI - India will reportedly ban use of US e-mail services - The government is said to be planning a formal notification to employees banning them from using e-mail providers with servers in the U.S. such as Gmail, to increase the security of confidential government information. http://www.zdnet.com/in/india-will-reportedly-ban-use-of-us-e-mail-services-7000020059/

FYI - Banks' resilience to cyber crime to be tested by Government - Banks’ resilience to cyber attacks are being rated by government officials for the first time amid concerns about the increasing risks to the financial system from electronic criminals and terrorists. http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/10278187/Banks-resilience-to-cyber-crime-to-be-tested-by-Government.html

FYI - Scots council cops £100K fine for spaffing vulnerable kids' data ONLINE - UK data privacy watchdogs have fined Aberdeen City Council £100,000 after a council employee published vulnerable children's details online. http://www.theregister.co.uk/2013/09/02/aberdeen_ico_fine/

FYI - Exclusive: Army Admits To Major Computer Security Flaw - Army’s Deputy of Cybersecurity told BuzzFeed a security failure can allow unauthorized access to computer files. Instead of fixing it, they are telling soldiers to be more careful. http://www.buzzfeed.com/justinesharrock/exclusive-army-admits-to-major-computer-security-flaw

FYI - State-sponsored attacks worsen, but security pros unequipped to spot threat - A majority of IT security professionals said they were unsure whether their own corporate networks had fallen victim to state-sponsored attackers. http://www.scmagazine.com/study-state-sponsored-attacks-worsen-but-security-pros-unequipped-to-spot-threat/article/310267/?DCMP=EMC-SCUS_Newswire


FYI - Hacker group takes responsiblity for DNS attack on major media sites - That's what the Syrian Electronic Army (SEA) tweeted Tuesday, as the pro-Assad hacker collective announced domains belonging to The New York Times, Huffington Post U.K., and Twitter were compromised. http://www.scmagazine.com/hacker-group-takes-responsiblity-for-dns-attack-on-major-media-sites/article/309132/

FYI - Supercomputer hacker coughs to flogging DoE logins to FBI agent - The US hacker caught after trying to sell Department of Energy supercomputer logins to an undercover FBI agent has pleaded guilty in a deal that could see him go to jail for up to 18 months. http://www.theregister.co.uk/2013/08/28/hacker_plea_deal/

FYI - Five arrested after HMRC finds £500,000 online tax fraud - Police have arrested five members of a criminal cyber gang on suspicion of tax fraud, after they allegedly attempted to steal £500,000 by falsely claiming rebates using the identities of 700 British citizens. http://www.computerworlduk.com/news/security/3465705/five-arrested-after-hmrc-finds-500000-online-tax-fraud/

FYI - Citibank to pay CT fine for website vulnerability - Citibank N.A. will pay $55,000 to the state and undergo a third-party security audit for failing to act quickly enough to fix a known security vulnerability on its website. http://www.hartfordbusiness.com/article/20130829/NEWS01/130829864

FYI - Home brewing and wine making company website cracked open by hackers - Alcohol aficionados who made purchases with home brewing and wine making company Midwest Supplies may have had their credit card details compromised in a website breach. http://www.scmagazine.com/home-brewing-and-wine-making-company-website-cracked-open-by-hackers/article/309556/?DCMP=EMC-SCUS_Newswire

FYI - Hacktivists take claim for defacement of Marines site - A hacker collective that has previously taken responsibility for a series of high-profile attacks, including those against The New York Times, now claims it defaced a Marine Corps recruiting website. http://www.scmagazine.com/hacktivists-take-claim-for-defacement-of-marines-site/article/310016/?DCMP=EMC-SCUS_Newswire#

FYI - Military employee "dealt with" for emailing personnel data home - An unidentified Hill Air Force Base employee was looking to work from home, but instead had to be “dealt with” after he emailed personal information on hundreds of colleagues to an unprotected personal email address. http://www.scmagazine.com/military-employee-dealt-with-for-emailing-personnel-data-home/article/309443/?DCMP=EMC-SCUS_Newswire

FYI - Unencrypted medical laptop goes missing, compromising patients - Information may have been compromised for patients of UT Physicians – the medical practice at University of Texas Health Science Center at Houston (UTHealth) – after an unencrypted laptop containing the data was reported missing. http://www.scmagazine.com/unencrypted-medical-laptop-goes-missing-compromising-patients/article/309913/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 2 of  6)

Characteristics of Identity Theft

At this time, the majority of identity theft is committed using hard-copy identification or other documents obtained from the victim without his or her permission. A smaller, but significant, amount of identity theft is committed electronically via phishing, spyware, hacking and computer viruses.  Financial institutions are among the most frequent targets of identity thieves since they store sensitive information about their customers and hold customer funds in accounts that can be accessed remotely and transferred electronically.

Identity theft may harm consumers in several ways. First, an identity thief may gain access to existing accounts maintained by consumers and either transfer funds out of deposit accounts or incur charges to credit card accounts. Identity thieves may also open new accounts in the consumer's name, incur expenses, and then fail to pay. This is likely to prompt creditors to attempt to collect payment from the consumer for debts the consumer did not incur. In addition, inaccurate adverse information about the consumer's payment history may prevent the consumer from obtaining legitimate credit when he or she needs it. An identity theft victim can spend months or years attempting to correct errors in his or her credit record.


Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  



Access Rights Administration (2 of 5)

System devices, programs, and data are system resources. Each system resource may need to be accessed by other system resources and individuals in order for work to be performed. Access beyond the minimum required for work to be performed exposes the institution's systems and information to a loss of confidentiality, integrity, and availability. Accordingly, the goal of access rights administration is to identify and restrict access to any particular system resource to the minimum required for work to be performed.  The financial institution's security policy should address access rights to system resources and how those rights are to be administered.

Management and information system administrators should critically evaluate information system access privileges and establish access controls to prevent unwarranted access.  Access rights should be based upon the needs of the applicable user or system resource to carry out legitimate and approved activities on the financial institution's information systems.  Policies, procedures, and criteria need to be established for both the granting of appropriate access rights and for the purpose of establishing those legitimate activities.  Formal access rights administration for users consists of four processes:

! An enrollment process to add new users to the system;

! An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information;

! An authentication process to identify the user during subsequent activities; and

! A monitoring process to oversee and manage the access rights granted to each user on the system.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

9)  Does the institution list the following categories of nonpublic personal information that it collects, as applicable:

a)  information from the consumer; [§6(c)(1)(i)]

b)  information about the consumer's transactions with the institution or its affiliates; [§6(c)(1)(ii)]

c)  information about the consumer's transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and

d)  information from a consumer reporting agency? [§6(c)(1)(iv)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated