REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Why Cyber Jobs Need a Career Path - There’s a myth circulating in
the race to recruit and train up cybersecurity professionals that
even those without a technical background can become a cyber
warrior.
http://www.nextgov.com/cio-briefing/wired-workplace/2014/03/why-cyber-jobs-need-career-path/81025/?oref=ng-channelriver
FYI
- Target Could Face Federal Charges for Failing to Protect Customer
Data From Hackers - It's unclear whether the FTC has issued any
subpoenas or other formal demands for information. The FTC declined
to comment on whether it has launched a formal investigation.
http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/
FYI
- Many Organizations Don't Go Public With Data Breaches Or Share Intel
- There are likely many more breached retailers than Target, Neiman
Marcus, Michaels, and Sally Beauty either unaware that they have
been hit or not yet ready to go public.
http://www.darkreading.com/attacks-breaches/many-organizations-dont-go-public-with-d/240166693
FYI
- Soon-to-be Facebook intern wins UK Cyber Security Challenge -
Cambridge student protects Blighty from virtual attack from
Churchill War Rooms - A 19-year-old student was crowned the UK Cyber
Security Champion after beating all comers over the course of a
year-long competition that tested computer defence skills.
http://www.theregister.co.uk/2014/03/17/cyber_security_challenge_final_winner_cambridge_student/
FYI
- Banks file class-action against Target and Trustwave over massive
breach - Banks impacted in the late-2013 breach of Target have
banded together to file a class-action against the retail giant, as
well as against Trustwave, a Chicago-based security firm said in the
lawsuit to have failed to bring Target's systems up to industry
standards.
http://www.scmagazine.com/banks-file-class-action-against-target-and-trustwave-over-massive-breach/article/339760/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- UMCP reports another cybersecurity breach - The University of
Maryland, College Park suffered a second cyberattack on the heels of
the recent theft of personal data for hundreds of thousands of
students, staff and alumni, university officials announced Thursday.
http://www.baltimoresun.com/news/maryland/education/blog/bs-md-umd-another-cyberattack-20140320,0,798878.story
FYI
- Auburn University server hacked, data on nearly 14,000 at risk -
Over a four-week span, an unidentified hacker could have accessed a
compromised Auburn University College of Business server that
contained personal information - including Social Security numbers –
on close to 14,000 current and former students, faculty and staff.
http://www.scmagazine.com/auburn-university-server-hacked-data-on-nearly-14000-at-risk/article/339247/
FYI
- University of Maryland breached again - The University of
Maryland's computer network was breached earlier this week for the
second time this year. The most recent attack affected one
university staff member's personal information.
http://www.scmagazine.com/university-of-maryland-breached-again/article/339356/
FYI
- Employee with Minnesota-based insurer risks data of 38K members -
Roughly 38,000 members of Minnesota-based HealthPartners may have
personal information at risk after an employee brought home
electronic files containing the data, showed the files to a family
member for help with formatting, and transferred the files to their
own devices, between 2008 and 2010.
http://www.scmagazine.com/employee-with-minnesota-based-insurer-risks-data-of-38k-members/article/339453/
FYI
- Credit Card Breach at California DMV - The California Department
of Motor Vehicles appears to have suffered a wide-ranging credit
card data breach involving online payments for DMV-related services,
according to banks in California and elsewhere that received alerts
this week about compromised cards that all had been previously used
online at the California DMV.
http://krebsonsecurity.com/2014/03/sources-credit-card-breach-at-california-dmv/
FYI
- About 55K in San Francisco impacted in theft of Sutherland
computers - The San Francisco Department of Public Health (DPH) is
warning more than 55,000 patients served in DPH facilities that
their personal information may have been compromised in a Feb. 5
breach of Sutherland Healthcare Solutions (SHS), a billing and
collections services provider.
http://www.scmagazine.com/about-55k-in-san-francisco-impacted-in-theft-of-sutherland-computers/article/339628/
FYI
- More than 1,000 UK HealthCare patients impacted by stolen laptop - A password
protected laptop stolen from Talyst, a provider of pharmacy billing
management services, has resulted in the compromise of personal
information for more than 1,000 patients of University of Kentucky
(UK) HealthCare.
http://www.scmagazine.com/more-than-1000-uk-healthcare-patients-impacted-by-stolen-laptop/article/339842/
FYI
- Univ. of Maryland hackers used trojan to steal IT credentials, access
database - University of Maryland President Wallace Loh appeared
before Senate members to testify on the occurrences leading up to
far-reaching breach.
http://www.scmagazine.com/univ-of-maryland-hackers-used-trojan-to-steal-it-credentials-access-database/article/340117/
FYI
- Attacker obtains credentials of nearly 100K users of Cerberus app - Nearly
100,000 users of Android anti-theft app Cerberus must reset their
encrypted passwords after an attacker was able to gain unauthorized
access to their credentials.
http://www.scmagazine.com/attacker-obtains-credentials-of-nearly-100k-users-of-cerberus-app/article/340113/
FYI
- Data on all Utah-based Sorenson employees compromised in vendor attack - All
employees with Utah-based Sorenson Communications, and a branch
named CaptionCall, are being notified that their personal
information - including Social Security numbers - may have been
compromised after the data was accessed in an attack on an unnamed
payroll vendor.
http://www.scmagazine.com/data-on-all-utah-based-sorenson-employees-compromised-in-vendor-attack/article/340037/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment
Tools and Practices for Information System Security."
Performing the Risk Assessment and Determining Vulnerabilities
Performing a sound risk assessment is critical to establishing an
effective information security program. The risk assessment provides
a framework for establishing policy guidelines and identifying the
risk assessment tools and practices that may be appropriate for an
institution. Banks still should have a written information security
policy, sound security policy guidelines, and well-designed system
architecture, as well as provide for physical security, employee
education, and testing, as part of an effective program.
When institutions contract with third-party providers for
information system services, they should have a sound oversight
program. At a minimum, the security-related clauses of a written
contract should define the responsibilities of both parties with
respect to data confidentiality, system security, and notification
procedures in the event of data or system compromise. The
institution needs to conduct a sufficient analysis of the provider's
security program, including how the provider uses available risk
assessment tools and practices. Institutions also should obtain
copies of independent penetration tests run against the provider's
system.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Firewall Services and Configuration
Firewalls may provide some additional services:
! Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
schemes of its trusted network from untrusted networks.
! Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
! Virtual Private Network (VPN) gateways - A VPN gateway provides an
encrypted tunnel between a remote external gateway and the internal
network. Placing VPN capability on the firewall and the remote
gateway protects information from disclosure between the gateways
but not from the gateway to the terminating machines. Placement on
the firewall, however, allows the firewall to inspect the traffic
and perform access control, logging, and malicious code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution's private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution's internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure
that an institution's internal computer systems are not directly
accessible from the Internet.
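The two-firewall DMZ described above, modelled as an added example (this is not code from the FFIEC booklet): three logical security domains, a first-match rule table on each firewall with an implicit default deny, and an audit that confirms no rule lets Internet-sourced traffic reach the internal domain directly. The address ranges (192.0.2.0/24 for the DMZ, 10.10.0.0/16 for the internal network), the services, and the rules are assumptions constructed for illustration.

```python
"""Added example: a two-firewall DMZ modelled as three security domains.

Each firewall holds a first-match rule table with an implicit default deny.
A flow between domains must be allowed by every firewall it crosses.
Addresses, ports and rules below are constructed, not from the booklet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan.  Anything outside these ranges is "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),       # Internet-facing web tier
    "internal": ip_network("10.10.0.0/16"),  # private network (app/db, staff)
}
ZONE_ORDER = ["internet", "dmz", "internal"]  # a firewall sits between neighbours


def zone_of(addr: str) -> str:
    """Map an address to its logical security domain."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Outer firewall: between the Internet and the DMZ.
OUTER_RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow"),       # public HTTPS to web tier
    Rule("internet", "dmz", "tcp", 80, "allow"),        # HTTP, redirect-to-HTTPS only
    Rule("dmz", "internet", "tcp", 443, "allow"),       # web tier fetching updates
    Rule("internal", "internet", "tcp", 443, "allow"),  # staff browsing (NATed here)
    # Deliberately no rule with dst_zone "internal": the outer firewall never
    # forwards Internet traffic past the DMZ.
]

# Inner firewall: between the DMZ and the internal network.
INNER_RULES = [
    Rule("dmz", "internal", "tcp", 5432, "allow"),      # web tier -> database only
    Rule("internal", "dmz", "tcp", 22, "allow"),        # admin SSH into the DMZ
    Rule("internal", "internet", "tcp", 443, "allow"),  # staff browsing, outbound
]

# FIREWALLS[i] sits between ZONE_ORDER[i] and ZONE_ORDER[i + 1].
FIREWALLS = [OUTER_RULES, INNER_RULES]
FIREWALL_NAMES = ["outer", "inner"]


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation of one firewall's table; unmatched traffic is denied."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    for r in rules:
        if (r.src_zone == s and r.dst_zone == d and r.proto == flow.proto
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "deny"


def path_decision(flow: Flow) -> str:
    """Check every firewall on the flow's path, in the order the packet meets
    them.  Returns "allow" or "deny@<firewall>" naming the one that dropped it."""
    a = ZONE_ORDER.index(zone_of(flow.src))
    b = ZONE_ORDER.index(zone_of(flow.dst))
    if a == b:
        return "allow"  # same domain: not mediated by the perimeter firewalls
    crossed = range(a, b) if a < b else range(a - 1, b - 1, -1)
    for i in crossed:
        if evaluate(FIREWALLS[i], flow) != "allow":
            return f"deny@{FIREWALL_NAMES[i]}"
    return "allow"


def internet_exposed_internal_rules() -> List[Rule]:
    """Audit: an allow rule on either firewall from the Internet straight to the
    internal domain would defeat the DMZ design.  Expected result: []."""
    return [r for fw in FIREWALLS for r in fw
            if r.src_zone == "internet" and r.dst_zone == "internal"
            and r.action == "allow"]


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("203.0.113.7", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web
        Flow("203.0.113.7", "10.10.5.20", "tcp", 5432),  # Internet -> internal db
        Flow("192.0.2.10", "10.10.5.20", "tcp", 5432),   # DMZ web -> internal db
        Flow("192.0.2.10", "10.10.5.20", "tcp", 22),     # DMZ -> internal SSH
        Flow("10.10.1.5", "198.51.100.9", "tcp", 443),   # staff -> Internet HTTPS
        Flow("10.10.1.5", "198.51.100.9", "tcp", 25),    # staff -> Internet SMTP
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {path_decision(f)}")
    print("Internet->internal allow rules:", internet_exposed_internal_rules())
```

Running the file prints the decision for each sample flow and the audit result. The audit is a static check on the rule tables and is the kind of evidence an examiner would want behind the claim that internal systems are not directly reachable from the Internet; it does not cover traffic that arrives through a VPN tunnel terminated on the firewall, which the text notes is inspected and access-controlled there rather than being blocked outright.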
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
42. Does the institution provide the consumer with a reasonable
opportunity to opt out such as by:
a. mailing the notices required by §10 and allowing the consumer to
respond by toll-free telephone number, return mail, or other
reasonable means (see question 22) within 30 days from the date
mailed; [§10(a)(3)(i)]
b. where the consumer opens an on-line account with the institution
and agrees to receive the notices required by §10 electronically,
allowing the consumer to opt out by any reasonable means (see
question 22) within 30 days from consumer acknowledgement of receipt
of the notice in conjunction with opening the account;
[§10(a)(3)(ii)] or
c. for isolated transactions, providing the notices required by §10
at the time of the transaction and requesting that the consumer
decide, as a necessary part of the transaction, whether to opt out
before the completion of the transaction? [§10(a)(3)(iii)]