Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b)
as well as the penetration
study complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
- Why You Need a Cybersecurity Incident Response Plan (And How to
Create One) - This simple wisdom from Ben Franklin is as valuable
today as it was in the 18th century. Applied to today's
cybersecurity industry, the above quote can mean the difference
between successful breach response and devastating loss of customer
data and reputation.
Beyond 'Culture and Awareness' - Emerging Approaches to Internal
Threats and Breaches - In looking at the plethora of recent data
breaches, it's easy to think that attackers have gained an unfair
advantage over security professionals.
Uber's delayed breach notification would run afoul of GDPR - If the
Global Data Protection Rules (GDPR) had been in effect during the
latest Uber hack, the ride-sharing company would have faced stiffed
consequences – or maybe it would have chosen a more prudent, secure
route by promptly revealing the attack that compromised the personal
data of 57 million customers and drivers, and by taking bold steps
to mitigate the damage.
Cellphone tracking case in front of SCOTUS could have broad privacy
implications - When the Supreme Court takes up Carpenter vs. the
United States Wednesday, the likely landmark case will clarify if
law enforcement must obtain court-issued warrants to access location
data from wireless providers rather than invoke the lower standard
for access imposed by the 30-year-old Stored Communications Act.
Cottage Health fined $2M by Calif. AG for two breaches - California
Attorney General Xavier Becerra has slapped Cottage Health System
with $2 million in fines for a pair of breaches.
New Ursnif variants silently targets banks and employ redirection
attacks - New Ursnif variants being tested in the wild are using
redirection attacks to target Australian banks and malicious TLS
callback techniques to achieve process injection.
Majority of U.K. Uber users and drivers caught up in data breach -
More than half of all Uber riders and drivers in the U.K. were
impacted by the ride sharing company's data breach that was revealed
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Uber hid massive hack compromising data of 57M for a year - For
more than a year, even as it negotiated with regulators in the U.S.
over privacy infractions, Uber hid a massive hack that resulted in
cyberthieves pilfering the personal information of 57 million
customers and drivers and prompted the company to fire two
Fake Symantec site spreads OSX.Proton password stealer - A security
researcher using the Twitter handle @noarfromspace last week spotted
a fake Symantec blog spreading a new variant of the OSX.Proton
Imgur acts fast to disclose years-old breach that compromised 1.7
million users - Online image sharing and hosting service Imgur was
breached in 2014, resulting in the theft of roughly 1.7 million user
email addresses and passwords, the company confirmed last Friday in
an online notification.
Ann Arundel school workers phished, lose paychecks - Cybercriminals
used what was most likely a phishing attack to gain the information
needed redirect the direct deposited pay checks of 36 Ann Arundel
County school employees stealing about $57,000.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Some considerations for contracting with service providers are
discussed below. This listing is not all-inclusive and the
institution may need to evaluate other considerations based on its
unique circumstances. The level of detail and relative importance of
contract provisions varies with the scope and risks of the services
Scope of Service
The contract should clearly describe the rights and responsibilities
of parties to the contract.
• Timeframes and activities for
implementation and assignment of responsibility.
Implementation provisions should take into consideration other
existing systems or interrelated systems to be developed by
different service providers (e.g., an Internet banking system
being integrated with existing core applications or systems
• Services to be performed by the service provider including
duties such as software support and maintenance, training of
employees or customer service.
• Obligations of the financial institution.
• The contracting parties’ rights in modifying existing services
performed under the contract.
• Guidelines for adding new or different services and for
Institutions should generally include performance standards defining
minimum service level requirements and remedies for failure to meet
standards in the contract. For example, common service level metrics
include percent system uptime, deadlines for completing batch
processing, or number of processing errors. Industry standards for
service levels may provide a reference point. The institution should
periodically review overall performance standards to ensure
consistency with its goals and objectives.
the top of the newsletter
FFIEC IT SECURITY -
We continue our coverage of
the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable to the desktop network.
Currently, wireless networks can provide speeds of up to 11 Mbps
between the workstation and the wireless access device without the
need for cabling individual workstations. Wireless networks also
offer added mobility allowing users to travel through the facility
without losing their network connection. Wireless networks are also
being used to provide connectivity between geographically close
locations as an alternative to installing dedicated
Wireless differs from traditional hard-wired networking in that it
provides connectivity to the network by broadcasting radio signals
through the airways. Wireless networks operate using a set of FCC
licensed frequencies to communicate between workstations and
wireless access points. By installing wireless access points, an
institution can expand its network to include workstations within
broadcast range of the network access point.
The most prevalent class of wireless networks currently available
is based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is
intended to provide confidentiality and integrity of data and a
degree of access control over the network. By design, WEP encrypts
traffic between an access point and the client. However, this
encryption method has fundamental weaknesses that make it
vulnerable. WEP is vulnerable to the following types of decryption
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations based
on known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a
day's worth of traffic, allow real-time automated decryption of all
traffic (a dictionary-building attack creates a translation table
that can be used to convert encrypted information into plain text
without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4 encryption
algorithm that allow an attacker to rapidly determine the encryption
key used to encrypt the user's session).
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
13.6.4 Motivate Management and Employees
To successfully implement an awareness and training program, it is
important to gain the support of management and employees.
Consideration should be given to using motivational techniques to
show management and employees how their participation in the CSAT
program will benefit the organization.
Management. Motivating management normally relies upon
increasing awareness. Management needs to be aware of the losses
that computer security can reduce and the role of training in
computer security. Management commitment is necessary because of the
resources used in developing and implementing the program and also
because the program affects their staff.
Employees. Motivation of managers alone is not enough.
Employees often need to be convinced of the merits of computer
security and how it relates to their jobs. Without appropriate
training, many employees will not fully comprehend the value of the
system resources with which they work.
Some awareness techniques were discussed above. Regardless of the
techniques that are used, employees should feel that their
cooperation will have a beneficial impact on the organization's
future (and, consequently, their own).
Employees and managers should be solicited to provide input to the
CSAT program. Individuals are more likely to support a program when
they have actively participated in its development.