Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing are an
affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit takes
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
Out of the office - I will be at
ICBA’s Community Bank Technology Conference being held this week in
Las Vegas. I will be speaking on auditing community banks and look
forward to seeing you there.
- Data breaches 10 times worse, say ICO figures - Data breaches in
the UK have increased tenfold in the past five years, figures from
the Information Commissioner's Office (ICO) reveal. In local
government the increase was 1,609% and within the NHS 935%.
- Cybercrooks fool financial advisers to steal from clients - In a
new twist, cyber-robbers are using ginned-up e-mail messages in
attempts to con financial advisers into wiring cash out of their
clients' online investment accounts.
- Judge dismisses BancorpSouth defense in online theft suit - Bank
contended that Choice Escrow's failure to secure online credentials
caused $440,000 online heist - A federal judge has rejected
BancorpSouth's plan to use contractual agreements with customers as
a shield against liability claims stemming from an online heist of
some $440,000 that was illegally wire-transferred from the account
of one of the bank's commercial customers in March 2010.
- Interior seeks to safeguard mobile devices - Interior Department
officials are seeking ideas to protect the agency's mobile devices
while they’re being used on trips outside of the country.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Toyota Contractor Accused of Sabotaging Company Network, Stealing
Data - A former programmer for Toyota has been accused of sabotaging
applications on the car company’s network and stealing data after he
was fired from his job last week, according to a civil complaint
filed by the company.
- Julius Baer Says Employee Stole German Offshore Client Data -
Julius Baer Group Ltd., the Swiss wealth manager established in
1890, is contacting German customers after an employee stole
information on their offshore bank accounts in Switzerland.
- Natural gas giant RasGas targeted in cyber attack - Reports have
surfaced that liquefied natural gas (LNG) producer RasGas, based in
the Persian Gulf nation of Qatar, has been struck by an unidentified
virus, this time shutting down its website and email servers.
- Hackers leak '1 MILLION records' on Apple fanbois from FEDS - FBI
laptop with data on 12m iThings 'pwned via Java hole' - Hackers have
dumped online the unique identification codes for one million Apple
iPhones and iPads allegedly lifted from an FBI agent's laptop. The
leak, if genuine, proves Feds are walking around with data on at
least 12 million iOS devices.
- 6.46 million LinkedIn passwords leaked online - More than 6.4
million LinkedIn passwords have leaked to the Web after an apparent
hack. Though some login details are encrypted, all users are advised
to change their passwords.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should be
assigned to all individuals, agents or systems, which conduct
2. All e-banking systems should be constructed to ensure that they
interact with a valid authorization database.
3. No individual agent or system should have the authority to change
his or her own authority or access privileges in an e-banking
4. Any addition of an individual, agent or system or changes to
access privileges in an e-banking authorization database should be
duly authorized by an authenticated source empowered with the
adequate authority and subject to suitable and timely oversight and
5. Appropriate measures should be in place in order to make
e-banking authorization databases reasonably resistant to tampering.
Any such tampering should be detectable through ongoing monitoring
processes. Sufficient audit trails should exist to document any such
6. Any e-banking authorization database that has been tampered with
should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization
levels during e-banking transaction sessions and any attempts to
alter authorization should be logged and brought to the attention of
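The practices above, modelled as a small Python class (an added example, not code from the Basel paper or this newsletter). The class name, field names and the hash-chained audit trail are assumptions chosen to make practices 3, 4, 5 and 7 checkable in code: only an empowered principal may change privileges, nobody may change their own, no change is accepted while the target has an open transaction session, and every accepted or denied change lands in a trail whose tampering is detectable.

```python
import hashlib
import json


class AuthorizationError(Exception):
    pass


class AuthorizationDatabase:
    """Hypothetical e-banking authorization database enforcing Basel practices 3, 4, 5 and 7."""

    GENESIS = "0" * 64

    def __init__(self, empowered):
        self.empowered = set(empowered)   # principals allowed to change privileges (practice 4)
        self.privileges = {}              # principal -> set of privileges
        self.open_sessions = set()        # principals inside a transaction session (practice 7)
        self.audit_trail = []             # hash-chained log of every change attempt (practice 5)
        self._last_hash = self.GENESIS

    def _log(self, event):
        # Each entry commits to the previous hash, so editing or dropping a record breaks the chain.
        entry = dict(event, prev=self._last_hash)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_trail.append(entry)
        self._last_hash = entry["hash"]

    def grant(self, actor, target, privilege):
        reason = None
        if actor not in self.empowered:
            reason = "actor not empowered to change privileges"   # practice 4
        elif actor == target:
            reason = "self-modification of privileges"            # practice 3
        elif target in self.open_sessions:
            reason = "privilege change during open session"       # practice 7
        if reason:
            # Denied attempts are logged too, so monitoring can surface them (practice 7).
            self._log({"event": "denied", "actor": actor, "target": target,
                       "privilege": privilege, "reason": reason})
            raise AuthorizationError(reason)
        self.privileges.setdefault(target, set()).add(privilege)
        self._log({"event": "grant", "actor": actor, "target": target, "privilege": privilege})

    def verify_audit_trail(self):
        """Recompute the chain; False means the trail was altered and the database is suspect."""
        prev = self.GENESIS
        for entry in self.audit_trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

A real deployment would anchor the chain outside the database (for example by periodically exporting the latest hash to a separate monitoring system), since an attacker with write access to the whole trail could otherwise rebuild it.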
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
INTERNET PRIVACY - We
continue our series listing the regulatory privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
35. Does the institution deliver
the privacy and opt out notices, including the short-form notice, so
that the consumer can reasonably be expected to receive actual
notice in writing or, if the consumer agrees, electronically?