R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

July 12, 2015

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense. To receive due diligence information, agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.

FYI - Former Georgia-Pacific sysadmin charged with damaging protected computers - Following his indictment last week by a federal grand jury, a Louisiana man was arrested on Wednesday to face charges of intentionally damaging protected computers belonging to his former employer. http://www.scmagazine.com/louisiana-man-arrested-for-damaging-employers-computers/article/424513/

FYI - Hackers had access to security clearance data for a year - Hackers who breached a database containing highly personal information on government employees with security clearances had access to the system for about a year before being discovered, The Washington Post reported on Friday. http://www.computerworld.com/article/2938654/cybercrime-hacking/hackers-had-access-to-security-clearance-data-for-a-year.html

FYI - OPM Breach Notification Frustrates Hacked Feds - Some victims of the massive hack of federal personnel records expressed fear their privacy might be violated by fraud protection services the government has outsourced to private companies. http://www.nextgov.com/cybersecurity/2015/06/opm-breach-notification-frustrates-hacked-feds/115882/

FYI - Pentagon seeks to hold its IT users more accountable for cyber missteps - The Defense Department has no shortage of regulations designed to encourage and enforce good cybersecurity behavior on its own networks. http://federalnewsradio.com/defense/2015/06/pentagon-seeks-to-hold-its-it-users-more-accountable-for-cyber-missteps/

FYI - Only 27 percent of flaws found in gov't applications fixed - After breaking down application security trends by industry, a security firm found that the government sector ranked lowest in remediating known vulnerabilities. http://www.scmagazine.com/govt-sector-ranks-lowest-in-remediating-vulnerabilities-study-says/article/424861/

FYI - Nearly all Japanese pension system files kept unprotected pre-breach - An investigation into the compromising of Japan's national pension system found that 99 percent of the accessed files were without any sort of password protection. http://www.scmagazine.com/no-passwords-used-in-japanese-pension-system/article/424868/

FYI - FBI updates Most Wanted cyber felons list, offers US$4.2m bounties - Zeus creator has $3m on his head, may be boating on the Black Sea - The mastermind of the Zeus trojan; a car scamming screwball; an identity thief; a malvertiser, and a keylogger monger: nail these five net crims to the wall and the FBI will pay you US$4.2 million. http://www.theregister.co.uk/2015/07/02/42m_for_five_hacker_heads/

FYI - GAO - Information Security: Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies - http://www.gao.gov/products/GAO-15-758T


FYI - Harvard University announces network intrusion, possible data exposure - Harvard University announced that on June 19 an intrusion was discovered on the Faculty of Arts and Sciences (FAS) and Central Administration information technology networks, and that Harvard login credentials may have been exposed. http://www.scmagazine.com/harvard-login-credentials-may-have-been-exposed-in-breach/article/424500/

FYI - Skimmer on Santander Bank ATM vestibule door leads to fraud - Following the May 4 discovery of suspicious ATM withdrawals that occurred the day prior, Santander Bank determined that a magnetic stripe skimming device had been placed on the ATM vestibule door at its Woburn, Mass., branch on 19 Pleasant St. http://www.scmagazine.com/skimmer-on-santander-bank-atm-vestibule-door-leads-to-fraud/article/424347/

FYI - FireKeepers confirms breach, says about 85,000 cards and other info are at risk - Following a May announcement that it was replacing point-of-sale (POS) devices while investigating a potential breach, Michigan-based FireKeepers Casino Hotel confirmed Friday that unauthorized access was gained to its computer systems and personal information – as well as payment card data – may have been compromised. http://www.scmagazine.com/firekeepers-casino-notifies-guests-of-breach-possible-data-compromise/article/424830/

FYI - Hacking Team hacked; leaked documents confirm sale of software to Sudan and Ethiopia - An unknown number of hackers accessed and posted at least 400 GB of the “offensive technology” manufacturer Hacking Team's internal documents, emails, slideshow presentations, and more, on Sunday evening. http://www.scmagazine.com/hacking-team-systems-breached-and-docs-posted-online/article/424860/

FYI - Orlando Health employee improperly accesses patient medical records - Orlando Health announced that a former nursing assistant accessed about 3,200 patient medical records outside of their normal job responsibilities. http://www.scmagazine.com/orlando-health-employee-improperly-accesses-patient-medical-records/article/425120/

FYI - NYSE says trading halted due to 'technical issue,' not breach - Trading on the New York Stock Exchange (NYSE) came to a halt Wednesday.

