FYI -
Study finds software piracy growing - Piracy rates are down in
roughly half of the countries surveyed, but the cost is up - Software
piracy grew last year, accounting for 41 percent of all PC software
installed, with losses to companies estimated at $53 billion,
according to the Business Software Alliance.
http://www.msnbc.msn.com/id/30699735/
FYI -
DHS data centers at risk - Centers have multiple vulnerabilities -
The Homeland Security Department set up a huge data center on the
Mississippi Gulf Coast in 2006 without considering protections
against hurricanes, power outages and perimeter security threats,
according to a new report from DHS Inspector General Richard
Skinner.
http://fcw.com/Articles/2009/05/13/DHS-data-centers-at-risks-says-IG.aspx
FYI -
Majority of adolescents online have tried hacking - While the
majority of adults surveyed revealed that they are concerned about
their children being exposed to strangers or illicit content online,
the data in a new report indicated that the adolescents themselves
are more interested in hacking into their friends' instant messaging
or social network accounts.
http://www.scmagazineus.com/Study-Majority-of-adolescents-online-have-tried-hacking/article/136926/?DCMP=EMC-SCUS_Newswire
http://www.techworld.com/security/news/index.cfm?newsID=115913
FYI -
GAO - Agencies Make Progress in Implementation of Requirements, but
Significant Weaknesses Persist.
Report -
http://www.gao.gov/new.items/d09701t.pdf
Highlights -
http://www.gao.gov/highlights/d09701thigh.pdf
FYI -
Mystery virus strikes FBI, U.S. Marshals - The FBI and the U.S.
Marshals Service were forced to shut down parts of their computer
networks after a mystery virus struck the law-enforcement agencies
Thursday, according to an Associated Press report.
http://news.cnet.com/8301-1009_3-10247388-83.html?tag=mncol
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Information-sharing platform hacked - Homeland Security Information
Network suffers intrusions - The Homeland Security Department's
platform for sharing sensitive but unclassified data with state and
local authorities was hacked recently, a DHS official has confirmed.
http://fcw.com/Articles/2009/05/13/Web-DHS-HSIN-intrusion-hack.aspx
FYI -
California water company insider steals $9 million, flees country -
An insider at the California Water Service Company in San Jose broke
into the company's computer system and transferred $9 million into
offshore bank accounts and fled the country.
http://www.scmagazineus.com/California-water-company-insider-steals-9-million-flees-country/article/136923/?DCMP=EMC-SCUS_Newswire
FYI -
Defense Department insider charged with espionage - A Defense
Department official has been charged with espionage conspiracy after
allegedly selling classified U.S. government information to an agent
of the People's Republic of China (PRC).
http://www.scmagazineus.com/Defense-Department-insider-charged-with-espionage/article/136743/?DCMP=EMC-SCUS_Newswire
FYI -
MoD loses 28 laptops this year - The Ministry of Defence has
admitted to losing 28 laptops since the beginning of the year.
Defence minister Bob Ainsworth revealed the figure on Thursday in
response to a written parliamentary question by shadow secretary of
state for defence Liam Fox.
http://news.zdnet.co.uk/security/0,1000000189,39652594,00.htm
FYI -
FYI -
Facebook users warned over renewed phishing assault, as Gray Lady's
fashion blog gets pwned - Facebook users are facing a new wave of
phishing attacks following a previous barrage in April. Fraudulent
messages from already compromised accounts on the social networking
website attempt to trick users into handing over their login details
to one of a series of fake sites. The assault follows the pattern of
a previous similarly-focused attack last month.
http://www.theregister.co.uk/2009/05/15/facebook_phishing_scam/
FYI -
"Gumblar" website compromises increase 188 percent this week -
Thousands of legitimate websites have been infected since late March
with code that is silently infecting visitors with malware. And as
of this week, the number of compromised websites has skyrocketed.
http://www.scmagazineus.com/Gumblar-website-compromises-increase-188-percent-this-week/article/136836/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Security Controls
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate authorization
privileges and authentication measures, logical and physical access
controls, adequate infrastructure security to maintain appropriate
boundaries and restrictions on both internal and external user
activities and data integrity of transactions, records and
information. In addition, the existence of clear audit trails for
all e-banking transactions should be ensured and measures to
preserve confidentiality of key e-banking information should be
appropriate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort
regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimize legal
and reputational risk associated with
e-banking activities conducted both domestically and cross-border,
banks should make adequate disclosure of information on their web
sites and take appropriate measures to ensure adherence to customer
privacy requirements applicable in the jurisdictions to which the
bank is providing e-banking services.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
DISPOSAL
Financial institutions need appropriate disposal procedures for both
electronic and paper-based media. Policies should prohibit employees
from discarding sensitive media along with regular garbage to avoid
accidental disclosure. Many institutions shred paper-based media
on site and others use collection and disposal services to ensure
the media is rendered unreadable and unreconstructable before
disposal. Institutions that contract with third parties should use
care in selecting vendors to ensure adequate employee background
checks, controls, and experience.
Computer-based media present unique disposal problems. Residual
data frequently remains on media after erasure. Since that data can
be recovered, additional disposal techniques should be applied to
sensitive data. Physical destruction of the media, for instance by
subjecting a compact disk to microwaves, can make the data
unrecoverable. Additionally, data can sometimes be destroyed by
overwriting. Overwriting may be preferred when the media will be
re-used. Institutions should base their disposal policies on the
sensitivity of the information contained on the media and, through
policies, procedures, and training, ensure that the actions taken to
securely dispose of computer-based media adequately protect the data
from the risks of reconstruction. Where practical, management should
log the disposal of sensitive media, especially computer-based
media.
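The booklet's two points for re-usable computer media, overwrite the data and log the disposal, can be put together in a small routine. The script below is an added example written for this newsletter, not part of the FFIEC booklet; the function names (overwrite_in_place, dispose_file) and the sample "customer records" it shreds are constructed for illustration. It overwrites a file in place with random bytes and then zeros, checks that marked fragments of the original content no longer appear, removes the file, and returns the log record that management would retain. It assumes a conventional magnetic disk written in place; on SSDs, journaling or copy-on-write filesystems, or media with remapped sectors, an in-place overwrite can leave residual copies, which is exactly the case where the booklet's alternative, physical destruction, applies.

```python
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # write in 64 KiB blocks so large files do not sit in memory


def overwrite_in_place(path, passes=2):
    """Overwrite every byte of the file: random data on all but the last pass,
    zeros on the final pass. Returns the total number of bytes written.
    Assumption: the filesystem writes in place (not journaled/COW, not SSD)."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for n in range(passes):
            final = n == passes - 1
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, CHUNK)
                f.write(b"\x00" * chunk if final else secrets.token_bytes(chunk))
                written += chunk
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next one
    return written


def no_residual(path, markers):
    """True if none of the given byte fragments survive anywhere in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return not any(m in data for m in markers)


def dispose_file(path, media_id, operator, markers=(), passes=2):
    """Overwrite, verify, unlink, and return the disposal log record.
    The file is only removed if verification passed, so a failed wipe is
    visible both in the record and on disk."""
    size = os.path.getsize(path)
    written = overwrite_in_place(path, passes)
    verified = no_residual(path, markers)
    if verified:
        os.remove(path)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "media_id": media_id,          # hypothetical asset tag, supplied by caller
        "operator": operator,
        "size_bytes": size,
        "bytes_written": written,
        "method": f"overwrite x{passes} (random, then zeros) + unlink",
        "verified": verified,
        "removed": not os.path.exists(path),
    }


def demo():
    """Constructed sample: a temp file holding fake customer records, then disposed."""
    record = b"ACCT 1234-5678 SMITH JANE SSN 000-00-0000\n" * 100  # constructed, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(record)
    return dispose_file(path, "TAPE-CONSTRUCTED-001", "operator-example",
                        markers=[b"SMITH", b"1234-5678"])


if __name__ == "__main__":
    print(demo())
```

The record returned by dispose_file is what gets appended to the disposal log; the "verified" flag is the check a reviewer would look for, since an overwrite that was never read back is only an intention, not evidence.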
TRANSIT
Financial institutions should maintain the security of media while
in transit or when shared with third parties. Policies should
include:
- Restrictions on the carriers used and procedures to verify the
identity of couriers,
- Requirements for appropriate packaging to protect the media from
damage,
- Use of encryption for transmission of sensitive information,
- Security reviews or independent security reports of receiving
companies, and
- Use of nondisclosure agreements between couriers and third
parties.
Financial institutions should address the security of their backup
tapes at all times, including when the tapes are in transit from
the data center to off-site storage.
IT SECURITY QUESTION:
SOFTWARE DEVELOPMENT AND ACQUISITION
5. Evaluate whether the software contains appropriate authentication
and encryption.
6. Evaluate the adequacy of the change control process.
7. Evaluate the appropriateness of software libraries and their access
controls.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information
to a nonaffiliated third party under §13, and no exception under §14
or §15 applies, a separate statement of the categories of
information the institution discloses and the categories of third
parties with whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s)
of opt out that the consumer can use at the time of the notice; [§6(a)(6)]
g) any disclosures that the institution makes under §603(d)(2)(A)(iii)
of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information; [§6(a)(8)] and
i) a general statement--with no specific reference to the
exceptions or to the third parties--that the institution makes
disclosures to other nonaffiliated third parties as permitted by
law? [§6(a)(9), (b)]