R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 12, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

- Trump issues executive order to help grow the U.S. cybersecurity workforce - President Trump today issued an executive order directing the creation of various programs to help eliminate the cybersecurity labor shortage, promote cybersecurity work within the government and encourage widespread adoption of the cybersecurity workforce framework created by the National Initiative for Cybersecurity Education (NICE). https://www.scmagazine.com/home/security-news/government-and-defense/trump-issues-executive-order-to-help-grow-the-u-s-cybersecurity-workforce/

World Password Day: Are we in the Last Days? - As authentication methods improve and companies like Microsoft declare the end of the password era is here, some cybersecurity experts argue this may be one of the last Global Password days to be held. https://www.scmagazine.com/home/security-news/privacy-compliance/some-cybersecurity-experts-argue-this-may-be-one-of-the-last-global-password-days/

Cybersecurity executive changes - https://www.scmagazine.com/home/security-news/corporate-news/cybersecurity-executive-changes-2/

From paper compliance to operational compliance - Data privacy has become an overarching issue top of mind to organizations across industries and geographies over the past several years. https://www.scmagazine.com/home/opinion/from-paper-compliance-to-operational-compliance/

When’s the last time you looked at your incident response plan? - Security is broad. That is evident in, for example, the Security Rule within the Health Insurance Portability and Accountability Act, a central compliance concern for any organization handling the health data of U.S. citizens. https://www.scmagazine.com/home/opinion/executive-insight/whens-the-last-time-you-looked-at-your-incident-response-plan/


FYI - Wolters Kluwer still down from May 6 cyberattack - The information services firm Wolters Kluwer has been battling to recover from a cyberattack that forced the company to shut down many of its tax and accounting software applications, which is causing issues for those using the affected products. https://www.scmagazine.com/home/security-news/malware/wolters-kluwer-still-down-from-may-6-cyberattack/

Man-in-the-Middle vulnerabilities in D-Link cameras - A series of vulnerabilities in the D-Link DCS-2132L cloud camera allow attackers to remotely tap into the video streams of the devices and also manipulate the device’s firmware. https://www.scmagazine.com/home/security-news/vulnerabilities/a-series-of-vulnerabilities-in-the-d-link-dcs-2132l-cloud-camera-allow-attackers-to-remotely-tap-into-the-video-streams-of-the-devices-and-also-manipulate-the-devices-firmware/

Job seeker’s data exposed on open Ladders database - The employment website Ladders exposed almost 14 million user records when it left an Amazon Elasticsearch database unprotected. https://www.scmagazine.com/home/security-news/cloud-security/job-seekers-data-exposed-on-open-ladders-database/

Mystery Database Exposed Info on 80 Million US Households - Researchers Locate an Unprotected 24 GB Database With Names, Addresses and Incomes - A mysterious, unsecured database hosted on Microsoft's cloud platform contained personal information on nearly 80 million U.S. households, according to two researchers who found it. http://www.bankinfosecurity.com/mystery-database-exposed-info-on-80-million-us-households-a-12432

Denial of service event impacted U.S. power utility last month - An apparent cyberattack on March 5 caused disruptions at a western U.S. electric utility by creating a denial of service condition, according to an official summary of Electric Disturbance Events reports processed by the U.S. Department of Energy (DOE) this year. https://www.scmagazine.com/home/security-news/denial-of-service-event-impacted-u-s-power-utility-last-month/

‘Mirrorthief’ card-skimming attack steals card data from online college stores - A total of 201 online college stores in the U.S. and Canada have fallen victim to a Magecart-style card-skimming attack that appears to be the work of a new cybercrime group with no clear ties to past Magecart activity. https://www.scmagazine.com/home/security-news/mirrorthief-card-skimming-attack-steals-card-data-from-online-college-stores/

Buena Vista Horace Mann student data compromised - An unknown number of students at Buena Vista Horace Mann (BVHM) school in San Francisco had their information exposed when a district worker emailed their information to an unauthorized individual. https://www.scmagazine.com/home/security-news/data-breach/buena-vista-horace-mann-student-data-compromised/

Baltimore struck with Robbinhood ransomware, city servers down - Baltimore’s government computer system was hit reportedly with Robbinhood ransomware yesterday shutting down most of the city’s servers and forcing the city council to cancel meetings. https://www.scmagazine.com/home/security-news/ransomware/baltimore-struck-with-robbinhood-ransomware-city-servers-down/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 4: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 2 of 2)
   The bank must determine which authentication methods to use based on management's assessment of the risk posed by the e-banking system as a whole or by the various sub-components. This risk analysis should evaluate the transactional capabilities of the e-banking system (e.g. funds transfer, bill payment, loan origination, account aggregation etc.), the sensitivity and value of the stored e-banking data, and the customer's ease of using the authentication method.
   Robust customer identification and authentication processes are particularly important in the cross-border e-banking context given the additional difficulties that may arise from doing business electronically with customers across national borders, including the greater risk of identity impersonation and the greater difficulty in conducting effective credit checks on potential customers.
   As authentication methods continue to evolve, banks are encouraged to monitor and adopt industry sound practice in this area such as ensuring that:
   1)  Authentication databases that provide access to e-banking customer accounts or sensitive systems are protected from tampering and corruption. Any such tampering should be detectable and audit trails should be in place to document such attempts.
   2)  Any addition, deletion or change of an individual, agent or system to an authentication database is duly authorized by an authenticated source.
   3)  Appropriate measures are in place to control the e-banking system connection such that unknown third parties cannot displace known customers.
   4)  Authenticated e-banking sessions remain secure throughout the full duration of the session or in the event of a security lapse the session should require re-authentication.
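Added illustration (not from the Basel paper or this newsletter) of sound-practice items 1 and 2 above in Python: each credential record carries a MAC so tampering is detectable, a change is refused unless it comes from an authenticated source, and every change is appended to a hash-chained audit trail. The integrity key, user ids and password hashes are constructed sample values.

```python
import hashlib, hmac, json
# Added example: a tamper-evident credential store with a hash-chained audit trail.
# The key, user ids and password hashes used with it are constructed sample values;
# a real deployment would keep the integrity key in an HSM/KMS, not in memory.
class AuthDatabase:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # assumed to be provisioned from an HSM/KMS
        self.records = {}           # user_id -> {"pw_hash", "role", "mac"}
        self.audit = []             # hash-chained change log
        self._prev = "0" * 64       # hash of the last audit entry (genesis value)

    @staticmethod
    def _canonical(obj, skip):
        return json.dumps({k: v for k, v in obj.items() if k != skip}, sort_keys=True).encode()

    def _mac(self, rec):
        return hmac.new(self._key, self._canonical(rec, "mac"), hashlib.sha256).hexdigest()

    def _log(self, actor, action, user_id):
        entry = {"prev": self._prev, "actor": actor, "action": action, "user": user_id}
        entry["hash"] = hashlib.sha256(self._canonical(entry, "hash")).hexdigest()
        self.audit.append(entry)
        self._prev = entry["hash"]

    def upsert(self, actor, actor_authenticated, user_id, pw_hash, role):
        """Add or change a record; refused unless the change comes from an authenticated source."""
        if not actor_authenticated:
            raise PermissionError("change must come from an authenticated source")
        rec = {"pw_hash": pw_hash, "role": role}
        rec["mac"] = self._mac(rec)
        self.records[user_id] = rec
        self._log(actor, "upsert", user_id)

    def lookup(self, user_id):
        """Return the record, or None (plus an audit entry) if its MAC no longer matches."""
        rec = self.records.get(user_id)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["mac"], self._mac(rec)):
            self._log("system", "tamper_detected", user_id)
            return None
        return rec

    def verify_integrity(self):
        """Return (user_ids whose record fails its MAC, whether the audit chain is intact)."""
        bad = [u for u, r in self.records.items() if not hmac.compare_digest(r["mac"], self._mac(r))]
        prev, ok = "0" * 64, True
        for e in self.audit:
            if e["prev"] != prev or hashlib.sha256(self._canonical(e, "hash")).hexdigest() != e["hash"]:
                ok = False
                break
            prev = e["hash"]
        return bad, ok
```

Run verify_integrity() on a schedule and alert on any non-empty tampered list or broken chain; the audit entries themselves should be shipped to a write-once log store so the chain cannot be rewritten in place.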


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

  Application-Level Firewalls
  Application-level firewalls perform application-level screening, typically including the filtering capabilities of packet filter firewalls with additional validation of the packet content based on the application. Application-level firewalls capture and compare packets to state information in the connection tables. Unlike a packet filter firewall, an application-level firewall continues to examine each packet after the initial connection is established for specific applications or services such as telnet, FTP, HTTP, SMTP, etc. The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers. Application-level firewalls provide the strongest level of security, but are slower and require greater expertise to administer properly.
  The primary disadvantages of application-level firewalls are:
  • The time required to read and interpret each packet slows network traffic. Traffic of certain types may have to be split off before the application-level firewall and passed through different access controls.
  • Any particular firewall may provide only limited support for new network applications and protocols. It may also simply allow traffic from those applications and protocols to pass through the firewall uninspected.
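An added example (not from the FFIEC booklet or this newsletter) of the stateful, per-command inspection described above, in Python: a toy filter keeps a connection table and, after the connection is established, checks each FTP or SMTP command line against an allow-list, the protocol's line-length limit, header well-formedness, and (for FTP) login state, which a port-based packet filter cannot do. The services, command lists and connection key are constructed assumptions, not a product's rule set.

```python
import re

# Constructed command allow-lists: once the TCP connection exists, the filter keeps
# reading every command line and decides per command (an application-level check).
ALLOWED = {
    "FTP": {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "STOR", "QUIT"},
    "SMTP": {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"},
}
FTP_PRE_AUTH = {"USER", "PASS", "QUIT"}    # FTP commands acceptable before login completes
MAX_LINE = {"FTP": 512, "SMTP": 1000}      # protocol line limits, CRLF included
# A well-formed command: 3-4 letter verb, optional printable argument, CRLF terminator.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})( [\x20-\x7e]*)?\r\n$")

class AppLevelFilter:
    """Toy stateful application-level inspector (illustrative, not a product)."""
    def __init__(self):
        self.conns = {}  # (src_ip, src_port, dst_port) -> per-connection state

    def connect(self, key, service):
        """Connection-table entry created when the initial handshake completes."""
        self.conns[key] = {"service": service, "authed": False, "user": None}

    def inspect(self, key, payload: bytes):
        """Return ('PASS'|'DROP', reason) for one command line on an established connection."""
        st = self.conns.get(key)
        if st is None:
            return "DROP", "no entry in connection table"
        svc = st["service"]
        if len(payload) > MAX_LINE[svc]:                  # packet length screening
            return "DROP", "line exceeds %s maximum length" % svc
        try:
            line = payload.decode("ascii")
        except UnicodeDecodeError:
            return "DROP", "non-ASCII bytes in command"
        m = CMD_RE.match(line)                              # invalid header screening
        if m is None:
            return "DROP", "malformed command line"
        verb = m.group(1).upper()
        if verb not in ALLOWED[svc]:                        # command screening
            return "DROP", "command %s not permitted for %s" % (verb, svc)
        if svc == "FTP":                                    # authorization screening
            if verb == "USER":
                st["user"] = (m.group(2) or "").strip()
            elif verb == "PASS" and st["user"]:
                st["authed"] = True   # a real device would also watch the server's 230 reply
            elif verb not in FTP_PRE_AUTH and not st["authed"]:
                return "DROP", "command %s before login" % verb
        if verb == "QUIT":
            del self.conns[key]                             # connection state torn down
        return "PASS", "ok"
```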


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -

20.2.1 System Architecture

Most of HGA's staff (a mix of clerical, technical, and managerial staff) are provided with personal computers (PCs) located in their offices. Each PC includes hard-disk and floppy-disk drives.

The PCs are connected to a local area network (LAN) so that users can exchange and share information. The central component of the LAN is a LAN server, a more powerful computer that acts as an intermediary between PCs on the network and provides a large volume of disk storage for shared information, including shared application programs. The server provides logical access controls on potentially sharable information via elementary access control lists. These access controls can be used to limit user access to various files and programs stored on the server. Some programs stored on the server can be retrieved via the LAN and executed on a PC; others can only be executed on the server.

To initiate a session on the network or execute programs on the server, users at a PC must log into the server and provide a user identifier and password known to the server. Then they may use files to which they have access.

One of the applications supported by the server is electronic mail (e-mail), which can be used by all PC users. Other programs that run on the server can only be executed by a limited set of PC users.

Several printers, distributed throughout HGA's building complex, are connected to the LAN. Users at PCs may direct printouts to whichever printer is most convenient for their use.

Since HGA must frequently communicate with industry, the LAN also provides a connection to the Internet via a router. The router is a network interface device that translates between the protocols and addresses associated with the LAN and the Internet. The router also performs network packet filtering, a form of network access control, and has recently been configured to disallow non-e-mail (e.g., file transfer, remote log-in) between LAN and Internet computers.

The LAN server also has connections to several other devices.

  • A modem pool is provided so that HGA's employees on travel can "dial up" via the public switched (telephone) network and read or send e-mail. To initiate a dial-up session, a user must successfully log in. During dial-up sessions, the LAN server provides access only to e-mail facilities; no other functions can be invoked.

  • A special console is provided for the server administrators who configure the server, establish and delete user accounts, and have other special privileges needed for administrative and maintenance functions. These functions can only be invoked from the administrator console; that is, they cannot be invoked from a PC on the network or from a dial-up session.

  • A connection to a government agency X.25-based wide-area network (WAN) is provided so that information can be transferred to or from other agency systems. One of the other hosts on the WAN is a large multiagency mainframe system. This mainframe is used to collect and process information from a large number of agencies while providing a range of access controls.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.