Does Your Financial Institution need an
affordable cybersecurity Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our cybersecurity audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b)
as well as the penetration
study complies with the FFIEC Cybersecurity Assessment Tool
regarding resilience testing.
The cybersecurity penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
- FCC votes to repeal net neutrality, could increase cybersecurity
threats - Despite calls for Federal Communications Commission (FCC)
Chairman Ajit Pai to temporarily suspend the vote on net neutrality
until an investigation into fake comments on the public docket could
be completed, the commission decided today to repeal the regulations
put in place under the Obama administration, prompting criticism
that the move would not only choke freedom but would compromise
security and privacy.
N.C.'s Mecklenberg County CIO details recent ransomware attack -
Mecklenberg County officials reported additional progress restoring
its systems following a ransomware attack earlier this month.
Pentagon Delays Deadline For Military Suppliers to Meet
Cybersecurity Rules - The goal of the new regulations is to secure
sensitive data on the computers and networks at smaller companies.
AHA calls for more oversight of medical device cybersecurity as FDA
outlines plans to modernize approvals - The American Hospital
Association wants the Food and Drug Administration to ramp up
efforts to ensure medical device manufacturers minimize the risks of
Air Force Pays Out Governmentís Biggest Bug Bounty Yet - On Dec. 9,
a group of elite hackers once again found themselves deep within
critical Air Force networks, probing for security gaps that could
put the branchís online operations at risk. And this time, military
cyber specialists joined them in the hunt.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers target private schools in U.K. - Hackers apparently are
taking advantage of poorly secured systems at private schools in the
U.K., nicking identifying data, typically through phishing attacks,
that they could then use to target parents with fake invoices and
other means of cybercrime.
Starbucks free Wi-Fi caught secretly mining cryptocurrency - A tech
CEO noticed the free Wi-Fi at his local Starbucks didn't exactly
come without a price after discovering the network was secretly
jacking his computing power to mine cryptocurrency.
Database aggregating 1.4B credentials found on dark web - A single
file on the dark web with a database of 1.4 billion clear text
credentials not only is the largest aggregate found there but it
opens a trove of credentials to even the least sophisticated
Millions of California voter records exposed in unprotected MongoDB
- California officials are investigating a report that an
unprotected MongoDB database has been discovered possibly containing
the names of every California voter.
Attackers exploit old WordPress to inject sites with code enabling
site redirection, takeover - Attackers have exploited an old
WordPress vulnerability to infect more than one thousand websites
with malware capable of injecting malvertising and even creating a
rogue admin user with full access privileges, according to
Pyramid scheme: AnubisSpy Android malware steals data, seemingly
links to old Sphinx campaign - A newly discovered Android spyware
that victimizes Arabic-speakers has been potentially linked to the
2014-15 Sphinx cyber espionage campaign, which was launched by the
threat group APT-C-15 to target PC users in the Middle East.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service providerís responsibility
for backup and record protection, including equipment, program and
data files, and maintenance of disaster recovery and contingency
plans. Responsibilities should include testing of the plans and
providing results to the institution. The institution should
consider interdependencies among service providers when determining
business resumption testing requirements. The service provider
should provide the institution with operating procedures the service
provider and institution are to implement in the event business
resumption contingency plans are implemented. Contracts should
include specific provisions for business recovery timeframes that
meet the institutionís business requirements. The institution should
ensure that the contract does not contain any provisions that would
excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third-parties in providing
services to the financial institution. To provide accountability, it
may be beneficial for the financial institution to seek an agreement
with and designate a primary contracting service provider. The
institution may want to consider including a provision specifying
that the contracting service provider is responsible for the service
provided to the institution regardless of which entity is actually
conducting the operations. The institution may also want to consider
including notification and approval requirements regarding changes
to the service providerís significant subcontractors.
The contract should fully describe fees and calculations for base
services, including any development, conversion, and recurring
services, as well as any charges based upon volume of activity and
for special requests. Cost and responsibility for purchase and
maintenance of hardware and software may also need to be addressed.
Any conditions under which the cost structure may be changed should
be addressed in detail including limits on any cost increases.
the top of the newsletter
FFIEC IT SECURITY -
We continue our coverage of the
FDIC's "Guidance on Managing Risks Associated With Wireless Networks
and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should
institute policies and standards requiring that information and
transactions be encrypted throughout the link between the customer
and the institution. Financial institutions should carefully
consider the impact of implementing technologies requiring that a
third party have control over unencrypted customer information and
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular
independent security testing performed on its wireless customer
access application. Specific testing goals would include the
verification of appropriate security settings, the effectiveness of
the wireless application security implementation and conformity to
the institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
Training can, and in most cases should, be used to support every
control in the handbook. All controls are more effective if
designers, implementers, and users are thoroughly trained.
Policy. Training is a critical means of informing employees
of the contents of and reasons for the organization's policies.
Security Program Management. Federal agencies need to ensure
that appropriate computer security awareness and training is
provided, as required under the Computer Security Act of 1987. A
security program should ensure that an organization is meeting all
applicable laws and regulations.
Personnel/User Issues. Awareness, training, and education
are often included with other personnel/user issues. Training is
often required before access is granted to a computer system.
13.8 Cost Considerations
The major cost considerations in awareness, training, and education
1) the cost of preparing and updating materials, including the
time of the preparer;
2) the cost of those providing the instruction;
3) employee time attending courses and lectures or watching
4) the cost of outside courses and consultants (both of which may
including travel expenses), including course maintenance.