R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 22, 2015

ewsletter Content FFIEC IT Security Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- Facebook Unveils Tool For Sharing Data On Malicious Botnets - Facebook noticed the attack first. But Mark Hammell and his team couldn’t stop it without help from Tumblr, Pinterest, and others. http://www.wired.com/2015/02/facebook-unveils-tool-sharing-data-malicious-botnets/

FYI - Cellphone 'kill switch' leads to sharp declines in theft - It was announced Tuesday that international efforts to implement “kill switches” in all smart phones, which allow mobiles to be turned off remotely, have led to major declines in the crime in three major cities. http://www.csmonitor.com/Innovation/2015/0211/Cellphone-kill-switch-leads-to-sharp-declines-in-theft

FYI - NIST requests final comments on ICS security guide - The National Institute of Standards and Technology (NIST) is updating its security guide for industrial control systems (ICS) to include tailored guidance for utilities, automakers, chemical firms and other companies that utilize such systems. http://www.scmagazine.com/nist-requests-final-comments-on-ics-security-guide/article/397751/

FYI - Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole - ASLR vulnerability patched today used in tandem with previously patched Flash vuln to carry out drive-by-downloads against political and economic targets. http://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059

FYI - Breach index: Mega breaches, rise in identity theft mark 2014 - A global study found that more than one billion records were compromised in data breaches last year. http://www.scmagazine.com/breach-index-mega-breaches-rise-in-identity-theft-mark-2014/article/398236/

FYI - Canada losing cybersecurity war - Canada's companies are ill-prepared to meet modern cybersecurity challenges, according to a survey by the Ponemon Institute. http://www.scmagazine.com/canada-losing-cybersecurity-war/article/397732/

FYI - To attract more women, cybersecurity industry could drop macho jargon - The cybersecurity industry has a history of hostility toward women. To make the field more welcoming, female security pros recommend moving away from the aggressive language of combat and talking about protecting people instead. http://www.csmonitor.com/World/Passcode/2015/0216/To-attract-more-women-cybersecurity-industry-could-drop-macho-jargon


FYI - Cyber attack takes down Dutch government sitesDDoS - The attack, which also took down some private sites, highlighted the vulnerability of public infrastructure. http://www.bbc.com/news/technology-31440973

FYI - Defense Contract Management Agency Probes Hack - The Defense Contract Management Agency, the U.S. federal government entity responsible for performing contract administration services for the Department of Defense, is responding to a suspected cybersecurity breach and has pulled a number of its servers offline while the investigation continues. http://krebsonsecurity.com/2015/02/defense-contract-management-agency-probes-hack/

FYI - Bank Hackers Steal Millions via Malware - In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card, or touched a button. Cameras showed that the piles of money were swept up by customers who appeared lucky to be there at the right moment.

FYI - Tennessee healthcare group notifies employees of payroll breach - Tennessee-based State of Franklin Healthcare Associates (SoFHA) has notified all employees that their personal information was accessed during a security breach at the company's third party payroll vendor, and some if has already been used to file fraudulent tax returns. http://www.scmagazine.com/tennessee-healthcare-group-notifies-employees-of-payroll-breach/article/398240/

FYI - Data at risk following burglary at Liberty Tax Service office in California - Computer towers were stolen during a burglary at a Liberty Tax Service office in California, and now an undisclosed number of individuals are being notified that personal information – including Social Security numbers – may be at risk. http://www.scmagazine.com/data-at-risk-following-burglary-at-liberty-tax-service-office-in-california/article/398664/

FYI - Big Fish Games notifies customers of payment card breach - Big Fish Games is notifying an undisclosed number of customers that malware was installed on the billing and payment pages of its websites, and it appears to have intercepted customer payment information. http://www.scmagazine.com/big-fish-games-notifies-customers-of-payment-card-breach/article/398913/

FYI - Chesapeake suit claims former CEO stole trade secrets - In a lawsuit filed in Oklahoma County District Court, Chesapeake Energy has accused its former CEO Aubrey McClendon of making off with company data, including “highly sensitive trade secrets,” when he left the company to form a new firm, American Energy Partners. http://www.scmagazine.com/chesapeake-suit-claims-former-ceo-stole-trade-secrets/article/399073/

