R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 7, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, an agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - FDIC Publication Focuses on Enhancing Banks' Cybersecurity Programs - "A Framework for Cybersecurity," which appears in the Winter 2015 issue of Supervisory Insights, released today, discusses the cyber threat landscape and how financial institutions' information security programs can be enhanced to address evolving cybersecurity risks.  www.fdic.gov/news/news/press/2016/pr16006.html

FYI - How Incident Response Fails In Industrial Control System Networks - Experts say a solid incident response plan is the best way to minimize the damage of a cyberattack--but IR isn't so simple for the ICS/SCADA world. Worries of eventual cyberattacks on utilities as well as chemical and other industrial sites have intensified in the wake of the recent attacks that led to a power blackout in western Ukraine. http://www.darkreading.com/perimeter/how-incident-response-fails-in-industrial-control-system-networks/d/d-id/1324094

FYI - NSA Hacking Chief: Internet of Things Security Keeps Me Up at Night - The leader of the National Security Agency’s hackers says that putting industrial control systems online has made America less secure. http://www.technologyreview.com/news/546251/nsa-hacking-chief-internet-of-things-security-keeps-me-up-at-night/

FYI - Congress to federal agencies: You have two weeks to tally your backdoored Juniper kit - A House committee wants to gauge the impact of the recent Juniper ScreenOS backdoors on government departments and agencies. http://www.computerworld.com/article/3026440/security/congress-to-federal-agencies-you-have-two-weeks-to-tally-your-backdoored-juniper-kit.html

FYI - CISO salaries and demand for cyber-skills skyrockets, surprising no-one - Two new studies have shown that vacancies in cyber-security positions have skyrocketed as have CISOs salaries. http://www.scmagazine.com/ciso-salaries-and-demand-for-cyber-skills-skyrockets-surprising-no-one/article/469300/

FYI - Cybercrime for sale - When the United States Secret Service started to focus on cybercrimes nearly two decades ago, the market for this kind of electronic malfeasance was not nearly as large or as organized as it would quickly become. http://www.scmagazine.com/cybercrime-for-sale/article/470269/

FYI - TalkTalk loses 250,000 customers post-breach - now supplier scam too - "Customers have lost faith in TalkTalk as a trustworthy brand," following the October breach of the broadband, TV and telecoms provider. http://www.scmagazine.com/talktalk-loses-250000-customers-post-breach--now-supplier-scam-too/article/469571/

FYI - Major banks to roll out ATMs that use smartphones for authentication - Bank of America, Wells Fargo and JPMorgan Chase have announced plans to roll out ATMs that take smartphones as well as ATM cards to authenticate transactions in an effort to reduce the likelihood of skimming and other security attacks as well as make ATM use more convenient for users. http://www.scmagazine.com/atms-will-authenticate-transactions-via-smart-phone/article/470265/

FYI - Cybersecurity Gap Blocks Pentagon From a Lockheed F-35 Database - The Pentagon hasn’t had updated information on maintenance of the F-35 jet since May because a Lockheed Martin Corp. database doesn’t meet new government cybersecurity requirements, according to the Defense Department’s testing office. http://www.bloomberg.com/news/articles/2016-02-01/cybersecurity-gap-blocks-pentagon-from-a-lockheed-f-35-database

FYI - No BYOD for Census workers - The Census Bureau has opted not to pursue a bring-your-own-device strategy for gathering information during the 2020 census. https://fcw.com/articles/2016/01/29/census-byod-noble.aspx

FYI - Teaming up IT and legal departments for better corporate security - Companies looking to create strong security and privacy protocols have to encourage their IT and legal departments to not only work together, but each should learn a little of the other's job. http://www.scmagazine.com/teaming-up-it-and-legal-departments-for-better-corporate-security/article/471090/

FYI - Information governance hard to achieve, worth effort to protect data - Information governance (IG) is nearly impossible to achieve, but is a goal worth pursuing to protect the privacy of sensitive data and ensure organizations can meet discovery requests, according to a panel at the LegalTech show in New York. http://www.scmagazine.com/information-governance-hard-to-achieve-worth-effort-to-protect-data/article/470943/

