R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 15, 2015

ewsletter Content FFIEC IT Security Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- Cyberattacks on federal government hit record high - Federal network cybersecurity incidents were up 15 percent in fiscal 2014 from the previous year, according to a recent government report. http://thehill.com/policy/cybersecurity/234601-cyberattacks-on-government-hit-record-high

FYI - Law firms to share info about cyber threats - Leading international law firms are moving to share information on hacking threats, a step that could revolutionize how the legal industry copes with attempted cyberespionage. http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyber-threats

FYI - Anthem Refuses To Let Inspector General Conduct Full Security Audit - Security industry has mixed reactions. Anthem Healthcare initially earned brownie points with security professionals by publicly disclosing a major data breach well before they were obligated to do so. http://www.darkreading.com/anthem-refuses-to-let-inspector-general-conduct-full-security-audit/d/d-id/1319365

FYI - 'Domain shadowing' hijacks registrar accounts to spawn attack sites - Industrialised hack site creation exploit on the rise - Fiends behind the world's most infamous exploit kit Angler are stealing login credentials to create tens of thousands of pop-up domains used in hit-and-run -style attacks. http://www.theregister.co.uk/2015/03/05/worlds_nastiest_exploit_kit_just_got_nastier/

FYI - Man arrested for refusing to give phone passcode to border agents - Technically Incorrect: A Quebec resident believes his cell phone is personal. So when Canadian border agents wanted to search it, he says no. http://www.cnet.com/news/man-charged-for-refusing-to-give-up-phone-passcode-to-canadian-border-agents/

FYI - Spyware vendor may have helped Ethiopia target journalists – even after it was aware of abuses, researchers say - The Ethiopian government appears again to be using Internet spying tools to attempt to eavesdrop on journalists based in suburban Washington, said security researchers who call such high-tech intrusions a serious threat to human rights and press freedoms worldwide. http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/09/spyware-vendor-may-have-helped-ethiopia-spy-on-journalists-even-after-it-was-aware-of-abuses-researchers-say/

FYI - Feds Indict Three in 2011 Epsilon Hack - U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” http://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/

FYI - $1.1M fine issued to firm for violating Canada's anti-spam law - The authority in charge of regulating Canada's broadcasting and telecommunications sector has issued the first fine to an organization for violating the country's anti-spam law. http://www.scmagazine.com/11m-fine-issued-to-firm-for-violating-canadas-anti-spam-law/article/402564/

FYI - 2,400 unsafe mobile apps on employee devices in average large enterprise - The average large global enterprise has approximately 2,400 unsafe mobile applications installed on employee devices. http://www.scmagazine.com/mobile-apps-on-employee-devices-create-headaches-for-enterprise/article/402898/

FYI - Security pros felt more pressure to secure their organization in 2014 than year prior - The pressure is on IT security professionals in the coming year, with 57 percent believing they will feel a greater squeeze this year to keep their organization secure. http://www.scmagazine.com/trustwave-release-annual-security-pressures-report/article/402839/

FYI - 71 percent of orgs were successfully attacked in 2014 - The number of successful cyber attacks against organizations is increasing, according to the “2015 Cyberthreat Defense Report”, which surveyed 814 IT security decision makers and practitioners from organizations – in 19 industries – across North America and Europe. http://www.scmagazine.com/report-71-percent-of-orgs-were-successfully-attacked-in-2014/article/403267/


FYI - Credit Card Breach at Mandarin Oriental - In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach. http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/

FYI - NEXTEP, a POS systems provider, is investigating a possible breach - Michigan-based provider of point-of-sale devices, NEXTEP SYSTEMS, is investigating a possible security compromise of customer systems, according to a statement emailed to SCMagazine.com on Monday. http://www.scmagazine.com/nextep-a-pos-systems-provider-is-investigating-a-possible-breach/article/402441/

FYI - Programmer pleads guilty to stealing Federal Reserve software code - A former top programmer for the Federal Reserve Bank of Kansas City pleaded guilty in federal court Wednesday to stealing software code belonging to the government. http://www.kansascity.com/news/local/crime/article13531559.html