FYI - Computer glitch grounds all United Airlines flights - A glitch in the computer software that manages United Airlines's automated operations brought the airline's flights to a screeching halt - temporarily - Wednesday morning. http://www.scmagazine.com/united-airlines-grounded-nearly-5k-flights-due-to-computer-glitch/article/425342/

FYI - Foreign hackers briefly commandeer German missile systems - A German missile system was reportedly hacked and taken over by unknown foreign attackers who executed “unexplained commands.” http://www.scmagazine.com/patriot-missile-system-vulnerable-to-cyber-attack/article/425609/

FYI - Detroit Zoo, eight others across the country experience POS breach - The Detroit Zoo along with eight other zoos across the country announced that Service Systems Associates (SSA), a third party vendor that handles retail and concession payments, experienced a point-of-sale (POS) breach that affected customers between March 23 and June 25 of this year. http://www.scmagazine.com/pos-breach-at-detroit-zoo-and-eight-other-zoos-nationwide/article/425607/


Risk Management of Outsourced Technology Services (Part 4 of 4)
 Service Provider Oversight
 Institutions should implement an oversight program to monitor each service provider’s controls, condition, and performance. Responsibility for the administration of the service provider relationship should be assigned to personnel with appropriate expertise to monitor and manage the relationship. The number of personnel, functional responsibilities, and the amount of time devoted to oversight activities will depend, in part, on the scope and complexity of the services outsourced. Institutions should document the administration of the service provider relationship. Documenting the process is important for contract negotiations, termination issues, and contingency planning.
 The board of directors and management are responsible for ensuring adequate risk mitigation practices are in place for effective oversight and management of outsourcing relationships. Financial institutions should incorporate an outsourcing risk management process that includes a risk assessment to identify the institution’s needs and requirements; proper due diligence to identify and select a provider; written contracts that clearly outline duties, obligations and responsibilities of the parties involved; and ongoing oversight of outsourcing technology services.


We continue the series from the FDIC "Security Risks Associated with the Internet."

 Logical Access Controls 
A primary concern in controlling system access is the safeguarding of user IDs and passwords.  The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism. 
 The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder. 

 Security Flaws and Bugs / Active Content Languages 
Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications. 
 Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.

 Viruses / Malicious Programs
 Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -

20.4.6 Protection Against Risks from Non-HGA Computer Systems

HGA relies on systems and components that it cannot control directly because they are owned by other organizations. HGA has developed a policy to avoid undue risk in such situations. The policy states that system components controlled and operated by organizations other than HGA may not be used to process, store, or transmit HGA information without obtaining explicit permission from the application owner and the COG Manager. Permission to use such system components may not be granted without written commitment from the controlling organization that HGA's information will be safeguarded commensurate with its value, as designated by HGA. This policy is somewhat mitigated by the fact that HGA has developed an issue-specific policy on the use of the Internet, which allows for its use for e-mail with outside organizations and access to other resources (but not for transmission of HGA's proprietary data).

20.5 Vulnerabilities Reported by the Risk Assessment Team

The risk assessment team found that many of the risks to which HGA is exposed stem from (1) the failure of individuals to comply with established policies and procedures or (2) the use of automated mechanisms whose assurance is questionable because of the ways they have been developed, tested, implemented, used, or maintained. The team also identified specific vulnerabilities in HGA's policies and procedures for protecting against payroll fraud and errors, interruption of operations, disclosure and brokering of confidential information, and unauthorized access to data by outsiders.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated