R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 23, 2012

CONTENT Internet Compliance Web Site Audits
IT Security
 
Internet Privacy
 
Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - PCI issues guidelines for payment security in mobile apps - The Payment Card Industry Security Standards Council (PCI SSC), an industry body which manages payment data security guidelines, released best practices for mobile app developers and device manufacturers. http://www.scmagazine.com/pci-issues-guidelines-for-payment-security-in-mobile-apps/article/259100/?DCMP=EMC-SCUS_Newswire

FYI - House votes to renew controversial surveillance law - The House of Representatives voted Wednesday to renew a contested surveillance law, moving it a step closer to full reauthorization - a goal strongly shared by the White House and the intelligence community as a way to protect the nation against terrorism and other foreign threats. http://www.washingtonpost.com/world/national-security/house-votes-to-renew-controversial-surveillance-law/2012/09/12/ba71bc38-fce5-11e1-a31e-804fccb658f9_story.html

FYI - Permanent cybersecurity team established for EU institutions - CERT-EU will work with EU member states to reduce online attacks - European institutions on Wednesday beefed up cybersecurity efforts by establishing a permanent Computer Emergency Response Team (CERT-EU). http://www.computerworld.com/s/article/9231209/Permanent_cybersecurity_team_established_for_EU_institutions?taxonomyId=244

FYI - Linking to infringing material can violate copyright, says Dutch court - A link to leaked Playboy pictures published by the Dutch blog GeenStijl infringed on Playboy's copyrights, the Court of Amsterdam ruled this week. It is the first time a Dutch court has deemed a hyperlink not only illegal but also copyright infringing. http://www.pcworld.com/article/262320/linking_to_infringing_material_can_violate_copyright_says_dutch_court.html

FYI - GAO - Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged. http://www.gao.gov/products/GAO-12-757

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - GoDaddy blames outage on corrupted router tables - Monday outage was not due to malicious SOPA protesters, GoDaddy claims - Corrupted router tables, not malicious protesters, were the culprits behind Monday's widespread outage of GoDaddy's Internet registrar and hosting services, the company reported. http://www.computerworld.com/s/article/9231180/GoDaddy_blames_outage_on_corrupted_router_tables?taxonomyId=82

FYI - Churchill Downs wagering site hacked - TwinSpires.com, the wagering site for customers of the Louisville, Ky.-based Churchill Downs racetrack, was hacked, exposing the personal information of account holders. http://www.scmagazine.com/churchill-downs-wagering-site-hacked/article/259114/?DCMP=EMC-SCUS_Newswire

FYI - Canadian Researchers Allegedly Misuse Personal Health Data - An investigation into the alleged misuse of personal health information in university medical research has led to the firing of five employees of the British Columbia Ministry of Health and the suspension of two others, according to news reports. http://www.nextgov.com/health/health-it/2012/09/canadian-researchers-allegedly-misuse-personal-health-data/58158/

FYI - Subway restaurant hackers admit to crime spree - Two of the four Romanian hackers charged with the 2011 remote hijacking of credit card processing systems of more than 150 Subway restaurants, as well as other retailers in the United States, have pleaded guilty to the crimes. http://www.scmagazine.com/subway-restaurant-hackers-admit-to-crime-spree/article/259617/?DCMP=EMC-SCUS_Newswire 

FYI - Hacktivists take claim for Bank of America site disruption - A hacktivist group may be behind the sporadic issues that affected Bank of America's website, causing a lag in access for customers. http://www.scmagazine.com/hacktivists-take-claim-for-bank-of-america-site-disruption/article/259777/?DCMP=EMC-SCUS_Newswire

FYI - New espionage campaign tied to RSA breach, GhostNet attacks - A cyber espionage campaign, now linked to attacks on the energy and oil sector in various countries and a military organization, was likely launched by the same attackers behind an RSA breach and the GhostNet spy network. http://www.scmagazine.com/new-espionage-campaign-tied-to-rsa-breach-ghostnet-attacks/article/259991/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices to Help Maintain the Privacy of Customer E-Banking Information


1. Banks should employ appropriate cryptographic techniques, specific protocols or other security controls to ensure the confidentiality of customer e-banking data.

2. Banks should develop appropriate procedures and controls to periodically assess its customer security infrastructure and protocols for e-banking.

3. Banks should ensure that its third-party service providers have confidentiality and privacy policies that are consistent with their own.

4. Banks should take appropriate steps to inform e-banking customers about the confidentiality and privacy of their information. These steps may include:

a)   Informing customers of the bank's privacy policy, possibly on the bank's website. Clear, concise language in such statements is essential to assure that the customer fully understands the privacy policy. Lengthy legal descriptions, while accurate, are likely to go unread by the majority of customers.

b)   Instructing customers on the need to protect their passwords, personal identification numbers (PINs) and other banking and/or personal data. 

c)   Providing customers with information regarding the general security of their personal computer, including the benefits of using virus protection software, physical access controls and personal firewalls for static Internet connections.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY
-
 We conclude our series on the FFIEC interagency Information Security Booklet

MONITORING AND UPDATING - UPDATING

Financial institutions should evaluate the information gathered to determine the extent of any required adjustments to the various components of their security program. The institution will need to consider the scope, impact, and urgency of any new threat. Depending on the new threat or vulnerability, the institution will need to reassess the risk and make changes to its security process (e.g., the security strategy, the controls implementation, or the security testing requirements).

Institution management confronts routine security issues and events on a regular basis. In many cases, the issues are relatively isolated and may be addressed through an informal or targeted risk assessment embedded within an existing security control process. For example, the institution might assess the risk of a new operating system vulnerability before testing and installing the patch. More systemic events like mergers, acquisitions, new systems, or system conversions, however, would warrant a more extensive security risk assessment. Regardless of the scope, the potential impact and the urgency of the risk exposure will dictate when and how controls are changed.


Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

37.  For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice such as:

a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or

b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated