Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Social Media: Consumer Compliance Risk Management Guidance - The
Federal Financial Institutions Examination Council , on behalf of
its members, released final guidance on the applicability of
consumer protection and compliance laws, regulations, and policies
to activities conducted via social media by banks, savings
associations, and credit unions, as well as nonbank entities
supervised by the Consumer Financial Protection Bureau.
- Cyber-security puzzle: Who is sending Internet traffic on long,
strange trips? The Internet traffic of governments and financial
companies is being quietly and momentarily diverted to overseas
locations, cyber-security experts say. Who is hijacking traffic and
why is it a mystery?
China bans banks from handling Bitcoin trade - China has banned its
banks from handling transactions involving the Bitcoin virtual
currency. The ban came in a notice issued by the People's Bank of
China, financial watchdogs and the nation's IT ministry.
Site identifies accounts compromised in major breaches - Users
looking to identify whether their accounts have been impacted by
recent breaches, including Adobe's, can check through
haveibeenpwned.com. Computer scientist Troy Hunt launched the site
earlier this week.
PayPal 13 plead guilty to launching DDoS attacks - The US Department
of Justice (DoJ) said the accused had all admitted to carrying out a
Distributed Denial of Service (DDoS) cyber-attack against PayPal in
December 2010 in protest against the payment processing firm's
decision to stop handling donations to WikiLeaks over the Cablegate
Sensitive data management in the coming year - As 2013 draws to a
close, it has become clear that every major industry maintains
sensitive data, and has been targeted by hackers.
- For the right price, employees would sell company data, says new
study - Security professionals aren't confident in the access
management tools they have in place, and they believe employees
would sell sensitive company data if given the right price, a recent
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Researchers discover database with 2M stolen login credentials - The
database contains stolen usernames and passwords associated with
Facebook, Twitter, Google, Yahoo, and more.
Hackers access plain text info on nearly 500K JPMorgan Chase
cardholders - Banking and financial services holding company
JPMorgan Chase is alerting 465,000 prepaid cash cardholders that
their personal information may have been compromised by hackers.
Scottish bank experiences DDoS attack - The Royal Bank of Scotland (RBS)
experienced a distributed denial-of-service (DDoS) attack last week
that shut down its site and prevented customers from accessing their
bank accounts. The attack came less than a week after a separate
system failure yielded similar problems.
Sensitive student data improperly disposed during university
relocation - The personal financial information of students of
National American University (NAU) in Rapid City, S.D., may have
been compromised after thousands of records were found in a dumpster
near the school's old campus.http://www.scmagazine.com/sensitive-student-data-improperly-disposed-during-university-relocation/article/324778/?DCMP=EMC-SCUS_Newswire&spMailingID=7551761&spUserID=MjI5OTI3MzMyMQS2&spJobID=104452877&spReportId=MTA0NDUyODc3S0
Anatomy Of An Electronic Health Record Zero-Day - How a dangerous
security flaw discovered in one of the most pervasive electronic
medical record platforms in the U.S. was found and fixed before it
could do damage.
House legislators request investigation into FDA hack - Lawmakers
have asked the Food and Drug Administration (FDA) to look into an
October hack that involved an unauthorized user gaining access to
the agency's online submission systems.
Data on 20M Chinese hotel guests dumped online by hackers - The
privacy of millions of Chinese hotel guests is at risk after hackers
leaked their personal data online.
Hackers infiltrate European ministry networks at G20 summit -
Chinese hackers compromised the networks of five European ministries
through a spear phishing campaign during September's G20 Summit,
according to experts.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers
" and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely of
asterisks or other symbols as pointers or hotlinks would not be as
clear as descriptive references that specifically indicate the
content of the linked material.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Single Sign - On
Several single sign - on protocols are in use. Those protocols allow
clients to authenticate themselves once to obtain access to a range
of services. An advantage of single sign - on systems is that users
do not have to remember or possess multiple authentication
mechanisms, potentially allowing for more complex authentication
methods and fewer user - created weaknesses. Disadvantages include
the broad system authorizations potentially tied to any given
successful authentication, the centralization of authenticators in
the single sign - on server, and potential weaknesses in the single
sign - on technologies.
When single sign - on systems allow access for a single login to
multiple instances of sensitive data or systems, financial
institutions should employ robust authentication techniques, such as
multi - factor, PKI, and biometric techniques. Financial
institutions should also employ additional controls to protect the
authentication server and detect attacks against the server and
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
23. If the institution delivers the opt out notice after the initial
notice, does the institution provide the initial notice once again
with the opt out notice? [§7(c)]
24. Does the institution provide an opt out notice, explaining how
the institution will treat opt out directions by the joint
consumers, to at least one party in a joint consumer relationship?