R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 7, 2019

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.

NIST Updates SP 800-171 to Help Defend Sensitive Information from Cyberattack - An update to one of the National Institute of Standards and Technology's (NIST) information security documents offers strategies to help protect sensitive information that is stored in computers supporting critical government programs and high value assets. https://www.nist.gov/news-events/news/2019/06/nist-updates-sp-800-171-help-defend-sensitive-information-cyberattack

FYI - Ransomware attacks: Why and when it makes sense to pay the ransom - Whether you pay ransomware actors or not really comes down to some straightforward business calculations. Sometimes the ransom is worth it. https://www.zdnet.com/article/why-and-when-it-makes-sense-to-pay-the-ransom-in-ransomware-attacks/

Need more evidence that IoT security is a big deal? Here's what NIST has to say - If your organization isn’t thinking about internet of things (IoT) security, it could soon face a rude awakening, according to the influential agency that sets cybersecurity standards for the federal government.

Hong Kong protesters fear gov’t use of facial recognition, surveillance tech - Fear that the government will draw facial recognition technology from its arsenal of digital surveillance tools to identify protesters in Hong Kong has prompted some to take evasive action to diminish or eliminate their digital footprints. https://www.scmagazine.com/home/security-news/hong-kong-protesters-fear-govt-use-of-facial-recognition-surveillance-tech/

Ransomware Hits Georgia Courts As Municipal Attacks Spread - Ransomware has no shortage of cautionary tales and wakeup calls from the past decade. But for local governments, this past year has been a particularly brutal reminder of the threat. https://www.wired.com/story/ransomware-hits-georgia-courts-municipal-attacks-spread/

Women in Security - A new take on the old adage “you’re known by the company you keep,” might aptly apply to women in security who’ve found success, progress and opportunities in organizations that know their value. http://www.scmagazine.com/home/security-news/women-in-security/

New York Legislature passes bill that toughens breach notification standards - The New York State Legislature last month passed The Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which is intended to strengthen the state’s data security laws by more explicitly defining when and how businesses must notify the public and attorney general of a data breach incident. https://www.scmagazine.com/home/security-news/new-york-legislature-passes-bill-that-toughens-breach-notification-standards/

Lake City, Fla. IT manager pays the price for ransomware attack - The Lake City, Fla., city council fired the municipality's IT director just one week after that body voted to pay $460,000 to the cybercriminals behind a ransomware attack that knocked the city offline. https://www.scmagazine.com/home/security-news/ransomware/lake-city-fla-it-manager-pays-the-price-for-ransomware-attack/


FYI - Cloud provider PCM hacked, customer info likely stolen for gift card scam - Hackers accessed emails and file sharing systems of some customers of cloud provider PCM Inc. https://www.scmagazine.com/home/security-news/cloud-security/cloud-provider-pcm-hacked-customer-info-likely-stolen-for-gift-card-scam/

5M records exposed by misconfigured MedicareSupplement.com MongoDB - A MedicareSupplement.com MongoDB containing more than five million records was found open to the public containing a wide range of PII. https://www.scmagazine.com/home/security-news/data-breach/5-million-exposed-by-misconfigured-medicaresupplement-com-mongodb/

Village of Key Biscayne hit with a cyberattack - The small Florida municipality of the Village of Key Biscayne has found itself with the dubious honor of joining Baltimore, Atlanta and several other Sunshine State cities by being victimized by a cyberattack. https://www.scmagazine.com/home/security-news/village-of-key-biscayne-hit-with-a-cyberattack/

Data management firm exposed client info on open Amazon S3 buckets: researchers - Data from Netflix, TD Bank, Ford and other companies was left exposed for an unknown period of time on publicly configured cloud storage buckets operated by data integration and management company Attunity, according to the research team that discovered the error. https://www.scmagazine.com/home/security-news/cloud-security/data-management-firm-exposed-client-info-on-open-amazon-s3-buckets-researchers/

Medtronic recalls insulin pumps due to potential of hacker sabotage - Medical device manufacturer Medtronic plc took the unusual step of issuing a recall for several of its insulin pump products due to serious hacking concerns that were detailed in a pair of security alerts from the Food and Drug Administration (FDA) and ICS-CERT. https://www.scmagazine.com/home/security-news/vulnerabilities/medtronic-recalls-insulin-pumps-due-to-potential-of-hacker-sabotage/

Baltimore approves $10M for ransomware relief, expects $18M in damages - Baltimore officials approved using $10 million in excess revenue to cover ongoing expenses related to a ransomware attack that immobilized several of the city's computer systems in early May. https://www.scmagazine.com/home/security-news/ransomware/baltimore-city-officials-approved-of-using-10-million-in-excess-revenue-to-cover-ongoing-expenses-related-to-the-ransomware-attack/

Exposed Orvibo database leaks two billion records - More than 2 billion user logs containing information on Chinese home solutions company Orvibo’s customers were leaked after a database was left exposed. https://www.scmagazine.com/database-security/exposed-orvibo-database-leaks-two-billion-records/

U.S. Virgin Islands hit with ransomware and BEC attack - The U.S. Virgin Islands Police department was hit with a ransomware attack in April that targeted servers housing internal affairs records and citizen complaints while the territory’s water department was separately hit with a business email compromise (BEC). https://www.scmagazine.com/home/security-news/ransomware/the-u-s-virgin-island-police-department-was-hit-with-a-ransomware-attack-in-april-that-targeted-servers-housing-internal-affairs-records-and-citizen-complaints/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 12: Banks should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the bank is providing e-banking products and services.

Maintaining a customer's information privacy is a key responsibility for a bank. Misuse or unauthorized disclosure of confidential customer data exposes a bank to both legal and reputation risk. To meet these challenges concerning the preservation of privacy of customer information, banks should make reasonable endeavors to ensure that:

1) The bank's customer privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-banking products and services.
2) Customers are made aware of the bank's privacy policies and relevant privacy issues concerning use of e-banking products and services.
3) Customers may decline (opt out) from permitting the bank to share with a third party for cross-marketing purposes any information about the customer's personal needs, interests, financial position or banking activity.
4) Customer data are not used for purposes beyond which they are specifically allowed or for purposes beyond which customers have authorized.
5) The bank's standards for customer data use must be met when third parties have access to customer data through outsourcing relationships.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

Institution management should consider a number of issues regarding application-access control. Many of these issues could also apply to oversight of operating system access:

- Implementing a robust authentication method consistent with the criticality and sensitivity of the application. Historically, the majority of applications have relied solely on user IDs and passwords, but increasingly applications are using other forms of authentication. Multi-factor authentication, such as token and PKI-based systems coupled with a robust enrollment process, can reduce the potential for unauthorized access.
- Maintaining consistent processes for assigning new user access, changing existing user access, and promptly removing access to departing employees.
- Communicating and enforcing the responsibilities of programmers (including TSPs and vendors), security administrators, and business line owners for maintaining effective application-access control. Business line managers are responsible for the security and privacy of the information within their units. They are in the best position to judge the legitimate access needs of their area and should be held accountable for doing so. However, they require support in the form of adequate security capabilities provided by the programmers or vendor and adequate direction and support from security administrators.
- Monitoring existing access rights to applications to help ensure that users have the minimum access required for the current business need. Typically, business application owners must assume responsibility for determining the access rights assigned to their staff within the bounds of the AUP. Regardless of the process for assigning access, business application owners should periodically review and approve the application access assigned to their staff.
- Setting time-of-day or terminal limitations for some applications or for the more sensitive functions within an application. The nature of some applications requires limiting the location and number of workstations with access. These restrictions can support the implementation of tighter physical access controls.
- Logging access and events.
- Easing the administrative burden of managing access rights by utilizing software that supports group profiles. Some financial institutions manage access rights individually and it often leads to inappropriate access levels. By grouping employees with similar access requirements under a common access profile (e.g., tellers, loan operations, etc.), business application owners and security administrators can better assign and oversee access rights. For example, a teller performing a two-week rotation as a proof operator does not need year-round access to perform both jobs. With group profiles, security administrators can quickly reassign the employee from a teller profile to a proof operator profile. Note that group profiles are used only to manage access rights; accountability for system use is maintained through individuals being assigned their own unique identifiers and authenticators.
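The group-profile, time-of-day/terminal and periodic-review points above, worked into a small access-control model as an added example (not code from the FFIEC booklet). Profile names, terminal IDs, function names and hours are constructed assumptions; rights come from the profile, while every log entry is written against the individual's own user ID.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample group profiles (hypothetical): each maps a profile to the
# functions it permits, the workstations it may be used from, and the hours
# during which it is valid (start hour inclusive, end hour exclusive).
PROFILES = {
    "teller": {"functions": {"cash_deposit", "cash_withdrawal", "inquiry"},
               "terminals": {"BR1-TELLER-01", "BR1-TELLER-02"}, "hours": (8, 18)},
    "proof_operator": {"functions": {"proof_entry", "proof_correction", "inquiry"},
                       "terminals": {"OPS-PROOF-01"}, "hours": (7, 20)},
    "security_admin": {"functions": {"assign_profile"},
                       "terminals": {"SEC-ADMIN-01"}, "hours": (0, 24)},
}

@dataclass
class User:
    user_id: str   # unique identifier: accountability is per individual
    profile: str   # rights are governed by the group profile, not the person

AUDIT_LOG = []     # "Logging access and events": every decision is recorded

def check_access(user, function, terminal, when):
    """Return (allowed, reason) and log the decision under the user's own ID."""
    prof = PROFILES.get(user.profile)
    if prof is None:
        allowed, reason = False, "unknown profile"
    elif function not in prof["functions"]:
        allowed, reason = False, "function not in profile"
    elif terminal not in prof["terminals"]:
        allowed, reason = False, "terminal not permitted"
    elif not prof["hours"][0] <= when.hour < prof["hours"][1]:
        allowed, reason = False, "outside permitted hours"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append((when.isoformat(), user.user_id, user.profile,
                      function, terminal, allowed, reason))
    return allowed, reason

def reassign(admin, user, new_profile, terminal, when):
    """Security administrator moves a user between profiles, e.g. teller to
    proof operator for a rotation; the admin's own right to do so is checked."""
    ok, reason = check_access(admin, "assign_profile", terminal, when)
    if not ok:
        raise PermissionError(reason)
    if new_profile not in PROFILES:
        raise ValueError("unknown profile: " + new_profile)
    user.profile = new_profile

def review_access(users, expected):
    """Periodic review by the business application owner: return the IDs of
    users whose current profile differs from the owner's record of need."""
    return [u.user_id for u in users if expected.get(u.user_id) != u.profile]
```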


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -

20.4.2 Protection Against Payroll Fraud and Errors: Time and Attendance Application (1 of 2)

The time and attendance application plays a major role in protecting against payroll fraud and errors. Since the time and attendance application is a component of a larger automated payroll process, many of its functional and security requirements have been derived from both governmentwide and HGA-specific policies related to payroll and leave. For example, HGA must protect personal information in accordance with the Privacy Act. Depending on the specific type of information, it should normally be viewable only by the individual concerned, the individual's supervisors, and personnel and payroll department employees. Such information should also be timely and accurate.

Each week, employees must sign and submit a time sheet that identifies the number of hours they have worked and the amount of leave they have taken. The Time and Attendance Clerk enters the data for a given group of employees and runs an application on the LAN server to verify the data's validity and to ensure that only authorized users with access to the Time and Attendance Clerk's functions can enter time and attendance data. The application performs these security checks by using the LAN server's access control and identification and authentication (I&A) mechanisms. The application compares the data with a limited database of employee information to detect incorrect employee identifiers, implausible numbers of hours worked, and so forth. After correcting any detected errors, the clerk runs another application that formats the time and attendance data into a report, flagging exception/out-of-bound conditions (e.g., negative leave balances).

Department supervisors are responsible for reviewing the correctness of the time sheets of the employees under their supervision and indicating their approval by initialing the time sheets. If they detect significant irregularities and indications of fraud in such data, they must report their findings to the Payroll Office before submitting the time sheets for processing. In keeping with the principle of separation of duty, all data on time sheets and corrections on the sheets that may affect pay, leave, retirement, or other benefits of an individual must be reviewed for validity by at least two authorized individuals (other than the affected individual).

Protection Against Unauthorized Execution

Only users with access to Time and Attendance Supervisor functions may approve and submit time and attendance data -- or subsequent corrections thereof -- to the mainframe. Supervisors may not approve their own time and attendance data.

Only the System Administrator has been granted access to assign a special access control privilege to server programs. As a result, the server's operating system is designed to prevent a bogus time and attendance application created by any other user from communicating with the WAN and, hence, with the mainframe.

The time and attendance application is supposed to be configured so that the clerk and supervisor functions can only be carried out from specific PCs attached to the LAN and only during normal working hours. Administrators are not authorized to exercise functions of the time and attendance application apart from those concerned with configuring the accounts, passwords, and access permissions for clerks and supervisors. Administrators are expressly prohibited by policy from entering, modifying, or submitting time and attendance data via the time and attendance application or other mechanisms.

Protection against unauthorized execution of the time and attendance application depends on I&A and access controls. While the time and attendance application is accessible from any PC, unlike most programs run by PC users, it does not execute directly on the PC's processor. Instead, it executes on the server, while the PC behaves as a terminal, relaying the user's keystrokes to the server and displaying text and graphics sent from the server. The reason for this approach is that common PC systems do not provide I&A and access controls and, therefore, cannot protect against unauthorized time and attendance program execution. Any individual who has access to the PC could run any program stored there.

Another possible approach is for the time and attendance program to perform I&A and access control on its own by requesting and validating a password before beginning each time and attendance session. This approach, however, can be defeated easily by a moderately skilled programming attack, and was judged inadequate by HGA during the application's early design phase.

Recall that the server is a more powerful computer equipped with a multiuser operating system that includes password-based I&A and access controls. Designing the time and attendance application program so that it executes on the server under the control of the server's operating system provides a more effective safeguard against unauthorized execution than executing it on the user's PC.
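The clerk's validation checks and the separation-of-duty approval rules described in this chapter, as an added example that is not code from the NIST Handbook or HGA. The employee records, role assignments and the 80-hour plausibility bound are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): the limited employee database the
# clerk's application compares time sheets against, plus role assignments.
EMPLOYEES = {
    "E100": {"name": "A. Clerk", "supervisor": "E300", "leave_balance": 16.0},
    "E200": {"name": "B. Worker", "supervisor": "E300", "leave_balance": 4.0},
    "E300": {"name": "C. Super", "supervisor": "E900", "leave_balance": 40.0},
}
ROLES = {"E100": "clerk", "E300": "supervisor", "E900": "supervisor", "E500": "admin"}
MAX_HOURS_PER_WEEK = 80.0   # plausibility bound for hours worked (assumed value)

@dataclass
class TimeSheet:
    employee_id: str
    hours_worked: float
    leave_taken: float
    approvals: list = field(default_factory=list)  # reviewers who initialed

def validate(sheet):
    """Clerk-side validation: return the list of exception conditions found
    (unknown employee, implausible hours, negative leave balance)."""
    emp = EMPLOYEES.get(sheet.employee_id)
    if emp is None:
        return ["unknown employee identifier"]
    problems = []
    if not 0 <= sheet.hours_worked <= MAX_HOURS_PER_WEEK:
        problems.append("implausible hours worked")
    if sheet.leave_taken < 0 or emp["leave_balance"] - sheet.leave_taken < 0:
        problems.append("negative leave balance")
    return problems

def approve(sheet, reviewer_id):
    """Record one reviewer's approval, enforcing the rules in the text: only
    supervisor functions may approve (so clerks and administrators are
    refused), nobody approves their own data, and a reviewer counts once."""
    if ROLES.get(reviewer_id) != "supervisor":
        raise PermissionError("only Time and Attendance Supervisor functions may approve")
    if reviewer_id == sheet.employee_id:
        raise PermissionError("supervisors may not approve their own data")
    if reviewer_id in sheet.approvals:
        raise PermissionError("the same reviewer cannot count twice")
    sheet.approvals.append(reviewer_id)

def ready_to_submit(sheet):
    """Separation of duty: at least two authorized reviewers other than the
    affected individual, and no open exception conditions."""
    return len(sheet.approvals) >= 2 and not validate(sheet)
```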

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.