R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 6, 2018

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI
- Compliance vs. Cybersecurity - Duking It Out When they Should be Working Together - What should you fear the most: hackers and malicious actors, or auditors for that pesky compliance status? On one hand, you have those that will steal sensitive and crucial data for personal gain. On the other, you have a nitpicky consultant that will comb over every detail looking to fail your compliance. https://www.scmagazine.com/compliance-vs-cybersecurity--duking-it-out-when-they-should-be-working-together/article/761865/

43% of businesses, 19% of charities hit by data breaches - In a month from now, the UK will welcome GDPR, which will give the ICO more powers to defend consumer interests and issue fines of up to £17 million or four percent of global turnover on organisations in the event of data breaches owing to poor cyber-security credentials. https://www.scmagazine.com/43-businesses-19-of-charities-hit-by-data-breaches-cyber-breach-survey/article/761297/

Equifax data breach cost hits $242 million - The massive data breach that compromised the data of 147.9 million Equifax customers last year has cost the company more than $242 million in related expenses, but luckily for the company, much of this cost has been covered by its cybersecurity insurance. https://www.scmagazine.com/equifax-data-breach-cost-hits-242-million/article/761330/

Ski Lift in Austria Left Control Panel Open on the Internet - Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel open wide on the Internet, allowing anyone to take control of the ski lift's operational settings. https://www.bleepingcomputer.com/news/security/ski-lift-in-austria-left-control-panel-open-on-the-internet/

Fed contractors aren't using DMARC, new study finds - Just one of the 50 biggest federal IT contractors has adopted an important email security measure to guard against phishing, according to a new study. https://www.cyberscoop.com/federal-it-contractors-dmarc-global-cyber-alliance/

NYU and NY Cyber Command team up to offer cheap cybersecurity education and training - Earlier this year NYU Tandon School of Engineering and New York's Cyber Command (NYC3) joined forces to announce one of the country's most affordable Cybersecurity Master's Degrees in the form of its NY Cyber Fellows program. https://www.scmagazine.com/the-curriculum-was-designed-with-input-from-an-advisory-council-consisting-of-new-york-city-cyber-command-nyc3-and-top-business-firms/article/763113/

Epidemic of leaky cloud storage 'really frustrating,' says Trend Micro expert - Data breaches stemming from misconfigured cloud-based storage servers are utterly preventable, and it's up to the security community to educate organizations about tools that are readily available to scan for such mistakes. https://www.scmagazine.com/sc-video-epidemic-of-leaky-cloud-storage-really-frustrating-says-trend-micro-expert/article/763103/

Delaware data breach resource site goes live - The state of Delaware launched a website to assist in the compliance of the state's updated data breach laws. https://www.scmagazine.com/delaware-launches-data-breach-compliance-site-for-companies-and-consumers/article/763065/

Cyberattack map shows impacted U.S. school districts - A group called the K-12 Cybersecurity Resource Center has created an interactive incident map that shows all of the school districts in the U.S. that have been affected by a cyberattack since 2016. https://www.scmagazine.com/cyberattack-map-shows-impacted-us-school-districts/article/762885/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Lock maker offers fixes to prevent hackers from using fake master keys to open hotel locks - Lock maker Assa Abloy has provided fixes to address design vulnerabilities in the Vision by VingCard software for electronic lock systems used by global hotel chains and other hotels around the world that can be exploited to allow hackers access to any room in a hotel. https://www.scmagazine.com/lock-maker-offers-fixes-to-prevent-hackers-from-using-fake-master-keys-to-open-hotel-locks/article/761524/

A Loud Noise Knocked Out Computers That Run Stock Exchanges Across Northern Europe - It seems like computers can do just about anything these days. They write news articles, (almost) drive cars, and trade stocks faster than a human ever could. But our future machine overlords also have weaknesses that make them seem, in a way, almost human. For one thing, it turns out they don't like loud noises. http://www.nextgov.com/cybersecurity/2018/04/loud-noise-knocked-out-computers-run-stock-exchanges-across-northern-europe/147727/

Massachusetts school district caves to ransomware demand, pays $10,000 - The Leominster, Mass., school district found itself compelled to pay a $10,000 ransom after the district was hit with ransomware. https://www.scmagazine.com/massachusetts-school-district-caves-to-ransomware-demand-pays-10000/article/762215/

Student loan borrower files sent to unauthorized party in accidental breach - The student loan services company Access Group Education Lending is blaming a third-party business partner for inadvertently sending loan files containing borrowers' personal information to another business that was not authorized to receive them. https://www.scmagazine.com/student-loan-borrower-files-sent-to-unauthorized-party-in-accidental-breach/article/762169/

Zippy's Restaurants suffers POS data breach - The Hawaii-based Zippy's Restaurants reported that for four months its point-of-sale system at 25 of its locations had been compromised, exposing customer data. https://www.scmagazine.com/zippys-restaurants-suffers-pos-data-breach/article/762902/



WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 3 of 6)

FDIC Response to Identity Theft

The FDIC's supervisory programs include many steps to address identity theft. The FDIC acts directly, often in conjunction with other Federal regulators, by promulgating standards that financial institutions are expected to meet to protect customers' sensitive information and accounts. The FDIC enforces these standards against the institutions under its supervision and encourages all financial institutions to educate their customers about steps they can take to reduce the chances of becoming an identity theft victim. The FDIC also sponsors and conducts a variety of consumer education efforts to make consumers more aware of the ways they can protect themselves from identity thieves.



FFIEC IT SECURITY - Over the next few weeks, we will cover the OCC Bulletin about Infrastructure Threats and Intrusion Risks.

This bulletin provides guidance to financial institutions on how to prevent, detect, and respond to intrusions into bank computer systems. Intrusions can originate either inside or outside of the bank and can result in a range of damaging outcomes, including the theft of confidential information, unauthorized transfer of funds, and damage to an institution's reputation.

The prevalence and risk of computer intrusions are increasing as information systems become more connected and interdependent and as banks make greater use of Internet banking services and other remote access devices. Recent e-mail-based computer viruses and the distributed denial of service attacks earlier this year revealed that the security of all Internet-connected networks is increasingly intertwined. The number of reported intrusion incidents nearly tripled from 1998 to 1999, according to Carnegie Mellon University's CERT/CC.

Management can reduce a bank's risk exposure by adopting and regularly reviewing its risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. This bulletin provides guidance in each of these critical areas and also highlights information-sharing mechanisms banks can use to keep abreast of current attack techniques and potential vulnerabilities.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION

16.1.1 Passwords

Problems With Passwords. The security of a password system is dependent upon keeping passwords secret. Unfortunately, there are many ways that the secret may be divulged. All of the problems discussed below can be significantly mitigated by improving password security, as discussed in the sidebar. However, there is no fix for the problem of electronic monitoring, except to use more advanced authentication (e.g., based on cryptographic techniques or tokens).

Guessing or finding passwords. If users select their own passwords, they tend to make them easy to remember. That often makes them easy to guess. The names of people's children, pets, or favorite sports teams are common examples. On the other hand, assigned passwords may be difficult to remember, so users are more likely to write them down. Many computer systems are shipped with administrative accounts that have preset passwords. Because these passwords are standard, they are easily "guessed." Although security practitioners have been warning about this problem for years, many system administrators still do not change default passwords. Another method of learning passwords is to observe someone entering a password or PIN. The observation can be done by someone in the same room or by someone some distance away using binoculars. This is often referred to as shoulder surfing.

Giving passwords away. Users may share their passwords. They may give their password to a co-worker in order to share files. In addition, people can be tricked into divulging their passwords. This process is referred to as social engineering.

Electronic monitoring. When passwords are transmitted to a computer system, they can be electronically monitored. This can happen on the network used to transmit the password or on the computer system itself. Simple encryption of a password that will be used again does not solve this problem because encrypting the same password will create the same ciphertext; the ciphertext becomes the password.
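The Handbook's point that "the ciphertext becomes the password" is easiest to see side by side with the cryptographic alternative it alludes to. The following is an added example, not code from the NIST Handbook or from Yennik, Inc.: a fixed-token login (the same transform of the password sent every time) next to a nonce-based challenge-response login, with a simulated eavesdropper who captured one exchange and sends it again. The shared secret, the nonce size and the class names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a key derived from the user's password. A real
# server would hold a derived verifier rather than the password itself.
SHARED_SECRET = hashlib.sha256(b"constructed-example-password").digest()


def static_token(secret: bytes) -> bytes:
    """Naive scheme the Handbook warns about: the client sends the same fixed
    transform of its password on every login, so whoever captures it on the
    wire holds something exactly as good as the password."""
    return hmac.new(secret, b"login", hashlib.sha256).digest()


class StaticTokenServer:
    """Accepts the fixed token; cannot tell a replay from a genuine login."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def authenticate(self, token: bytes) -> bool:
        return hmac.compare_digest(token, static_token(self._secret))


class ChallengeResponseServer:
    """Issues a fresh random nonce per login attempt and expects
    HMAC(secret, nonce) back. Each nonce is honoured at most once, so a
    captured (nonce, response) pair is worthless the second time."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-used challenge: treat as replay
        self._outstanding.discard(nonce)  # consume before checking, never reuse
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """What a legitimate client returns for the server's challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def compare_replay_resistance():
    """Simulate an eavesdropper who captured one login and repeats it.
    Returns (static_replay_accepted, cr_genuine_accepted, cr_replay_accepted)."""
    # Fixed-token scheme: the captured token logs in again.
    static_server = StaticTokenServer(SHARED_SECRET)
    captured_token = static_token(SHARED_SECRET)
    static_replay_accepted = static_server.authenticate(captured_token)

    # Challenge-response: the genuine exchange succeeds once ...
    cr_server = ChallengeResponseServer(SHARED_SECRET)
    nonce = cr_server.challenge()
    response = client_response(SHARED_SECRET, nonce)
    genuine_accepted = cr_server.authenticate(nonce, response)
    # ... and the captured pair is rejected when replayed.
    replay_accepted = cr_server.authenticate(nonce, response)
    return static_replay_accepted, genuine_accepted, replay_accepted


def stale_response_rejected(server: ChallengeResponseServer) -> bool:
    """A response recorded against an earlier nonce does not answer a new
    challenge, because the response is bound to the nonce it was computed for."""
    stale_response = client_response(SHARED_SECRET, b"constructed-old-nonce")
    fresh_nonce = server.challenge()
    return server.authenticate(fresh_nonce, stale_response)


if __name__ == "__main__":
    print(compare_replay_resistance())  # (True, True, False)
    print(stale_response_rejected(ChallengeResponseServer(SHARED_SECRET)))  # False
```

The nonce is consumed before the response is checked, so even a correct response cannot be presented twice; this ordering matters more than the choice of HMAC. Note that challenge-response only stops replay of the login exchange. It does nothing about a password captured on the keyboard or on the client host itself, which is why the Handbook treats monitoring on "the computer system itself" as a separate problem.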

Accessing the password file. If the password file is not protected by strong access controls, the file can be downloaded. Password files are often protected with one-way encryption so that plain-text passwords are not available to system administrators or hackers (if they successfully bypass access controls). Even if the file is encrypted, brute force can be used to learn passwords if the file is downloaded (e.g., by encrypting English words and comparing them to the file).

Passwords Used as Access Control. Some mainframe operating systems and many PC applications use passwords as a means of restricting access to specific resources within a system. Instead of using mechanisms such as access control lists, access is granted by entering a password. The result is a proliferation of passwords that can reduce the overall security of a system. While the use of passwords as a means of access control is common, it is an approach that is often less than optimal and not cost-effective.

Improving Password Security

Password generators. If users are not allowed to generate their own passwords, they cannot pick easy-to-guess passwords. Some generators create only pronounceable nonwords to help users remember them. However, users tend to write down hard-to-remember passwords.

Limits on log-in attempts. Many operating systems can be configured to lock a user ID after a set number of failed log-in attempts. This helps to prevent guessing of passwords.

Password attributes. Users can be instructed, or the system can force them, to select passwords (1) with a certain minimum length, (2) with special characters, (3) that are unrelated to their user ID, or (4) that are not in an on-line dictionary. This makes passwords more difficult to guess (but more likely to be written down).

Changing passwords. Periodic changing of passwords can reduce the damage done by stolen passwords and can make brute-force attempts to break into systems more difficult. Too frequent changes, however, can be irritating to users.

Technical protection of the password file. Access control and one-way encryption can be used to protect the password file itself.
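The sidebar's controls (the four password attributes, the lock after a set number of failed log-in attempts, and one-way protection of the password file, which also addresses the "encrypting English words and comparing them to the file" attack described earlier) fit together naturally in one small enrollment-and-login routine. The following is an added example, not the Handbook's own code or Yennik, Inc.'s: the dictionary, the length and lockout thresholds, the iteration count and the `PasswordFile` class are all constructed assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# All values below are constructed for this example, not taken from the Handbook.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer", "football"}
SPECIAL_CHARACTERS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`")
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
# Iteration count for the one-way function; kept modest so the example runs
# quickly. A production system should use a far higher, tuned value.
PBKDF2_ITERATIONS = 100_000


def check_password_attributes(user_id: str, password: str) -> List[str]:
    """Enforce the Handbook's four attributes. Returns the rules violated
    (an empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:                           # (1) minimum length
        problems.append("too short")
    if not any(c in SPECIAL_CHARACTERS for c in password):   # (2) special character
        problems.append("no special character")
    if user_id.lower() in password.lower():                  # (3) unrelated to user ID
        problems.append("contains user id")
    # (4) not a dictionary word; strip digits and punctuation so that decorating
    # a word ("Password!1234") does not slip past the check.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in DICTIONARY:
        problems.append("dictionary word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way, salted, deliberately slow transform of the password. The random
    per-user salt means someone who copies the file cannot hash each dictionary
    word once and compare it against every record at the same time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordFile:
    """In-memory stand-in for the protected password file, with the lockout
    counter that 'limits on log-in attempts' describes."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def enroll(self, user_id: str, password: str) -> None:
        problems = check_password_attributes(user_id, password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt, digest = hash_password(password)
        self._records[user_id] = {"salt": salt, "digest": digest, "failed": 0, "locked": False}

    def stored_digest(self, user_id: str) -> bytes:
        return self._records[user_id]["digest"]

    def login(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        record = self._records.get(user_id)
        if record is None:
            # Burn the same work for unknown IDs so response time does not
            # reveal which user IDs exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if record["locked"]:
            return "locked"
        _, digest = hash_password(password, record["salt"])
        if hmac.compare_digest(digest, record["digest"]):
            record["failed"] = 0
            return "ok"
        record["failed"] += 1
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            record["locked"] = True  # administrator unlock is not modelled here
            return "locked"
        return "denied"
```

Two design points worth checking in any real implementation: the lockout counter is reset only on a successful login, so a slow trickle of wrong guesses still accumulates; and two users who pick the same password end up with different stored digests because the salt is random, which is what stops the "hash the dictionary once" shortcut. A permanent lock after five failures is also a denial-of-service lever against legitimate users, so many systems use a temporary lock or a growing delay instead; the Handbook only says "lock," and the threshold here is an assumption.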


PLEASE NOTE:

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.