FYI - University of Maine laptop and media card stolen, contained student data - A University of Maine laptop computer and media card containing student information – including Social Security numbers – was stolen from the checked bag of a faculty member while on an airline flight. http://www.scmagazine.com/university-of-maine-laptop-and-media-card-stolen-contained-student-data/article/399042/

Return to the top of the newsletter

We continue the series regarding FDIC Supervisory Insights regarding
Incident Response Programs.  (4 of 12)

Reaction Procedures

Assessing security incidents and identifying the unauthorized access to or misuse of customer information essentially involve organizing and developing a documented risk assessment process for determining the nature and scope of the security event. The goal is to efficiently determine the scope and magnitude of the security incident and identify whether customer information has been compromised.

Containing and controlling the security incident involves preventing any further access to or misuse of customer information or customer information systems. As there are a variety of potential threats to customer information, organizations should anticipate the ones that are more likely to occur and develop response and containment procedures commensurate with the likelihood of and the potential damage from such threats. An institution's information security risk assessment can be useful in identifying some of these potential threats. The containment procedures developed should focus on responding to and minimizing potential damage from the threats identified. Not every incident can be anticipated, but institutions should at least develop containment procedures for reasonably foreseeable incidents.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.


Information security is an integrated process that reduces information security risks to acceptable levels. The entire process, including testing, is driven by an assessment of risks. The greater the risk, the greater the need for the assurance and validation provided by effective information security testing.

In general, risk increases with system accessibility and the sensitivity of data and processes. For example, a high-risk system is one that is remotely accessible and allows direct access to funds, fund transfer mechanisms, or sensitive customer data. Information only Web sites that are not connected to any internal institution system or transaction capable service are lower-risk systems. Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems. Because tests only measure the security posture at a point in time, frequent testing provides increased assurance that the processes that are in place to maintain security over time are functioning.

A wide range of tests exists. Some address only discrete controls, such as password strength. Others address only technical configuration, or may consist of audits against standards. Some tests are overt studies to locate vulnerabilities. Other tests can be designed to mimic the actions of attackers. In many situations, management may decide to perform a range of tests to give a complete picture of the effectiveness of the institution's security processes. Management is responsible for selecting and designing tests so that the test results, in total, support conclusions about whether the security control objectives are being met.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.


19.3.4 Security of Cryptography Modules

FIPS 140-1, Security Requirements for Cryptographic Modules, specifies the physical and logical security requirements for cryptographic modules. The standard defines four security levels for cryptographic modules, with each level providing a significant increase in security over the preceding level. The four levels allow for cost-effective solutions that are appropriate for different degrees of data sensitivity and different application environments. The user can select the best module for any given application or system, avoiding the cost of unnecessary security features.

Cryptography is typically implemented in a module of software, firmware, hardware, or some combination thereof. This module contains the cryptographic algorithm(s), certain control parameters, and temporary storage facilities for the key(s) being used by the algorithm(s). The proper functioning of the cryptography requires the secure design, implementation, and use of the cryptographic module. This includes protecting the module against tampering.

19.3.5 Applying Cryptography to Networks

The use of cryptography within networking applications often requires special considerations. In these applications, the suitability of a cryptographic module may depend on its capability for handling special requirements imposed by locally attached communications equipment or by the network protocols and software.

Encrypted information, MACs, or digital signatures may require transparent communications protocols or equipment to avoid being misinterpreted by the communications equipment or software as control information. It may be necessary to format the encrypted information, MAC, or digital signature to ensure that it does not confuse the communications equipment or software. It is essential that cryptography satisfy the requirements imposed by the communications equipment and does not interfere with the proper and efficient operation of the network.

Data is encrypted on a network using either link or end-to-end encryption. In general, link encryption is performed by service providers, such as a data communications provider. Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing. End-to-end encryption is generally performed by the end-user organization. Although data remains encrypted when being passed through a network, routing information remains visible. It is possible to combine both types of encryption.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated