Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- GCHQ to advise senior business leaders on how to fight cyber
attacks - GCHQ is to use its expertise to take a lead role advising
Britain's senior business leaders on how to combat the multi-billion
pound threat of cyber attacks, under a programme being unveiled
FTC offers guidance for mobile application development - As
enterprises expand their roll-outs of mobile applications, the
Federal Trade Commission wants them to be mindful of the privacy and
security ramifications that go along with these advancements.
Worker had proper access when he snagged corporate data, court rules
- Decision highlights need for firms to tighten computer access, use
polices - In a decision likely to be sobering for companies fighting
insider threats, an appeals court has ruled that an employee who
used his valid computer access rights to access data from his
employer can't be prosecuted under a federal anti-hacking law.
- Google Aurora Attackers Still On Loose, Symantec Says - Gang that
attacked Google in 2009 has continued operating, stealing sensitive
data via zero-day attacks and compromising target companies'
business partners. Whatever happened to the group of attackers that
successfully hacked into Google in 2009?
- Germany pushes for an end to massive fines for hijacked Wi-Fi -
The cities of Hamburg and Berlin are to launch a new legal
initiative to protect owners of WLAN networks from litigation if
intruders commit offences on their network. Wi-Fi network owners in
Germany look set to get an easier legal ride when their WLANs are
used by criminals.
- GAO - Community Banks and Credit Unions: Impact of the Dodd-Frank
Act Depends Largely on Future Rule Makings.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Sony says 400 customer names, emails from mobile division leaked in
China - The Japanese electronics firm said at least one server run
by a third-party Chinese company was compromised - Sony said
Thursday that hackers accessed about 400 names and email addresses
of its mobile customers in China and Taiwan, but that no credit card
or banking information was compromised.
FBI finds no evidence that AntiSec hacked its laptop - Hackers say
they got data on Apple device users from FBI agent's laptop, but the
agency denies knowing anything about it.
GoDaddy works to restore site service to unknown numbers - An
unknown, but significant, number of websites hosted by GoDaddy are
feeling the effects of an apparent attack on the company's DNS
- Apple Device IDs Leaked by Anonymous Traced to App Developer Blue
Toad - Those Apple device IDs that an Anonymous offshoot claimed to
have hacked from an FBI agent’s computer in March appear to have
actually originated just weeks ago from the hack of a little-known
app development company in Florida.
- Wyndham Hotels challenges FTC security suit over breaches -
Wyndham Hotels and Resorts has filed a motion in U.S. District Court
in Phoenix to dismiss a complaint launched by the Federal Trade
Commission (FTC) over the chain's repeated security breaches.
- Miami hospital hit by second patient breach this year - The
University of Miami Hospital has fired two employees suspected of
stealing and possibly selling the personally identifiable
information (PII) of patients.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Audit Trail Practices for E-Banking Systems
1. Sufficient logs should be maintained for all e-banking
transactions to help establish a clear audit trail and assist in
2. E-banking systems should be designed and installed to capture and
maintain forensic evidence in a manner that maintains control over
the evidence, and prevents tampering and the collection of false
3. In instances where processing systems and related audit trails
are the responsibility of a third-party service provider:
a) The bank should ensure that it has access to relevant audit
trails maintained by the service provider.
b) Audit trails maintained by the service provider meet the bank's
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
MONITORING AND UPDATING
Effective monitoring of threats includes both non - technical and
technical sources. Nontechnical sources include organizational
changes, business process changes, new business locations, increased
sensitivity of information, or new products and services. Technical
sources include new systems, new service providers, and increased
access. Security personnel and financial institution management must
remain alert to emerging threats and vulnerabilities. This effort
could include the following security activities:
! Senior management support for strong security policy awareness and
compliance. Management and employees must remain alert to
operational changes that could affect security and actively
communicate issues with security personnel. Business line managers
must have responsibility and accountability for maintaining the
security of their personnel, systems, facilities, and information.
! Security personnel should monitor the information technology
environment and review performance reports to identify trends, new
threats, or control deficiencies. Specific activities could include
reviewing security and activity logs, investigating operational
anomalies, and routinely reviewing system and application access
! Security personnel and system owners should monitor external
sources for new technical and nontechnical vulnerabilities and
develop appropriate mitigation solutions to address them. Examples
include many controls discussed elsewhere in this booklet including:
- Establishing an effective configuration management process that
monitors for vulnerabilities in hardware and software and
establishes a process to install and test security patches,
- Maintaining up - to - date anti - virus definitions and
intrusion detection attack definitions, and
- Providing effective oversight of service providers and vendors
to identify and react to new security issues.
! Senior management should require periodic security
self-assessments and audits to provide an ongoing assessment of
policy compliance and ensure prompt corrective action of significant
! Security personnel should have access to automated tools
appropriate for the complexity of the financial institution systems.
Automated security policy and security log analysis tools can
significantly increase the effectiveness and productivity of
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
36. Does the institution use a reasonable means for delivering
the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer;
c. for the consumer who conducts transactions electronically,
clearly and conspicuously posting the notice on the institution's
electronic site and requiring the consumer to acknowledge receipt as
a necessary step to obtaining a financial product or service;
d. for isolated transactions, such as ATM transactions, posting the
notice on the screen and requiring the consumer to acknowledge
receipt as a necessary step to obtaining the financial product or
(Note: insufficient or unreasonable means of delivery include:
exclusively oral notice, in person or by telephone; branch or office
signs or generally published advertisements; and electronic mail to
a customer who does not obtain products or services electronically.
[§9 (b)(2)(i) and (ii), and (d)])