R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 26, 2017

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- First-in-nation state-mandated cybersecurity regulation takes effect March 1 - The nation's first state-mandated cybersecurity regulations regarding banking and financial services companies are scheduled to go into effect in New York state on March 1.

Almost all organizations lack the technology to defend against cyberattacks - A new survey shows that just three percent of IT security professionals believe their organization has the technology in place to deal with the most common cyber problems that they face. https://www.scmagazine.com/almost-all-organizations-lack-the-technology-to-defend-against-cyberattacks-tripwire/article/638345/

New Mexico close to data breach bill - New Mexico's House of Representatives passed a data breach bill on Wednesday night by a unanimous vote. https://www.scmagazine.com/new-mexico-close-to-data-breach-bill/article/638424/

Homeland Security Chairman: We're in the Fight of Our Digital Lives - The chairman of the House of Representatives Homeland Security Committee, Republican Michael McCaul, didn't mince words to describe threats to the country's cyber-security during a keynote here. http://www.eweek.com/security/homeland-security-chairman-were-in-the-fight-of-our-digital-lives.html

NIST Wants To Know How Utility Companies Can Deter Hackers - A new federal effort aims to help energy companies protect themselves from hackers trying to shut down the power grid. http://www.nextgov.com/cybersecurity/2017/02/nist-wants-know-how-utility-companies-deter-hackers/135555/

Smash up your kid's Bluetooth-connected Cayla 'surveillance' doll, Germany urges parents - Or switch it off, bin it, bury it, whatever's necessary - Germany's Federal Network Agency, or Bundesnetzagentur, has banned Genesis Toys' Cayla doll as an illegal surveillance device. http://www.theregister.co.uk/2017/02/17/cayla_doll_banned_in_germany/

Reworked N.Y. Cybersecurity Regulation Takes Effect in March - New York's controversial new cybersecurity regulation will come into effect March 1, imposing new rules on the banking and insurance sectors with the aim of better protecting institutions and consumers against cyberattacks. http://www.bankinfosecurity.com/reworked-ny-cybersecurity-regulation-takes-effect-in-march-a-9733

Malware targeting banks contains apparent false flags designed to frame Russians - Malware samples recovered from watering hole attacks that have recently targeted banks across the globe contain false flags that fraudulently suggest Russian actors are behind the campaign, even though the most likely culprit remains the North Korea-linked APT Lazarus Group, BAE Systems reported in a Monday blog post. https://www.scmagazine.com/malware-targeting-banks-contains-apparent-false-flags-designed-to-frame-russians/article/639223/

Lawsuit claims employee who moved to rival firm stole confidential info - Court filings have accused ticketing company Ticketmaster of using information stolen from a rival firm's computers to spy on its activities. The information was allegedly stolen by a previous employee of the firm, who now works for Ticketmaster. https://www.scmagazine.com/lawsuit-claims-employee-who-moved-to-rival-firm-stole-confidential-info/article/639212/


FYI - Israeli soldiers hit by Android malware from cyberespionage group - More than 100 soldiers from the Israel Defense Forces had their Android phones infected with malware by a cyberespionage group. http://computerworld.com/article/3171148/security/israeli-soldiers-hit-by-android-malware-from-cyberespionage-group.html

Trump fundraising website hacked - A fundraising website of President Donald Trump was defaced on Feb. 19, according to a post on Graham Cluley's security news site. https://www.scmagazine.com/trump-fundraising-website-hacked/article/639220/

17K affected in W-2 data breach at American Senior Communities - American Senior Communities reported that several employees have had their federal tax returns rejected by the IRS with the government stating they were duplicates. This is most likely due to a company payroll worker falling for a W-2 phishing scam in January resulting in cybercriminals filing false returns using the stolen data. https://www.scmagazine.com/17k-affected-in-w-2-data-breach-at-american-senior-communities/article/639225/

400K patient records lost in January health care breaches - Insider threats dominated Protenus' Health Care Breach Barometer with just over half of the compromised patient records that were lost in January being the result of either malicious or unintentional action by an insider. https://www.scmagazine.com/400k-patient-records-lost-in-january-health-care-breaches/article/639385/

Yahoo reveals more breachiness to users victimized by forged cookies - Some accounts may have been accessed with forged cookies as recently as 2016. https://arstechnica.com/information-technology/2017/02/yahoo-reveals-more-breachiness-to-users-victimized-by-forged-cookies/

