Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- GAO - Information Technology: Leveraging Best Practices to Help
Ensure Successful Major Acquisitions.
- Cyber dragnet: Five new HACKERS join FBI's 'most wanted' list -
'Operation Ghost Click' seeks its last fugitive - The US Federal
Bureau of Investigation has added five new names to its "Cyber's
Most Wanted" list, bringing the total number of fugitives urgently
wanted in relation to computer and data-related crimes to 17.
- More than half of corporate breaches go unreported, according to
study - In a survey of 200 security professionals who deal with
malware analysis for U.S. businesses, 57 percent revealed they
investigated or addressed a data breach their company never
- New York Police Detective Pleads Guilty to Hacking Charges - A New
York City police detective has pleaded guilty to hiring hacking
services to steal the passwords of dozens of email accounts
belonging to fellow officers in the police department and others.
- Mom helped hide laptops from FBI in cabinet, gets 6 months
probation - Barrett Brown's mother will also pay a $1,000 fine as
part of guilty plea. Back in January 2013, former self-proclaimed
Anonymous spokesperson Barrett Brown was charged for the third time
in four months on federal criminal charges.
- Firm highlights top site attacks on world's biggest banks - An
analysis of the most common website attacks affecting the world's
biggest banks, turned up concerning evidence that a common coding
flaw remains an easy entry point for attackers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers steal $1.2m of bitcoins from Inputs.io, a supposedly
secure wallet service - In a phone interview with Australia’s AM
radio show Tradefortress responded to challenges that the theft was
‘an inside job’, though he insisted that he wouldn’t be reporting
the theft to the police because the bitcoins are untraceable and it
would be impossible to track the culprit.
- Two hard drives stolen from Washington State University office -
Hundreds of employees, former employees and students of Washington
State University are being notified that their personal information
may have been compromised after two possibly unencrypted external
hard drives were stolen from an on-campus office.
- Indiana data breach dates back to 2001 - The personal information
of hundreds of Jeffersonville, IN vendors and officials may have
been compromised in an ongoing data breach that dates back to 2001.
- Instagram companion app compromises 100k accounts - An iOS and
Android application that claims to provide free 'likes' and
followers to users of Instagram is actually a clever scam.
- More than 800,000 accounts compromised in MacRumors Forums breach
- About 860,000 members who post on the forums of popular Apple
website MacRumors are being asked to change their passwords after
accounts were compromised in a hack.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business" under
HUD's rules prescribing lobby notices. Thus, institutions may want
to consider including the "lobby notice," particularly in the case
of interactive systems that accept applications.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 2
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belongs to a specific user or system. It
is important when issuing a digital certificate that the
registration process for initially verifying the identity of users
is adequately controlled. The CA attests to the individual user's
identity by signing the digital certificate with its own private
key, known as the root key. Each time the user establishes a
communication link with the financial institution's systems, a
digital signature is transmitted with a digital certificate. These
electronic credentials enable the institution to determine that the
digital certificate is valid, identify the individual as a user, and
confirm that transactions entered into the institution's computer
system were performed by that user.
The user's private key exists electronically and is susceptible to
being copied over a network as easily as any other electronic file.
If it is lost or compromised, the user can no longer be assured that
messages will remain private or that fraudulent or erroneous
transactions would not be performed. User AUPs and training should
emphasize the importance of safeguarding a private key and promptly
reporting its compromise.
PKI minimizes many of the vulnerabilities associated with passwords
because it does not rely on shared secrets to authenticate
customers, its electronic credentials are difficult to compromise,
and user credentials cannot be stolen from a central server. The
primary drawback of a PKI authentication system is that it is more
complicated and costly to implement than user names and passwords.
Whether the financial institution acts as its own CA or relies on a
third party, the institution should ensure its certificate issuance
and revocation policies and other controls discussed below are
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information
about a consumer to a nonaffiliated third party, and the exceptions
under §§13-15 do not apply, does the institution provide the
consumer with a clear and conspicuous opt out notice that accurately
explains the right to opt out? [§7(a)(1)]