R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

February 27, 2011

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.

FYI - Senators explore Web site seizure options - U.S. senators will introduce legislation this year targeting Web sites that traffic in digital piracy or counterfeited goods, said the primary sponsor of a controversial bill proposed in 2010 that would give government agencies more authority to shut down those sites. http://www.computerworld.com/s/article/9209864/Senators_explore_Web_site_seizure_options?taxonomyId=144

FYI - Feds Accidentally Seize 84,000 Innocent Domains - Imagine you're a respectable, law-abiding owner of a small business. You show up to your shop one morning, only to find the doors barred and a big sign in front window reading, "The federal government has seized this business as it's affiliated with creating, distributing, and/or storing........"
http://www.securecomputing.net.au/News/248422,us-wrongly-suspends-84000-websites.aspx
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229218959&cid=RSSfeed_IWK_All

FYI - Man pockets $8m running computer fraud ring - Zombies dialed premium phone numbers - A New Hampshire man has admitted pocketing almost $8 million in a scheme that infected people's computers with software that forced their modems to surreptitiously dial premium phone numbers. http://www.theregister.co.uk/2011/02/16/computer_fraud_plea/

FYI - Web-based services hurting wiretapping efforts - Web-based e-mail, social-networking and peer-to-peer services are frustrating law enforcement wiretapping efforts, a lawyer for the U.S. Federal Bureau of Investigation told lawmakers Thursday, but she did not offer concrete ideas on how to fix the problem. http://www.computerworld.com/s/article/9210121/FBI_Web_based_services_hurting_wiretapping_efforts?taxonomyId=84

FYI - Can deploying monitoring software put you in jeopardy? - Some probation and parole officers are using computer monitoring software to manage risk associated with their cases. http://www.scmagazineus.com/can-deploying-monitoring-software-put-you-in-jeopardy/article/196789/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS


FYI - Canadian cyberattack traced to China - A cyberattack against Canada that tried to access classified government information and forced two key departments to go offline has been traced back to China, according to a story today from CBC News. http://news.cnet.com/8301-1009_3-20032813-83.html

FYI - Online banking hit by thieves - A new Trojan dubbed "OddJob" is stealing people's money by taking over their online banking sessions after they think they've logged off. http://news.cnet.com/8301-27080_3-20034954-245.html

FYI - Trojan steals session IDs, bypasses logout requests - A new banking trojan targeting U.S. customers has the ability to keep online account sessions open after customers believe they have logged off, enabling criminals to surreptitiously steal money. http://www.scmagazineus.com/trojan-steals-session-ids-bypasses-logout-requests/article/196816/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 4 of 4)

Service Provider Oversight

Institutions should implement an oversight program to monitor each service provider’s controls, condition, and performance. Responsibility for the administration of the service provider relationship should be assigned to personnel with appropriate expertise to monitor and manage the relationship. The number of personnel, functional responsibilities, and the amount of time devoted to oversight activities will depend, in part, on the scope and complexity of the services outsourced. Institutions should document the administration of the service provider relationship. Documenting the process is important for contract negotiations, termination issues, and contingency planning.

Summary

The board of directors and management are responsible for ensuring adequate risk mitigation practices are in place for effective oversight and management of outsourcing relationships. Financial institutions should incorporate an outsourcing risk management process that includes a risk assessment to identify the institution’s needs and requirements; proper due diligence to identify and select a provider; written contracts that clearly outline duties, obligations and responsibilities of the parties involved; and ongoing oversight of outsourcing technology services.

 
INFORMATION TECHNOLOGY SECURITY

We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Access Rights Administration (4 of 5)

The access rights process programs the system to allow the users only the access rights they were granted. Since access rights do not automatically expire or update, periodic updating and review of access rights on the system is necessary. Updating should occur when an individual's business needs for system use change. Many job changes can result in an expansion or reduction of access rights. Job events that would trigger a removal of access rights include transfers, resignations, and terminations. Institutions should take particular care to promptly remove the access rights of users who have remote access privileges and of those who administer the institution's systems.

Because updating may not always be accurate, periodic review of user accounts is a good control to test whether the access right removal processes are functioning, and whether users exist who should have their rights rescinded or reduced. Financial institutions should review access rights on a schedule commensurate with risk.

Access rights to new software and hardware present a unique problem. Typically, hardware and software are installed with default users, with at least one default user having full access rights. Easily obtainable lists of popular software exist that identify the default users and passwords, enabling anyone with access to the system to obtain the default user's access. Default user accounts should either be disabled, or the authentication to the account should be changed.  Additionally, access to these default accounts should be monitored more closely than other accounts.

Sometimes software installs with a default account that allows anonymous access. Anonymous access is appropriate, for instance, where the general public accesses an informational web server. Systems that allow access to or store sensitive information, including customer information, should be protected against anonymous access.
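The two controls described above, a periodic review that reconciles system accounts against HR job events and a check of default and anonymous accounts, as an added example that is not from the newsletter or the FFIEC booklet. The account export, HR events and default-account list are constructed sample data for a hypothetical system.

```python
"""Added example, not from the newsletter or the FFIEC booklet: a periodic
access-rights review that reconciles a system's account list against HR job
events (transfer, resignation, termination) and checks the default and
anonymous accounts the booklet excerpt warns about. All data is constructed."""

SEVERITY = {"high": 0, "medium": 1, "low": 2}

# Constructed account export from a hypothetical core banking system.
ACCOUNTS = [
    {"user": "jdoe", "role": "teller", "remote": False, "admin": False, "enabled": True, "default_pw": False},
    {"user": "asmith", "role": "loan_officer", "remote": True, "admin": False, "enabled": True, "default_pw": False},
    {"user": "bjones", "role": "sysadmin", "remote": True, "admin": True, "enabled": False, "default_pw": False},
    {"user": "admin", "role": "", "remote": False, "admin": True, "enabled": True, "default_pw": True},
    {"user": "anonymous", "role": "", "remote": False, "admin": False, "enabled": True, "default_pw": False},
]
# Constructed HR events since the last review: the job changes the text names.
HR_EVENTS = [
    {"user": "asmith", "event": "termination"},
    {"user": "bjones", "event": "resignation"},
    {"user": "jdoe", "event": "transfer", "new_role": "loan_officer"},
]
DEFAULT_ACCOUNTS = {"admin", "guest", "anonymous"}  # illustrative vendor defaults

def review_access(accounts, hr_events, default_accounts, holds_customer_data=True):
    """Return (severity, user, reason) findings, most severe first."""
    events = {e["user"]: e for e in hr_events}
    findings = []
    for a in accounts:
        user, ev = a["user"], events.get(a["user"])
        privileged = a["remote"] or a["admin"]  # remote/admin users get priority
        if ev and ev["event"] in ("termination", "resignation") and a["enabled"]:
            findings.append(("high" if privileged else "medium", user,
                             f"{ev['event']} recorded but account still enabled"))
        elif ev and ev["event"] == "transfer" and a["role"] != ev["new_role"]:
            findings.append(("medium", user,
                             f"role is {a['role']!r}, HR shows {ev['new_role']!r}"))
        if user in default_accounts and a["enabled"]:
            if a["default_pw"]:
                findings.append(("high", user, "default account still uses vendor password"))
            elif user == "anonymous" and holds_customer_data:
                findings.append(("high", user, "anonymous access on a system holding customer data"))
            else:
                findings.append(("low", user, "default account enabled; monitor closely"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])

if __name__ == "__main__":
    for sev, user, reason in review_access(ACCOUNTS, HR_EVENTS, DEFAULT_ACCOUNTS):
        print(f"[{sev:6}] {user}: {reason}")
```

The disabled `bjones` account produces no finding even though a resignation is on file, which is the "removal process is functioning" case the review is meant to confirm; pass `holds_customer_data=False` for a public informational server and the anonymous account drops to a low-severity monitoring note.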



INTERNET PRIVACY

We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

27. If each joint consumer may opt out separately, does the institution permit:

a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]

b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and

c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
