R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 10, 2010

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."  For more information and to subscribe visit http://www.yennik.com/it-review/.

U.S. Tries to Make It Easier to Wiretap the Internet - Federal law enforcement and national security officials are preparing to seek sweeping new regulations for the Internet, arguing that their ability to wiretap criminal and terrorism suspects is “going dark” as people increasingly communicate online instead of by telephone. http://www.nytimes.com/2010/09/27/us/27wiretap.html?_r=3&hp=&adxnnl=1&pagewanted=all&adxnnlx=1285855211-bpHUSDOzix12XhuQ3+ByJQ

BlackBerry CEO suggests route to eavesdropping - Says companies that use phones would need to hand over encryption keys - BlackBerry maker Research in Motion Ltd. says it has no way of providing government officials with the text of encrypted corporate e-mails its devices serve up. But if the companies that employ BlackBerry phones want to hand over the encryption keys to their e-mail, it won't object. http://www.msnbc.msn.com/id/39387290/ns/technology_and_science-security/

Palin hacker's verdict stands - Judge denies ex-UT student's bid to toss out convictions - A federal judge has shot down a former University of Tennessee student's bid to have tossed out convictions in the illegal access of Sarah Palin's personal e-mail account during the 2008 presidential election. http://www.knoxnews.com/news/2010/sep/25/palin-hackers-verdict-stands/


Privacy group takes on ACS:Law over data breach - ACS:Law, which has conducted a letter-writing campaign against people suspected of unlawful file-sharing, is facing legal action by Privacy International after those people's details were leaked during a security breach. http://www.zdnet.co.uk/news/security-threats/2010/09/27/privacy-group-takes-on-acslaw-over-porn-data-breach-40090288/

Maine court limits damage claims in data breach cases - Victims can't seek restitution unless they suffer actual losses, state Supreme Court says - Maine's Supreme Court has ruled that consumers affected by the data breach at supermarket chain Hannaford Bros. in 2008 cannot claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury. http://www.computerworld.com/s/article/9187340/Maine_court_limits_damage_claims_in_data_breach_cases?source=rss_news

Belarusian extradited to US for one-stop ID theft site - US prosecutors have extradited a Belarusian national accused of running a website that helped thousands of criminals exploit stolen financial information. http://www.theregister.co.uk/2010/09/21/id_theft_website_extradition/

Two remaining Comcast.net hijackers sentenced - The remaining two members of a cybergang implicated in a 2008 scheme that redirected visitors wishing to reach Comcast.net to websites of the hackers' choosing each have been sentenced to 18 months in federal prison. http://www.scmagazineus.com/two-remaining-comcastnet-hijackers-sentenced/article/179713/?DCMP=EMC-SCUS_Newswire

Extradited VoIP hacker sentenced to 10 years - The mastermind behind a scheme to hack into internet phone networks and resell services for a profit was sentenced Friday to 10 years in federal prison, the U.S. Attorney's Office in New Jersey announced. http://www.scmagazineus.com/extradited-voip-hacker-sentenced-to-10-years/article/179538/?DCMP=EMC-SCUS_Newswire

U.K. police arrest 19 in major Zeus bust - Police in the U.K. have arrested 19 individuals believed to be part of an organized cybercrime network that used the Zeus trojan to steal six million pounds ($9.5 million) from U.K. bank accounts. http://www.scmagazineus.com/uk-police-arrest-19-in-major-zeus-bust/article/179946/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

Advertisement Of Membership

The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.

Return to the top of the newsletter
We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 


A penetration analysis itself can introduce new risks to an institution; therefore, several items should be considered before having an analysis completed, including the following:

1) If using outside testers, the reputation of the firm or consultants hired. The evaluators will assess the weaknesses in the bank's information security system. As such, the confidentiality of results and bank data is crucial. Just like screening potential employees prior to their hire, banks should carefully screen firms, consultants, and subcontractors who are entrusted with access to sensitive data. A bank may want to require security clearance checks on the evaluators. An institution should ask if the evaluators have liability insurance in case something goes wrong during the test. The bank should enter into a written contact with the evaluators, which at a minimum should address the above items.

2) If using internal testers, the independence of the testers from system administrators.

3) The secrecy of the test. Some senior executives may order an analysis without the knowledge of information systems personnel. This can create unwanted results, including the notification of law enforcement personnel and wasted resources responding to an attack. To prevent excessive responses to the attacks, bank management may consider informing certain individuals in the organization of the penetration analysis.

4) The importance of the systems to be tested. Some systems may be too critical to be exposed to some of the methods used by the evaluators such as a critical database that could be damaged during the test.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

6)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1)and (2)]
(Note: annual notices are not required for former customers. [§5(b)(1)and (2)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

IT Security Checklist
A weekly email that provides an effective
method to prepare for your IT examination.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated