Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Office of the Comptroller of the Currency Releases Guidance
on Third-Party Relationships - The Office of the Comptroller of the
Currency today issued updated risk management guidance for national
banks and federal savings associations related to third-party
- Revised Interagency Examination Procedures for Regulation
- NIST debuts preliminary framework for securing critical
infrastructure - The National Institute of Standards and Technology
(NIST) has introduced a preliminary cyber security framework to help
companies thwart critical infrastructure attacks.
- Judge orders self-described hacker's computer seized without
warning - The court was worried developer Corey Thuen might erase
evidence - In a rare move, a federal court in Idaho recently ordered
a software developer's computer seized and its contents copied
without prior notice because the developer described himself as a
'hacker' on his website.
- Court Rules Probable-Cause Warrant Required for GPS Trackers - An
appellate court has finally supplied an answer to an open question
left dangling by the Supreme Court in 2012: Do law enforcement
agencies need a probable-cause warrant to affix a GPS tracker to a
target’s vehicle? The Third Circuit Court of Appeals gave a
resounding yes to that question today in a 2 to 1 decision.
- ATM malware may spread from Mexico to English-speaking world -
Attacker can command an unidentified ATM brand to empty cash
cassettes through keypad commands - A malicious software program
found in ATMs in Mexico has been improved and translated into
English, which suggests it may be used elsewhere.
- Cyber-attacks are the greatest threats UK businesses face - Only
four per cent of UK businesses have adequate security measures in
place to battle cyber-attacks - Cyber-attacks are the main threats
UK businesses face with 96 per cent fearing their security functions
are not strong enough, research shows.
- Dutch Banking Malware Gang Busted: Bitcoin's Role - Dutch police
arrest four men on charges of using TorRAT banking malware to steal
an estimated $1.4 million from consumers. They allegedly laundered
the funds using the cryptographic currency known as Bitcoins.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Dept. Of Energy Breach: Bigger Than We Realized - DOE says July
data breach affected more than double the number of people in
initial estimates. CIO tasks an independent investigator to probe
breach and agency's technology infrastructure. The Department of
Energy has revised its count of the number of people whose
information was compromised in a July 2013 intrusion that resulted
in the theft of personal information.
- UN Nuclear Agency Computers Infected with Malware - The
International Atomic Energy Agency (IAEA) has admitted that some of
its computers have been infected with malware for at least the last
few months, but denies that any sensitive data regarding its nuclear
inspections has been compromised.
- Aaron's computer rental chain settles FTC spying charges - The
rent-to-own computer company settles a complaint that accused it of
secretly taking Webcam photos of users in their homes and recording
keystrokes of Web site login credentials.
- Adobe breach impacts closer to 38 million customers - The number
of Adobe customers impacted in a breach disclosed earlier this month
has skyrocketed to about 38 million. That is more than ten times the
roughly three million affected users the company announced
- Two nurses' aides guilty for using patient data to commit tax
fraud - Two former nurses' aides for Virginia-based nonprofit
Sentara Healthcare have pleaded guilty to accessing thousands of
electronic patient records and using the information to file
fraudulent tax returns.
- Phishing email fools Missouri university staff, compromises
thousands - Employees of Missouri-based Saint Louis University fell
victim to a phishing email that resulted in them providing account
information, subsequently putting thousands at risk.
- Twelve-year-old hacks gov't websites, trades info with Anonymous -
A 12-year-old Canadian boy has pleaded guilty to hacking government
websites - he knocked some of them out for days - and causing
damages of about $60,000 in an incident that dates back to spring
- Minneapolis medical assistant fired for accessing patient data - A
medical assistant at Minneapolis-based health clinic Inver Grove
Heights - a part of Allina Health System - was fired for the
unauthorized viewing of nearly 4,000 patient records over the span
of more than three years.
- Norks seed online games with malware in fiendish DDoS plot - South
Korea’s National Police Agency (NPA) is warning users not to
download unofficial online games as they may contain malware
designed by the North to compromise machines which can then be used
to launch DDoS attacks on the country.
- Shared password across accounts results in MongoHQ breach - Upon
detecting unauthorized access to an employee's administration
application on Monday, California-based database-as-a-service
platform MongoHQ discovered it was the victim of a breach that may
have compromised information of its employees and customers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Token Systems (2 of 2)
Weaknesses in token systems relate to theft of the token, ease in
guessing any password generating algorithm within the token, ease of
successfully forging any authentication credential that unlocks the
token, and reverse engineering, or cloning, of the token. Each of
these weaknesses can be addressed through additional control
mechanisms. Token theft generally is protected against by policies
that require prompt reporting and cancellation of the token's
ability to allow access to the system. Additionally, the impact of
token theft is reduced when the token is used in multi - factor
authentication; for instance, the password from the token is paired
with a password known only by the user and the system. This pairing
reduces the risk posed by token loss, while increasing the strength
of the authentication mechanism. Forged credentials are protected
against by the same methods that protect credentials in non - token
systems. Protection against reverse engineering requires physical
and logical security in token design. For instance, token designers
can increase the difficulty of opening a token without causing
irreparable damage, or obtaining information from the token either
by passive scanning or active input/output.
Token systems can also incorporate public key infrastructure, and
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the
short-form initial notice with a reasonable means of obtaining the
longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to
request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the
institution's office, having copies available to provide immediately
by hand-delivery? [§6(d)(4)(ii)]