Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- President’s tech council plays sad trombone for federal
cybersecurity - Report finds that government "rarely follows
accepted best practices." - The President's Council of Advisors on
Science and Technology (PCAST) released a report on the state of the
nation's cybersecurity today. The report's first finding: the US
government is terrible at cybersecurity.
- Microsoft, HURTING after NSA backdooring, vows to now harden its
pipe - Snooping on private messages 'breach of the 4th Amendment' -
Microsoft is scrambling to encrypt its data centers' interlinks -
after a fresh Snowden leak suggested the NSA and GCHQ tapped into
the cables and intercepted sensitive network traffic.
- 'Neverquest' trojan threatens online banking users - Attackers
could start to aggressively distribute this malware in the near
future - A new Trojan program that targets users of online financial
services has the potential to spread very quickly over the next few
months, security researchers warn.
- U.S. government settles software piracy case - The Army used
thousands more copies of a system than what they paid for, and tried
to hack the software to get around the licenses, the software
company alleges. The government is paying $50 million to make the
case go away.
- U.S. data breach notification laws likely to remain state-by-state
- Constantly updating technology coupled with the dynamic and
evolving nature of data breaches may be stalling notification laws
from becoming uniform across the United States.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
European Parliament's network hacked;
public Wi-Fi shutdown - The news comes not long after leaked
documents showed the NSA was bugging and spying EU offices around
the world. But the U.S. agency can likely be ruled out as a suspect
in this latest hack, following reports from German media.
Funds of RBS customers unavailable
during Cyber Monday glitch - A system failure hitting The Royal Bank
of Scotland (RBS) on Cyber Monday kept more than 1 million UK
customers from making online purchases, withdrawing money from ATM
machines or carrying out other transactions via online and mobile
Staffer compromises more than a
thousand Pittsburgh patients - More than a thousand patients treated
at a variety of University of Pittsburgh Medical Center (UPMC)
locations over the past year are being notified that their personal
information was viewed inappropriately by a former employee.
More than 1,700 alerted to breach of
Oregon online retailer - More than 1,700 people who made purchases
with online retailer Made In Oregon are being notified that their
credit card information may have been compromised in a security
Discovery of two million hacked
credentials, '123456' is again the common password - Researchers
with SpiderLabs, the advanced security team with information
security company Trustwave, discovered a treasure trove of nearly
two million pilfered credentials from a variety of companies,
including Facebook, Google, Yahoo, Twitter, LinkedIn and payroll
service provider ADP.
access plain text info on nearly 500K JPMorgan Chase cardholders -
Banking and financial services holding company JPMorgan Chase is
alerting 465,000 prepaid cash cardholders that their personal
information may have been compromised by hackers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an attacker
to submit false physical characteristics, or to take advantage of
system flaws to make the system erroneously report a match between
the characteristic submitted and the one stored in the system. In
the first situation, an attacker might submit to a thumbprint
recognition system a copy of a valid user's thumbprint. The control
against this attack involves ensuring a live thumb was used for the
submission. That can be done by physically controlling the thumb
reader, for instance having a guard at the reader to make sure no
tampering or fake thumbs are used. In remote entry situations,
logical liveness tests can be performed to verify that the submitted
data is from a live subject.
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning. Degrees of
freedom relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique biometric.
Facial recognition systems, for instance, may have only nine degrees
of freedom while other biometric systems have over one hundred.
Similar faces may be used to fool the system into improperly
authenticating an individual. Similar irises, however, are difficult
to find and even more difficult to fool a system into improperly
Attacks against system tuning also exist. Any biometric system has
rates at which it will falsely accept a reading and falsely reject a
reading. The two rates are inseparable; for any given system
improving one worsens the other. Systems that are tuned to maximize
user convenience typically have low rates of false rejection and
high rates of false acceptance. Those systems may be more open to
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
22. Does the institution provide the consumer with at least one of
the following reasonable means of opting out, or with another
a. check-off boxes prominently displayed on the relevant forms with
the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent
via electronic mail or a process at the institution's web site, if
the consumer agrees to the electronic delivery of information;
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
institution may require the consumer to use one specific means, as
long as that means is reasonable for that consumer. [§7(a)(iv)])