Internet Banking News

March 27, 2016

Newsletter Content	FFIEC IT Security	Web Site Audits
Web Site Compliance	NIST Handbook	Penetration Testing

Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. Independent pen-testing is part of any financial institution's cybersecurity defense. To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.

FYI - 20% of employees are willing to sell their work email passwords - One in five employees say they’d be willing to sell their work-related passwords, according to a survey of 1,000 office workers at private organizations. http://www.marketwatch.com/story/20-of-employees-are-willing-to-sell-their-work-email-passwords-2016-03-22

FYI - London Police Chief Sir Bernard Hogan-Howe's comment that banks should not reimburse fraud victims who fail to protect themselves are simply rewarding bad cyber security hygiene has received some backlash, with one group saying he is attempting to shift the blame from cybercriminals to their victims. http://www.scmagazine.com/london-police-chief-said-banks-dont-incentivize-cyber-hygiene-but-bad-behavior-instead/article/485155/

FYI - Cyberespionage groups are stealing digital certificates to sign malware - An increasing number of cyberespionage groups are using stolen code-signing certificates to make their hacking tools and malware look like legitimate applications. http://www.computerworld.com/article/3044728/security/cyberespionage-groups-are-stealing-digital-certificates-to-sign-malware.html

FYI - Only 17 percent of surveyed U.K. students 'genuinely concerned' about cybersecurity - About three-quarters of higher and continuing education students, or 77 percent, recognize cyberattacks as a burgeoning threat, yet only 17 percent of the collective student body are “genuinely concerned” over cybersecurity, according to a new U.K.-based survey study. http://www.scmagazine.com/only-17-percent-of-surveyed-uk-students-genuinely-concerned-about-cybersecurity/article/484024/

FYI - NIST releases updated telework guidance - Government agencies should establish virtual mobile infrastructure (VMI) technology, in which telecommuting employees would access network information through customized mobile operating systems hosted on virtual machines, and the intermediary connection is destroyed when the session ends, according to draft guidance for telework protocol released by the National Institute of Standards and Technology (NIST). http://www.scmagazine.com/nist-releases-updated-telework-guidance/article/484286/

FYI - 25% of knowledge workers don't trust their IT teams with personal data - Due to lack of a clearly defined security strategy, IT decision makers (ITDMs) risk losing the trust of knowledge workers. http://www.scmagazine.com/25-of-knowledge-workers-dont-trust-their-it-teams-with-personal-data/article/484713/

FYI - FBI says car hacking is a real risk - Security researchers have shown they can take over steering and disable the brakes of moving vehicles. If you're not already worried about your car being hacked, you really should be, the US government says. http://www.cnet.com/roadshow/news/fbi-says-car-hacking-is-a-real-risk/

FYI - GAO - Healthcare.gov: Actions Needed to Enhance Information Security and Privacy Controls.
Report: http://www.gao.gov/products/GAO-16-265
Highlights: http://www.gao.gov/assets/680/676004.pdf

FYI - Fitch Ratings warns insurers that aggressive cyber policies will be deemed credit-negative - Prominent credit rating agency Fitch Ratings issued a warning on Monday that aggressive growth strategies in the cyber insurance market could negatively impact its ratings, due to the inherent risks of such an emerging, inchoate business model.http://www.scmagazine.com/fitch-ratings-warns-insurers-that-aggressive-cyber-policies-will-be-deemed-credit-negative/article/484857/

FYI - House subcommittee hearing discusses making cyber insurance more accessible - A lack of actuarial data on cybersecurity risks places a significant hurdle that may be keeping some small business from acquiring cyber insurance, according to industry leaders testifying before a Homeland Security subcommittee hearing. http://www.scmagazine.com/industry-professionals-discuss-cyber-insurance-adoption-and-best-practices-at-house-hearing/article/485043/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Donald Trump doxxed by Anonymous group, SSN revealed - Anonymous made good on its promise to launch a full frontal assault on Trump, revealing private information, including his social security number and cell phone, while chiding the billionaire presidential hopeful in a video, saying he “should have expected us.” http://www.scmagazine.com/donald-trump-doxxed-by-anonymous-group-ssn-revealed/article/483929/

FYI - Amex warns of breach, cardholders should protect data - After a merchant breach prompting American Express to warn customers that card member information may have been compromised, cardholders should take multiple steps to protect their sensitive data. http://www.scmagazine.com/update-amex-warns-of-breach-cardholders-should-protect-data/article/483764/

