R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 11, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Supervision of Technology Service Providers and Outsourcing Technology Services - The Federal Financial Institutions Examination Council issued the revised Information Technology Examination Booklet on the Supervision of Technology Service Providers and the updated IT Examination Booklet on Outsourcing Technology Services. www.fdic.gov/news/news/financial/2012/fil12046.html

FYI - U.S. seeks patriotic computer geeks for help in cyber crisis - The U.S. Department of Homeland Security is considering setting up a "Cyber Reserve" of computer security experts who could be called upon in the event of a crippling cyber attack. http://www.reuters.com/article/2012/10/31/usa-cybersecurity-reserve-idUSL1E8LU4MZ20121031

FYI - 60-Second Cash Kiosk Hackers Steal $1 Million - Feds announce they've busted 14 members of a gang that used rapid withdrawals at cash-advance kiosks at casinos in California and Nevada to trick Citibank. The FBI has arrested more than a dozen people on charges that they participated in a gang that stole over $1 million via cash-advance kiosks at 11 casinos and resorts. http://www.informationweek.com/security/attacks/60-second-cash-kiosk-hackers-steal-1-mil/240012604?cid=InformationWeek-Twitter

FYI - Irked by cyberspying, Georgia outs Russia-based hacker -- with photos - In an unprecedented move, Georgia reveals startling details of a hacker it says is stealing its confidential information. In one of the photos, the dark-haired, bearded hacker is peering into his computer's screen, perhaps puzzled at what's happening. Minutes later, he cuts his computer's connection, realizing he has been discovered. http://www.computerworld.com/s/article/9233060/Irked_by_cyberspying_Georgia_outs_Russia_based_hacker_with_photos?taxonomyId=82

FYI - Court OKs warrantless use of hidden surveillance cameras - In latest case to test how technological developments alter Americans' privacy, federal court sides with Justice Department on police use of concealed surveillance cameras on private property. Police are allowed in some circumstances to install hidden surveillance cameras on private property without obtaining a search warrant, a federal judge said yesterday. http://news.cnet.com/8301-13578_3-57542510-38/court-oks-warrantless-use-of-hidden-surveillance-cameras/

FYI - Calif. begins enforcing law requiring mobile privacy policies - California Attorney General Kamala Harris has begun warning mobile application developers, and companies that have apps available for download, that failing to "conspicuously" post privacy policies within 30 days could mean fines. http://www.scmagazine.com/calif-begins-enforcing-law-requiring-mobile-privacy-policies/article/266602/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - South Carolina tax breach also affects 657k businesses - As the probe deepens into the massive hack of the South Carolina Department of Revenue, forensic investigators have concluded that as many as 657,000 businesses may also have been impacted. http://www.scmagazine.com/south-carolina-tax-breach-also-affects-657k-businesses/article/266599/?DCMP=EMC-SCUS_Newswire

FYI - Hacker group Pyknic defaces NBC, Lady Gaga sites - A hacker collective calling itself “Pyknic” defaced several pages on NBC.com, and claimed it leaked user account info from NBC's online forum. The group even took to a Lady Gaga fan site to carry out further vandalism. http://www.scmagazine.com/hacker-group-pyknic-defaces-nbc-lady-gaga-sites/article/267040/?DCMP=EMC-SCUS_Newswire

FYI - Coca-Cola 'targeted' by China in hack ahead of acquisition attempt - Chinese hackers have been blamed for infiltrating confidential systems within Coca-Cola for more than a month, Bloomberg has reported.
http://www.bbc.co.uk/news/technology-20204671
http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html

FYI - Barnes & Noble customers file lawsuits after breach - Victims of a PIN pad tampering incident, which compromised customer information at dozens of Barnes & Noble stores, have filed three class-action lawsuits against the nation's largest book retailer. http://www.scmagazine.com/barnes-noble-customers-file-lawsuits-after-breach/article/267227/?DCMP=EMC-SCUS_Newswire 


WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article on Incident Response Programs.  (6 of 12)

Best Practices-Going Beyond the Minimum

Each bank has the opportunity to go beyond the minimum requirements and incorporate industry best practices into its IRP. As each bank tailors its IRP to match its administrative, technical, and organizational complexity, it may find some of the following best practices relevant to its operating environment. The practices addressed below are not all inclusive, nor are they regulatory requirements. Rather, they are representative of some of the more effective practices and procedures some institutions have implemented. For organizational purposes, the best practices have been categorized into the various stages of incident response: preparation, detection, containment, recovery, and follow-up.


Preparation


Preparing for a potential security compromise of customer information is a proactive risk management practice. The overall effectiveness and efficiency of an organization's response is related to how well it has organized and prepared for potential incidents. Two of the more effective practices noted in many IRPs are addressed below.

Establish an incident response team.

A key practice in preparing for a potential incident is establishing a team that is specifically responsible for responding to security incidents. Organizing a team that includes individuals from various departments or functions of the bank (such as operations, networking, lending, human resources, accounting, marketing, and audit) may better position the bank to respond to a given incident. Once the team is established, members can be assigned roles and responsibilities to ensure incident handling and reporting is comprehensive and efficient. A common responsibility that banks have assigned to the incident response team is developing a notification or call list, which includes contact information for employees, vendors, service providers, law enforcement, bank regulators, insurance companies, and other appropriate contacts. A comprehensive notification list can serve as a valuable resource when responding to an incident.


 
INFORMATION TECHNOLOGY SECURITY - This concludes our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Part III. Risks Associated with Both Internal Wireless Networks and Wireless Internet Devices

Evolution and Obsolescence

As the wireless technologies available today evolve, financial institutions and their customers face the risk of current investments becoming obsolete in a relatively short time. As demonstrated by the weaknesses in WEP and earlier versions of WAP and the changes in standards for wireless technologies, wireless networking as a technology may change significantly before it is considered mature. Financial institutions that invest heavily in components that may become obsolete quickly may feel the cost of adopting an immature technology.

Controlling the Impact of Obsolescence

Wireless internal networks are subject to the same types of evolution that encompass the computing environment in general. Key questions to ask a vendor before purchasing a wireless internal network solution include:

1)  What is the upgrade path to the next class of network?
2)  Do the devices support firmware (Flash) upgrades for security patches and upgrades?
3)  How does the vendor distribute security information and patches?

The financial institution should also consider the evolving standards of the wireless community. Before entering into an expensive implementation, the institution should research when the next major advances in wireless are likely to be released. Bank management can then make an informed decision on whether the implementation should be based on currently available technology or a future implementation based on newer technology.

The potential obsolescence of wireless customer access can be controlled in other ways. As the financial institution designs applications that are to be delivered through wireless devices, they should design the application so that the business logic is not tied to a particular wireless technology. This can be accomplished by placing the majority of the business logic on back-end or mid-tier servers that are independent of the wireless application server. The wireless application server then becomes a connection point between the customer and the transactions performed. As the institution decides to upgrade or replace the application server, the business logic can remain relatively undisturbed.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

44.  If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:

a.  to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]

b.  to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and

c.  to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated