FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Feds warn on ransomware threat to schools - Hackers have tried to sell over 100 million private records extorted from almost 100 schools and businesses as of the end of last year after escalating, sometimes violent, threats, according to an industry warning issued Jan. 31 by the FBI and the Department of Education inspector general.
https://fcw.com/articles/2018/02/06/education-ransomware-rockwell.aspx?admgarea=TC_Security
Girls Go CyberStart Challenge Teasers! - Want to know what kind of
challenges you will be up against in Girls Go CyberStart? We have
provided some teaser challenges to get your brain thinking like a
cyber security expert.
https://medium.com/girls-go-cyberstart/girls-go-cyberstart-challenge-teasers-ea7d0c35c5d3
Study shows which phishing attacks are most successful - People are very predictable when it comes to designing phishing attacks that appeal to potential victims, with people most likely to click on messages concerning money.
https://www.scmagazine.com/study-shows-most-clicked-phishing-attempts/article/743513/
Equifax data breach may have exposed a wider range of data - Equifax
revealed to a Senate committee in a document that even more personal
data than had been originally reported may have been exposed during
the massive data breach the credit monitoring company experienced
last year.
https://www.scmagazine.com/equifax-data-breach-may-have-exposed-a-wider-range-of-data/article/743510/
Google will label all HTTP sites 'not secure' starting in July 2018
- Google recently announced that the Chrome browser will soon start
flagging every site not using HTTPS encryption as “not secure.”
https://www.scmagazine.com/chrome-to-label-non-https-site-as-not-secure-starting-july-2018/article/743657/
UK Government websites hit by cryptocurrency mining campaign - More
than 5,000 sites, including sites belonging to the NHS, ICO, local
councils and the Student Loans Company were hit by a cryptocurrency
mining campaign that exploited a popular plug-in to infect sites
with a malicious script.
https://www.scmagazine.com/uk-government-websites-hit-by-cryptocurrency-mining-campaign/article/743639/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Waldo County, Maine, phishing attack results in data breach - A phishing attack compromised the information of 100 Waldo County employees in Maine.
https://www.scmagazine.com/waldo-county-maine-employee-data-breached-after-phishing-attack/article/743142/
Dial 'B' for Breach: Unauthorized party access data on 800K Swisscom
customers - Telecom giant Swisscom yesterday disclosed that an
unauthorized intruder misappropriated an unnamed sales partner's
access to its data, thereby compromising basic information
pertaining to approximately 800,000 customers.
https://www.scmagazine.com/dial-b-for-breach-unauthorized-party-access-data-on-800k-swisscom-customers/article/742976/
Adversary breaches Tennessee hospital's medical records server to
install cryptominer - Decatur County General Hospital in Parsons,
Tenn., has publicly disclosed that an unauthorized party accessed
the server for its electronic medical record system and secretly
implanted cryptomining malware.
https://www.scmagazine.com/adversary-breaches-tennessee-hospitals-medical-records-server-to-install-cryptominer/article/743319/
2018 Winter Olympic Games hit with destroyer malware during opening
ceremony - Warnings that the 2018 Winter Olympic Games would be the
target for hackers came true almost immediately as the Pyeongchang
computer system was hit with a "destroyer" cyberattack knocking its
website and other services offline.
https://www.scmagazine.com/2018-winter-olympic-games-hit-with-destroyer-malware-during-opening-ceremony/article/743811/
Ransomware attack on Sacramento Bee database exposes voter records
of 19.5M Californians - The Sacramento Bee deleted two databases
hosted by a third party after a ransomware attack exposed the voter
records of 19.5 million California voters and 53,000 current and
former subscribers to the newspaper.
https://www.scmagazine.com/ransomware-attack-on-sacramento-bee-database-exposes-voter-records-of-195m-californians/article/743302/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 2 of 10)
A. RISK DISCUSSION
Introduction
Compliance risk arises when the linked third party acts in a
manner that does not conform to regulatory requirements. For
example, compliance risk could arise from the inappropriate release
or use of shared customer information by the linked third party.
Compliance risk also arises when the link to a third party creates
or affects compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for
an institution. This guidance applies to links to affiliated, as
well as non-affiliated, third parties. A link to a third-party
website that provides a customer only with information usually does
not create a significant risk exposure if the information being
provided is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
features.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Encryption
Encryption, or cryptography, is a method of converting information
to an unintelligible code. The process can then be reversed,
returning the information to an understandable form. The information
is encrypted (encoded) and decrypted (decoded) by what are commonly
referred to as "cryptographic keys." These "keys" are actually
values, used by a mathematical algorithm to transform the data. The
effectiveness of encryption technology is determined by the strength
of the algorithm, the length of the key, and the appropriateness of
the encryption system selected.
Because encryption renders information unreadable to any party
without the ability to decrypt it, the information remains private
and confidential, whether being transmitted or stored on a system.
Unauthorized parties will see nothing but an unorganized assembly of
characters. Furthermore, encryption technology can provide
assurance of data integrity as some algorithms offer protection
against forgery and tampering. The ability of the technology to
protect the information requires that the encryption and decryption
keys be properly managed by authorized parties.
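The paragraphs above describe three properties of a sound encryption system: confidentiality (unauthorized parties see only an unorganized assembly of characters), integrity (some algorithms detect forgery and tampering), and dependence on the key length and on proper key handling. The following Go program is an added example written for this newsletter; it is not code from the FDIC paper or from any bank system. It uses the Go standard library's AES-GCM, an authenticated cipher, and assumes a demonstration key derived from a passphrase and a constructed sample record; a production system would instead use a generated key held under the key-management controls the text calls for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// gcmNonceSize is the standard 12-byte nonce length used by cipher.NewGCM.
const gcmNonceSize = 12

// Encrypt seals plaintext under key with AES-GCM and returns
// nonce || ciphertext || tag, everything the receiver needs to decrypt
// and verify. aes.NewCipher enforces the key length: 16, 24 or 32 bytes
// for AES-128, AES-192 or AES-256; anything else is rejected.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing one under the same key
	// would break both confidentiality and integrity.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and the 16-byte authentication tag to nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error if the key is wrong or if
// any byte of the nonce, ciphertext or tag has been altered, so a party
// without the key sees nothing and a tampered message is refused outright.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, nil)
}

// DeriveDemoKey turns a passphrase into a 32-byte AES-256 key. This is an
// assumption made for the demonstration only; real deployments generate
// keys randomly and manage them in a key-management system.
func DeriveDemoKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// TamperDetected flips one bit of a sealed message and reports whether
// Decrypt refused the result, which is the integrity guarantee the text
// describes. For a message with no body it flips a byte of the tag instead.
func TamperDetected(key, data []byte) bool {
	if len(data) == 0 {
		return false
	}
	altered := append([]byte(nil), data...)
	i := gcmNonceSize // first ciphertext byte, just after the nonce
	if len(altered) <= gcmNonceSize+16 {
		i = len(altered) - 1
	}
	altered[i] ^= 0x01
	_, err := Decrypt(key, altered)
	return err != nil
}

func main() {
	key := DeriveDemoKey("demo passphrase")   // constructed for the demo
	record := []byte("ACCT 1234 BAL 500.00")  // constructed sample record
	sealed, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (hex): %x\n", sealed)
	opened, err := Decrypt(key, sealed)
	fmt.Printf("decrypted: %q err=%v\n", opened, err)
	fmt.Println("tampering detected:", TamperDetected(key, sealed))
	_, err = Decrypt(DeriveDemoKey("wrong passphrase"), sealed)
	fmt.Println("wrong key rejected:", err != nil)
	_, err = Encrypt([]byte("short"), record)
	fmt.Println("bad key length rejected:", err != nil)
}
```

The example ties the three properties together: the sealed output is unreadable without the key, a single flipped bit makes decryption fail rather than yielding silently corrupted data, and a key of the wrong length is refused before anything is encrypted. None of that helps if the key itself is exposed, which is why the text ends on key management.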
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.8 Interdependencies
There are support and operations components in most of the controls
discussed in this handbook.
Personnel. Most support and operations staff have special
access to the system. Some organizations conduct background checks
on individuals filling these positions to screen out possibly
untrustworthy individuals.
Incident Handling. Support and operations may include an
organization's incident handling staff. Even if they are separate
organizations, they need to work together to recognize and respond
to incidents.
Contingency Planning. Support and operations normally
provides technical input to contingency planning and carries out the
activities of making backups, updating documentation, and practicing
responding to contingencies.
Security Awareness, Training, and Education. Support and
operations staff should be trained in security procedures and should
be aware of the importance of security. In addition, they provide
technical expertise needed to teach users how to secure their
systems.
Physical and Environmental. Support and operations staff often control the immediate physical area around the computer system.
Technical Controls. The technical controls are installed,
maintained, and used by support and operations staff. They create
the user accounts, add users to access control lists, review audit
logs for unusual activity, control bulk encryption over
telecommunications links, and perform the countless operational
tasks needed to use technical controls effectively. In addition,
support and operations staff provides needed input to the selection
of controls based on their knowledge of system capabilities and
operational constraints.
Assurance. Support and operations staff ensures that changes
to a system do not introduce security vulnerabilities by using
assurance methods to evaluate or test the changes and their effect
on the system. Operational assurance is normally performed by
support and operations staff.
14.9 Cost Considerations
The cost of ensuring adequate security in day-to-day support and
operations is largely dependent upon the size and characteristics of
the operating environment and the nature of the processing being
performed. If sufficient support personnel are already available, it
is important that they be trained in the security aspects of their
assigned jobs; it is usually not necessary to hire additional
support and operations security specialists. Training, both initial
and ongoing, is a cost of successfully incorporating security
measures into support and operations activities.