R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 18, 2011

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for Android smartphones and tablets.  Go to the Android Market and search for yennik.

REMINDER - This week September 19, 2011, I am attending the ISACA Information Security and Risk Management Conference in Las Vegas, Nevada.  I look forward to seeing you there.

FYI - Justice Dept. loses round in warrantless phone tracking - The American Civil Liberties Union is touting its victory in a case against the Department of Justice over alleged mobile phone tracking. http://news.cnet.com/8301-1009_3-20102518-83/justice-dept-loses-round-in-warrantless-phone-tracking/?tag=mncol;title

FYI - Court Approves Lawsuit Against Toyota Over Cyberstalking Ad Stunt - A woman who was targeted by Toyota in a creepy, stalker-themed online advertising stunt will be allowed to sue the company, despite the carmaker’s argument that she unknowingly agreed to the whole thing. http://www.wired.com/threatlevel/2011/09/toyota-punkd/

FYI - Online ID thief sentenced to 14 years - A man who pleaded guilty on April 4 to one count of wire fraud and one count of aggravated identity theft was sentenced last week in U.S. District Court in Alexandria, Va. to 14 years in prison. http://www.scmagazineus.com/online-id-thief-sentenced-to-14-years/article/211853/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Patient data posted online in major breach of privacy - Medical records for 20,000 emergency room patients were on website for a year - A medical privacy breach at Stanford University’s hospital in Palo Alto, Calif., led to the public posting of medical records for 20,000 emergency room patients, including names and diagnosis codes, on a commercial website for nearly a year, the hospital has confirmed. http://www.msnbc.msn.com/id/44443413/ns/technology_and_science-the_new_york_times/#.TmlDP-zQp8E

FYI - GlobalSign stops secure certificates after hack - Belgian security firm GlobalSign has temporarily stopped issuing authentication certificates for secure websites. http://www.bbc.co.uk/news/technology-14819257

FYI - Linux Foundation Confirms Malware Attack - Foundation advises users to change passwords following exploit of kernel.org, used to distribute the Linux kernel. The Linux Foundation last week emailed all of its users, warning them that an attacker had compromised LinuxFoundation.org and Linux.com, as well as their subdomains. The attacker may also have stolen usernames, email addresses, and passwords. http://www.informationweek.com/news/security/attacks/231601225

FYI - Vending machine company announces major data breach - Up to 40,000 reported may be affected by breach of Vacationland Vendors machines at waterparks in Wisconsin, Tennessee - Vacationland Vendors, a company that supplies vending machines and games to entertainment venues, has disclosed a data breach affecting about 40,000 people who visited waterpark resorts in Wisconsin and Tennessee between December 2008 and May 2011. http://www.computerworld.com/s/article/9219945/Vending_machine_company_announces_major_data_breach?taxonomyId=17

FYI - NBC Twitter hack attributed to 'Christmas tree' trojan - A group of hacktivists was able to compromise the NBC News Twitter account on Friday by tricking the network's social media head into clicking on a malicious attachment. http://www.scmagazineus.com/nbc-twitter-hack-attributed-to-christmas-tree-trojan/article/211981/?DCMP=EMC-SCUS_Newswire

WEB SITE COMPLIANCE -
This week concludes our series on the FDIC's Supervisory Policy on Identity Theft (Part 6 of 6)

President’s Identity Theft Task Force

On May 10, 2006, the President issued an executive order establishing an Identity Theft Task Force (Task Force). The Chairman of the FDIC is a principal member of the Task Force and the FDIC is an active participant in its work. The Task Force has been charged with delivering a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution. On September 19, 2006, the Task Force adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft. Among other things, these recommendations dealt with data breach guidance to federal agencies, alternative methods of "authenticating" identities, and reducing access of identity thieves to Social Security numbers. The final strategic plan is expected to be publicly released soon.

Conclusion

Financial institutions have an affirmative and continuing obligation to protect the privacy of customers' nonpublic personal information. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers.

INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Firewall Policy (Part 2 of 3)

Firewalls are an essential control for a financial institution with an Internet connection and provide a means of protection against a variety of attacks. Firewalls should not be relied upon, however, to provide full protection from attacks. Institutions should complement firewalls with strong security policies and a range of other controls. In fact, firewalls are themselves potentially vulnerable to attacks including:

! Spoofing trusted IP addresses;
! Denial of service by overloading the firewall with excessive requests or malformed packets;
! Sniffing of data that is being transmitted outside the network;
! Hostile code embedded in legitimate HTTP, SMTP, or other traffic that meets all firewall rules;
! Attacks on unpatched vulnerabilities in the firewall hardware or software;
! Attacks through flaws in the firewall design providing relatively easy access to data or services residing on firewall or proxy servers; and
! Attacks against machines and communications used for remote administration.
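Three of the weaknesses in the list above (spoofed trusted addresses, connection-flood denial of service, and exposed remote administration) are ones a rule set can be written to resist, and examiners routinely ask to see the rules that do so. The following is an added illustration, not text or code from the FFIEC booklet or from Yennik, Inc.: a small Python model of a firewall policy that applies ingress anti-spoofing filtering on each interface, confines management ports on the firewall's own addresses to an internal management subnet, and enforces a crude per-source budget of new connections. The interface names, address ranges, management subnet, firewall addresses, and the deliberately tiny SYN limit are all assumed values chosen so the constructed sample packets exercise every rule.

```python
"""Toy firewall policy: anti-spoofing, admin-access restriction, SYN budget.

Added illustration only. The topology, addresses and thresholds below are
assumptions for the example, not values from the FFIEC booklet or any real
institution.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

EXTERNAL_IFACE = "eth0"   # Internet-facing interface (assumed)
INTERNAL_IFACE = "eth1"   # institution LAN interface (assumed)
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed LAN range
ADMIN_NET = ipaddress.ip_network("10.20.5.0/24")          # assumed management subnet
FIREWALL_ADDRS = {"203.0.113.1", "10.20.0.1"}             # assumed firewall addresses
ADMIN_PORTS = {22, 443}                                   # SSH / HTTPS management
SYN_LIMIT_PER_SOURCE = 3   # tiny on purpose so the sample traffic trips it

# Sources that can never legitimately arrive on the Internet-facing interface:
# RFC 1918 space, loopback, link-local, multicast, reserved and "this" network.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int
    syn: bool = True   # True for a new-connection attempt


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def is_spoofed(pkt):
    """Ingress filtering: a source that cannot legitimately arrive on pkt.iface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == EXTERNAL_IFACE:
        # Internal or bogon source addresses claiming to come from the Internet.
        return _in_any(src, BOGON_NETS) or _in_any(src, INTERNAL_NETS)
    if pkt.iface == INTERNAL_IFACE:
        # Only the institution's own ranges may originate on the LAN side.
        return not _in_any(src, INTERNAL_NETS)
    return True   # unknown interface: fail closed


class FirewallPolicy:
    def __init__(self, syn_limit=SYN_LIMIT_PER_SOURCE):
        self.syn_limit = syn_limit
        self.syn_counts = Counter()   # new-connection attempts seen per source

    def evaluate(self, pkt):
        """Return (verdict, reason); verdict is 'ACCEPT' or 'DROP'."""
        if is_spoofed(pkt):
            return "DROP", "spoofed source on " + pkt.iface
        # Remote administration of the firewall only from the management subnet,
        # and only via the internal interface.
        if pkt.dst in FIREWALL_ADDRS and pkt.dport in ADMIN_PORTS:
            src = ipaddress.ip_address(pkt.src)
            if pkt.iface != INTERNAL_IFACE or src not in ADMIN_NET:
                return "DROP", "admin port reached from non-management source"
        # Per-source budget of connection attempts against a SYN flood.
        if pkt.syn:
            self.syn_counts[pkt.src] += 1
            if self.syn_counts[pkt.src] > self.syn_limit:
                return "DROP", "SYN budget exceeded for " + pkt.src
        return "ACCEPT", "policy default"


def run_sample():
    """Constructed packets (not captured traffic) that exercise each rule."""
    fw = FirewallPolicy()
    pkts = [
        Packet("eth0", "198.51.100.7", "203.0.113.10", 443),   # ordinary inbound HTTPS
        Packet("eth0", "10.20.1.5", "203.0.113.10", 443),      # internal address from outside
        Packet("eth0", "192.168.1.1", "203.0.113.10", 80),     # RFC 1918 source from outside
        Packet("eth1", "198.51.100.9", "203.0.113.10", 80),    # Internet address on LAN side
        Packet("eth0", "198.51.100.7", "203.0.113.1", 22),     # SSH to firewall from Internet
        Packet("eth1", "10.20.5.10", "10.20.0.1", 22),         # SSH from management subnet
        Packet("eth1", "10.20.9.10", "10.20.0.1", 22),         # SSH from an ordinary LAN host
    ]
    pkts += [Packet("eth0", "198.51.100.50", "203.0.113.10", 443)] * 4   # 4 SYNs, limit 3
    return [fw.evaluate(p)[0] for p in pkts]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Running the sample yields ACCEPT for the ordinary HTTPS request and the management-subnet SSH session, and DROP for the three spoofed packets, both out-of-policy SSH attempts, and the fourth connection attempt from the flooding source. The remaining items in the booklet's list are outside what a rule set can fix: sniffing of traffic beyond the perimeter calls for encryption in transit, hostile content inside permitted HTTP or SMTP sessions calls for content inspection and patched endpoints, and design flaws or unpatched firewall software call for vendor patching and hardening of the firewall host itself.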

INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 1 of 6)

The regulations establish specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide an initial and annual notice of their privacy policies to their customers. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions.

A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the regulations.

Notice and Opt Out Duties to Consumers:

If a financial institution intends to disclose nonpublic personal information about any of its consumers (whether or not they are customers) to a nonaffiliated third party, and an exception does not apply, then the financial institution must provide to the consumer:

1)  an initial notice of its privacy policies;

2)  an opt out notice (including, among other things, a reasonable means to opt out); and

3)  a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt out.

The financial institution may not disclose any nonpublic personal information to nonaffiliated third parties except under the enumerated exceptions unless these notices have been provided and the consumer has not opted out. Additionally, the institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.

Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated