R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 31, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - NSA chief: Encryption is here to stay - National Security Agency Director Adm. Michael Rogers on Thursday insisted “encryption is foundational to the future.” http://thehill.com/policy/cybersecurity/266624-nsa-chief-encryption-is-foundational-to-the-future

FYI - Dridex trojan targeting UK banks with Dyre-like 'redirection' techniques - Researchers from IBM Security have revealed that a new variant of the Dridex malware has taken inspiration from the Dyre banking Trojan and is launching attacks on UK bank accounts. http://www.v3.co.uk/v3-uk/news/2442758/dridex-trojan-targeting-uk-banks-with-dyre-like-redirection-techniques

FYI - 64 percent of IT execs think achieving basic compliance will stop most breaches - In a survey of large enterprises, 64 percent of more than 1,100 senior IT executives believe that simply meeting cybersecurity compliance requirements, as opposed to striving for best practices, is “very” or “extremely” effective at preventing data breaches. http://www.scmagazine.com/survey-64-percent-of-it-execs-think-achieving-basic-compliance-will-stop-most-breaches/article/466925/

FYI - Cyber Hit on China-Owned Boeing Supplier Sends Stock Down 19% - Cyberfraud sent shares of Austria’s FACC AG to their steepest drop since the supplier of parts to Boeing Co. and Airbus Group SE began trading in 2014. The company put damages at 50 million euros ($55 million) -- one of the biggest losses after a hacking event for its size. http://www.bloomberg.com/news/articles/2016-01-20/cyberattack-sends-shares-of-aerospace-supplier-facc-19-lower

FYI - Survey says: Data breaches in other industries will damage financial institutions - Respondents to a new survey from Silicon Valley-based software company FICO unanimously agreed: Data breaches this year in other industries will damage financial institutions. http://www.scmagazine.com/survey-says-data-breaches-in-other-industries-will-damage-financial-institutions/article/467086/

FYI - U.S. Supreme Court affirms Exel exec's hacking conviction - The felony conviction of former Exel Transportation Services (ETS) President, who used the information he pilfered from his former employer to start a new company, still stands, the U.S. Supreme Court said Monday. http://www.scmagazine.com/us-supreme-court-affirms-exel-execs-hacking-conviction/article/467253/

FYI - Advocacy groups call for repeal of Cybersecurity Act of 2015 - A coalition that includes the American Civil Liberties Union (ACLU), FreedomWorks, and other digital privacy advocacy groups sent a letter to members of the U.S. House of Representatives urging them to support a bipartisan bill that would repeal the Cybersecurity Act of 2015. http://www.scmagazine.com/conservative-liberal-groups-pen-letter-to-repeal-cybersecurity-act-of-2015/article/467509/

FYI - Feds say 'Oops!' in anti-hacking deal - An update to an international accord potentially opens everyone to attacks, something the US government didn't figure out until after it was signed. To fight hackers and oppressive rulers, the US government updated a deal with 40 countries last May to keep dangerous software from moving from one nation to another. http://www.cnet.com/news/hacking-deal-in-dispute-as-the-world-tries-to-control-dangerous-hacking-tools/

FYI - Apple can read your iMessages despite them being encrypted - Despite Apple taking a pro-encryption stance, with its CEO insisting that iMessages are safely encrypted, it turns out that if users backup data using iCloud Backup, they need to be aware that although Apple stores the backup in encrypted form, it uses its own key. http://www.scmagazine.com/apple-can-read-your-imessages-despite-them-being-encrypted/article/467675/


FYI - Ukraine energy utilities attacked again with open source Trojan backdoor - Macro phish attempts to hook BlackEnergy borscht and battered sector - Battered Ukrainian electricity utilities are being targeted with backdoors in attacks possibly linked to those fingered for recent blackouts.

FYI - San Diego County employees data mistakenly sent to Wells Fargo - San Diego County, California employees mistakenly had their personal information, including Social Security numbers, forwarded to Wells Fargo late last year. http://www.scmagazine.com/san-diego-county-employees-data-mistakenly-sent-to-wells-fargo/article/466905/

FYI - FACC AG, Belgian bank fall victim to BEC - An aircraft components designer and a Belgian bank were the latest victims of the business email compromise (BEC) scam, prompting the IC3 to issue an alert.

