Internet Banking News

July 10, 2011

CONTENT	Internet Compliance	Information Systems Security
IT Security	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - FFIEC guidance addresses corporate account takeover - The long-awaited update to the Federal Financial Institutions Examination Council (FFIEC) guidelines around authentication has been released. http://www.scmagazineus.com/ffiec-guidance-addresses-corporate-account-takeover/article/206430/

FYI - DOD proposes new cybersecurity requirements for contractors - Federal contractors whose information systems contain unclassified Defense Department information would have to safeguard that information from unauthorized access and notify DOD of any breaches under a proposed rule published today. http://fcw.com/articles/2011/06/29/dod-proposed-cybersecurity-requirements-for-contractors.aspx

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers steal personal data of military, gov personnel - Hackers breached the security of a defense industry news website and stole sensitive subscriber information that could be used in attacks targeting the US military and its contractors. http://www.theregister.co.uk/2011/06/30/military_personnel_data_breach/

FYI - Electronic Arts Bioware server hacked - Electronic Arts’ BioWare studio posted an Q&A answering questions about a cyber attack after sending customers e-mails detailing a hack on one of the company’s decade-old servers for forums supporting its online game, Neverwinter Nights. http://www.washingtonpost.com/blogs/faster-forward/post/electronic-arts-bioware-server-hacked/2011/06/24/AGml2XjH_blog.html

FYI - Fox News hacker tweets Obama dead - Hackers have taken over a Twitter account belonging to US broadcaster Fox News and declared President Obama dead.
http://www.bbc.co.uk/news/technology-14012294
http://www.scmagazineus.com/secret-service-probing-fox-twitter-hack/article/206836/?DCMP=EMC-SCUS_Newswire

FYI - Hackers claim Apple online data was compromised - A list of 27 user names and encrypted passwords apparently for an Apple website was posted to the Internet over the weekend along with a warning from hacker group Anonymous that the Cupertino-based computer maker could be a target of its attacks. http://www.computerworld.com/s/article/9218114/Hackers_claim_Apple_online_data_was_compromised?taxonomyId=17

FYI - DropBox CEO: Lone hacker downloaded data from 'fewer than a hundred' accounts - A user victimized by last Monday’s security lapse at DropBox sent me this personal apology letter from CEO Drew Houston. http://www.zdnet.com/blog/apple/dropbox-ceo-lone-hacker-downloaded-data-from-fewer-than-a-hundred-accounts/10476

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 6 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships

Due Diligence

A financial institution should conduct sufficient due diligence to determine whether it wishes to be associated with the quality of products, services, and overall content provided by third-party sites. A financial institution should consider more product-focused due diligence if the third parties are providing financial products, services, or other financial website content. In this case, customers may be more likely to assume the institution reviewed and approved such products and services. In addition to reviewing the linked third-party's financial statements and its customer service performance levels, a financial institution should consider a review of the privacy and security policies and procedures of the third party. Also, the financial institution should consider the character of the linked party by considering its past compliance with laws and regulations and whether the linked advertisements might by viewed as deceptive advertising in violation of Section 5 of the Federal Trade Commission Act.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 3 of 3)

Applications are built in conformance with the protocols to provide services from hosts to clients. Because clients must have a standard way of accessing the services, the services are assigned to standard host ports. Ports are logical not physical locations that are either assigned or available for specific network services. Under TCP/IP, 65536 ports are available, and the first 1024 ports are commercially accepted as being assigned to certain services. For instance, Web servers listen for requests on port 80, and secure socket layer Web servers listen on port 443. A complete list of the commercially accepted port assignments is available at www.iana.org. Ports above 1024 are known as high ports, and are user - assignable. However, users and administrators have the freedom to assign any port to any service, and to use one port for more than one service. Additionally, the service listening on one port may only proxy a connection for a separate service. For example, a Trojan horse keystroke - monitoring program can use the Web browser to send captured keystroke information to port 80 of an attacker's machine. In that case, monitoring of the packet headers from the compromised machine would only show a Web request to port 80 of a certain IP address.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

48. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in ง4(a)(2), opt out in งง7 and 10, revised notice in ง8, and for service providers and joint marketing in ง13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:

a. servicing or processing a financial product or service requested or authorized by the consumer; [ง14(a)(1)]

b. maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [ง14(a)(2)]

c. a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [ง14(a)(3)]

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.
Purchase now for the special inaugural price.