FYI - Law enforcement's encryption claims overblown, study finds - The surge in Internet-connected devices will offer ample new surveillance opportunities, according to a Harvard study. Encryption may not protect criminals as much as we have been led to believe. http://www.cnet.com/news/law-enforcements-encryption-claims-overblown-study-finds/

FYI - Smart office buildings have more backdoors than the designers intended - All of the convenience created by installing smart appliances and controls in an office is being countered by the inherent threat these devices can then pose to the network to which they are attached. http://www.scmagazine.com/smart-office-buildings-have-more-backdoors-than-the-designers-intended-ibm/article/471448/

FYI - New research reveals 71 percent of UK organisations not cyber-resilient - Study of 450 UK IT and security professionals uncovers insufficient planning and lack of clear ownership as major inhibitors to achieving cyber resilience. http://www.scmagazine.com/new-research-reveals-71-percent-of-uk-organisations-not-cyber-resilient/article/471200/

FYI - Would you like fraud with that? Burger chain giant Wendy's 'hacked' - Wendy's – the third largest fast-food chain in the world – has become the latest retail giant to lose customers' credit card numbers to crooks, it appears. http://www.theregister.co.uk/2016/01/27/us_wendys_stores_breached/

FYI - Website admin cPanel hacked, loses a bunch of folks' contact details - Website administration firm cPanel told customers that it had been hacked over the weekend, potentially exposing contact information in the process. http://www.theregister.co.uk/2016/01/27/cpanel_security_breach/

FYI - HSBC UK online banking operations disrupted by DDoS attack - HSBC UK this morning was the target of a DDoS attack that flooded the financial institution's systems with manufactured traffic, much to the dismay of online banking customers who were unable to access and manage their accounts. http://www.scmagazine.com/hsbc-uk-online-banking-operations-disrupted-by-ddos-attack/article/469460/

FYI - Unauthorized access leads to Neiman Marcus Group breach, 5,200 affected - Neiman Marcus Group (NMG) reported that someone gained unauthorized access to online customer accounts on the Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP websites. http://www.scmagazine.com/attacker-accesses-5200-neiman-marcus-group-customer-accounts/article/470237/

FYI - TaxSlayer breached: 8,800 customers notified PII may be compromised - Tax preparation software publisher TaxSlayer notified about 8,800 of its customers last week that an unauthorized third party may have gained access to the personal information contained on their tax return. http://www.scmagazine.com/taxslayer-breached-8800-customers-notified-pii-may-be-compromised/article/470259/

FYI - Lincolnshire county council resolves ransomware restlessness - Lincolnshire council has restored itself to full capacity after its systems were infected with ransomware. On 26th January, a phishing email loaded with an infectious attachment deployed ransomware on the local authority's computers. http://www.scmagazine.com/lincolnshire-county-council-resolves-ransomware-restlessness/article/470271/

FYI - US police contracts and private forum posts dumped online - Fraternal Order of the Police not feeling very fraternal - A data dump covering hundreds of police contracts and thousands of private forum posts by US law enforcement officers has been posted online. http://www.theregister.co.uk/2016/01/29/us_police_contracts_and_private_forum_posts_dumped_online/

FYI - Qbot virus still attacking Royal Melbourne Hospital - A computer virus that can steal passwords is still causing headaches at one of Melbourne's largest hospitals. A virus that infected computer systems at Royal Melbourne Hospital two weeks ago still hasn't been fixed and continues to "mutate". http://www.zdnet.com/article/qbot-virus-still-attacking-royal-melbourne-hospital/

FYI - Hackers attack 20M accounts of Alibaba e-commerce unit - A group of hackers tried to access active accounts belonging to more than 20 million users of Taobao, Alibaba Group Holding Ltd.'s e-commerce unit. http://www.scmagazine.com/hackers-attack-20m-accounts-of-alibaba-e-commerce-unit/article/471412/

FYI - Student SSNs exposed in University of Central Florida breach - The University of Central Florida today publicly acknowledged a data breach in which the Social Security (SSN) numbers of 63,000 current and former students were illegally accessed. http://www.scmagazine.com/student-ssns-exposed-in-university-of-central-florida-breach/article/471439/


This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)
Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.


