Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, visit
GAO - U.S. Postal Service Needs to Strengthen System Acquisition and
Management Capabilities to Improve Its Intelligent Mail® Full
Obama Wants Computer Privacy Ruling Overturned - The Obama
administration is seeking to reverse a federal appeals court
decision that dramatically narrows the government's
search-and-seizure powers in the digital age.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thousands of Wis. hospital patients at risk after laptop theft - A
laptop containing the personal information of thousands of patients
of Aurora St. Luke's Medical Center in Milwaukee, Wis. was recently
Restaurants Sue Vendors After Point-of-sale Hack - When Keith Bond
bought a computerized cash register system for his Broussard,
Louisiana, restaurant, he thought he was modernizing his restaurant.
Today, he believes he was unwittingly opening a back door for
Romanian hackers who have now cost him more than US$50,000.
Hackers attempt to take $1.3 million from D.C. firm - It has been a
while since I've written about online banking fraud against small to
mid-sized businesses, but I assure you the criminals perpetrating
these attacks have been busier than ever. In fact, from more than a
dozen incidents I've been investigating lately, the attackers for
whatever reason now appear to be focusing heavily on property
management and real estate firms, and title companies.
Lost Royal Navy memory stick reportedly contained information on
manoeuvres and UK personnel - A memory stick that contained
'restricted' information on naval manoeuvres and personnel around
the UK was reported missing last week.
Skim versus hack: Council still in the dark - Auckland City says it
still doesn't know how carpark systems were compromised - Auckland
City is referring all enquiries about how its carparking systems
were compromised, leading to the reissue of thousands of credit
cards, to Westpac, which is leading the investigation into the
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should be
assigned to all individuals, agents or systems, which conduct
2. All e-banking systems should be constructed to ensure that they
interact with a valid authorization database.
3. No individual agent or system should have the authority to change
his or her own authority or access privileges in an e-banking
4. Any addition of an individual, agent or system or changes to
access privileges in an e-banking authorization database should be
duly authorized by an authenticated source empowered with the
adequate authority and subject to suitable and timely oversight and
5. Appropriate measures should be in place in order to make
e-banking authorization databases reasonably resistant to tampering.
Any such tampering should be detectable through ongoing monitoring
processes. Sufficient audit trails should exist to document any such
6. Any e-banking authorization database that has been tampered with
should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization
levels during e-banking transaction sessions and any attempts to
alter authorization should be logged and brought to the attention of
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
PART I. Risks Associated with Wireless Internal Networks
Financial institutions are evaluating wireless networks as an
alternative to the traditional cable to the desktop network.
Currently, wireless networks can provide speeds of up to 11Mbps
between the workstation and the wireless access device without the
need for cabling individual workstations. Wireless networks also
offer added mobility allowing users to travel through the facility
without losing their network connection. Wireless networks are also
being used to provide connectivity between geographically close
locations as an alternative to installing dedicated
Wireless differs from traditional hard-wired networking in that it
provides connectivity to the network by broadcasting radio signals
through the airways. Wireless networks operate using a set of FCC
licensed frequencies to communicate between workstations and
wireless access points. By installing wireless access points, an
institution can expand its network to include workstations within
broadcast range of the network access point.
The most prevalent class of wireless networks currently available is
based on the IEEE 802.11b wireless standard. The standard is
supported by a variety of vendors for both network cards and
wireless network access points. The wireless transmissions can be
encrypted using "Wired Equivalent Privacy" (WEP)
encryption. WEP is intended to provide confidentiality and integrity
of data and a degree of access control over the network. By design,
WEP encrypts traffic between an access point and the client.
However, this encryption method has fundamental weaknesses that make
it vulnerable. WEP is vulnerable to the following types of
1) Decrypting information based on statistical analysis;
2) Injecting new traffic from unauthorized mobile stations
based on known plain text;
3) Decrypting traffic based on tricking the access point;
4) Dictionary-building attacks that, after analyzing about a
day's worth of traffic, allow real-time automated decryption of all
traffic (a dictionary-building attack creates a translation table
that can be used to convert encrypted information into plain text
without executing the decryption routine); and
5) Attacks based on documented weaknesses in the RC4
encryption algorithm that allow an attacker to rapidly determine the
encryption key used to encrypt the user's session).
the top of the newsletter
IT SECURITY QUESTION:
The IT security question has been discontinued. We have
developed The Weekly IT Security Review, which is a weekly
email that allows IT personnel to continuously review their IT
operations THROUGHOUT THE YEAR.
The Weekly IT Security Review is also be
used by auditors, IT security officers, and management.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
40. Does the institution provide at least one initial, annual,
and revised notice, as applicable, to joint consumers? [§9(g)]