FYI - University of Virginia hit with Phishing scam, 1,400 affected - The University of Virginia (UVA) suffered a data breach that was initiated via a phishing scam that revealed the tax and banking data of some of the school's employees. http://www.scmagazine.com/university-of-virginia-hit-with-phishing-scam-1400-affected/article/467224/

FYI - Flint hospital hit with cyber attack after Anonymous threatens action - Hurley Medical Center in Flint, Mich. was hit by a cyber attack Thursday, one day after the hacktivist group, Anonymous, threatened to take action for the city's water crisis in a YouTube video. http://www.scmagazine.com/flint-medical-center-hit-with-cyber-attack-following-anonymous-call-for-action-against-gov-snyder/article/466912/

FYI - N.Y. state police uncover horseracing hack for inside information - A former jockey agent has been charged by the District Attorney of Queens County, New York, with illegally accessing the New York Racing Association's (NYRA) computer system to obtain information that would help him find horses for his jockey to race. http://www.scmagazine.com/ny-state-police-uncover-horseracing-hack-for-inside-information/article/467683/

FYI - Missing drives contained PHI on 950K Centene customers - Six hard drives containing personal and health information on clients of health insurance company Centene Corp. have gone missing. http://www.scmagazine.com/missing-drives-contained-phi-on-950k-centene-customers/article/467860/

FYI - Lawsuit dismissed in Georgia after state admits to massive breach - Plaintiffs in Atlanta had a class-action lawsuit dismissed on Monday following the state's acknowledgement it had put at risk the data of six million voters. http://www.scmagazine.com/lawsuit-dismissed-in-georgia-after-state-admits-to-massive-breach/article/467701/

FYI - NCH Healthcare suffers data breach - NCH Healthcare Systems, which operates two hospitals in the Naples, Fla. area, notified employees and medical staff last week that two servers containing some personal information were accessed by unauthorized personnel. http://www.scmagazine.com/nch-healthcare-suffers-data-breach/article/469192/


This week concludes our series on the FDIC's Supervisory Policy on Identity Theft (Part 6 of 6)
 President’s Identity Theft Task Force
 On May 10, 2006, the President issued an executive order establishing an Identity Theft Task Force (Task Force). The Chairman of the FDIC is a principal member of the Task Force and the FDIC is an active participant in its work. The Task Force has been charged with delivering a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution. On September 19, 2006, the Task Force adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft. Among other things, these recommendations dealt with data breach guidance to federal agencies, alternative methods of "authenticating" identities, and reducing access of identity thieves to Social Security numbers. The final strategic plan is expected to be publicly released soon.
 Financial institutions have an affirmative and continuing obligation to protect the privacy of customers' nonpublic personal information. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers.


We continue our series on the FFIEC interagency Information Security Booklet.  


 Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.
Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:
 1)  Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device-by-device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a TSP.
 2)  Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications, etc.).
 3)  Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or procedures).
 4)  Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).
 5)  Documenting current controls and security processes, including both information technology and physical security.
 6)  Identifying security requirements and considerations (e.g., GLBA).
 7)  Maintaining the risk assessment process requires institutions to review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six actions above.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Section II. Management Controls Chapter 5
 In discussions of computer security, the term policy has more than one meaning. Policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy. 
 Policy means different things to different people. The term "policy" is used in this chapter in a broad manner to refer to important computer security-related decisions.
 In this chapter the term computer security policy is defined as the "documentation of computer security decisions", which covers all the types of policy described above. In making these decisions, managers face hard choices involving resource allocation, competing objectives, and organizational strategy related to protecting both technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can result in policy, with the scope of the policy's applicability varying according to the scope of the manager's authority. In this chapter we use the term policy in a broad manner to encompass all of the types of policy described above, regardless of the level of manager who sets the particular policy.
 Managerial decisions on computer security issues vary greatly. To differentiate among various kinds of policy, this chapter categorizes them into three basic types:
 1)  Program policy is used to create an organization's computer security program.
 2)  Issue-specific policies address specific issues of concern to the organization.
 3)  System-specific policies focus on decisions taken by management to protect a particular system.
 Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization.
 Familiarity with various types and components of policy will aid managers in addressing computer security issues important to the organization. Effective policies ultimately result in the development and implementation of a better computer security program and better protection of systems and information.
 These types of policy are described to aid the reader's understanding. It is not important that one categorizes specific organizational policies into these three categories; it is more important to focus on the functions of each.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

