R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

September 13, 2009

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - The Information Security and Risk Management Conference is being held September 28-30, 2009 in Las Vegas, Nevada. This is a great conference that I highly recommend. For more information and to register, please go to http://www.isaca.org/isrmc.

Incompetence a bigger IT security threat than malign insiders - Accidental security incidents involving workers happen more frequently and have the greater potential for negative impact than malicious insider attacks, according to new research from RSA.

FBI investigating mystery laptops sent to governors - There may be a new type of Trojan Horse attack to worry about - The U.S. Federal Bureau of Investigation is trying to figure out who sent five Hewlett-Packard laptop computers to West Virginia Governor Joe Manchin a few weeks ago, with state officials worried that they may contain malicious software. http://www.computerworld.com/s/article/9137208/FBI_investigating_mystery_laptops_sent_to_governors?source=rss_security

Twitter fails to fix massive cross-site scripting bug, researcher says - Hackers can hijack accounts more easily by getting people to view a tweet, he says - A vulnerability in Twitter Inc.'s popular microblogging service remains unfixed and can be used by criminals to hijack accounts or redirect users to malicious Web sites, a developer claimed. http://www.computerworld.com/s/article/9137164/Twitter_fails_to_fix_massive_cross_site_scripting_bug_researcher_says_?source=rss_security

Phishing Attacks on the Wane - Phishing attacks have fallen out of favor among cyber crooks who make a living stealing personal and financial information, according to a report released this week by IBM. Instead, attackers increasingly are using malicious Web links and password-stealing Trojan horse programs to filch information from victims, the company found. http://voices.washingtonpost.com/securityfix/2009/08/phishing_attacks_on_the_wane.html

DHS Clarifies Laptop Border Searches - The new rules leave open the possibility that travelers may face penalties for refusing to provide passwords or encryption keys. The Department of Homeland Security on Thursday released new directives covering border searches of electronic devices and media, but the government's rules leave open the question of whether individuals can be compelled to provide passwords and encryption keys.

Security test prompts federal fraud alert - A sanctioned security test of a bank's computer systems had some unexpected consequences this week, leading the federal agency that oversees U.S. credit unions to issue a fraud alert.


Home Office data loss included drug records - The Home Office has confirmed that the volume of data on a lost memory stick was much larger than originally reported. http://news.zdnet.co.uk/security/0,1000000189,39730190,00.htm

Top hacker arrested - A top hacker has been arrested for manipulating 100,000 computers. Chinese news service Xinhua is reporting the tale of the super hacker who formed a 'corpse network' of some 100,000 computers, and used them to do his foul bidding. http://www.techspot.com/news/17248-top-hacker-arrested.html


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 3: Banks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems, databases and applications.

Segregation of duties is a basic internal control measure designed to reduce the risk of fraud in operational processes and systems and ensure that transactions and company assets are properly authorized, recorded and safeguarded. Segregation of duties is critical to ensuring the accuracy and integrity of data and is used to prevent the perpetration of fraud by an individual. If duties are adequately separated, fraud can only be committed through collusion.

E-banking services may necessitate modifying the ways in which segregation of duties is established and maintained, because transactions take place over electronic systems where identities can be more readily masked or faked. In addition, operational and transaction-based functions have in many cases become more compressed and integrated in e-banking applications. Therefore, the controls traditionally required to maintain segregation of duties need to be reviewed and adapted to ensure an appropriate level of control is maintained. Because access to poorly secured databases can be more easily gained through internal or external networks, strict authorization and identification procedures, safe and sound architecture of the straight-through processes, and adequate audit trails should be emphasized.

Common practices used to establish and maintain segregation of duties within an e-banking environment include the following:

1)  Transaction processes and systems should be designed to ensure that no single employee/outsourced service provider could enter, authorize and complete a transaction.

2)  Segregation should be maintained between those initiating static data (including web page content) and those responsible for verifying its integrity.

3)  E-banking systems should be tested to ensure that segregation of duties cannot be bypassed.

4)  Segregation should be maintained between those developing and those administrating e-banking systems.
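The four practices above can be enforced in the application itself rather than left to procedure. The following is an added example, not code from the Basel paper: a maker/checker workflow in which no single identity can enter, authorize and complete a transaction, steps cannot be skipped, and every action is written to an audit trail. The role names, user ids and three-step sequence are assumptions for illustration.

```python
# Added example, not from the Basel paper: maker/checker workflow enforcing
# segregation of duties in code. Role names, user ids and the three-step
# sequence are assumptions for illustration.
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    ENTER = "enter"
    AUTHORIZE = "authorize"
    COMPLETE = "complete"

# Steps must occur in this order; each step needs a distinct user identity.
STEP_ORDER = [Role.ENTER, Role.AUTHORIZE, Role.COMPLETE]

class SoDViolation(Exception):
    """Raised when a step would be skipped or one identity would act twice."""

@dataclass
class Transaction:
    tx_id: str
    amount_cents: int
    actors: dict = field(default_factory=dict)   # Role -> user who did it
    audit_trail: list = field(default_factory=list)

class Workflow:
    def __init__(self, user_roles: dict):
        self.user_roles = user_roles   # user id -> set of Role

    def perform(self, user: str, role: Role, tx: Transaction) -> Transaction:
        # Authorisation: the user must hold the role being exercised.
        if role not in self.user_roles.get(user, set()):
            raise SoDViolation(f"{user} is not permitted to {role.value}")
        # Sequencing: no step may be skipped or repeated.
        idx = STEP_ORDER.index(role)
        if idx > 0 and STEP_ORDER[idx - 1] not in tx.actors:
            raise SoDViolation(f"{role.value} attempted before {STEP_ORDER[idx - 1].value}")
        if role in tx.actors:
            raise SoDViolation(f"{role.value} already performed on {tx.tx_id}")
        # Segregation: one identity may not act twice on the same transaction,
        # even when it holds every role, so completing it requires collusion.
        if user in tx.actors.values():
            raise SoDViolation(f"{user} already acted on {tx.tx_id}")
        tx.actors[role] = user
        tx.audit_trail.append((role.value, user))   # audit trail per Principle 3
        return tx

def is_complete(tx: Transaction) -> bool:
    """True only when entry, authorisation and completion are all recorded."""
    return all(step in tx.actors for step in STEP_ORDER)
```

Practice 3 (testing that segregation cannot be bypassed) is covered by exercising the rejection paths: a user holding all three roles still cannot carry a transaction through alone, and completion without a recorded authorization is refused.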

We continue our series on the FFIEC interagency Information Security Booklet.

INSURANCE  (Part 1 of 2)

Financial institutions have used insurance coverage as an effective method to transfer risks from themselves to insurance carriers. Insurance coverage is increasingly available to cover risks from security breaches or denial of service attacks. For example, several insurance companies offer e-commerce insurance packages that can reimburse financial institutions for losses from fraud, privacy breaches, system downtime, or incident response. When evaluating the need for insurance to cover information security threats, financial institutions should understand the following points:

- Insurance is not a substitute for an effective security program.
- Traditional fidelity bond coverage may not protect from losses related to security intrusions.
- Availability, cost, and covered risks vary by insurance company.
- Availability of new insurance products creates a more dynamic environment for these factors.
- Insurance cannot adequately cover the reputation and compliance risk related to customer relationships and privacy.
- Insurance companies typically require companies to certify that certain security practices are in place.


6. Determine if institution oversight of third party provider security controls is adequate.

7. Determine if any third party provider access to the institution's system is controlled according to "Authentication and Access Controls" and "Network Security" procedures.

8. Determine if the contract requires secure remote communications, as appropriate.

9. Determine if the institution appropriately assessed the third party provider's procedures for hiring and monitoring personnel who have access to the institution's systems and data.


We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [7(c)]

24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [7(d)(1)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated