R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 9, 2017

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool requirements regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Banks need to step up tech for mobile users, report - Banks worldwide are at risk of incurring costly consequences to their operations if they don't move away from legacy systems and get in step with digital advancements. https://www.scmagazine.com/banks-need-to-step-up-tech-for-mobile-users-report/article/647564/

IoT liability: Legal issues abound - The fact that U.S. intelligence agencies have the ability to use connected devices as spy tools may or may not be surprising, depending on one's level of cynicism. https://www.scmagazine.com/iot-liability-legal-issues-abound/article/647579/

10 Words to Watch in Security for 2017 - Cybersecurity has dominated the news cycle this year and 2017 will continue that trend, bringing the issue front and center in boardrooms and the situation room, but a new vocabulary is evolving to describe and deal with these threats. https://www.scmagazine.com/10-words-to-watch-in-security-for-2017/article/644712/

Insurer sues Rosen Hotels over data breach payments - St. Paul Fire & Marine Insurance has filed a lawsuit asking a Florida judge to formally state that the insurance company is not responsible for paying any costs related to a data breach that took place at Rosen Hotels & Resorts last year.

U.S., U.K. warn airports, nuclear facilities of cyberattacks - Airports and nuclear power plants in the U.S. and U.K. are on alert for cyberattacks after governments in both countries issued alerts. https://www.scmagazine.com/us-uk-warn-airports-nuclear-facilities-of-cyberattacks/article/648163/

Yee-hacked! Fired Texan sysadmin goes rogue, trashes boot business - A former IT administrator working at a cowboy boot manufacturer has pled guilty to hacking the servers and cloud accounts of his employer after they fired him and had him removed from the building. http://www.theregister.co.uk/2017/03/31/it_admin_pleads_guilty_to_hacking_bosses/

Clues from Russian banking machine theft lead investigators to ATMitch malware - Kaspersky Lab on Tuesday revealed further details about a memory-only "fileless malware" campaign that a cybercriminal organization has been employing to steal money remotely from ATMs while leaving behind virtually no trace of malicious activity. https://www.scmagazine.com/clues-from-russian-banking-machine-theft-leads-investigators-to-atmitch-malware/article/648423/

Gig's up, Bossland ordered to pay Blizzard $8.5M for game hacks - Blizzard Entertainment was awarded $8.5 million in a lawsuit against German company Bossland for making in-game cheats. https://www.scmagazine.com/german-company-ordered-to-pay-for-blizzard-game-cheats/article/648738/


FYI - Yu-Gi-Oh fan forum breached, 6.5M email addresses, passwords compromised - A hacker has made off with at least 6.5 million email addresses and poorly hashed passwords from a Yu-Gi-Oh fan project called “Dueling Network.” https://www.scmagazine.com/yu-gi-oh-dueling-network-fan-forum-compromised/article/647560/

Hacker compromises nearly 100k McDonald's Canada job applications - The McDonald's Canada career website has suffered a data breach that compromised about 95,000 restaurant job applications, the fast-food giant acknowledged on Friday in a company statement. https://www.scmagazine.com/hacker-compromises-nearly-100k-mcdonalds-canada-job-applications/article/647978/

4,000 WordPress sites infected through fake plugin - About 4,000 WordPress websites have been infected with malware that disguises itself as a search engine optimization plugin to attract unwary webmasters. https://www.scmagazine.com/4000-wordpress-sites-infected-through-fake-plugin/article/648431/

Brazilian bank hacked, loses control of its online presence - A Brazilian bank had all of its 36 domains and other online assets seized by hackers who then used the pages to push malware onto the bank's customers. https://www.scmagazine.com/brazilian-bank-hacked-loses-control-of-its-online-presense/article/648773/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 1 of 3)
  1. Banks should adopt appropriate processes for evaluating decisions to outsource e-banking systems or services.
  a)  Bank management should clearly identify the strategic purposes, benefits and costs associated with entering into outsourcing arrangements for e-banking with third parties.
  b)  The decision to outsource a key e-banking function or service should be consistent with the bank's business strategies, be based on a clearly defined business need, and recognize the specific risks that outsourcing entails.
  c)  All affected areas of the bank need to understand how the service provider(s) will support the bank's e-banking strategy and fit into its operating structure.
  2. Banks should conduct appropriate risk analysis and due diligence prior to selecting an e-banking service provider and at appropriate intervals thereafter.
  a)  Banks should consider developing processes for soliciting proposals from several e-banking service providers and criteria for choosing among the various proposals.
  b)  Once a potential service provider has been identified, the bank should conduct an appropriate due diligence review, including a risk analysis of the service provider's financial strength, reputation, risk management policies and controls, and ability to fulfill its obligations.
  c)  Thereafter, banks should regularly monitor and, as appropriate, conduct due diligence reviews of the ability of the service provider to fulfill its service and associated risk management obligations throughout the duration of the contract.
  d)  Banks need to ensure that adequate resources are committed to overseeing outsourcing arrangements supporting e-banking.
  e)  Responsibilities for overseeing e-banking outsourcing arrangements should be clearly assigned.
  f)  An appropriate exit strategy for the bank to manage risks should it need to terminate the outsourcing relationship.


We continue our series on the FFIEC interagency Information Security Booklet.  
  Outsourced Development
  Many financial institutions outsource software development to third parties. Numerous vendor management issues exist when outsourcing software development. The vendor management program established by management should address the following:
  - Verifying credentials and contracting only with reputable providers;
  - Evaluating the provider's secure development environment, including background checks on its employees and its code development and testing processes;
  - Obtaining fidelity coverage;
  - Requiring signed nondisclosure agreements to protect the financial institution's rights to source code and customer data as appropriate;
  - Establishing security requirements, acceptance criteria, and test plans;
  - Reviewing and testing source code for security vulnerabilities, including covert channels or backdoors that might obscure unauthorized access into the system;
  - Restricting any vendor access to production source code and systems and monitoring their access to development systems; and
  - Performing security tests to verify that the security requirements are met before implementing the software in production.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Section III. Operational Controls - Chapter 10


10.2.1 User Account Management
 User account management involves (1) the process of requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions.
 User account management typically begins with a request from the user's supervisor to the system manager for a system account. If a user is to have access to a particular application, this request may be sent through the application manager to the system manager. This will ensure that the systems office receives formal approval from the "application manager" for the employee to be given access. The request will normally state the level of access to be granted, perhaps by function or by specifying a particular user profile. (Often when more than one employee is doing the same job, a "profile" of permitted authorizations is created.)
 Systems operations staff will normally then use the account request to create an account for the new user. The access levels of the account will be consistent with those requested by the supervisor. This account will normally be assigned selected access authorizations. These are sometimes built directly into applications, and other times rely upon the operating system. "Add-on" access applications are also used. These access levels and authorizations are often tied to specific access levels within an application.
 Next, employees will be given their account information, including the account identifier (e.g., user ID) and a means of authentication (e.g., password or smart card/PIN). One issue that may arise at this stage is whether the user ID is to be tied to the particular position an employee holds (e.g., ACC5 for an accountant) or the individual employee (e.g., BSMITH for Brenda Smith). Tying user IDs to positions may simplify administrative overhead in some cases; however, it may make auditing more difficult as one tries to trace the actions of a particular individual. It is normally more advantageous to tie the user ID to the individual employee. However, if the user ID is created and tied to a position, procedures will have to be established to change them if employees switch jobs or are otherwise reassigned.
 When employees are given their account, it is often convenient to provide initial or refresher training and awareness on computer security issues. Users should be asked to review a set of rules and regulations for system access. To indicate their understanding of these rules, many organizations require employees to sign an "acknowledgment statement," which may also state causes for dismissal or prosecution under the Computer Fraud and Abuse Act and other applicable state and local laws.
 When user accounts are no longer required, the supervisor should inform the application manager and system management office so accounts can be removed in a timely manner. One useful secondary check is to work with the local organization's personnel officer to establish a procedure for routine notification of employee departures to the systems office.
 It is essential to realize that access and authorization administration is a continuing process. New user accounts are added while others are deleted. Permissions change: sometimes permanently, sometimes temporarily. New applications are added, upgraded, and removed. Tracking this information to keep it up to date is not easy, but is necessary to allow users access to only those functions necessary to accomplish their assigned responsibilities -- thereby helping to maintain the principle of least privilege. In managing these accounts, there is a need to balance timeliness of service and record keeping. While sound record keeping practices are necessary, delays in processing requests (e.g., change requests) may lead to requests for more access than is really necessary -- just to avoid delays should such access ever be required.
 Managing this process of user access is also one that, particularly for larger systems, is often decentralized. Regional offices may be granted the authority to create accounts and change user access authorizations or to submit forms requesting that the centralized access control function make the necessary changes. Approval of these changes is important -- it may require the approval of the file owner and the supervisor of the employee whose access is being changed.
 Example of Access Levels Within an Application
 Level   Function
 1       Create Records
 2       Edit Group A records
 3       Edit Group B records
 4       Edit all records
 Sample User Account and Password Acknowledgment Form:
 "I hereby acknowledge personal receipt of the system password(s) associated with the user IDs listed below. I understand that I am responsible for protecting the password(s), will comply with all applicable system security standards, and will not divulge my password(s) to any person. I further understand that I must report to the Information Systems Security Officer any problem I encounter in the use of the password(s) or when I have reason to believe that the private nature of my password(s) has been compromised."
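The Handbook section above describes user account management as a continuing process: profiles of permitted authorizations, accounts tied to individuals, removal on departure with the personnel office as a secondary check, and least privilege. The following is an added example, not code from the Handbook or this newsletter, that turns those controls into a reconciliation check; the access-level table is the Handbook's, while the profiles, account records and departure list are constructed sample data.

```python
from dataclasses import dataclass, field

# Access levels from the Handbook's example table.
ACCESS_LEVELS = {1: "Create Records", 2: "Edit Group A records",
                 3: "Edit Group B records", 4: "Edit all records"}

# A "profile" per job function: the levels that job is permitted (assumed, illustrative).
PROFILES = {"clerk": {1}, "reviewer_a": {1, 2},
            "reviewer_b": {1, 3}, "manager": {1, 2, 3, 4}}


@dataclass
class Account:
    user_id: str                  # tied to the individual (BSMITH), as the text recommends
    employee: str                 # name as it appears on the personnel office's notices
    profile: str                  # job profile the supervisor requested
    granted: set = field(default_factory=set)  # access levels actually assigned
    active: bool = True


def reconcile(accounts, departures):
    """Flag accounts that no longer match the controls in 10.2.1.

    departures: names reported by the personnel officer (the secondary check);
    returns (finding, user_id[, detail]) tuples in account order.
    """
    findings = []
    for acct in accounts:
        # Departed employee whose account was never closed.
        if acct.active and acct.employee in departures:
            findings.append(("stale_account", acct.user_id))
        # Authorizations beyond the requested profile: least-privilege drift.
        for level in sorted(acct.granted - PROFILES.get(acct.profile, set())):
            findings.append(("excess_privilege", acct.user_id, ACCESS_LEVELS[level]))
    return findings


def reassign(acct, new_profile):
    """Employee changed jobs: reissue authorizations from the new profile only."""
    acct.profile = new_profile
    acct.granted = set(PROFILES[new_profile])
    return acct


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    Account("BSMITH", "Brenda Smith", "reviewer_a", {1, 2}),
    Account("JDOE", "John Doe", "clerk", {1, 4}),          # also holds "Edit all records"
    Account("RLEE", "Rita Lee", "manager", {1, 2, 3, 4}),
]
SAMPLE_DEPARTURES = {"Rita Lee"}   # the personnel office's departure notice

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_ACCOUNTS, SAMPLE_DEPARTURES):
        print(*finding)
```

Run against a real account export and HR departure feed, the same two findings are what an auditor looks for first: open accounts for people who have left, and permissions that outgrew the approved profile.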

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

