R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 17, 2016

Newsletter Content
- FFIEC IT Security
- Web Site Audits
- Web Site Compliance
- NIST Handbook
- Penetration Testing
Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, the agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes - A new study reveals that none of the top 10 US university computer science and engineering degree programs requires students to take a cybersecurity course. http://www.darkreading.com/vulnerabilities---threats/top-us-undergraduate-computer-science-programs-skip-cybersecurity-classes/d/d-id/1325024

FYI - Maryland hospital: Ransomware success wasn’t IT department’s fault - MedStar denies ransom payment, denies earlier JBoss bugs played role. MedStar, the health network of 10 Maryland hospitals struck by a ransomware attack last week, has now reportedly brought all its systems back online without paying attackers. http://arstechnica.com/security/2016/04/maryland-hospital-group-denies-ignored-warnings-allowed-ransomware-attack/

FYI - Russian hacker group targeting largest EU banks - The Russian government has begun working with Russia's Central Bank to develop a package of measures aimed at fighting Buhtrap, the recently discovered hacker group, which, to date, has stolen around RUB 4 billion (£42 million) from Russian and Western banks, and is reportedly planning further attacks on the EU banking system. http://www.scmagazine.com/russian-hacker-group-targeting-largest-eu-banks/article/488790/

FYI - FBI Warns of Cyber Threat to Electric Grid - Three months after a Department of Homeland Security intelligence report downplayed the threat of a cyber attack against the U.S. electrical grid, DHS and the FBI began a nationwide program warning of the dangers faced by U.S. utilities from damaging cyber attacks like the recent hacking against Ukraine’s power grid. http://freebeacon.com/issues/fbi-warns-cyber-threat-electric-grid/

FYI - Cyber-criminals becoming increasingly professional - Cyber-criminals targeting the UK are becoming increasingly professional and have a sophistication almost on par with nation-state hackers, according to a recently published report. http://www.scmagazine.com/cyber-criminals-becoming-increasingly-professional/article/489601/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - FDIC breach of 44,000 customers caused by storage device - A former employee of the Federal Deposit Insurance Corp. (FDIC) departed the agency with a storage device that contained data and information involving 44,000 FDIC customers, a FDIC representative told SCMagazine.com. http://www.scmagazine.com/fdic-breach-of-44000-customers-caused-by-storage-device/article/488999/

FYI - 'Panama Papers' Law Firm: We Were Hacked - Founding partner of Mossack Fonseca tells Reuters his firm was a victim of an external hacker who leaked its data. In the latest twist in the historic "Panama Papers" data leak and scandal, the founding partner of the law firm whose files were dumped, exposing illicit offshore holdings of global political leaders, celebrities, and others, says his firm was hacked by an outsider. http://www.darkreading.com/threat-intelligence/panama-papers-law-firm-we-were-hacked/d/d-id/1325007

FYI - Huge data breach leaves details of 55 million Filipino voters exposed to hackers - Officials downplay impact of leak of electoral roll, passport info and fingerprint data - The details of up to 55 million voters in the Philippines have been exposed putting much of the country at risk of identity theft. http://www.scmagazine.com/huge-data-breach-leaves-details-of-55-million-filipino-voters-exposed-to-hackers/article/488499/

FYI - Georgetown University confirms cyberattack, says no data compromised - A cyberattack at Georgetown University didn't compromise any data, school officials confirmed. The university sent an email to its community saying that an outage experienced as a result of the attack came from a firewall closing the network in order to protect the system and data. http://www.scmagazine.com/georgetown-u-says-systems-secure-despite-cyberattack/article/488521/

FYI - Data breaches galore: state health dept., two schools, grocery chain hit - A state agency, two educational institutions, and a grocery chain fell victim to a wave of separate data breaches that swept the southern states and California. http://www.scmagazine.com/data-breaches-hit-several-organizations-across-the-south-west-coast/article/489323/


WEB SITE COMPLIANCE
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
 
 Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply.  A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
 
 Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep.  An interim rule issued on March 20, 1998 allows depository institutions to satisfy the requirement to deliver any of these disclosures, and other information required by the act and regulations, by electronic communication, as long as the consumer agrees to that method of delivery.
 
 Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures.  Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.
 
 The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.



FFIEC IT SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

Access Rights Administration (4 of 5)

The access rights process programs the system to allow the users only the access rights they were granted. Since access rights do not automatically expire or update, periodic updating and review of access rights on the system is necessary. Updating should occur when an individual's business needs for system use changes. Many job changes can result in an expansion or reduction of access rights. Job events that would trigger a removal of access rights include transfers, resignations, and terminations. Institutions should take particular care to remove promptly the access rights for users who have remote access privileges, and those who administer the institution's systems.
 
 Because updating may not always be accurate, periodic review of user accounts is a good control to test whether the access right removal processes are functioning, and whether users exist who should have their rights rescinded or reduced. Financial institutions should review access rights on a schedule commensurate with risk.
 
 Access rights to new software and hardware present a unique problem. Typically, hardware and software are installed with default users, with at least one default user having full access rights. Easily obtainable lists of popular software exist that identify the default users and passwords, enabling anyone with access to the system to obtain the default user's access. Default user accounts should either be disabled, or the authentication to the account should be changed.  Additionally, access to these default accounts should be monitored more closely than other accounts.
 
 Sometimes software installs with a default account that allows anonymous access. Anonymous access is appropriate, for instance, where the general public accesses an informational web server. Systems that allow access to or store sensitive information, including customer information, should be protected against anonymous access.
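The paragraphs above describe one control procedure: reconcile each enabled account against the current HR roster, remove rights promptly after transfers, resignations and terminations (with priority for remote-access and administrative users), flag stale reviews, and treat vendor default and anonymous accounts separately. The script below is an added example, not text or code from the FFIEC booklet or from Yennik, Inc.; the roster, the account inventory, the 90-day review interval and the account names such as "admin" and "guest" are all constructed for the illustration.

```python
"""Periodic access-rights review (added example with constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str   # "active", "transferred", "resigned" or "terminated"
    role: str     # job role the person holds today


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    role_granted: str                 # role the rights were provisioned for
    remote_access: bool = False
    admin: bool = False
    default_account: bool = False     # account shipped with the software
    credential_changed: bool = True   # vendor default credential replaced?
    anonymous: bool = False
    system_sensitive: bool = False    # system holds customer/sensitive data
    last_reviewed: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    user_id: str
    action: str     # "remove", "reduce", "disable", "monitor" or "review"
    priority: str   # "high" for remote/admin users and unchanged defaults
    reason: str


def review_access(employees: List[Employee], accounts: List[Account],
                  today: date, review_interval_days: int = 90) -> List[Finding]:
    """Compare enabled accounts with the HR roster and return required actions."""
    roster = {e.user_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to rescind
        # Remote-access and administrative users must be handled promptly.
        prio = "high" if (acct.remote_access or acct.admin) else "normal"

        if acct.default_account:
            if not acct.credential_changed:
                findings.append(Finding(acct.user_id, "disable", "high",
                                        "enabled default account still uses vendor credentials"))
            else:
                findings.append(Finding(acct.user_id, "monitor", "normal",
                                        "default account enabled; monitor more closely than others"))
            continue

        if acct.anonymous:
            # Anonymous access is fine for a public informational server only.
            if acct.system_sensitive:
                findings.append(Finding(acct.user_id, "disable", "high",
                                        "anonymous access on a system holding sensitive information"))
            continue

        emp = roster.get(acct.user_id)
        if emp is None:
            findings.append(Finding(acct.user_id, "remove", prio,
                                    "no matching person on the HR roster (orphan account)"))
        elif emp.status in ("transferred", "resigned", "terminated"):
            findings.append(Finding(acct.user_id, "remove", prio,
                                    f"user {emp.status}; rights do not expire automatically"))
        elif emp.role != acct.role_granted:
            findings.append(Finding(acct.user_id, "reduce", prio,
                                    f"rights granted for '{acct.role_granted}' but user now holds '{emp.role}'"))
        elif acct.last_reviewed is None or (today - acct.last_reviewed).days > review_interval_days:
            findings.append(Finding(acct.user_id, "review", prio, "periodic review overdue"))
    return findings


# Constructed sample data for the example.
TODAY = date(2016, 4, 17)
EMPLOYEES = [
    Employee("jdoe", "active", "teller"),
    Employee("asmith", "terminated", "sysadmin"),
    Employee("bwong", "transferred", "loan officer"),
    Employee("clee", "active", "auditor"),
    Employee("dpark", "active", "teller"),
]
ACCOUNTS = [
    Account("jdoe", True, "teller", last_reviewed=date(2016, 3, 1)),
    Account("asmith", True, "sysadmin", remote_access=True, admin=True),
    Account("bwong", True, "teller"),
    Account("clee", True, "teller", last_reviewed=date(2016, 4, 1)),
    Account("dpark", True, "teller", last_reviewed=date(2015, 12, 1)),
    Account("mjones", True, "teller"),
    Account("admin", True, "installer", default_account=True, credential_changed=False),
    Account("guest", True, "installer", default_account=True, credential_changed=True),
    Account("anonymous", True, "public", anonymous=True, system_sensitive=True),
    Account("www-anon", True, "public", anonymous=True, system_sensitive=False),
    Account("old_contractor", False, "vendor"),
]

if __name__ == "__main__":
    for f in sorted(review_access(EMPLOYEES, ACCOUNTS, TODAY), key=lambda f: f.priority != "high"):
        print(f"[{f.priority:6}] {f.action:8} {f.user_id:15} {f.reason}")
```

Running the script lists the terminated administrator and the default account with an unchanged credential first, then the transferred user, the orphan account, the role mismatch and the overdue review; the public anonymous account and the already disabled contractor account produce no finding. The same reconciliation works against an exported directory or application user list once the two input records are populated from it.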



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
 
 
6.2 Central Computer Security Programs
 
 The purpose of a central computer security program is to address the overall management of computer security within an organization. In the federal government, the organization could consist of a department, agency, or other major operating unit.
 
 As with the management of all resources, central computer security management can be performed in many practical and cost-effective ways. The importance of sound management cannot be overemphasized. There is also a downside to centrally managed computer security programs. Specifically, they present greater risk that errors in judgment will be more widely propagated throughout the organization. As they strive to meet their objectives, managers need to consider the full impact of available options when establishing their computer security programs.
 
 6.2.1 Benefits of Central Computer Security Programs
 
 A central security program should provide two quite distinct types of benefits:
 
 - Increased efficiency and economy of security throughout the organization, and
 - the ability to provide centralized enforcement and oversight.
 
 Both of these benefits are in keeping with the purpose of the Paperwork Reduction Act, as implemented in OMB Circular A-130.
 
 The Paperwork Reduction Act establishes a broad mandate for agencies to perform their information management activities in an efficient, effective, and economical manner...Agencies shall assure an adequate level of security for all agency automated information systems, whether maintained in-house or commercially.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated