REMINDER - This newsletter is available for Android smartphones and tablets. Go to the Market Store and search for yennik.
FYI - Security pros still grappling with lax password policies - Passwords and cloud security are still causing headaches for IT security professionals, with 13 percent of respondents to Lieberman Software's "2014 Information Security Survey" saying that they can still access systems at a previous place of employment by using old credentials.
http://www.scmagazine.com/study-security-pros-still-grappling-with-lax-password-policies/article/348888/

FYI - China bans Windows 8 from government computers - Government ties the decision to security concerns, though it's unclear what will replace the still-widely-used Windows XP. The Chinese government has officially banned Windows 8 from use on all government computers, reports out of the country claim.
http://www.cnet.com/news/china-bans-windows-8-from-government-computers/

FYI - Bill Would Let DHS Pay Cyber Workers as Much as the Pentagon Pays - A Senate committee on Wednesday advanced legislation that would empower the Homeland Security Department to pay DHS cyber recruits as much as Pentagon computer security professionals.
http://www.nextgov.com/cybersecurity/2014/05/bill-would-let-dhs-pay-cyber-workers-much-pentagon-pays/84958/

FYI - Sailor convicted of hacking websites from aboard aircraft carrier - Leader of "Team Digi7al" was USS Truman's nuclear reactor department sysadmin. A 27-year-old now-former sailor pleaded guilty in a federal court in Tulsa, Oklahoma on May 20 to charges of conspiracy after leading a band of hackers in the US and Canada from onboard an aircraft carrier.
http://arstechnica.com/tech-policy/2014/05/sailor-convicted-of-hacking-websites-from-aboard-aircraft-carrier/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Silent Auction: eBay and FBI Mum on Hack Details - eBay Inc.'s description of how hackers got access to its entire database of 145 million user records leaves many questions unanswered as to how cyber criminals orchestrated what appears to be the second-biggest data breach in U.S. history.
http://www.nbcnews.com/tech/security/silent-auction-ebay-fbi-mum-hack-details-n112186

FYI - Public utility compromised after brute-force attack, DHS says - The utility, which was not identified, had been compromised before. A public utility in the U.S. was compromised after attackers took advantage of a weak password security system, according to a U.S. Department of Homeland Security team that studies cyberattacks against critical infrastructure.
http://www.computerworld.com/s/article/9248473/Public_utility_compromised_after_brute_force_attack_DHS_says?taxonomyId=17

FYI - eBay to face formal investigations over data breach - Attorneys general in three states in the US are looking into the hack, and an official in the UK is considering a formal probe. The online auction site revealed Wednesday that hackers had penetrated its corporate network and compromised the credentials of its users.
http://www.cnet.com/news/ebay-to-face-formal-investigations-over-data-breach/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Car-Hacking Goes Viral In London - Nearly half the 89,000 vehicles broken into in London last year were hacked with electronic gadgets, according to London's Metropolitan Police.
http://www.forbes.com/sites/williampentland/2014/05/20/car-hacking-goes-viral-in-london/

FYI - Unencrypted USB drive stolen, 3,000 Humana members in Atlanta impacted - In Georgia, nearly 3,000 members of health care provider Humana are being notified that their personal information - including Social Security numbers - may have been compromised after an encrypted laptop and an unencrypted USB drive were stolen from an associate's vehicle.
http://www.scmagazine.com/unencrypted-usb-drive-stolen-3000-humana-members-in-atlanta-impacted/article/348567/

FYI - Four computers containing patient data stolen in New Hampshire - New Hampshire-based Elliot Hospital is notifying more than 1,200 patients that their personal information was on four computer workstations that were stolen from the vehicle of an employee.
http://www.scmagazine.com/four-computers-containing-patient-data-stolen-in-new-hampshire/article/348859/

FYI - About 5,500 impacted in Oklahoma benefits broker laptop theft - About 5,500 staff members and clients of Oklahoma-based employee benefits broker Maschino, Hudelson & Associates (MHA) are being notified that their personal information - including Social Security numbers - was on a laptop that was stolen from a worker's car.
http://www.scmagazine.com/about-5500-impacted-in-oklahoma-benefits-broker-laptop-theft/article/348340/

FYI - Another 3,500 L.A. County patients impacted in Sutherland breach - Los Angeles County officials announced on Thursday that nearly 3,500 more patients have been impacted in the February theft of eight computers from Sutherland Healthcare Solutions (SHS), a billing and collections services provider for Los Angeles County.
http://www.scmagazine.com/another-3500-la-county-patients-impacted-in-sutherland-breach/article/348329/

FYI - Former employee accessed Bay Park Hospital patient data for a year - ProMedica, a nonprofit health care system, is notifying nearly 600 patients of Bay Park Hospital in Ohio that a former employee had been accessing their personal information, without authorization, for about a year.
http://www.scmagazine.com/former-employee-accessed-bay-park-hospital-patient-data-for-a-year/article/348977/
WEB SITE COMPLIANCE - We conclude our review of the FDIC paper "Risk Assessment Tools and Practices of Information System Security." We hope you have found this series useful.
INCIDENT RESPONSE - This section discusses implementing an incident response strategy for the response component of an institution's information security program. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution. In developing a response strategy or plan, management should consider the following:
1) The plan should provide a platform from which an institution can
prepare for, address, and respond to intrusions or unauthorized
activity. The beginning point is to assess the systems at risk, as
identified in the overall risk assessment, and consider the
potential types of security incidents.
2) The plan should identify what constitutes a break-in or system
misuse, and incidents should be prioritized by the seriousness of
the attack or system misuse.
3) Individuals should be appointed and empowered with the latitude
and authority to respond to an incident. The plan should include
what the appropriate responses may be for potential intrusions or
system misuse.
4) A recovery plan should be established, and in some cases, an
incident response team should be identified.
5) The plan should include procedures to officially report the
incidents to senior management, the board of directors, legal
counsel, and law enforcement agents as appropriate.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - PHYSICAL SECURITY
The confidentiality, integrity, and availability of information can be impaired through physical access to, or damage or destruction of, physical components. Conceptually, those physical security risks are mitigated through zone-oriented implementations. Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained in or accessible through the zone and of the information technology components in the zone. For instance, data centers may be in the highest security zone, and branches may be in a much lower security zone. Different security zones can exist within the same structure. Routers and servers in a branch, for instance, may be protected to a greater degree than customer service terminals. Computers and telecommunications equipment within an operations center will be in a higher security zone than I/O operations, with the media used in that equipment stored in a still higher zone.
The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, the following threats:
- Aircraft crashes
- Chemical effects
- Dust
- Electrical supply interference
- Electromagnetic radiation
- Explosives
- Fire
- Smoke
- Theft/Destruction
- Vibration/Earthquake
- Water
- Wireless emissions
- Any other threats applicable based on the entity's unique geographical location, building configuration, neighboring entities, etc.
INTERNET PRIVACY - With this issue, we begin our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act
governs the treatment of nonpublic personal information about
consumers by financial institutions. Section 502 of the Subtitle,
subject to certain exceptions, prohibits a financial institution
from disclosing nonpublic personal information about a consumer to
nonaffiliated third parties, unless the institution satisfies
various notice and opt-out requirements, and provided that the
consumer has not elected to opt out of the disclosure. Section 503
requires the institution to provide notice of its privacy policies
and practices to its customers. Section 504 authorizes the issuance
of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
summarized below.
1) A financial institution must provide a notice of its privacy
policies, and allow the consumer to opt out of the disclosure of the
consumer's nonpublic personal information, to a nonaffiliated third
party if the disclosure is outside of the exceptions in sections 13,
14 or 15 of the regulations.
2) Regardless of whether a financial institution shares nonpublic
personal information, the institution must provide notices of its
privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
purposes.
4) A financial institution must follow reuse and redisclosure limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.