FYI - Canadian hospital infected with ransomware - Yet another hospital, this time in Canada, has been infected with Ransomware. A hospital in Canada is the latest victim in a rash of cyber-attacks on hospitals. The Ottawa Hospital in Canada's southeastern region of Ontario was hit with ransomware on several of its computers recently. http://www.scmagazine.com/canadian-hospital-infected-with-ransomware/article/484209/

FYI - Apparent DDoS attack knocks Swedish news services offline - Seven of Sweden's top online newspapers were disabled for several hours this past weekend after a series of apparent distributed denial of service (DDoS) attacks, the Agence France-Presse has reported. http://www.scmagazine.com/apparent-ddos-attack-knocks-swedish-news-services-offline/article/484450/

FYI - Hospitals in Kentucky, SoCal become latest targets of hackers - The scourge of malware attacks against hospitals continued this week, including a ransomware assault targeting Henderson, Ky.-based Methodist Hospital and another possible ransomware incident at two Southern California facilities. http://www.scmagazine.com/hospitals-in-kentucky-socal-become-latest-targets-of-hackers/article/484760/

FYI - Lenovo-related website redirected visitors to Angler EK - A Lenovo-related website apparently redirected visitors on March 13 to the Angler exploit kit, “a source of no small amount of crypto-ransomware,” according to an F-Secure. http://www.scmagazine.com/lenovo-related-website-redirected-visitors-to-angler-ek/article/484761/

FYI - SWIFT To Issue Warning In Wake Of Cyberattack On Bagladesh Central Bank - After a recent cyber-theft of over $80 million from Bangladesh Bank, SWIFT today plans to advise banks to implement security measures to avoid similar attacks. http://www.darkreading.com/cloud/swift-to-issue-warning-in-wake-of-cyberattack-on-bagladesh-central-bank-/d/d-id/1324767

FYI - W-2 Data Breach places 21K Sprouts Farmers Market employees at risk - Sprouts Farmers Market is the latest corporation to fall victim to a W-2 phishing scam, with the company admitting an employee sent off the tax data for all its workers to an unknown person. http://www.scmagazine.com/w-2-data-breach-places-21k-sprouts-farmers-market-employees-at-risk/article/485044/

FYI - Iranians indicted in hacks on US banks, New York dam - The formal accusation comes as the government warns of hacking dangers to US infrastructure. Score one for the US government in its fight against hackers. http://www.cnet.com/news/iranians-indicted-for-hacking-us-banks-new-york-dam/

Return to the top of the newsletter

WEB SITE COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)

Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers, would supplement electronic disclosures with paper disclosures.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

The goal of logical and administrative access control is to restrict access to system resources. Access should be provided only to authorized individuals whose identity is established, and their activities should be limited to the minimum required for business purposes. Authorized individuals (users) may be employees, TSP employees, vendors, contractors, customers, or visitors.

An effective control mechanism includes numerous controls to safeguard and limit access to key information system assets. This section addresses logical and administrative controls, including access rights administration and authentication through network, operating system, application, and remote access. A subsequent section addresses physical security controls.

ACCESS RIGHTS ADMINISTRATION (1 of 5)

Action Summary - Financial institutions should have an effective process to administer access rights. The process should include the following controls:

1) Assign users and system resources only the access required to perform their required functions,

2) Update access rights based on personnel or system changes,

3) Periodically review users' access rights at an appropriate frequency based on the risk to the application or system, and

4) Design appropriate acceptable-use policies and require users to sign them.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY

5.4 Interdependencies

Policy is related to many of the topics covered in this handbook:

Program Management. Policy is used to establish an organization's computer security program, and is therefore closely tied to program management and administration. Both program and system-specific policy may be established in any of the areas covered in this handbook. For example, an organization may wish to have a consistent approach to incident handling for all its systems - and would issue appropriate program policy to do so. On the other hand, it may decide that its applications are sufficiently independent of each other that application managers should deal with incidents on an individual basis.

Access Controls. System-specific policy is often implemented through the use of access controls. For example, it may be a policy decision that only two individuals in an organization are authorized to run a check-printing program. Access controls are used by the system to implement (or enforce) this policy.

Links to Broader Organizational Policies. This chapter has focused on the types and components of computer security policy. However, it is important to realize that computer security policies are often extensions of an organization's information security policies for handling information in other forms (e.g., paper documents). For example, an organization's e-mail policy would probably be tied to its broader policy on privacy. Computer security policies may also be extensions of other policies, such as those about appropriate use of equipment and facilities.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.