R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

March 24, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also satisfies the resilience testing expectations of the FFIEC Cybersecurity Assessment Tool.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

Inside Security: Plan for That One Unintended Click - What’s at the top of the food chain when it comes to security breaches? People. And, no amount of security awareness training can completely protect an organization against a phishing attack. Even the most security-conscious end user can accidentally click on a suspicious link by accident. https://www.scmagazine.com/home/opinion/inside-security-plan-for-that-one-unintended-click/

U.S. Navy taken to task for cybersecurity flaws - The U.S. Navy is prepared to face and defeat the nation’s enemies in all physical environments, but is losing an on-going cyberwar with China, according to its own assessment of the situation. https://www.scmagazine.com/home/security-news/government-and-defense/u-s-navy-taken-to-task-for-cybersecurity-flaws/

House Dem introduces bill requiring public firms to disclose cybersecurity expertise in leadership - A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise amid growing cyberattacks targeting U.S. companies. https://thehill.com/policy/cybersecurity/433880-house-dem-introduces-cyber-bill-that-would-require-publicly-traded

How a wireless keyboard lets hackers take full control of connected computers - There’s a critical vulnerability in a model of Fujitsu wireless keyboard that makes it easy for hackers to take full control of connected computers, security researchers warned on Friday. Anyone using the keyboard model should strongly consider replacing it immediately. https://arstechnica.com/information-technology/2019/03/how-a-wireless-keyboard-lets-hackers-take-full-control-of-connected-computers/

Cyberattack shuts down Committee for Public Counsel Services network, leaving bar advocates unpaid - The Massachusetts public defender agency has been unable to access its IT network for weeks, following a cyber attack that forced the shutdown of its email service. https://www.masslive.com/news/2019/03/cyberattack-shuts-down-committee-for-public-counsel-services-leaving-bar-advocates-unpaid.html

GAO - Including Users Early and Often in Software Development Could Benefit Programs - https://www.gao.gov/products/GAO-19-136 

Top 12 phishing email subject lines - Cybercriminals often try to create a sense of urgency in their phony attempts to swindle unsuspecting users out of crucial information with subject lines that would compel the unsuspecting user into opening the phony email and potentially downloading malicious attachments. https://www.scmagazine.com/home/security-news/top-12-phishing-email-subject-lines/


FYI - Stolen email credentials being used to pry into cloud accounts - Malicious actors are using the massive supply of previously stolen login credentials to help brute force their way into high-profile cloud-based business systems that cannot easily use two-factor authentication for security. https://www.scmagazine.com/home/email-security/stolen-email-credentials-being-used-to-pry-into-cloud-accounts/

Report: Chinese e-retailer Gearbest leaves database exposed, endangering 1.5 million records - The parent company of Chinese e-retailing giant Gearbest has been operating a completely unsecured corporate database, leaving roughly 1.5 million customer records unencrypted and exposed to the public, a new report warns. https://www.scmagazine.com/home/security-news/report-chinese-e-retailer-gearbest-leaves-database-exposed-endangering-1-5-million-records/

Reports: Israeli officials’ devices hacked; data possessed by Iran - Hackers stole information from former Israeli prime minister Ehud Barak’s computer and phone months ago and sold it to Iran, according to multiple news outlets, citing a TV report by Israel’s Channel 12 this past weekend. https://www.scmagazine.com/home/security-news/reports-israeli-officials-devices-hacked-data-possessed-by-iran/

Norwegian aluminum producer Norsk Hydro hit by an unspecified cyberattack - Norwegian aluminum producer Norsk Hydro was hit by a cyber attack which began Monday evening and escalated into the night. https://www.scmagazine.com/home/security-news/norwegian-aluminum-producer-norsk-hydro-was-hit-by-a-cyber-attack-which-began-monday-evening-and-escalated-into-the-night/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this Report fall into three broad, and often overlapping, categories of issues. However, these principles are not weighted by order of preference or importance. If only because such weighting might change over time, it is preferable to remain neutral and avoid such prioritization.
  A. Board and Management Oversight (Principles 1 to 3): 
  1. Effective management oversight of e-banking activities. 
  2. Establishment of a comprehensive security control process. 
  3. Comprehensive due diligence and management oversight process for outsourcing relationships and other third-party dependencies. 
  B. Security Controls (Principles 4 to 10):
  4. Authentication of e-banking customers. 
  5. Non-repudiation and accountability for e-banking transactions. 
  6. Appropriate measures to ensure segregation of duties. 
  7. Proper authorization controls within e-banking systems, databases and applications. 
  8. Data integrity of e-banking transactions, records, and information. 
  9. Establishment of clear audit trails for e-banking transactions. 
  10. Confidentiality of key bank information.
  C. Legal and Reputational Risk Management (Principles 11 to 14):
  11. Appropriate disclosures for e-banking services. 
  12. Privacy of customer information. 
  13. Capacity, business continuity and contingency planning to ensure availability of e-banking systems and services. 
  14. Incident response planning.
  Each of the above principles will be covered over the next few weeks, as they relate to e-banking and the underlying risk management principles that banks should consider to address these issues.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

Protocols and Ports (Part 3 of 3)
  Applications are built in conformance with the protocols to provide services from hosts to clients. Because clients must have a standard way of accessing the services, the services are assigned to standard host ports. Ports are logical, not physical, locations that are either assigned or available for specific network services. Under TCP/IP, 65536 ports are available, and the first 1024 ports are commercially accepted as being assigned to certain services. For instance, Web servers listen for requests on port 80, and secure socket layer Web servers listen on port 443. A complete list of the commercially accepted port assignments is available at www.iana.org.  Ports above 1024 are known as high ports and are user-assignable. However, users and administrators have the freedom to assign any port to any service, and to use one port for more than one service. Additionally, the service listening on one port may only proxy a connection for a separate service. For example, a Trojan horse keystroke-monitoring program can use the Web browser to send captured keystroke information to port 80 of an attacker's machine. In that case, monitoring of the packet headers from the compromised machine would only show a Web request to port 80 of a certain IP address.
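To show why the booklet's closing point matters to a monitoring program, here is an added example (not part of the FFIEC booklet or this newsletter) that classifies constructed connection records two ways: by destination port alone, which is all packet headers reveal, and with host context that can separate a browser's page fetch from keystroke-forwarding traffic on the same port. The process allowlist, the 4:1 upload-to-download ratio and the telemetry line format are assumptions made for the example.

```python
from dataclasses import dataclass

# Subset of the IANA well-known assignments; a port is a convention, not proof of what the connection carries.
WELL_KNOWN = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}
# Processes expected to originate browser traffic (constructed allowlist; an assumption).
WEB_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe"}

@dataclass
class Connection:
    process: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    bytes_in: int

def service_by_port(conn):
    """All that header-only monitoring can conclude from the packet headers."""
    return WELL_KNOWN.get(conn.dst_port, "high port/unassigned")

def suspicious(conn):
    """Flags web-port traffic that does not look like a browser fetching pages."""
    reasons = []
    if conn.dst_port not in (80, 443):
        return reasons
    if conn.process.lower() not in WEB_CLIENTS:
        reasons.append("non-browser process on web port")
    # Page fetches download far more than they upload; sustained upload-heavy
    # "web" traffic matches the keystroke-forwarding pattern the booklet describes.
    if conn.bytes_out > 4 * conn.bytes_in:
        reasons.append("upload-heavy traffic on web port")
    return reasons

def parse_log(lines):
    """Parses constructed 'process dst_ip:port out=N in=N' host telemetry lines."""
    conns = []
    for line in lines:
        proc, endpoint, out_f, in_f = line.split()
        ip, port = endpoint.rsplit(":", 1)
        conns.append(Connection(proc, ip, int(port), int(out_f[4:]), int(in_f[3:])))
    return conns

def triage(lines):
    """Maps each process to (what the port suggests, why the flow is suspicious)."""
    return {c.process: (service_by_port(c), suspicious(c)) for c in parse_log(lines)}

SAMPLE_LOG = [  # constructed sample telemetry, not real data
    "firefox.exe 203.0.113.10:80 out=1200 in=58000",
    "updater.exe 203.0.113.10:443 out=300 in=900",
    "editor.exe 198.51.100.7:80 out=24000 in=350",
]
```

Running `triage(SAMPLE_LOG)` labels all three flows as ordinary web traffic by port, while the host-context checks flag only the two non-browser flows, the editor one on both counts.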


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.


19.3.2 Deciding on Hardware vs. Software Implementations

The trade-offs among security, cost, simplicity, efficiency, and ease of implementation need to be studied by managers acquiring various security products meeting a standard. Cryptography can be implemented in either hardware or software. Each has its related costs and benefits.

In general, software is less expensive and slower than hardware, although for large applications, hardware may be less expensive. In addition, software may be less secure, since it is more easily modified or bypassed than equivalent hardware products. Tamper resistance is usually considered better in hardware.

In many cases, cryptography is implemented in a hardware device (e.g., electronic chip, ROM-protected processor) but is controlled by software. This software requires integrity protection to ensure that the hardware device is provided with correct information (i.e., controls, data) and is not bypassed. Thus, a hybrid solution is generally provided, even when the basic cryptography is implemented in hardware. Effective security requires the correct management of the entire hybrid solution.

19.3.3 Managing Keys

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Ultimately, the security of information protected by cryptography directly depends upon the protection afforded to keys.

All keys need to be protected against modification, and secret keys and private keys need protection against unauthorized disclosure. Key management involves the procedures and protocols, both manual and automated, used throughout the entire life cycle of the keys. This includes the generation, distribution, storage, entry, use, destruction, and archiving of cryptographic keys.

With secret key cryptography, the secret key(s) should be securely distributed (i.e., safeguarded against unauthorized replacement, modification, and disclosure) to the parties wishing to communicate. Depending upon the number and location of users, this task may not be trivial. Automated techniques for generating and distributing cryptographic keys can ease overhead costs of key management, but some resources have to be devoted to this task. FIPS 171, Key Management Using ANSI X9.17, provides key management solutions for a variety of operational environments.

Public key cryptography users also have to satisfy certain key management requirements. For example, since a private-public key pair is associated with (i.e., generated or held by) a specific user, it is necessary to bind the public part of the key pair to the user.

In a small community of users, public keys and their "owners" can be strongly bound by simply exchanging public keys (e.g., putting them on a CD-ROM or other media). However, conducting electronic business on a larger scale, potentially involving geographically and organizationally distributed users, necessitates a means for obtaining public keys electronically with a high degree of confidence in their integrity and binding to individuals. The support for the binding between a key and its owner is generally referred to as a public key infrastructure.

Users also need to be able to enter the community of key holders, generate keys (or have them generated on their behalf), disseminate public keys, revoke keys (in case, for example, of compromise of the private key), and change keys. In addition, it may be necessary to build in time/date stamping and to archive keys for verification of old signatures.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.