R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 11, 2011

CONTENT Internet Compliance Information Systems Security
IT Security
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee
,
you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Staff to be banned from sending emails - The head of one of Europe's largest information technology services companies is to ban staff from sending each other emails, saying they waste time and are outdated. http://www.telegraph.co.uk/technology/news/8921033/Staff-to-be-banned-from-sending-emails.html

FYI - US Senator demands answers from Carrier IQ - Al Franken calls smartphone tracker on the carpet - Senator and former late-night funnyman Al Franken has called on Carrier IQ to explain why its diagnostic software, buried in the bowels of 141 million smartphones, isn't a massive violation of US wiretap laws. http://www.theregister.co.uk/2011/12/01/al_franken_carrier_iq/

FYI - Suspicion in Iran that Stuxnet caused Revolutionary Guards base explosions - Is the Stuxnet computer malworm back on the warpath in Iran? http://www.debka.com/article/21496/

FYI - The Malls Are Watching - Two malls were recently criticized for watching the shopping habits of their customers, according to a report on CNNMoney.com. http://www.washingtonpost.com/business/economy/the-malls-are-watching/2011/11/30/gIQAP6B1GO_story.html

FYI - Cyberattacks up 50 percent in 2011 - A listing on the stock exchange seemed to be an open invitation to hackers in 2011. An annual study on internet crime, conducted by Telus Corp. and the University of Toronto's Rotman School of Management, indicated that publicly traded Canadian companies experienced 50 percent more cyberattacks in 2011 than in the previous year. http://www.scmagazineus.com/cyberattacks-up-50-percent-in-2011/article/218217/?DCMP=EMC-SCUS_Newswire

FYI - Should Homeland Security control the electrical grid? Maybe - The time has come for the U.S. government to focus a single agency's efforts on reinforcing the security of the electrical grid, MIT researchers said today in a wide-ranging report. http://news.cnet.com/8301-13506_3-57336531-17/should-homeland-security-control-the-electrical-grid-maybe/

FYI - Data Protection Directive changes will 'be ineffective' - The upcoming European data protection directive could be ineffective in the short term and will place further financial and security burdens upon European businesses. http://www.scmagazineuk.com/data-protection-directive-changes-will-be-ineffective/article/218102/

FYI - Cyber training no longer basic - For roughly a century, the U.S. military has fought on land, by sea and in the air. For the most part, the domains have been tangible and the boundaries defined. Now a new domain is emerging: cyber warfare. http://fcw.com/Articles/2011/11/28/FEAT-Military-cyber-training.aspx

FYI - Getting serious about health care security - Let's be truthful. Being compliant with the Healthcare Insurance Portability Act and Accountability Act (HIPAA) of 1996 and even its subsequent Privacy and Security rules alone is really like doing the barest of minimums possible to secure your health care organization and the protected health care information (PHI) in its custodianship. http://www.scmagazineus.com/getting-serious-about-health-care-security/article/218274/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers accessed city infrastructure via SCADA - The deputy assistant director of the FBI's Cyber Division says hackers recently accessed the infrastructure of three cities through SCADA systems. http://www.information-age.com/channels/security-and-continuity/news/1676243/hackers-accessed-city-infrastructure-via-scada-fbi.thtml

Return to the top of the newsletter

WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC,) an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.


Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY
-  
We continue our series on the FFIEC interagency Information Security Booklet.  

ENCRYPTION - HOW ENCRYPTION WORKS

In general, encryption functions by taking data and a variable, called a "key," and processing those items through a fixed algorithm to create the encrypted text. The strength of the encrypted text is determined by the entropy, or degree of uncertainty, in the key and the algorithm. Key length and key selection criteria are important determinants of entropy. Greater key lengths generally indicate more possible keys. More important than key length, however, is the potential limitation of possible keys posed by the key selection criteria. For instance, a 128-bit key has much less than 128 bits of entropy if it is selected from only certain letters or numbers. The full 128 bits of entropy will only be realized if the key is randomly selected across the entire 128-bit range.


The encryption algorithm is also important. Creating a mathematical algorithm that does not limit the entropy of the key and testing the algorithm to ensure its integrity are difficult. Since the strength of an algorithm is related to its ability to maximize entropy instead of its secrecy, algorithms are generally made public and subject to peer review. The more that the algorithm is tested by knowledgeable worldwide experts, the more the algorithm can be trusted to perform as expected. Examples of public algorithms are AES, DES and Triple DES, HSA - 1, and RSA.

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 2 of 3)

B. Presentation, Content, and Delivery of Privacy Notices 

1)  Review the financial institution's initial, annual and revised notices, as well as any short-form notices that the institution may use for consumers who are not customers. Determine whether or not these notices:

a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));

b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information and contain examples as applicable (§6). Note that if the institution shares under Section 13 the notice provisions for that section shall also apply.

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

a.  Timeliness of delivery (§§4(a), 7(c), 8(a)); and

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9).

c.  For customers only, review the timeliness of delivery (§§4(d), 4(e), 5(a)), means of delivery of annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated