R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 30, 2008

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI
-
ISPs under strain from barrage of DDoS attacks - Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, according to a report from Arbor Networks. http://news.zdnet.co.uk/security/0,1000000189,39549409,00.htm

FYI -
IT admin used inside knowledge to hack and steal - A former San Jose network administrator is facing 12 years in prison after pleading guilty to hacking, ID theft, burglary and drug charges. According to the Santa Clara District Attorney's office, Andrew Madrid, 34, used his IT experience to pull off a variety of crimes between September 2006 and March 2008. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119940&source=rss_topic17

FYI -
Computer virus affects hospitals - The Royal London Hospital is among the three hit by the computer bug - Three London hospitals have been forced to shut down their entire computer systems for at least 24 hours after being hit by a virus. http://news.bbc.co.uk/2/hi/uk_news/england/london/7735502.stm

FYI -
Software update vulnerabilities - The automatic update features in many software applications are proving to be vulnerable to attack. Hackers are taking notice. You should, too. There's been considerable discussion recently about how automatic software updates, such as those to download security patches, can be used as potential vectors of attack. http://www.scmagazineus.com/Hot-or-not-Software-update-vulnerabilities/article/121252/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Firm offers $1 million bounty for blackmailers - Drug-benefits provider Express Scripts announced that it had established a large fund to reward people who provide information leading to the capture and prosecution of the online attackers that stole sensitive data from its servers and then attempted to extort money from the company and its customers. http://www.securityfocus.com/brief/854

FYI -
University of Florida discloses patient-record data breach - Data breach exposes 330,000 records - The University of Florida today disclosed that an unknown attacker gained access to a server in its College of Dentistry where hundreds of thousands of patient records were stored. http://www.networkworld.com/news/2008/111208-ufla.html?hpg1=bn

FYI -
State failed to encrypt private data - The state Department of Health and Human Services violated security policies by not properly protecting residents' personal information, including their Social Security numbers, on an agency laptop that was stolen last month. http://www.newsobserver.com/news/story/1294350.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft (Part 3 of  6)


FDIC Response to Identity Theft

The FDIC's supervisory programs include many steps to address identity theft. The FDIC acts directly, often in conjunction with other Federal regulators, by promulgating standards that financial institutions are expected to meet to protect customers' sensitive information and accounts. The FDIC enforces these standards against the institutions under its supervision and encourages all financial institutions to educate their customers about steps they can take to reduce the chances of becoming an identity theft victim. The FDIC also sponsors and conducts a variety of consumer education efforts to make consumers more aware of the ways they can protect themselves from identity thieves.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY
-
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 1 of 2)


Financial institutions must control access to system software within the various network clients and servers as well as stand-alone systems. System software includes the operating system and system utilities. The computer operating system manages all of the other applications running on the computer. Common operating systems include IBM OS/400 and AIX, LINUX, various versions of Microsoft Windows, and Sun Solaris. Security administrators and IT auditors need to understand the common vulnerabilities and appropriate mitigation strategies for their operating systems. Application programs and data files interface through the operating system. System utilities are programs that perform repetitive functions such as creating, deleting, changing, or copying files. System utilities also could include numerous types of system management software that can supplement operating system functionality by supporting common system tasks such as security, system monitoring, or transaction processing.

System software can provide high-level access to data and data processing. Unauthorized access could result in significant financial and operational losses. Financial institutions must restrict privileged access to sensitive operating systems. While many operating systems have integrated access control software, third - party security software is available for most operating systems. In the case of many mainframe systems, these programs are essential to ensure effective access control and can often integrate the security management of both the operating system and the applications. Network security software can allow institutions to improve the effectiveness of the administration and security policy compliance for a large number of servers often spanning multiple operating system environments. The critical aspects for access control software, whether included in the operating system or additional security software, are that management has the capability to:

! Restrict access to sensitive or critical system resources or processes and have the capability, depending on the sensitivity to extend protection at the program, file, record, or field level;
! Log user or program access to sensitive system resources including files, programs, processes, or operating system parameters; and
! Filter logs for potential security events and provide adequate reporting and alerting capabilities.


Return to the top of the newsletter

IT SECURITY QUESTION:

C. HOST SECURITY

14. Determine whether adequate policies and procedure govern the destruction of sensitive data on machines that are taken out of service.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 3 of 6)

Requirements for Notices

Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulations do not prescribe specific methods for making a notice clear and conspicuous, but do provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution's privacy practices.

Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand-deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer's last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution's web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice (as well as the annual notice and any revised notice) so that a customer may be able to retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution's web site, the institution may provide the current version of its privacy notice on its web site.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated