R. Kinney Williams
Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
October 12, 2008
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Second hacker in TJX case pleads guilty - Scott, known as the
wireless hacking expert, faces up to 22 years in prison, $1M fine -
One of the major players in the massive hacking incidents at TJX
Companies Inc., BJ Wholesale Clubs Inc. and other retailers pleaded
guilty on Monday to identity theft and other felony charges in
federal court in Boston.
New certification to stress software lifecycle safety - The movement
to create secure software received a boost with the launch of a new
certification from (ISC)2, a nonprofit leader in educating and
certifying information security professionals. The certification,
called the Certified Secure Software Lifecycle Professional (CSSLP),
is designed to validate secure software development practices and
build expertise to address the increasing number of application
Network at Los Alamos vulnerable to attacks - Unclassified
information on a network the Los Alamos National Laboratory operates
is susceptible to unauthorized access because of major information
security weaknesses, according to a Government Accountability Office
report released on Friday.
California laws will increase penalties for patient data snoopers -
California Gov. Arnold Schwarzenegger on Tuesday signed two bills
into law that will allow the state to impose harsher penalties on
hospital workers who inappropriately access patient data.
Employees engage in risky computing - Data leaks - good intentions
gone bad - Common employee behavior may result in data loss or
leakage of a company's intellectual property, according to a study
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
NHS trust finds lost CDs holding 18,000 staff details - A London NHS
hospital trust has found four discs, containing 18,000 staff
details, that had been thought lost. The discs, which contained
payroll details, went missing earlier this month.
Thieves accessed auction Web site 1.5 million times - Yahoo Japan
Corp.'s auction Web site has been illegally accessed about 1.5
million times since May with codes and passwords stolen from members
from an Internet protocol address in China. Access information was
used without owner knowledge to sell items such as fake luxury-brand
goods, and account holders were charged auction fees by the company
for transactions they did not initiate.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Packet Filter Firewalls
Basic packet filtering was described in the router section and does
not include stateful inspection. Packet filter firewalls evaluate
the headers of each incoming and outgoing packet to ensure it has a
valid internal address, originates from a permitted external
address, connects to an authorized protocol or service, and contains
valid basic header instructions. If the packet does not match the
pre-defined policy for allowed traffic, then the firewall drops the
packet. Packet filters generally do not analyze the packet contents
beyond the header information. Dynamic packet filtering incorporates
stateful inspection primarily for performance benefits. Before
re-examining every packet, the firewall checks each packet as it
arrives to determine whether it is part of an existing connection.
If it verifies that the packet belongs to an established connection,
then it forwards the packet without subjecting it to the firewall
Weaknesses associated with packet filtering firewalls include the
! The system is unable to prevent attacks that employ application
specific vulnerabilities and functions because the packet filter
cannot examine packet contents.
! Logging functionality is limited to the same information used to
make access control decisions.
! Most do not support advanced user authentication schemes.
! Firewalls are generally vulnerable to attacks and exploitation
that take advantage of problems in the TCP/IP specification.
! The firewalls are easy to misconfigure, which allows traffic to
pass that should be blocked.
Packet filtering offers less security, but faster performance than
application-level firewalls. The former are appropriate in high -
speed environments where logging and user authentication with
network resources are not important. Packet filter firewalls are
also commonly used in small office/home office (SOHO) systems and
default operating system firewalls.
Institutions internally hosting Internet-accessible services should
consider implementing additional firewall components that include
Return to the top of the
C. HOST SECURITY
Determine whether access to utilities on the host are appropriately
restricted and monitored.
Return to the top of
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer
in connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.