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight
- Principle 10: Banks should take appropriate measures to preserve the confidentiality of key e-banking information. Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases.
  Confidentiality is the assurance that key information remains private to the bank and is not viewed or used by those unauthorized to do so. Misuse or unauthorized disclosure of data exposes a bank to both reputation and legal risk. The advent of e-banking presents additional security challenges for banks because it increases the exposure that information transmitted over the public network or stored in databases may be accessible by unauthorized or inappropriate parties or used in ways the customer providing the information did not intend. Additionally, increased use of service providers may expose key bank data to other parties.
  To meet these challenges concerning the preservation of confidentiality of key e-banking information, banks need to ensure that:
  1)  All confidential bank data and records are only accessible by duly authorized and authenticated individuals, agents or systems.
  2)  All confidential bank data are maintained in a secure manner and protected from unauthorized viewing or modification during transmission over public, private or internal networks.
  3)  The bank's standards and controls for data use and protection must be met when third parties have access to the data through outsourcing relationships.
  4)  All access to restricted data is logged and appropriate efforts are made to ensure that access logs are resistant to tampering.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  
 Malicious code is any program that acts in unexpected and potentially damaging ways. Common types of malicious code are viruses, worms, and Trojan horses. The functions of each were once mutually exclusive; however, developers combined functions to create more powerful malicious code. Currently malicious code can replicate itself within a computer and transmit itself between computers. Malicious code also can change, delete, or insert data, transmit data outside the institution, and insert backdoors into institution systems. Malicious code can attack institutions at either the server or the client level. It can also attack routers, switches, and other parts of the institution infrastructure. Malicious code can also monitor users in many ways, such as logging keystrokes, and transmitting screenshots to the attacker.
 Typically malicious code is mobile, using e - mail, Instant Messenger, and other peer-to-peer (P2P) applications, or active content attached to Web pages as transmission mechanisms. The code also can be hidden in programs that are downloaded from the Internet or brought into the institution on diskette. At times, the malicious code can be created on the institution's systems either by intruders or by authorized users. The code can also be introduced to a Web server in numerous ways, such as entering the code in a response form on a Web page.
 Malicious code does not have to be targeted at the institution to damage the institution's systems or steal the institution's data. Most malicious code is general in application, potentially affecting all Internet users with whatever operating system or application the code needs to function.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Chapter 9 - Assurance Configuration Management
 From a security point of view, configuration management provides assurance that the system in operation is the correct version (configuration) of the system and that any changes to be made are reviewed for security implications. Configuration management can be used to help ensure that changes take place in an identifiable and controlled environment and that they do not unintentionally harm any of the system's properties, including its security. Some organizations, particularly those with very large systems (such as the federal government), use a configuration control board for configuration management. When such a board exists, it is helpful to have a computer security expert participate. In any case, it is useful to have computer security officers participate in system management decision-making.
 Changes to the system can have security implications because they may introduce or remove vulnerabilities and because significant changes may require updating the contingency plan, risk analysis, or accreditation. Trade Literature/Publications/Electronic News
 In addition to monitoring the system, it is useful to monitor external sources for information. Such sources as trade literature, both printed and electronic, have information about security vulnerabilities, patches, and other areas that impact security. The Forum of Incident Response Teams (FIRST) has an electronic mailing list that receives information on threats, vulnerabilities, and patches.
 9.5 Interdependencies
 Assurance is an issue for every control and safeguard discussed in this Handbook. Are user ID and access privileges kept up to date? Has the contingency plan been tested? Can the audit trail be tampered with? One important point to be reemphasized here is that assurance is not only for technical controls, but for operational controls as well. Although the chapter focused on information systems assurance, it is also important to have assurance that management controls are working well. Is the security program effective? Are policies understood and followed? As noted in the introduction to this chapter, the need for assurance is more widespread than people often realize.
 Life Cycle. Assurance is closely linked to the planning for security in the system life cycle. Systems can be designed to facilitate various kinds of testing against specified security requirements. By planning for such testing early in the process, costs can be reduced; in some cases, without proper planning, some kinds of assurance cannot be otherwise obtained.
 9.6 Cost Considerations
 There are many methods of obtaining assurance that security features work as anticipated. Since assurance methods tend to be qualitative rather than quantitative, they will need to be evaluated. Assurance can also be quite expensive, especially if extensive testing is done. It is useful to evaluate the amount of assurance received for the cost to make a best-value decision. In general, personnel costs drive up the cost of assurance. Automated tools are generally limited to addressing specific problems, but they tend to be less expensive.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated