R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 16, 2012

CONTENT Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - GCHQ to advise senior business leaders on how to fight cyber attacks - GCHQ is to use its expertise to take a lead role advising Britain's senior business leaders on how to combat the multi-billion pound threat of cyber attacks, under a programme being unveiled today. http://www.telegraph.co.uk/news/uknews/defence/9521715/PLS-PIC-AND-PUB-GCHQ-to-advise-senior-business-leaders-on-how-to-fight-cyber-attacks.html

FYI - FTC offers guidance for mobile application development - As enterprises expand their roll-outs of mobile applications, the Federal Trade Commission wants them to be mindful of the privacy and security ramifications that go along with these advancements. http://www.scmagazine.com/ftc-offers-guidance-for-mobile-application-development/article/257656/

FYI - Worker had proper access when he snagged corporate data, court rules - Decision highlights need for firms to tighten computer access, use polices - In a decision likely to be sobering for companies fighting insider threats, an appeals court has ruled that an employee who used his valid computer access rights to access data from his employer can't be prosecuted under a federal anti-hacking law. http://www.computerworld.com/s/article/9230998/Worker_had_proper_access_when_he_snagged_corporate_data_court_rules?taxonomyId=82

FYI - Google Aurora Attackers Still On Loose, Symantec Says - Gang that attacked Google in 2009 has continued operating, stealing sensitive data via zero-day attacks and compromising target companies' business partners. Whatever happened to the group of attackers that successfully hacked into Google in 2009? http://www.informationweek.com/security/attacks/google-aurora-attackers-still-on-loose-s/240006930

FYI - Germany pushes for an end to massive fines for hijacked Wi-Fi - The cities of Hamburg and Berlin are to launch a new legal initiative to protect owners of WLAN networks from litigation if intruders commit offences on their network. Wi-Fi network owners in Germany look set to get an easier legal ride when their WLANs are used by criminals. http://www.zdnet.com/germany-pushes-for-an-end-to-massive-fines-for-hijacked-wi-fi-7000003844/

FYI - GAO - Community Banks and Credit Unions: Impact of the Dodd-Frank Act Depends Largely on Future Rule Makings. http://www.gao.gov/products/GAO-12-881


FYI - Sony says 400 customer names, emails from mobile division leaked in China - The Japanese electronics firm said at least one server run by a third-party Chinese company was compromised - Sony said Thursday that hackers accessed about 400 names and email addresses of its mobile customers in China and Taiwan, but that no credit card or banking information was compromised. http://www.computerworld.com/s/article/9230977/Sony_says_400_customer_names_emails_from_mobile_division_leaked_in_China?taxonomyId=82

FYI - FBI finds no evidence that AntiSec hacked its laptop - Hackers say they got data on Apple device users from FBI agent's laptop, but the agency denies knowing anything about it. http://news.cnet.com/8301-1009_3-57505925-83/fbi-finds-no-evidence-that-antisec-hacked-its-laptop/

FYI - GoDaddy works to restore site service to unknown numbers - An unknown, but significant, number of websites hosted by GoDaddy are feeling the effects of an apparent attack on the company's DNS servers. http://www.scmagazine.com/godaddy-works-to-restore-site-service-to-unknown-numbers/article/258376/?DCMP=EMC-SCUS_Newswire

FYI - Apple Device IDs Leaked by Anonymous Traced to App Developer Blue Toad - Those Apple device IDs that an Anonymous offshoot claimed to have hacked from an FBI agent’s computer in March appear to have actually originated just weeks ago from the hack of a little-known app development company in Florida. http://www.wired.com/threatlevel/2012/09/udid-leak-traced-to-blue-toad/

FYI - Wyndham Hotels challenges FTC security suit over breaches - Wyndham Hotels and Resorts has filed a motion in U.S. District Court in Phoenix to dismiss a complaint launched by the Federal Trade Commission (FTC) over the chain's repeated security breaches. http://www.scmagazine.com/wyndham-hotels-challenges-ftc-security-suit-over-breaches/article/258559/?DCMP=EMC-SCUS_Newswire

FYI - Miami hospital hit by second patient breach this year - The University of Miami Hospital has fired two employees suspected of stealing and possibly selling the personally identifiable information (PII) of patients. http://www.scmagazine.com/miami-hospital-hit-by-second-patient-breach-this-year/article/258895/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Audit Trail Practices for E-Banking Systems

1. Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution.

2. E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence, and prevents tampering and the collection of false evidence.

3. In instances where processing systems and related audit trails are the responsibility of a third-party service provider:

a)   The bank should ensure that it has access to relevant audit trails maintained by the service provider.

b)   Audit trails maintained by the service provider meet the bank's standards.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.


Effective monitoring of threats includes both non - technical and technical sources. Nontechnical sources include organizational changes, business process changes, new business locations, increased sensitivity of information, or new products and services. Technical sources include new systems, new service providers, and increased access. Security personnel and financial institution management must remain alert to emerging threats and vulnerabilities. This effort could include the following security activities:

! Senior management support for strong security policy awareness and compliance. Management and employees must remain alert to operational changes that could affect security and actively communicate issues with security personnel. Business line managers must have responsibility and accountability for maintaining the security of their personnel, systems, facilities, and information.

! Security personnel should monitor the information technology environment and review performance reports to identify trends, new threats, or control deficiencies. Specific activities could include reviewing security and activity logs, investigating operational anomalies, and routinely reviewing system and application access levels.

! Security personnel and system owners should monitor external sources for new technical and nontechnical vulnerabilities and develop appropriate mitigation solutions to address them. Examples include many controls discussed elsewhere in this booklet including:

 -  Establishing an effective configuration management process that monitors for vulnerabilities in hardware and software and establishes a process to install and test security patches,

 -  Maintaining up - to - date anti - virus definitions and intrusion detection attack definitions, and

 -  Providing effective oversight of service providers and vendors to identify and react to new security issues.

! Senior management should require periodic security self-assessments and audits to provide an ongoing assessment of policy compliance and ensure prompt corrective action of significant deficiencies.

! Security personnel should have access to automated tools appropriate for the complexity of the financial institution systems. Automated security policy and security log analysis tools can significantly increase the effectiveness and productivity of security personnel.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

36. Does the institution use a reasonable means for delivering the notices, such as:

a. hand-delivery of a printed copy; [§9(b)(1)(i)]

b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]

c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution's electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or 

d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [§9(b)(1)(iv)]

(Note: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [§9 (b)(2)(i) and (ii), and (d)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated