R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 2, 2019

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool requirements regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FYI
- In a first, Moody’s downgrades Equifax’s rating outlook due to cyberattack - Credit ratings agency Moody’s this week revised its rating outlook for Equifax, downgrading it from stable to negative as a result of financial losses stemming from a 2017 data breach. http://www.scmagazine.com/home/security-news/data-breach/in-a-first-moodys-downgrades-equifaxs-rating-outlook-due-to-cyberattack/

FEC Gives Green Light for Free Cybersecurity Help in Federal Elections - Official opinion issued by the Federal Election Commission to nonprofit Defending Digital Campaigns is good news for free and reduced-cost security offerings to political candidates and committees. https://www.darkreading.com/application-security/fec-gives-green-light-for-free-cybersecurity-help-in-federal-elections/d/d-id/1334797

7 Critical Security Steps to Protect You From an Office 365 Compromise - In August 2018, security researchers announced that cybercriminals were successfully bypassing Office 365’s Advanced Threat Protection via a new evolution of phishing – inserting malware links into SharePoint documents. https://www.scmagazine.com/home/opinion/executive-insight/7-critical-security-steps-to-protect-you-from-an-office-365-compromise/

Exposed files saw 50 percent uptick in last year - In the year since the Digital Shadows Photon Research Team released its “Too Much Information” report, the volume of data exposed through online file stores like Amazon S3 buckets, SMB-enabled file shares, and network attached storage (NAS) drives increased 50 percent – or 750 million files – with researchers finding 2.3 billion files exposed. https://www.scmagazine.com/home/security-news/privacy-compliance/exposed-files-saw-50-percent-uptick-in-last-year/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - HCL employee, customer files found open to public - The digital solutions firm HCL left accessible information belonging to some of its employees and customers. https://www.scmagazine.com/home/security-news/data-breach/hcl-employee-customer-files-found-open-to-public/

First American Financial website leaked 885 million documents - About 885 million documents, including bank account numbers, mortgage records, Social Security numbers, drivers’ license images and tax records, have been leaked by First American Financial Corp.’s website. https://www.scmagazine.com/home/security-news/first-american-financial-website-leaked-885-million-documents/

Shubert theater company organization shines spotlight on customer data breach - Theater company The Shubert Organization has reportedly disclosed a data breach that compromised the personal information of its theater customers. https://www.scmagazine.com/home/security-news/data-breach/shubert-theater-company-organization-shines-spotlight-on-customer-data-breach/

Computer virus prompts city to shut down court websites, programs - Websites and computer programs linked to Philadelphia’s court system have been shut down since Tuesday afternoon, according to sources. https://www.philly.com/news/philadelphia-computer-virus-first-judicial-district-court-system-20190523.html

License plate reader firm breached, data leaked - A threat actor by the alias “Boris Bullet-Dodger” broke into the database of a company that provides license plate readers for the U.S. government to use at the Mexican border. https://www.scmagazine.com/home/security-news/data-breach/license-plate-reader-firm-breached-data-leaked/

Events planning company database exposes more than 200,000 records - Australia-based events planning company Amazingco leaked more than 200,000 records after an Elastic database was left unprotected and accessible by anybody with a browser. https://www.scmagazine.com/home/security-news/events-planning-company-database-exposes-more-than-200000-records/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight Principle 7: Banks should ensure that proper authorization controls and access privileges are in place for e-banking systems, databases and applications.

In order to maintain segregation of duties, banks need to strictly control authorization and access privileges. Failure to provide adequate authorization control could allow individuals to alter their authority, circumvent segregation and gain access to e-banking systems, databases or applications to which they are not privileged.

In e-banking systems, the authorizations and access rights can be established in either a centralized or distributed manner within a bank and are generally stored in databases. The protection of those databases from tampering or corruption is therefore essential for effective authorization control.
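The two controls Principle 7 asks for, segregation of duties over privilege changes and protection of the stored authorizations from tampering, can be made concrete in code. The following is an added illustration written for this newsletter, not text or code from the Basel Committee paper: a minimal entitlement store in which nobody can grant their own privileges, every grant needs a second, distinct approver, and each stored row carries an HMAC seal held by the application tier so that a row edited directly in the database is detected and treated as no access. All user names, roles and the key are constructed sample values.

```python
"""Added illustration (not from the Basel paper): a minimal authorization
store showing two controls Principle 7 calls for.

1. Segregation of duties: no user may grant or change their own privileges,
   and a privilege change needs a second, distinct approver.
2. Tamper detection: every stored entitlement row carries an HMAC computed
   with a key the application (not the database) holds, so a row edited
   directly in the database fails verification and yields no access.

All names, roles and the key below are constructed sample values.
"""
import hashlib
import hmac
import json

# Key held by the application tier, never stored alongside the entitlements.
# Constructed sample value; a real deployment would use a key manager or HSM.
SEAL_KEY = b"example-seal-key-not-for-production"


class SelfGrantError(Exception):
    """Raised when a user tries to change their own privileges."""


class ApprovalError(Exception):
    """Raised when the approver is missing or is the same person as the requester."""


class TamperedEntitlementError(Exception):
    """Raised when a stored row no longer matches its seal."""


def _seal(user, role, granted_by, approved_by):
    """HMAC over the canonical row contents; binds user, role and the two signers."""
    msg = json.dumps([user, role, granted_by, approved_by],
                     separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()


class EntitlementStore:
    def __init__(self):
        # user -> {role, granted_by, approved_by, seal}; stands in for a DB table
        self.rows = {}

    def grant(self, user, role, requested_by, approved_by):
        # Segregation of duties: requester and approver must both differ from
        # the beneficiary, and from each other.
        if requested_by == user or approved_by == user:
            raise SelfGrantError(f"{user} cannot change their own privileges")
        if not approved_by or approved_by == requested_by:
            raise ApprovalError("a second, distinct approver is required")
        self.rows[user] = {
            "role": role,
            "granted_by": requested_by,
            "approved_by": approved_by,
            "seal": _seal(user, role, requested_by, approved_by),
        }

    def role_of(self, user):
        """Return the user's role only if the stored row still matches its seal."""
        row = self.rows.get(user)
        if row is None:
            return None
        expected = _seal(user, row["role"], row["granted_by"], row["approved_by"])
        if not hmac.compare_digest(expected, row["seal"]):
            raise TamperedEntitlementError(f"entitlement row for {user} failed seal check")
        return row["role"]


def is_authorized(store, user, required_role):
    """Fail closed: a missing or tampered row never authorizes."""
    try:
        return store.role_of(user) == required_role
    except TamperedEntitlementError:
        return False


def try_grant(store, user, role, requested_by, approved_by):
    """Return None on success, or the name of the control that blocked the grant."""
    try:
        store.grant(user, role, requested_by, approved_by)
        return None
    except (SelfGrantError, ApprovalError) as exc:
        return type(exc).__name__


def demo():
    """Grant a role properly, then simulate a direct edit of the database row."""
    store = EntitlementStore()
    store.grant("alice", "wire-approver", requested_by="bob", approved_by="carol")
    ok_before = is_authorized(store, "alice", "wire-approver")
    # Direct tampering with the stored row, bypassing the application's grant path
    store.rows["alice"]["role"] = "admin"
    ok_after = is_authorized(store, "alice", "admin")
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False): the tampered row no longer authorizes anything
```

The seal does not stop a privileged database user from editing rows; it makes the edit detectable at the point of use, which is what turns a silent privilege escalation into a logged authorization failure. In practice the `TamperedEntitlementError` path should also raise an alert for the security operations team.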


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Firewall Policy (Part 2 of 3)

Firewalls are an essential control for a financial institution with an Internet connection and provide a means of protection against a variety of attacks. Firewalls should not be relied upon, however, to provide full protection from attacks. Institutions should complement firewalls with strong security policies and a range of other controls. In fact, firewalls are potentially vulnerable to attacks including:

- Spoofing trusted IP addresses;
- Denial of service by overloading the firewall with excessive requests or malformed packets;
- Sniffing of data that is being transmitted outside the network;
- Hostile code embedded in legitimate HTTP, SMTP, or other traffic that meets all firewall rules;
- Attacks on unpatched vulnerabilities in the firewall hardware or software;
- Attacks through flaws in the firewall design providing relatively easy access to data or services residing on firewall or proxy servers; and
- Attacks against machines and communications used for remote administration.
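Two of the limitations listed above, spoofed trusted addresses and hostile content inside traffic that matches every rule, are easiest to see by stepping through what a packet filter actually evaluates. The following is an added illustration written for this newsletter, not code from the FFIEC booklet: a toy stateless, first-match, default-deny packet filter with an ingress anti-spoofing check on the external interface. It shows that the anti-spoofing rule drops an Internet-facing packet claiming an internal source, and that a rule set which inspects only addresses and ports passes any payload at all, which is why the booklet says content inspection and other controls must complement the firewall. All addresses, interface names and packets are constructed sample values.

```python
"""Added illustration (not from the FFIEC booklet): a toy stateless packet
filter evaluated against an ordered, first-match, default-deny rule list.

It shows two of the limitations the booklet lists, from the defender's side:
* an ingress anti-spoofing rule drops packets arriving on the external
  interface that claim an internal source address;
* rules that examine only addresses and ports cannot see the payload, so
  content checks must come from other controls.

All addresses, interfaces and packets below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Address ranges the institution uses internally (constructed sample values).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    dport: int
    payload: bytes = b""  # present to show the filter never looks at it


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    iface: str = "*"              # "*" matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        # Header fields only: interface, source/destination network, port.
        return ((self.iface == "*" or self.iface == pkt.iface)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def evaluate(rules, pkt):
    """First-match evaluation with default deny. Returns (action, rule_name)."""
    # Anti-spoofing: the external interface never legitimately carries
    # packets whose source is one of our own internal ranges.
    if pkt.iface == "ext" and is_internal(pkt.src):
        return "deny", "anti-spoof"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default"


# Constructed rule set: inbound web and mail to two internal servers.
RULES = [
    Rule("web-in", "allow", iface="ext", dst="192.168.1.10/32", dport=80),
    Rule("mail-in", "allow", iface="ext", dst="192.168.1.20/32", dport=25),
]


def demo():
    """Evaluate a few constructed packets and return the decisions."""
    spoofed = Packet("ext", "10.1.2.3", "192.168.1.10", 80)
    normal = Packet("ext", "203.0.113.5", "192.168.1.10", 80, b"GET /index.html")
    # Identical headers to the normal request; only the body differs, and the
    # filter has no rule that can look at it.
    odd_body = Packet("ext", "203.0.113.5", "192.168.1.10", 80,
                      b"<constructed payload the filter cannot inspect>")
    telnet = Packet("ext", "203.0.113.5", "192.168.1.10", 23)
    return {
        "spoofed": evaluate(RULES, spoofed),
        "normal": evaluate(RULES, normal),
        "odd_body": evaluate(RULES, odd_body),
        "telnet": evaluate(RULES, telnet),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} -> {decision}")
```

The "normal" and "odd_body" packets receive the same allow decision from the same rule, which is the booklet's fourth bullet in miniature: a stateless filter is the wrong layer for content inspection, and an institution that wants to catch hostile content in permitted HTTP or SMTP traffic needs proxies, content filtering, or endpoint controls behind the firewall.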



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.3.3 Interruption of Operations

HGA's building facilities and physical plant are several decades old and are frequently under repair or renovation. As a result, power, air conditioning, and LAN or WAN connectivity for the server are typically interrupted several times a year for periods of up to one work day. For example, on several occasions, construction workers have inadvertently severed power or network cables. Fires, floods, storms, and other natural disasters can also interrupt computer operations, as can equipment malfunctions.

Another threat of small likelihood, but significant potential impact, is that of a malicious or disgruntled employee or outsider seeking to disrupt time-critical processing (e.g., payroll) by deleting necessary inputs or system accounts, misconfiguring access controls, planting computer viruses, or stealing or sabotaging computers or related equipment. Such interruptions, depending upon when they occur, can prevent time and attendance data from getting processed and transferred to the mainframe before the payroll processing deadline.

20.3.4 Disclosure or Brokerage of Information

Other kinds of threats may be stimulated by the growing market for information about an organization's employees or internal activities. Individuals who have legitimate work-related reasons for access to the master employee database may attempt to disclose such information to other employees or contractors or to sell it to private investigators, employment recruiters, the press, or other organizations. HGA considers such threats to be moderately likely and of low to high potential impact, depending on the type of information involved.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.