FYI - New York private investigator pleads guilty to computer hacking charge - A New York City-based private investigator has pled guilty to one charge of conspiracy to commit computer hacking, which carries a maximum sentence of five years. http://www.scmagazine.com/eric-saldarriaga-pleads-guilty-to-computer-hacking-charge/article/402474/

FYI - Chicago man convicted in ATM skimming spree that netted $5 million - A Chicago man has been convicted for playing a lead role in an ATM skimming spree that impacted various banks. http://www.scmagazine.com/chicago-man-convicted-in-atm-skimming-spree-that-netted-5-million/article/403045/

Return to the top of the newsletter

We continue the series regarding FDIC Supervisory Insights regarding
Incident Response Programs.  (7 of 12)

Define what constitutes an incident.

An initial step in the development of a response program is to define what constitutes an incident. This step is important as it sharpens the organization's focus and delineates the types of events that would trigger the use of the IRP. Moreover, identifying potential security incidents can also make the possible threats seem more tangible, and thus better enable organizations to design specific incident-handling procedures for each identified threat.


The ability to detect that an incident is occurring or has occurred is an important component of the incident response process. This is considerably more important with respect to technical threats, since these can be more difficult to identify without the proper technical solutions in place. If an institution is not positioned to quickly identify incidents, the overall effectiveness of the IRP may be affected. Following are two detection-related best practices included in some institutions' IRPs.

Identify indicators of unauthorized system access.

Most banks implement some form of technical solution, such as an intrusion detection system or a firewall, to assist in the identification of unauthorized system access. Activity reports from these and other technical solutions (such as network and application security reports) serve as inputs for the monitoring process and for the IRP in general. Identifying potential indicators of unauthorized system access within these activity or security reports can assist in the detection process.

Involve legal counsel.

Because many states have enacted laws governing notification requirements for customer information security compromises, institutions have found it prudent to involve the institution's legal counsel when a compromise of customer information has been detected. Legal guidance may also be warranted in properly documenting and handling the incident.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.

(FYI - This is the type of independent diagnostic testing that we perform.  Please refer to http://www.internetbankingaudits.com/ for information.)

Penetration tests, audits, and assessments can use the same set of tools in their methodologies.  The nature of the tests, however, is decidedly different. Additionally, the definitions of penetration test and assessment, in particular, are not universally held and have changed over time.

Penetration Tests. A penetration test subjects a system to the real - world attacks selected and conducted by the testing personnel. The benefit of a penetration test is to identify the extent to which a system can be compromised before the attack is identified and assess the response mechanism's effectiveness. Penetration tests generally are not a comprehensive test of the system's security and should be combined with other independent diagnostic tests to validate the effectiveness of the security process.

Audits. Auditing compares current practices against a set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards they adopt are appropriate for their institution.

Assessments. An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system. They may also focus on different aspects of the information system, such as one or more hosts or networks.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -

This chapter illustrates how a hypothetical government agency (HGA) deals with computer security issues in its operating environment. It follows the evolution of HGA's initiation of an assessment of the threats to its computer security system all the way through to HGA's recommendations for mitigating those risks. In the real world, many solutions exist for computer security problems. No single solution can solve similar security problems in all environments. Likewise, the solutions presented in this example may not be appropriate for all environments.

This example can be used to help understand how security issues are examined, how some potential solutions are analyzed, how their cost and benefits are weighed, and ultimately how management accepts responsibility for risks

This case study is provided for illustrative purposes only, and should not be construed as guidance or specific recommendations to solving specific security issues. Because a comprehensive example attempting to illustrate all handbook topics would be inordinately long, this example necessarily simplifies the issues presented and omits many details. For instance, to highlight the similarities and differences among controls in the different processing environments, it addresses some of the major types of processing platforms linked together in a distributed system: personal computers, local-area networks, wide-area networks, and mainframes; it does not show how to secure these platforms.

This section also highlights the importance of management's acceptance of a particular level of risk--this will, of course, vary from organization to organization. It is management's prerogative to decide what level of risk is appropriate, given operating and budget environments and other applicable factors.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated