R. Kinney Williams - Yennik, Inc.ģ
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 19, 2017

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- FDIC leads agencies in major cyber incidents - The Federal Deposit Insurance Corporation was responsible for 10 of 16 major information security incidents in FY2016, according to the annual report of the Office of Management and Budget. https://fcw.com/articles/2017/03/10/fisma-report-omb.aspx?m=1

Government Isn't Sharing Cyber Threats As Promised, Private Sector Says - When it comes to cyber threat information sharing, itís government thatís not holding up its end of the bargain, industry officials told lawmakers Thursday. http://www.nextgov.com/cybersecurity/2017/03/government-isnt-sharing-cyber-threats-promised-private-sector-says/136035/

Home Depot to pay $25M in breach settlement - Following a massive breach, retailer Home Depot has agreed to pay off a settlement of $25 million for damages resulting from the incursion in 2014 that exposed personal information of more than 50 million customers. https://www.scmagazine.com/home-depot-to-pay-25m-in-breach-settlement/article/643491/

US telecoms regs bow to ISPs, customers no longer federally protected - The US Federal Communications Commission has bowed to the telecoms lobby in blocking a regulation which would make ISPs take 'reasonable measures' to protect customer data. https://www.scmagazine.com/us-telecoms-regs-bow-to-isps-customers-no-longer-federally-protected/article/643307/

Israel-UK cyber-security lessons - shared concerns, shared responses - Israel is under constant threat and conscription gives its army access to its brightest students - what can the UK learn from its approach to and understanding of cyber-terrorism? https://www.scmagazine.com/israel-uk-cyber-security-lessons--shared-concerns-shared-responses/article/643511/

VA chief swears off software development - For the past year or more at congressional hearings and public appearances, senior officials from the Department of Veterans Affairs have been warming up to the idea of moving to commercial software for electronic health records, scheduling, acquisitions and other core business processes. https://fcw.com/articles/2017/03/10/shulkin-commerical-it.aspx

Researchers hack Fitbits and other IoT devices using sound - Researchers from the University of Michigan and the University of South Carolina were able to develop a series of attacks that manipulate internet of things (IoT) devices using sound. https://www.scmagazine.com/researchers-develop-sound-based-attacks-on-iot-devices/article/644249/

312 and counting data breaches, in 2017, report - So far this year, there have been 312 data breaches as of March 14, 2017, which have compromised a combined total of more than 1.3 million records. https://www.scmagazine.com/report-finds-more-than-312-data-breaches-this-year/article/644421/


FYI - Payments Giant Verifone Investigating Breach - Credit and debit card payments giant Verifone is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions, according to sources. http://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/

Canadian tax and labor websites taken offline this weekend - Canada's Revenue and Statistics agencies were knocked offline Friday when officials, concerned about several vulnerabilities, took down the sites as a precautionary measure. https://www.scmagazine.com/canadian-tax-and-labor-websites-taken-offline-this-weekend/article/643629/

Hackers steal personal data of thousands of hospital staff - Information on staff accessed through attack on IT contractor's server. Hackers have stolen information about thousands of NHS medical professionals by compromising the server of a private contractor. http://www.zdnet.com/article/hackers-steal-personal-data-of-thousands-of-hospital-staff/

Encrypting data at rest is vital, but it's just not happening - Regulators and security strategists recommend encrypting data at rest, but few organisations do it, and most get it wrong. Good thing there are bigger problems to tackle first. The Office of the Australian Information Commissioner (OAIC) has been clear about encrypting personal data, both in its guidelines and in recent data breach investigations. But according to Chris Gatford, director of penetration testing firm Hacklabs, very few organisations are living up to expectations. http://www.zdnet.com/article/encrypting-data-at-rest-is-vital-but-its-just-not-happening/

Over 33M records leaked from US corporate database - The database contains email addresses and other contact information for thousands of corporate and government employees. https://www.cnet.com/news/more-than-33-million-records-leaked-from-us-corporate-database/

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 13: Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.
  To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with customer expectations. To achieve this, the bank must have the ability to deliver e-banking services to end-users from either primary (e.g. internal bank systems and applications) or secondary sources (e.g. systems and applications of service providers). The maintenance of adequate availability is also dependent upon the ability of contingency back-up systems to mitigate denial of service attacks or other events that may potentially cause business disruption.
  The challenge to maintain continued availability of e-banking systems and applications can be considerable given the potential for high transaction demand, especially during peak time periods. In addition, high customer expectations regarding short transaction processing cycle times and constant availability (24 X 7) has also increased the importance of sound capacity, business continuity and contingency planning. To provide customers with the continuity of e-banking services that they expect, banks need to ensure that:
  1)  Current e-banking system capacity and future scalability are analyzed in light of the overall market dynamics for e-commerce and the projected rate of customer acceptance of e-banking products and services.
  2)  E-banking transaction processing capacity estimates are established, stress tested and periodically reviewed.
  3)  Appropriate business continuity and contingency plans for critical e-banking processing and delivery systems are in place and regularly tested.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  
 Security Controls in Application Software

 Application development should incorporate appropriate security controls, audit trails, and activity logs. Typical application access controls are addressed in earlier sections. Application security controls should also include validation controls for data entry and data processing. Data entry validation controls include access controls over entry and changes to data, error checks, review of suspicious or unusual data, and dual entry or additional review and authorization for highly sensitive transactions or data. Data processing controls include: batch control totals; hash totals of data for comparison after processing; identification of any changes made to data outside the application (e.g., data-altering utilities); and job control checks to ensure programs run in correct sequence (see the booklet "Computer Operations" for additional considerations).
 Some applications will require the integration of additional authentication and encryption controls to ensure integrity and confidentiality of the data. As customers and merchants originate an increasing number of transactions, authentication and encryption become increasingly important to ensure non-repudiation of transactions.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Section III. Operational Controls - Chapter 10


 10.1.2 Determining Position Sensitivity
 Knowledge of the duties and access levels that a particular position will require is necessary for determining the sensitivity of the position. The responsible management official should correctly identify position sensitivity levels so that appropriate, cost-effective screening can be completed.
 Various levels of sensitivity are assigned to positions in the federal government. Determining the appropriate level is based upon such factors as the type and degree of harm (e.g., disclosure of private information, interruption of critical processing, computer fraud) the individual can cause through misuse of the computer system as well as more traditional factors, such as access to classified information and fiduciary responsibilities. Specific agency guidance should be followed on this matter.
 It is important to select the appropriate position sensitivity, since controls in excess of the sensitivity of the position wastes resources, while too little may cause unacceptable risks.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated