Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 25, 2007

Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - This week I am attending the Tech Mecca convention being held at the Red Rock Casino in Las Vegas, Nevada.  Tech Mecca is sponsored by the Independent Bankers Association of Texas (IBAT).  I look forward to meeting any of you who will also be in attendance.

FYI - AT&T Launches Mobile Banking - Preloaded and downloadable bank access apps are offered nationwide through Wachovia and SunTrust. AT&T Inc. fulfilled its promise of nationwide mobile banking, rolling out a service for customers of two banks that uses an application residing on the user's handset. http://www.pcworld.com/article/id,139620/article.html?tk=nl_dnxnws

FYI - Cisco survey: Spyware, bots top security issues for government IT professionals - Day-to-day worries about spyware and bots are the No. 1 security concern of IT professionals working for the agencies of the federal government, according to a study released by Cisco Systems. http://www.scmagazineus.com/Cisco-survey-Spyware-bots-top-security-issues-for-government-IT-professionals/article/96301/

FYI - PCI council to take over secure application standard - The body charged with managing and promoting the Payment Card Industry Data Security Standard (PCI DSS) announced today it will soon administer another set of merchant guidelines involving secure payment systems. http://www.scmagazineus.com/PCI-council-to-take-over-secure-application-standard/article/90488/

FYI - ODNI changes FISMA focus - Intell agency takes the lead in making reporting secondary to monitoring - Critics often fault agencies' implementation of the Federal Information Security Management Act for focusing too much on writing reports and not enough on security monitoring. However, that criticism is heard less often as agencies take advantage of ways to automate their FISMA reporting requirements and focus instead on real-time security monitoring. http://www.fcw.com/print/13_40/policy/150753-1.html?type=pf

FYI - Problem-Driver DB Ticketed for Security Flaws - The U.S. Department of Transportation isn't adequately protecting personal information stored in a database that state motor vehicle departments use to identify problem drivers, according to a report issued by the DOT's inspector general. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=307313&source=rss_topic17

FYI - Hushmail open to Feds with court orders - US federal law enforcement agencies have obtained access to clear text copies of encrypted emails sent through Hushmail as part of a recent drug trafficking investigation. http://www.theregister.co.uk/2007/11/08/hushmail_court_orders/print.html

FYI - DoubleClick Serves Up Vast Malware Blitz - The third-party ad network says it now has monitoring capabilities in place to catch the problem malware. Rogue anti-spyware software that pushes fraudulent PC scans has found its way onto DoubleClick and legitimate sites, including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies. http://www.eweek.com/article2/0%2C1895%2C2215635%2C00.asp

FYI - Visa Gave TJX a Pass on PCI in 2005 - Retailer got some slack on security compliance - and got hacked in the interim - The comedy of errors that led to TJX Companies' loss of an estimated 94.7 million credit card records isn't very funny. But as the puzzle pieces come together, it is amazing to see how many things went wrong. http://www.darkreading.com/document.asp?doc_id=138838

FYI - Half Million Database Servers Lack Firewall Security - Think your database server is safe? You may want to double-check. According to security researcher David Litchfield, there are nearly half a million database servers exposed on the Internet, without firewall protection. http://www.pcworld.com/businesscenter/article/139622/half_million_database_servers_lack_firewall_security.html

FYI - Veterans can sue over security breach from stolen laptop - A federal judge says veterans can sue the Department of Veterans Affairs in a case that stems from the theft of a worker's laptop computer last year. http://www.nbcactionnews.com/news/national/story.aspx?content_id=33858645-718b-41f6-bc56-81c4b10e6afe

MISSING COMPUTERS/DATA

FYI - Salesforce tight-lipped after phishing attack - Salesforce.com is refusing to reveal details of a security breach caused when one of its employees surrendered their password in a phishing attack against the company. Details of Salesforce.com's customers were stolen as a result of the password being surrendered, the CRM services company admitted to customers.
http://news.zdnet.co.uk/security/0,1000000189,39290616,00.htm?r=1
http://www.scmagazineus.com/Phisher-steals-Salesforcecom-customer-list/article/96266/

FYI - Attackers Snatch Member Data from 92 Nonprofits - Attackers have stolen passwords and accounts from 92 nonprofits by infiltrating systems at Convio, the leading online marketing company for nonprofits. http://www.eweek.com/article2/0,1895,2215792,00.asp



WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft (Part 6 of 6)

President's Identity Theft Task Force

On May 10, 2006, the President issued an executive order establishing an Identity Theft Task Force (Task Force). The Chairman of the FDIC is a principal member of the Task Force and the FDIC is an active participant in its work. The Task Force has been charged with delivering a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution. On September 19, 2006, the Task Force adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft. Among other things, these recommendations dealt with data breach guidance to federal agencies, alternative methods of "authenticating" identities, and reducing access of identity thieves to Social Security numbers. The final strategic plan is expected to be publicly released soon.

Conclusion

Financial institutions have an affirmative and continuing obligation to protect the privacy of customers' nonpublic personal information. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers.


INFORMATION TECHNOLOGY SECURITY
We continue the series from the FDIC "Security Risks Associated with the Internet."

Data Transmission and Types of Firewalls 

Data traverses the Internet in units referred to as packets. Each packet has headers which contain information for delivery, such as where the packet is from, where it is going, and what application it contains. The varying firewall techniques examine the headers and either permit or deny access to the system based on the firewall's rule configuration. 

There are different types of firewalls that provide various levels of security. For instance, packet filters, sometimes implemented as screening routers, permit or deny access based solely on the stated source and/or destination IP address and the application (e.g., FTP). However, addresses and applications can be easily falsified, allowing attackers to enter systems. Other types of firewalls, such as circuit-level gateways and application gateways, actually have separate interfaces with the internal and external (Internet) networks, meaning no direct connection is established between the two networks. A relay program copies all data from one interface to another, in each direction. An even stronger firewall, a stateful inspection gateway, not only examines data packets for IP addresses, applications, and specific commands, but also provides security logging and alarm capabilities, in addition to historical comparisons with previous transmissions for deviations from normal context.


Implementation 


When evaluating the need for firewall technology, the potential costs of system or data compromise, including system failure due to attack, should be considered. For most financial institution applications, a strong firewall system is a necessity. All information into and out of the institution should pass through the firewall. The firewall should also be able to change IP addresses to the firewall IP address, so no inside addresses are passed to the outside. The possibility always exists that security might be circumvented, so there must be procedures in place to detect attacks or system intrusions. Careful consideration should also be given to any data that is stored or placed on the server, especially sensitive or critically important data.
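The two paragraphs above contrast a packet filter, which decides on nothing but the source address, destination address and application a packet claims in its headers, with a stateful inspection gateway that also remembers which connections the inside opened, rewrites inside addresses to its own, and logs what it denies. The following Python model, added here as an illustration and not taken from the FDIC paper or any real firewall product, runs both types against the same constructed packets: the rule set, the addresses (RFC 5737 documentation ranges) and the packets are all made up for this example.

```python
"""Toy model of packet filter vs. stateful gateway (constructed example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True only on the segment that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    direction: str      # "in" or "out"
    src: str            # CIDR prefix
    dst: str            # CIDR prefix
    dst_port: Optional[int]
    action: str         # "allow" or "deny"

    def matches(self, pkt, direction):
        return (self.direction == direction
                and ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and self.dst_port in (None, pkt.dst_port))


class PacketFilter:
    """Screening-router style: first matching rule decides, using nothing
    but the header fields the packet itself claims."""
    def __init__(self, rules):
        self.rules = rules

    def allow(self, pkt, direction):
        for rule in self.rules:
            if rule.matches(pkt, direction):
                return rule.action == "allow"
        return False        # default deny


class StatefulGateway(PacketFilter):
    """Same rules plus a connection table, source NAT to the gateway's own
    address (no inside address leaves the network) and a log of denials."""
    def __init__(self, rules, public_ip, first_nat_port=40000):
        super().__init__(rules)
        self.public_ip = public_ip
        self.next_port = first_nat_port
        self.out_map = {}   # (inside ip, inside port) -> public port
        self.in_map = {}    # public port -> (inside ip, inside port)
        self.conns = set()  # flows opened from the inside
        self.log = []       # every denied packet, available for alerting

    def process(self, pkt, direction):
        """Return the packet as it would be forwarded, or None if dropped."""
        if direction == "out":
            flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if flow not in self.conns:
                # A new flow needs both a permitting rule and a genuine open.
                if not (pkt.syn and self.allow(pkt, "out")):
                    self.log.append(("deny", "out", pkt))
                    return None
                self.conns.add(flow)
                self.out_map[flow[:2]] = self.next_port
                self.in_map[self.next_port] = flow[:2]
                self.next_port += 1
            return replace(pkt, src_ip=self.public_ip,
                           src_port=self.out_map[flow[:2]])
        # Inbound: accepted only as the reply to a flow the inside opened.
        inside = self.in_map.get(pkt.dst_port)
        if (pkt.dst_ip != self.public_ip or inside is None
                or inside + (pkt.src_ip, pkt.src_port) not in self.conns):
            self.log.append(("deny", "in", pkt))
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def run_scenario():
    """Compare the two firewall types on three constructed packets."""
    rules = [
        Rule("out", "10.0.0.0/24", "0.0.0.0/0", 443, "allow"),       # HTTPS out
        Rule("in", "203.0.113.0/24", "10.0.0.0/24", None, "allow"),  # 'trusted' partner
    ]
    pf = PacketFilter(rules)
    gw = StatefulGateway(rules, public_ip="198.51.100.1")

    # 1. An inside host opens HTTPS to an outside server.
    out = Packet("10.0.0.5", 51000, "203.0.113.9", 443, syn=True)
    # 2. The server's reply, addressed to the gateway's public address.
    reply = Packet("203.0.113.9", 443, "198.51.100.1", 40000)
    # 3. An unsolicited inbound packet whose source address merely claims
    #    to be the trusted partner network (headers are easily falsified).
    spoof = Packet("203.0.113.9", 443, "10.0.0.5", 22, syn=True)

    forwarded = gw.process(out, "out")
    return {
        "filter_allows_out": pf.allow(out, "out"),
        "filter_allows_spoof": pf.allow(spoof, "in"),        # True: header-only decision
        "nat_src": (forwarded.src_ip, forwarded.src_port),   # inside address hidden
        "gateway_reply": gw.process(reply, "in"),            # translated back inside
        "gateway_spoof": gw.process(spoof, "in"),            # None: no matching flow
        "denied_logged": len(gw.log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The packet filter accepts the spoofed packet because its only evidence is the claimed source address, while the stateful gateway rejects it because no inside host ever opened that flow, records the denial in its log, and shows the outside server only the gateway's own address and port.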

CLIENTS - The complete text of the FDIC's paper "Security Risks Associated with the Internet" dated December 18, 1997, can be found at http://www.fdic.gov/news/news/financial/1997/fil97131.html 


IT SECURITY QUESTION:  Workstations: (Part 2 of 2)

f. Are modems used for Internet connection?
g. Will workstation timeout with no activity?
h. Are screen savers used?
i. Are screen savers password protected?
j. Is a current copy of an anti-virus program installed on the workstations?
k. Are workstations turned off after business hours?



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

4)  Does the institution provide initial notice after establishing a customer relationship only if:

a.  the customer relationship is not established at the customer's election; [§4(e)(1)(i)] or

b.  to do otherwise would substantially delay the customer's transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§4(e)(1)(ii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated