R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

March 5, 2017

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Examining the Current State of Database Security - Considering that database systems hold extremely valuable and sensitive information, one would assume that most organizations would fiercely protect these “crown jewels” with great care. Unfortunately, that is not the case. https://www.scmagazine.com/examining-the-current-state-of-database-security/article/636758/

50 banking smartphone apps fail on security - Analysis of the mobile applications of 50 of the world's top 100 banks has found all to be vulnerable to several security threats. https://www.scmagazine.com/50-banking-smartphone-apps-fail-on-security/article/639775/

Fingerprints to unlock iPhone? Judge says no - A federal judge in Chicago issued an opinion on February 16 that would deny the government's attempt to force Apple device owners to provide a fingerprint to unlock their device. https://www.scmagazine.com/fingerprints-to-unlock-iphone-judge-says-no/article/639939/

Survey explores the minds of hackers: 81% claim they can compromise target in under 12 hours - Eighty-eight percent of hackers surveyed at the 2016 DEF CON conference in Las Vegas last August claimed that they can compromise a target in less than 12 hours, while 81 percent said they can identify and exfiltrate a target's data in the same amount of time. https://www.scmagazine.com/survey-explores-the-minds-of-hackers-81-claim-they-can-compromise-target-in-under-12-hours/article/640255/

New York's new cybersecurity requirements: Are you ready? - The New York State Department of Financial Services (DFS) has implemented a new regulation requiring all its supervised companies to comply with the Financial Services' Cybersecurity Requirements, which go into effect March 1, 2017. https://www.scmagazine.com/new-yorks-new-cybersecurity-requirements-are-you-ready/article/639683/

French and German MPs ask for encryption backdoors, industry says 'no' - French and German ministers ask for greater security measures, including encryption backdoors, to fight terrorism in Europe, but the tech industry says it isn't possible. https://www.scmagazine.com/french-and-german-mps-ask-for-encryption-backdoors-industry-says-no/article/640693/

FYI - John Legend calls his Twitter hacker hilarious - Singer John Legend took having his Twitter account hacked with a positive attitude, saying that while the hacker was vulgar, he was also “kinda hilarious”. https://www.scmagazine.com/john-legend-calls-his-twitter-hacker-hilarious/article/640395/

How sweet it isn't: W-2s of 3K Amalgamated Sugar workers exposed - Nearly three thousand workers at Boise, Idaho-based Amalgamated Sugar have received notifications of an intruder accessing the company's network and their personal information being disclosed. https://www.scmagazine.com/how-sweet-it-isnt-w-2s-of-3k-amalgamated-sugar-workers-exposed/article/640540/

Man suspected of DT router DDoS attack arrested at Luton airport - A man has been arrested by agents from the National Crime Agency (NCA) following a European Arrest Warrant issued by Germany's federal police. German authorities intend to seek extradition of the suspect on charges of computer sabotage. https://www.scmagazine.com/man-suspected-of-dt-router-ddos-attack-arrested-in-luton-airport/article/640104/

Security lapse exposed New York airport's critical servers for a year - Exclusive: The files included gigabytes of emails, sensitive government files, and a password list, which researchers say could give hackers "full access" to the airport's systems. http://www.zdnet.com/article/unsecured-servers-at-new-york-airport-left-exposed-for-a-year/

'Data security incident' affects 36K Boeing workers - While a Nov. 21 gaffe by a Boeing employee who, seeking Excel formatting assistance, emailed a spreadsheet containing personal data of 36,000 company employees to his spouse has not led to exposure of the data as of yet, the Seattle-based aerospace company, as required by law, issued a disclosure to Washington State Attorney General Bob Ferguson. https://www.scmagazine.com/data-security-incident-affects-36k-boeing-workers/article/640731/

vBulletin targeted yet again, 800K accounts compromised - Once again hackers have targeted vBulletin users, this time leaking information from 819,977 user accounts. https://www.scmagazine.com/hacker-leaks-800k-accounts-after-exploiting-vbulletin-forums/article/640911/

Singapore MoD computer breached, 850 lose PII - The personally identifiable information of 850 Singapore military service members and Ministry of Defense staffers was compromised in what is being called a targeted and carefully planned attack on the MOD's I-net computer system. https://www.scmagazine.com/singapore-mod-computer-breached-850-lose-pii/article/640722/

1,000 Redmond (Ore.) school district workers affected by W-2 breach - The Redmond (Ore.) school district reported that one of its workers fell for a phishing scam and emailed the W-2 forms for all district employees to an unauthorized person. https://www.scmagazine.com/1000-redmond-ore-school-district-workers-affected-by-w-2-breach/article/641046/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 11: Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the identity and regulatory status of the bank prior to entering into e-banking transactions.

  To minimize legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should ensure that adequate information is provided on their websites to allow customers to make informed conclusions about the identity and regulatory status of the bank before they enter into e-banking transactions.
  Examples of such information that a bank could provide on its own website include:
  1)  The name of the bank and the location of its head office (and local offices if applicable).
  2)  The identity of the primary bank supervisory authority(ies) responsible for the supervision of the bank's head office.
  3)  How customers can contact the bank's customer service center regarding service problems, complaints, suspected misuse of accounts, etc.
  4)  How customers can access and use applicable Ombudsman or consumer complaint schemes.
  5)  How customers can obtain access to information on applicable national compensation or deposit insurance coverage and the level of protection that they afford (or links to websites that provide such information).
  6)  Other information that may be appropriate or required by specific jurisdictions.


We continue our series on the FFIEC interagency Information Security Booklet.  
 Typical controls to protect against malicious code use technology, policies and procedures, and training. Prevention and detection of malicious code typically involves anti-virus and other detection products at gateways, mail servers, and workstations. Those products generally scan messages for known signatures of a variety of malicious code, or potentially dangerous behavioral characteristics. Differences between products exist in detection capabilities and the range of malicious code included in their signatures. Detection products should not be relied upon to detect all malicious code. Additionally, anti-virus and other products that rely on signatures generally are ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and encrypted e-mail will all shield malicious code from detection.
 Signature-based anti-virus products scan for unique components of certain known malicious code. Since new malicious code is created daily, the signatures need to be updated continually. Different vendors of anti-virus products update their signatures on different frequencies. When an update appears, installing the update on all of an institution's computers may involve automatically pushing the update to the computers, or requesting users to manually obtain the update.
 Heuristic anti-virus products generally execute code in a protected area of the host to analyze and detect any hostile intent. Heuristic products are meant to defend against previously unknown or disguised malicious code.
 Malicious code may be blocked at the firewall or gateway. For example, a general strategy might be to block all executable e-mail attachments, as well as any Active-X or Java applets. A more refined strategy might block based on certain characteristics of known code.
 Protection of servers involves examining input from users and only accepting that input which is expected. This activity is called filtering. If filtering is not employed, a Web site visitor, for instance, could employ an attack that inserts code into a response form, causing the server to perform certain actions. Those actions could include changing or deleting data and initiating fund transfers.
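The filtering described above, as an added example that is not from the FFIEC booklet: an allow-list validator for a constructed funds-transfer form. Field names, patterns and the transfer limit are assumptions; the point is that each field is accepted only if it matches the exact shape expected, and any field the form should not carry is rejected rather than silently passed to the server.

```python
import re
from decimal import Decimal

# Allow-list rules for a constructed transfer form (assumed field names).
# Each regex describes the only shape the server expects for that field;
# anything else, including injected markup or code, fails to match.
FIELD_RULES = {
    "from_account": re.compile(r"^\d{10}$"),
    "to_account": re.compile(r"^\d{10}$"),
    "amount": re.compile(r"^\d{1,7}(\.\d{2})?$"),   # e.g. 250.00
    "memo": re.compile(r"^[A-Za-z0-9 .,'-]{0,40}$"), # plain text only
}
MAX_AMOUNT = Decimal("25000.00")  # assumed per-transaction limit


def validate_transfer_form(form):
    """Return (ok, errors). Only allow-listed input is accepted; unexpected
    fields are reported instead of ignored, since they may target server
    logic the form was never meant to reach."""
    errors = []
    unexpected = set(form) - set(FIELD_RULES)
    if unexpected:
        errors.append("unexpected fields: " + ", ".join(sorted(unexpected)))
    for name, pattern in FIELD_RULES.items():
        value = form.get(name)
        if value is None:
            errors.append(f"{name}: missing")
        elif not isinstance(value, str) or not pattern.fullmatch(value):
            errors.append(f"{name}: does not match expected format")
    if not errors:
        # Semantic checks run only on input that already has the right shape.
        amount = Decimal(form["amount"])
        if amount <= 0 or amount > MAX_AMOUNT:
            errors.append("amount: out of range")
        if form["from_account"] == form["to_account"]:
            errors.append("to_account: must differ from from_account")
    return (not errors, errors)


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one carrying injected markup.
    good = {"from_account": "1234567890", "to_account": "0987654321",
            "amount": "250.00", "memo": "Rent March"}
    bad = dict(good, memo="<script>alert(1)</script>", action="delete")
    print(validate_transfer_form(good))
    print(validate_transfer_form(bad))
```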
 Protection from malicious code also involves limiting the capabilities of the servers and Web applications to only include functions necessary to support operations. See "Systems Development, Acquisition, and Maintenance."
 Anti-virus tools and code blocking are not comprehensive solutions. New malicious code could have different signatures, and bypass other controls. Protection against newly developed malicious code typically comes in the form of policies, procedures, and user awareness and training. For example, policies could prohibit the installation of software by unauthorized employees, and regular reviews for unauthorized software could take place. System users could be trained not to open unexpected messages, not to open any executables, and not to allow or accept file transfers in P2P communications. Additional protection may come from disconnecting and isolating networks from each other or from the Internet in the face of a fast-moving malicious code attack.
 An additional detection control involves network and host intrusion detection devices. Network intrusion detection devices can be tuned to alert when known malicious code attacks occur. Host intrusion detection can be tuned to alert when they recognize abnormal system behavior, the presence of unexpected files, and changes to other files.
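The host-side detection just described (unexpected files and changes to existing files), as an added example that is not from the FFIEC booklet: a minimal file-integrity baseline. `snapshot` hashes every regular file under a directory, and `compare` reports files that are new, modified or missing relative to a trusted baseline; the directory layout and the baseline contents in the demo are constructed.

```python
import hashlib
import os


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root) to its digest.
    Symlinks are skipped so a link cannot stand in for a protected file."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = file_digest(full)
    return result


def compare(baseline, current):
    """Return (unexpected, changed, missing): files not in the baseline,
    files whose digest differs, and baseline files that have disappeared."""
    unexpected = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return unexpected, changed, missing


if __name__ == "__main__":
    # Constructed baseline and a later scan; digests are placeholders here.
    baseline = {"bin/ls": "aaa", "etc/passwd": "bbb"}
    later = {"bin/ls": "aaa", "etc/passwd": "ccc", "tmp/.x": "ddd"}
    unexpected, changed, missing = compare(baseline, later)
    print("unexpected:", unexpected)   # ['tmp/.x']
    print("changed:", changed)         # ['etc/passwd']
    print("missing:", missing)         # []
```

In practice the baseline is taken from a known-good build and stored off the monitored host, and `snapshot` is run on a schedule to feed `compare`.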


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Section III. Operational Controls - Chapter 10 - PERSONNEL/USERS ISSUES
 Many important issues in computer security involve human users, designers, implementers, and managers. A broad range of security issues relate to how these individuals interact with computers and the access and authorities they need to do their job. No computer system can be secured without properly addressing these security issues.
 This chapter examines issues concerning the staffing of positions that interact with computer systems; the administration of users on a system, including considerations for terminating employee access; and special considerations that may arise when contractors or the public have access to systems. Personnel issues are closely linked to logical access controls.
 10.1 Staffing

 The staffing process generally involves at least four steps and can apply equally to general users as well as to application managers, system management personnel, and security personnel. These four steps are: (1) defining the job, normally involving the development of a position description; (2) determining the sensitivity of the position; (3) filling the position, which involves screening applicants and selecting an individual; and (4) training.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.