We continue our series on the FFIEC interagency Information Security Booklet.

The information gathered is used to characterize the system, to identify and measure threats to the system and the data it contains and transmits, and to estimate the likelihood that a threat will take action against the system or data.
System characterization articulates the understanding of the system, including the boundaries of the system being assessed, the system's hardware and software, and the information that is stored, processed, and transmitted. Since operational systems may have changed since they were last documented, a current review of the system should be performed. Developmental systems, on the other hand, should be analyzed to determine their key security rules and attributes. Those rules and attributes should be documented as part of the systems development lifecycle process. System characterization also requires the cross-referencing of vulnerabilities to current controls to identify those that mitigate specific threats, and to assist in highlighting the control areas that should be improved.
A key part of system characterization is the ranking of data and system components according to their sensitivity and importance to the institution's operations. Additionally, consistent with the GLBA, the ranking should consider the potential harm to customers of unauthorized access and disclosure of customer non-public personal information. Ranking allows for a reasoned and measured analysis of the relative outcome of various attacks, and the limiting of the analysis to sensitive information or information and systems that may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and analysis of threat scenarios. Threat scenarios should be comprehensive in their scope (e.g., they should consider reasonably foreseeable threats and possible attacks against information and systems that may affect the institution's condition and operations or may cause data disclosures that could result in substantial harm or inconvenience to customers). They should consider the potential effect and likelihood of failure within the control environment due to non-malicious or malicious events. They should also be coordinated with business continuity planning to include attacks performed when those plans are implemented. Non-malicious scenarios typically involve accidents related to inadequate access controls and natural disasters. Malicious scenarios, either general or specific, typically involve a motivated attacker (i.e., threat) exploiting a vulnerability to gain access to an asset to create an outcome that has an impact.
An example of a general malicious threat scenario is an unskilled attacker using a program script to exploit a vulnerable Internet-accessible Web server to extract customer information from the institution's database. Assuming the attacker's motivation is to seek recognition from others, the attacker publishes the information, causing the financial institution to suffer damage to its reputation. Ultimately, customers are likely to be victims of identity theft.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls, Chapter 5 - COMPUTER SECURITY POLICY
Tools to Implement Policy - Standards, Guidelines, and Procedures:
Because policy is written at a broad level, organizations also develop standards, guidelines, and procedures that offer users, managers, and others a clearer approach to implementing policy and meeting organizational goals. Standards and guidelines specify technologies and methodologies to be used to secure systems. Procedures are yet more detailed steps to be followed to accomplish particular security-related tasks. Standards, guidelines, and procedures may be promulgated throughout an organization via handbooks, regulations, or manuals.
Organizational standards (not to be confused with American National Standards, FIPS, Federal Standards, or other national or international standards) specify uniform use of specific technologies, parameters, or procedures when such uniform use will benefit an organization. Standardization of organization-wide identification badges is a typical example, providing ease of employee mobility and automation of entry/exit systems. Standards are normally compulsory within an organization.
Guidelines assist users, systems personnel, and others in effectively securing their systems. The nature of guidelines, however, immediately recognizes that systems vary considerably, and imposition of standards is not always achievable, appropriate, or cost-effective. For example, an organizational guideline may be used to help develop system-specific standard procedures. Guidelines are often used to help ensure that specific security measures are not overlooked, although they can be implemented, and correctly so, in more than one way.
Procedures normally assist in complying with applicable security policies, standards, and guidelines. They are detailed steps to be followed by users, system operations personnel, or others to accomplish a particular task (e.g., preparing new user accounts and assigning the appropriate privileges).
Some organizations issue overall computer security manuals, regulations, handbooks, or similar documents. These may mix policy, guidelines, standards, and procedures, since they are closely linked. While manuals and regulations can serve as important tools, it is often useful if they clearly distinguish between policy and its implementation. This can help in promoting flexibility and cost-effectiveness by offering alternative implementation approaches to achieving policy goals.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated