R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 22, 2016

Newsletter Content: FFIEC IT Security | Web Site Audits | Web Site Compliance | NIST Handbook | Penetration Testing
Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Criminal investigation underway into banking regulator data breach - A criminal investigation is underway over the removal of tens of thousands of taxpayers' personally identifiable information from the Federal Deposit Insurance Corporation (FDIC), the agency's internal watchdog said Thursday.
http://thehill.com/policy/cybersecurity/279752-criminal-investigation-open-in-fdic-data-breach
https://www.washingtonpost.com/news/powerpost/wp/2016/05/09/fdic-reports-five-major-incidents-of-cybersecurity-breaches-since-fall/

FYI - 6 Shocking Intellectual Property Breaches - Not all breaches involve lost customer data. Sometimes the most damaging losses come when intellectual property is pilfered. http://www.darkreading.com/vulnerabilities---threats/6-shocking-intellectual-property-breaches/d/d-id/1325487

FYI - 89% of surveyed health care orgs breached in last two years; cybercrime top cause - For the second consecutive year, Ponemon Institute's annual study on the state of security and privacy in health care found that cybercrime was the leading cause of data breaches among hospitals and other medical providers. http://www.scmagazine.com/ponemon-89-of-surveyed-health-care-orgs-breached-in-last-two-years-cybercrime-top-cause/article/496530/

FYI - Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities - Every day, billions of people around the world use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues. https://www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-economic-and-other-online-activities

FYI - Updated banking malware turns entire ATM into a skimmer - Kaspersky Lab researchers discovered a new and improved version of the ATM malware dubbed “Skimmer” which targets banks and turns entire ATM machines into payment card skimmers. http://www.scmagazine.com/researchers-spotted-a-malware-that-turns-entire-atms-into-card-skimmers/article/496871/

FYI - 77% of organisations unprepared for cyber-security incidents - Roughly 77 percent of organisations are unprepared for cyber-security incidents according to research by NTT Com in its 2016 Global Threat Intelligence Report. http://www.scmagazine.com/77-of-organisations-unprepared-for-cyber-security-incidents/article/497147/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Wendy’s: Breach Affected 5% of Restaurants - Wendy’s said today that an investigation into a credit card breach at the nationwide fast-food chain uncovered malicious software on point-of-sale systems at fewer than 300 of the company’s 5,500 franchised stores. http://krebsonsecurity.com/2016/05/wendys-breach-affected-5-of-restaurants/

FYI - FBI suspects an inside job in $81M Bangladesh bank hack - Evidence points to at least one suspect who is an employee of the bank, people familiar with the matter said. “A handful” of others may have helped hackers navigate the bank’s computer system, according to the Journal. http://thehill.com/policy/cybersecurity/279348-fbi-suspects-an-inside-job-in-81m-bangladesh-bank-hack

FYI - Second bank hit with SWIFT-based hack, experts say patches failed - The Society for Worldwide Interbank Financial Telecommunication (SWIFT) revelation that another bank was victimized using the same modus operandi as that in the Bangladesh bank hack has the security industry believing the SWIFT system is flawed and possibly still vulnerable to another attack. http://www.scmagazine.com/second-bank-hit-with-swift-based-hack-experts-say-patches-failed/article/496448/

FYI - Not OK, data on 70K OKCupid users exposed - A database consisting of the identities of nearly 70,000 users of dating website OKCupid has been published on the internet. http://www.scmagazine.com/not-ok-data-on-70k-okcupid-users-exposed/article/496434/

FYI - Japanese teen's DoS attack takes out 444 school websites - A Japanese teenager was charged on May 11 for allegedly launching a DoS attack against the Osaka Board of Education, which shut down 444 school websites. http://www.scmagazine.com/japanese-teen-launches-massive-dos-attack-to-remind-teachers-they-are-incompetent/article/496756/

FYI - Vietnamese bank thwarts hack made through SWIFT messaging system - Vietnam's Tien Phong Bank came forward claiming to be the second bank that was attacked with a fake message sent through The Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system. http://www.scmagazine.com/vietnamese-bank-thwarts-hack-made-through-swift-messaging-system/article/496584/

FYI - Hacker doxes Nulled cybercrime forum, exposes data on 536,000 user accounts - An unidentified hacker turned the tables on Nulled.io, a popular online forum that facilitates cybercriminal activity, by compromising its website and publicly dumping its sensitive user data and communications. http://www.scmagazine.com/hacker-doxes-nulled-cybercrime-forum-exposes-data-on-536000-user-accounts/article/496755/

FYI - 117 million LinkedIn email credentials found for sale on the dark web - The 2012 LinkedIn data breach may be the breach that just keeps on giving with the news that 117 million customer email credentials originating from that hack were found for sale on the dark web prompting the professional social network to invalidate the account passwords. http://www.scmagazine.com/117-million-linkedin-email-credentials-found-for-sale-on-the-dark-web/article/497162/

FYI - Children's National Health System breached, data of 4K patients compromised - More than 4,000 patients of Washington, D.C.-based Children's National Health System (CNHS) received notices of a data breach following a former vendor disclosing patient health information on an FTP site viewable on the web. http://www.scmagazine.com/childrens-national-health-system-breached-data-of-4k-patients-compromised/article/497475/


WEB SITE COMPLIANCE - Fair Housing Act
 

 A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.
 
 Home Mortgage Disclosure Act (Regulation C)
 
 The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 SECURITY CONTROLS - IMPLEMENTATION
 

 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 AUTHENTICATION - Token Systems (1 of 2)
 
 Token systems typically authenticate the token and assume that the user who was issued the token is the one requesting access. One example is a token that generates dynamic passwords every X seconds. When prompted for a password, the user enters the password generated by the token. The token's password-generating system is identical and synchronized to that in the system, allowing the system to recognize the password as valid. The strength of this system of authentication rests in the frequent changing of the password and the inability of an attacker to guess the seed and password at any point in time.
 
 Another example of a token system uses a challenge/response mechanism. In this case, the user identifies him/herself to the system, and the system returns a code to enter into the password-generating token. The token and the system use identical logic and initial starting points to separately calculate a new password. The user enters that password into the system. If the system's calculated password matches that entered by the user, the user is authenticated. The strengths of this system are the frequency of password change and the difficulty in guessing the challenge, seed, and password.
 
 Other token methods involve multi-factor authentication, or the use of more than one authentication method. For instance, an ATM card is a token. The magnetic strip on the back of the card contains a code that is recognized in the authentication process. However, the user is not authenticated until he or she also provides a PIN, or shared secret. This method is two-factor, using both something the user has and something the user knows. Two-factor authentication is generally stronger than single-factor authentication. This method can allow the institution to authenticate the user as well as the token.
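To make the two token mechanisms described above concrete, here is an added Python example (not from the FFIEC booklet or from any token vendor): a time-synchronized dynamic password and a challenge/response password, both derived from the same shared seed, together with the server-side check. The seed value, the 30-second step, and the use of HMAC-SHA1 with HOTP-style truncation are assumptions for illustration; the booklet does not prescribe an algorithm.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed shared by the token and the authenticating system.
# Placeholder only; a real seed is generated randomly per token and kept secret.
SEED = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 30   # the "every X seconds" of a time-synchronized token
DIGITS = 6


def dynamic_password(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive a one-time password from the shared seed and a moving counter.
    Token and system run this identical routine, so their outputs agree."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation as in HOTP (RFC 4226): low nibble of the last byte
    # selects 4 bytes; the top bit is cleared before reducing to `digits`.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Time-synchronized variant: the counter is the current time step."""
    return int(now // step)


def verify_time_token(seed: bytes, entered: str, now: float, drift_steps: int = 1) -> bool:
    """System-side check. Tokens and servers never stay perfectly synchronized,
    so a small window of neighbouring steps is accepted; anything outside it
    (or a replayed, long-expired code) is rejected."""
    counter = time_counter(now)
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(dynamic_password(seed, counter + delta), entered):
            return True
    return False


def challenge_response(seed: bytes, challenge: int) -> str:
    """Challenge/response variant: the system issues `challenge`, the user keys
    it into the token, and both sides compute the password from it."""
    return dynamic_password(seed, challenge)


def verify_challenge(seed: bytes, challenge: int, entered: str) -> bool:
    return hmac.compare_digest(challenge_response(seed, challenge), entered)


if __name__ == "__main__":
    now = time.time()
    print("token shows:", dynamic_password(SEED, time_counter(now)))
    print("accepted:", verify_time_token(SEED, dynamic_password(SEED, time_counter(now)), now))
```

Because the same seed is used on both sides, the security of either scheme rests entirely on keeping that seed secret, which is why the booklet stresses the attacker's inability to guess it.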



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
 
 6.5 Elements of Effective System-Level Programs
 

 Like the central computer security program, many factors influence how successful a system-level computer security program is. Many of these are similar to the central program. This section addresses some additional considerations.
 
 Security Plans. The Computer Security Act mandates that agencies develop computer security and privacy plans for sensitive systems. These plans ensure that each federal and federal interest system has appropriate and cost-effective security. System-level security personnel should be in a position to develop and implement security plans. Chapter 8 discusses the plans in more detail.
 
 System-Specific Security Policy. Many computer security policy issues need to be addressed on a system-specific basis. The issues can vary for each system, although access control and the designation of personnel with security responsibility are likely to be needed for all systems. A cohesive and comprehensive set of security policies can be developed by using a process that derives security rules from security goals, as discussed in Chapter 5.
 
 Life Cycle Management. As discussed in Chapter 8, security must be managed throughout a system's life cycle. This specifically includes ensuring that changes to the system are made with attention to security and that accreditation is accomplished.
 
 Integration With System Operations. The system-level computer security program should consist of people who understand the system, its mission, its technology, and its operating environment. Effective security management usually needs to be integrated into the management of the system. Effective integration will ensure that system managers and application owners consider security in the planning and operation of the system. The system security manager/officer should be able to participate in the selection and implementation of appropriate technical controls and security procedures and should understand system vulnerabilities. Also, the system-level computer security program should be capable of responding to security problems in a timely manner.
 
 For large systems, such as a mainframe data center, the security program will often include a manager and several staff positions in such areas as access control, user administration, and contingency and disaster planning. For small systems, such as an officewide local-area-network (LAN), the LAN administrator may have adjunct security responsibilities.
 
 Separation From Operations. A natural tension often exists between computer security and operational elements. In many instances, operational components -- which tend to be far larger and therefore more influential -- seek to resolve this tension by embedding the computer security program in computer operations. The typical result of this organizational strategy is a computer security program that lacks independence, has minimal authority, receives little management attention, and has few resources. As early as 1978, GAO identified this organizational mode as one of the principal basic weaknesses in federal agency computer security programs. System-level programs face this problem most often.
 
 This conflict between the need to be a part of system management and the need for independence has several solutions. The basis of many of the solutions is a link between the computer security program and upper management, often through the central computer security program. A key requirement of this setup is the existence of a reporting structure that does not include system management. Another possibility is for the computer security program to be completely independent of system management and to report directly to higher management. There are many hybrids and permutations, such as co-location of computer security and systems management staff but separate reporting (and supervisory) structures. Figure 6.4 presents one example of placement of the computer security program within a typical Federal agency.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated