R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 6, 2011

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for Android smartphones and tablets.  Go to the Market Store and search for yennik.

FYI - (At least) 4 web authentication authorities breached since June - SSL security chain as good as broken - At least four web authentication authorities have reported being compromised in as many months, according to research from the Electronic Frontier Foundation that renews serious questions about a technology millions of websites rely on to remain secure. http://www.theregister.co.uk/2011/10/27/ssl_certificate_authorities_hacked/

FYI - Tool Lets Single Laptop Take Down An SSL Server - Yet another strike against SSL security - SSL is in the hot seat again: A new, free tool is now circulating that can take down an HTTPS Web server in a denial-of-service attack using a single laptop via a DSL connection. http://www.darkreading.com/authentication/167901072/security/vulnerabilities/231901641/index.html?itc=edit_stub

FYI - Insulin pump hack delivers fatal dosage over the air - Sugar Blues, James Bond style - In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them. http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/

FYI - National Security Agency helps banks battle hackers - The National Security Agency, a secretive arm of the U.S. military, has begun providing Wall Street banks with intelligence on foreign hackers, a sign of growing U.S. fears of financial sabotage. http://www.reuters.com/article/2011/10/26/us-cybersecurity-banks-idUSTRE79P5E020111026

FYI - Federal cyber rules halt LAPD's move to Google Apps - FBI security rules are holding up the Los Angeles Police Department's move to Google Web-based email and office applications, according to contractors. The federal policies, which relate to confidentiality of criminal history data, could prevent certain agencies from ever moving operations to the cloud, or third-party data centers that provide software over the Internet, experts say. http://www.nextgov.com/nextgov/ng_20111026_6213.php?oref=topstory

FYI - Breaches lead to major reputation, brand damage - Companies spend on average up to a year to restore their reputation following a data breach, according to a study released Thursday. http://www.scmagazineus.com/breaches-lead-to-major-reputation-brand-damage/article/215595/?DCMP=EMC-SCUS_Newswire

FYI - Banker trade group warns of phishing uptick - The American Bankers Association (ABA) on Wednesday issued a new warning about a “sudden increase” in phishing scams being reported throughout the country. http://www.scmagazineus.com/banker-trade-group-warns-of-phishing-uptick/article/215440/?DCMP=EMC-SCUS_Newswire

FYI - Internet privacy tools too confusing for most users - Users wishing to stop advertisers from tracking their online behaviors face major hurdles, according to a report released this week by Carnegie Mellon University. http://www.scmagazineus.com/internet-privacy-tools-too-confusing-for-most-users/article/215869/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Chinese Military Suspected in Hacker Attacks on U.S. Satellites - Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway, according to a congressional commission. http://www.businessweek.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html

FYI - Nasdaq Server Breach: 3 Expected Findings - While federal investigators remain quiet about the ongoing investigation, experts say that the Directors Desk data breach is even worse than thought. Last week, two experts with knowledge of Nasdaq OMX Group's internal investigation said that while attackers hadn't directly attacked trading servers, they had installed malware on sensitive systems, which enabled them to spy on dozens of company directors. http://www.informationweek.com/news/security/attacks/231901580

FYI - Anonymous downs Oakland police site after violence - The hacktivist group Anonymous is making good on its promise of digital retaliation against the Oakland Police Department for the force it used against protesters this week. http://www.scmagazineus.com/anonymous-downs-oakland-police-site-after-violence/article/215433/?DCMP=EMC-SCUS_Newswire

FYI - Ottawa warned about hackers weeks before crippling cyber attack: CSIS report - Canada's spy agency warned the government that federal departments were under assault from rogue hackers just weeks before an attack crippled key computers. http://www.theglobeandmail.com/news/national/ottawa-warned-about-hackers-weeks-before-crippling-cyber-attack-csis-report/article2219129/?from=sec434

WEB SITE COMPLIANCE - Record Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - PHYSICAL SECURITY

The confidentiality, integrity, and availability of information can be impaired through physical access to, or damage to or destruction of, physical components. Conceptually, those physical security risks are mitigated through zone-oriented implementations. Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained in or accessible through the zone and of the information technology components in the zone. For instance, data centers may be in the highest security zone, and branches may be in a much lower security zone. Different security zones can exist within the same structure. Routers and servers in a branch, for instance, may be protected to a greater degree than customer service terminals. Computers and telecommunications equipment within an operations center will be in a higher security zone than I/O operations, with the media used in that equipment stored in a higher zone still.

The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, the following threats:

- Aircraft crashes
- Chemical effects
- Dust
- Electrical supply interference
- Electromagnetic radiation
- Explosives
- Fire
- Smoke
- Theft/Destruction
- Vibration/Earthquake
- Water
- Wireless emissions
- Any other threats applicable based on the entity's unique geographical location, building configuration, neighboring entities, etc.

INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Objectives 

1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.

2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.

3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:

a) Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in the regulations.

4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated