R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 30, 2014

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Third of employees use company devices for social media and online shopping - That fancy laptop all employees receive at the start of their employment? As it turns out they aren't using it solely for work-related activities, according to a new study. http://www.scmagazine.com/employees-use-company-devices-for-non-work-related-activity/article/384775/

FYI - Target to judge: Banks’ losses in our card breach aren’t our problem - Files in federal court to have banks’ data breach suit thrown out. Target’s massive data breach, in which criminals were able to drop malware onto point-of-sale systems and compromise at least 40 million credit and debit cards, is now the subject of a federal lawsuit by banks who issued those cards. http://arstechnica.com/tech-policy/2014/11/target-to-judge-banks-losses-in-our-card-breach-arent-our-problem/

FYI - Hackers to probe cyber crime defences at British banks - In the next few months hackers will try to penetrate the cyber defences of Britain's major banks and steal information about millions of customers. But for once they'll be welcome. http://www.dailymail.co.uk/wires/reuters/article-2840995/Hackers-probe-cyber-crime-defences-British-banks.html

FYI - USPS draws ire of Congress over data breach response - The United States Postal Service (USPS) was scolded by members of a congressional subcommittee in a hearing over its response to the recent data breach that impacted its network and employees. http://www.scmagazine.com/congress-criticizes-usps-data-breach-response/article/384520/

FYI - Private investigator fined €5,000 for accessing data - A private investigator has been convicted on two charges of illegally obtaining information from the Pulse system and fined a total of €5,000. http://www.irishtimes.com/news/crime-and-law/private-investigator-fined-5-000-for-accessing-garda-data-1.2012999

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Foreign Governments Have Hacked U.S. Grid, NSA Head Says - Several foreign governments have hacked into U.S. energy, water and fuel distribution systems and might damage essential services, the top national security official said. http://www.bloomberg.com/news/2014-11-20/foreign-governments-have-hacked-u-s-power-system-nsa-head-says.html

FYI - Brigham Young University-Idaho student hacks transcript, earns $7k in scholarships - A Brigham Young University-Idaho (BYU) student broke into his school's computer system to alter his grades and ultimately use his altered transcript to receive thousands of dollars in academic scholarships. http://www.scmagazine.com/student-hacks-academic-transcript/article/384746/

FYI - Breach impacts about 10,000 employees in Maryland school system - Prince George's County Public Schools (PGCPS) in Maryland is notifying roughly 10,000 employees that their personal information – including Social Security numbers – was inadvertently included in a report that was shared internally via email, and also disseminated outside of the PGCPS email domain. http://www.scmagazine.com/breach-impacts-about-10000-employees-in-maryland-school-system/article/385003/

FYI - Attackers Hijack Craigslist Domain Name - Users looking to visit online classifieds titan Craigslist on Sunday evening were redirected to a site hosted at the domain DigitalGangster(dot)Com, as a result of a DNS hijack. http://www.securityweek.com/attackers-hijack-craigslist-domain-name 


WEB SITE COMPLIANCE
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 11: Banks should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.

 
 Effective incident response mechanisms are critical to minimize operational, legal and reputational risks arising from unexpected events such as internal and external attacks that may affect the provision of e-banking systems and services. Banks should develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services, including those originating from outsourced systems and operations.
 
 To ensure effective response to unforeseen incidents, banks should develop: 
 
 1)  Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans.
 
 2)  Mechanisms to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service.
 
 3)  A communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-banking systems.
 
 4)  A clear process for alerting the appropriate regulatory authorities in the event that material security breaches or disruptive incidents occur.
 
 5)  Incident response teams with the authority to act in an emergency and sufficiently trained in analyzing incident detection/response systems and interpreting the significance of related output.
 
 6)  A clear chain of command, encompassing both internal as well as outsourced operations, to ensure that prompt action is taken appropriate for the significance of the incident. In addition, escalation and internal communication procedures should be developed and include notification of the Board where appropriate.
 
 7)  A process to ensure all relevant external parties, including bank customers, counterparties and the media, are informed in a timely and appropriate manner of material e-banking disruptions and business resumption developments.
 
 8)  A process for collecting and preserving forensic evidence to facilitate appropriate post-mortem reviews of any e-banking incidents as well as to assist in the prosecution of attackers.


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.
 
 
INTRUSION DETECTION AND RESPONSE
 
 A maxim of security is "prevention is ideal, but detection is a must."  Security systems must both restrict access and protect against the failure of those access restrictions. When those systems fail, however, an intrusion occurs and the only remaining protection is a detection-and-response capability. The earlier an intrusion is detected, the greater the institution's ability to mitigate the risk posed by the intrusion. Financial institutions should have a capability to detect and react to an intrusion into their information systems.
 
 INTRUSION DETECTION
 
 Preparation for intrusion detection generally involves identifying data flows to monitor for clues to an intrusion, deciding on the scope and nature of monitoring, implementing that monitoring, and establishing a process to analyze and maintain custody over the resulting information. Additionally, legal requirements may include notifications of users regarding the monitoring and the extent to which monitoring must be performed as an ordinary part of ongoing operations.
 
 Adequate preparation is a key prerequisite to detection. The best intrusion detection systems will not identify an intrusion if they are not located to collect the relevant data, do not analyze correct data, or are not configured properly. Even if they detect an intrusion, the information gathered may not be usable by law enforcement if proper notification of monitoring and preservation of data integrity has not taken place.
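The booklet's point about maintaining custody over collected monitoring data and preserving its integrity, and item 8 of the Basel principle above on preserving forensic evidence, can be made concrete with a tamper-evident evidence log: each collected record is chained to the previous one by a SHA-256 hash, so any after-the-fact alteration breaks the chain and can be located. The Python below is an added illustration for this newsletter, not code from the FFIEC booklet, the Basel Committee or Yennik; the sensor names, collector identifier and alert text are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample alerts such as a monitoring sensor might emit.
# These are made-up records for the example, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2014-11-30T02:14:07Z", "sensor": "ids-dmz-1",
     "msg": "repeated failed logins to web-banking portal"},
    {"ts": "2014-11-30T02:14:09Z", "sensor": "ids-dmz-1",
     "msg": "outbound connection from app server to unknown host"},
    {"ts": "2014-11-30T02:15:01Z", "sensor": "fw-core",
     "msg": "policy deny: internal host to external port 6667"},
]

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj) -> bytes:
    """Serialize deterministically so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class EvidenceEntry:
    seq: int
    event: dict
    collector: str      # who or what captured the record (custody)
    prev_hash: str      # hash of the preceding entry (the chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {"seq": self.seq, "event": self.event,
                "collector": self.collector, "prev_hash": self.prev_hash}
        return hashlib.sha256(canonical(body)).hexdigest()


class EvidenceLog:
    """Append-only log whose entries are linked by SHA-256 hashes."""

    def __init__(self):
        self.entries: List[EvidenceEntry] = []

    def append(self, event: dict, collector: str) -> EvidenceEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        # Copy the event so later edits to the caller's dict cannot reach the log.
        entry = EvidenceEntry(seq=len(self.entries), event=dict(event),
                              collector=collector, prev_hash=prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def head(self) -> str:
        """Hash of the last entry; record it out of band (e.g. on the custody form)."""
        return self.entries[-1].entry_hash if self.entries else GENESIS


def build_sample_log() -> EvidenceLog:
    log = EvidenceLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev, collector="soc-analyst-1")  # hypothetical collector id
    return log


def demo_tamper() -> Optional[int]:
    """Alter one collected event after the fact and report where verification fails."""
    log = build_sample_log()
    log.entries[1].event["msg"] = "benign traffic"  # post-hoc edit without rehashing
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None, "head:", log.head())
    print("first tampered entry:", demo_tamper())
```

The head hash is what an analyst would note on the custody record or send to a separate system when the capture is sealed; a later `verify()` that returns an entry number, or a head that no longer matches the recorded value, shows the collected data was altered after collection, which is the kind of integrity failure that makes evidence unusable.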



INTERNET PRIVACY
This is the last time we will publish this section on Internet Privacy.  You will find the entire regulation, PART 332—PRIVACY OF CONSUMER FINANCIAL INFORMATION, at http://www.fdic.gov/regulations/laws/rules/2000-5550.html.

We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.
 
 
Account number sharing
 
 
A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution's consumers (§12).
 
 B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution's own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution's own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customers' accounts (§12(b)(1)).
 
 C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (§12(b)(2)).


 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated