R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

October 14, 2012

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smartphones and tablets. Go to the Market Store and search for yennik.

FYI - DDoS attacks on major US banks are no Stuxnet - here's why - The attacks that recently disrupted website operations at Bank of America and at least five other major US banks used compromised Web servers to flood their targets with above-average amounts of Internet traffic, according to five experts from leading firms that worked to mitigate the attacks.
http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/
http://krebsonsecurity.com/2012/10/project-blitzkrieg-promises-more-aggressive-cyberheists-against-u-s-banks/

FYI - U.S. banks could be bracing for wave of account takeovers - Security researchers at RSA warned Thursday that a sophisticated plan is being hatched online to raid the bank accounts of customers at some 30 banks in the United States. http://www.scmagazine.com/us-banks-could-be-bracing-for-wave-of-account-takeovers/article/262493/?DCMP=EMC-SCUS_Newswire

FYI - Feds charge 11 over $50m secret tech exports to Russia - An unsealed federal indictment suggests $50m worth of microprocessors and other high-tech kit were illegally shipped to Russia, with possible uses including missile guidance systems and detonation triggers. http://www.zdnet.com/secret-russian-ring-nabbed-for-shipping-50m-of-illegal-tech-exports-7000005226/

FYI - The challenges of securing enterprises in a BYOD world - The consumerization of information technology is having a profound impact on organizations, and many are concerned about the risk that consumer IT poses to the confidentiality, integrity and availability of enterprise resources. http://www.scmagazine.com/the-challenges-of-securing-enterprises-in-a-byod-world/article/262684/?DCMP=EMC-SCUS_Newswire

FYI - SC Congress NY: To cut BYOD security costs, get specific - A secure approach to bring-your-own-device (BYOD) in the workplace starts with defining user guidelines, which ultimately determine the bottom line for companies: what technology should be implemented and how much it will cost. http://www.scmagazine.com/sc-congress-ny-to-cut-byod-security-costs-get-specific/article/263207/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Middle East cyberattacks on Google users increasing - The New York Times reports that tens of thousands of Gmail accounts have been targeted by state-sponsored attacks. Three months after it first began warning users of state-sponsored cyber attacks, Google is saying that the assault has only intensified. http://news.cnet.com/8301-1009_3-57525334-83/middle-east-cyberattacks-on-google-users-increasing/

FYI - NASA, Pentagon hacker TinKode gets two-year suspended sentence - Romanian court orders him to pay over $120,000 to Oracle, NASA and the U.S. Department of Defense - A Romanian national received a two-year suspended prison sentence for hacking into computer systems owned by Oracle, NASA, the U.S. Army and the U.S. Department of Defense and was ordered to pay damages totalling more than $120,000. http://www.computerworld.com/s/article/9232113/NASA_Pentagon_hacker_TinKode_gets_two_year_suspended_sentence?taxonomyId=17

FYI - Chamber backs hotel chain in motion to toss FTC case - The law firm of the U.S. Chamber of Commerce has filed an amicus brief in Arizona, asking a U.S. District Court to accept a motion filed by Wyndham Hotels and Resorts that would dismiss a complaint launched by the Federal Trade Commission (FTC) over the hotel chain's repeated security breaches. http://www.scmagazine.com/chamber-backs-hotel-chain-in-motion-to-toss-ftc-case/article/263273/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE
- We continue the series on the FDIC Supervisory Insights article regarding Incident Response Programs. (2 of 12)

The Importance of an Incident Response Program

A bank's ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.

First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry's efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.  Compounding the problem is the difficulty an organization experiences in sustaining a "fully secured" posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management's efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.

Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank's information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.  These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.  This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.  Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.

Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank's reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.


 
INFORMATION TECHNOLOGY SECURITY
- We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

PART I. Risks Associated with Wireless Internal Networks

Financial institutions are evaluating wireless networks as an alternative to the traditional cable-to-the-desktop network. Currently, wireless networks can provide speeds of up to 11Mbps between the workstation and the wireless access device without the need for cabling individual workstations. Wireless networks also offer added mobility, allowing users to travel through the facility without losing their network connection. Wireless networks are also being used to provide connectivity between geographically close locations as an alternative to installing dedicated telecommunication lines.

Wireless differs from traditional hard-wired networking in that it provides connectivity to the network by broadcasting radio signals through the airwaves. Wireless networks operate using a set of FCC licensed frequencies to communicate between workstations and wireless access points. By installing wireless access points, an institution can expand its network to include workstations within broadcast range of the network access point.

The most prevalent class of wireless networks currently available is based on the IEEE 802.11b wireless standard. The standard is supported by a variety of vendors for both network cards and wireless network access points. The wireless transmissions can be encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is intended to provide confidentiality and integrity of data and a degree of access control over the network. By design, WEP encrypts traffic between an access point and the client. However, this encryption method has fundamental weaknesses that make it vulnerable. WEP is vulnerable to the following types of decryption attacks:

1)  Decrypting information based on statistical analysis;

2)  Injecting new traffic from unauthorized mobile stations based on known plain text;

3)  Decrypting traffic based on tricking the access point;

4)  Dictionary-building attacks that, after analyzing about a day's worth of traffic, allow real-time automated decryption of all traffic (a dictionary-building attack creates a translation table that can be used to convert encrypted information into plain text without executing the decryption routine); and

5)  Attacks based on documented weaknesses in the RC4 encryption algorithm that allow an attacker to rapidly determine the encryption key used to encrypt the user's session.
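To make the "fundamental weaknesses" above concrete, particularly weakness 4, here is an added toy model of WEP's per-frame RC4 keying; it is example code written for this issue, not code from the FDIC guidance, and it uses constructed key, IV and frame values, omits WEP's CRC-32 integrity value, and does not implement the RC4 key-recovery method of weakness 5. It shows why a per-IV keystream table can be built from one known frame and why a 24-bit IV space guarantees that IVs repeat on a busy network.

```python
# Toy model of WEP per-frame keying (added example, not the FDIC's or the
# newsletter's code). Constructed values only; WEP's CRC-32 ICV is omitted.
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key and sends the 3-byte IV in the clear,
    so every frame that reuses an IV reuses exactly the same keystream."""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """For any stream cipher, C xor P yields the keystream bytes; this is how a
    per-IV dictionary entry is built without ever learning the shared key."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))

def decrypt_with_dictionary(dictionary: dict, iv: bytes, ciphertext: bytes) -> bytes:
    """Weakness (4): once an IV's keystream is tabled, later frames under that
    IV are recovered by a table lookup, with no RC4 computation at all."""
    return bytes(c ^ k for c, k in zip(ciphertext, dictionary[iv]))

def frames_until_iv_collision(prob: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: number of frames after which some IV has repeated with
    probability `prob`. With 24-bit IVs this is only a few thousand frames,
    so keystream reuse is unavoidable however the IV is chosen."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - prob))))

if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"   # constructed values
    known = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"          # constructed predictable header
    table = {iv: keystream_from_known_plaintext(wep_encrypt(key, iv, known), known)}
    print(decrypt_with_dictionary(table, iv, wep_encrypt(key, iv, b"SECRET!!")))
    print(frames_until_iv_collision())
```

The same per-IV table also explains weakness 2: a recovered keystream lets a station with no key produce a frame that the access point accepts, which is why the guidance treats WEP's confidentiality and access control as inadequate.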


INTERNET PRIVACY
- We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

40.  Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


