R. Kinney Williams
Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
September 28, 2008
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
San Francisco hunts for mystery device on city network - It was
apparently installed by accused rogue network admin Terry Childs -
With costs related to an alleged rogue network administrator's
hijacking of the city's network now estimated at $1 million, San
Francisco officials say they are searching for a mysterious
networking device hidden somewhere on the network.
8 Laptop Bags That Zip Through Airport Security - While no one
questions the need to properly scan laptops when going through
airport security, the requirement to remove them from their
protective cases is a different story. "Naked" notebooks can easily
get dropped, damaged, forgotten and even stolen outright. One study
done for Dell estimated that about 12,000 laptops are lost in U.S.
airports every week -- a claim that has been challenged by the
Transportation Security Administration.
Five ways to clean your firewall of clutter and stay secure -
Firewalls are an important line of defense for enterprises, handling
vast amounts of traffic. On the perimeter alone firewalls typically
filter millions of packets daily.
It's time to think differently about protecting data - The recent
rash of high profile security breaches, data loss incidents and
associated fraud highlights the fact that the security industry is
failing to meet the threats organizations face when it comes to
protecting the lifeblood of their business - their data and their
Man accused in TJX data breach pleads guilty - One of the 11 people
arrested last month in connection with the massive data theft at TJX
Companies Inc., BJ Wholesale Clubs Inc. and several other retailers
pleaded guilty yesterday to four felony counts, including wire and
credit card fraud and aggravated identity theft.
Alleged Carleton hacker faces criminal charges - A student who
called himself "Kasper Holmberg" gained access to the data by
installing software that he wrote on a terminal in a computer lab
that was attached to a card reader. The software recorded keystrokes
made on the computer and included magnetic stripe card reader
software, police said. http://www.cbc.ca/technology/story/2008/09/11/ot-carleton-080911.html
GAO - Information Technology: Federal Laws, Regulations, and
Mandatory Standards to Securing Private Sector Information
Technology Systems and Data in Critical Infrastructure Sectors.
GAO - Health Information Technology: HHS Has Taken Important Steps
to Address Privacy Principles and Challenges, Although More Work
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Irate Ark. man posts county e-mail records in privacy fight - He
wants sensitive data expunged from county docs - An Arkansas
resident is posting the internal e-mail records of various officials
in the Pulaski County clerk's office on his Web site in retaliation
for what he calls the county's refusal to remove certain public
documents containing Social Security numbers from its Web site.
Massive ATM fraud triggers Gulf banking jitters - Cash machine chaos
- Banks across the United Arab Emirates are fighting to restore
confidence in its banking system after hackers used counterfeit
cards to withdraw funds from cash machines.
Lenders say private customer records have been breached - Hundreds
of thousands of Florida customers of Countrywide Finance Corp. and
The Bank of New York Mellon Shareowner Services are at risk after
two instances of data being compromised. The personal information of
nearly 750,000 Florida consumers may have been compromised in recent
weeks, the result of data breaches at both Countrywide Financial and
the Bank of New York Mellon Shareowner Services.
Security breach at State Farm in Surprise exposes customers to ID
fraud - A security breach at a Surprise insurance agency early this
summer has potentially exposed hundreds of customers across the U.S.
and Canada to identity theft.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
The compliance risk to an institution linking to a third-party's
website depends on several factors. These factors include the nature
of the products and services provided on the third-party's website,
and the nature of the institution's business relationship with the
third party. This is particularly true with respect to compensation
arrangements for links. For example, a financial institution that
receives payment for offering advertisement-related weblinks to a
settlement service provider's website should carefully consider the
prohibition against kickbacks, unearned fees, and compensated
referrals under the Real Estate Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC card for the corporate
network or a subnet. Firewalls, proxy servers, and gateway servers
are typically dual-homed with two NIC cards that allow them to
communicate securely both internally and externally while limiting
access to the internal network.
Return to the top of the
C. HOST SECURITY
Determine whether remotely configurable hosts are configured for
secure remote administration.
Return to the top of
INTERNET PRIVACY - With this
issue, we begin our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of
the Act governs the treatment of nonpublic personal information
about consumers by financial institutions. Section 502 of the
Subtitle, subject to certain exceptions, prohibits a financial
institution from disclosing nonpublic personal information about a
consumer to nonaffiliated third parties, unless the institution
satisfies various notice and opt-out requirements, and provided that
the consumer has not elected to opt out of the disclosure. Section
503 requires the institution to provide notice of its privacy
policies and practices to its customers. Section 504 authorizes the
issuance of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
1) A financial institution must provide a notice of its
privacy policies, and allow the consumer to opt out of the
disclosure of the consumer's nonpublic personal information, to a
nonaffiliated third party if the disclosure is outside of the
exceptions in sections 13, 14 or 15 of the regulations.
2) Regardless of whether a financial institution shares
nonpublic personal information, the institution must provide notices
of its privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
4) A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it receives from a
nonaffiliated financial institution.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.