R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 26, 2015

Newsletter Content FFIEC IT Security Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- Alleged JPMorgan hack leaders arrested - The FBI promised to be nearing the official filing of charges against the perpetrators of the JPMorgan Chase data breach, and on Tuesday, they made good on that vow. http://www.scmagazine.com/israeli-and-american-men-arrested-in-connection-to-financial-breach/article/427961/

FYI - United hackers given million free flight miles - US airline United has rewarded two hackers who spotted security holes in its website with a million free flight miles each. http://www.bbc.com/news/technology-33552195

FYI - Israel, US commit to beef up cybersecurity cooperation - US Homeland Security deputy visits Jewish state to bolster ties in high-tech research and development - The US deputy secretary of Homeland Security and the top Israeli official handling cybersecurity have cosigned a statement committing to US-Israel cooperation in the area. http://www.timesofisrael.com/israel-us-commit-to-beef-up-cybersecurity-cooperation/

FYI - Zero-day in Fiat Chrysler feature allows remote control of vehicles - Fiat Chrysler owners should update their vehicles' software after a pair of security researchers were able to exploit a zero-day vulnerability to remotely control the vehicle's the engine, transmission, wheels and brakes among other systems. http://www.scmagazine.com/researchers-discover-an-exploit-in-uconnect-enabled-fiat-chrysler-vehicles-that-allows-control-over-vehicle/article/427651/

FYI - Black Hat 2015 attendees most concerned about targeted attacks - In a survey of 460 management and staff security professionals attending the upcoming Black Hat 2015 conference, 57 percent indicated that sophisticated attacks targeted directly at the organization is their greatest concern. http://www.scmagazine.com/more-than-half-of-460-black-hat-2015-attendees-surveyed-worry-over-targeted-attacks/article/427688/

FYI - Free security tools help detect Hacking Team malware - Sensitive information exposed in the Hacking Team leaks – more than 400 GB worth of zero-day vulnerabilities, other threats and more – has spurred Rook Security and Facebook to each release free security tools. http://www.scmagazine.com/rook-security-facebook-release-free-security-tools-in-response-to-hacking-team-leaks/article/427682/

FYI - OPM rewrites privacy policy to allow for system investigations - Following a pair of massive data breaches, The Office of Personnel Management (OPM) rewrote its privacy regulations to allow legislators and outside entities to look through its databases for signs of data breaches. http://www.scmagazine.com/opm-breaches-lead-to-rewritten-privacy-regulations/article/427653/

FYI - FTC alleges LifeLock violated 2010 settlement by lying about security measures - The Federal Trade Commission (FTC) is investigating LifeLock a second time for allegedly making false claims about its identity protection services and failing to implement the required steps to protect its customers' data. http://www.scmagazine.com/lifelock-investigated-by-ftc-for-second-time-for-making-false-claims-about-security-measures/article/427919/

FYI - Japan to train thousands on cyber-security ahead of 2020 Olympics - According to local newspaper Nikkei, Japan's Ministry of Internal Affairs and Communications has put forward a set of cyber-security proposals in relations to the Games, and intends to request around 20 billion yen (£103 million) in government funding over the four years, starting from fiscal 2016. http://www.scmagazine.com/japan-to-train-thousands-on-cyber-security-ahead-of-2020-olympics/article/428048/


FYI - Ohio inmate caught with prison administrative login credentials - An Ohio inmate was caught on Friday with administrative login credentials for the computer system at Lebanon Correctional Intuition.

FYI - UCLA Health attacked, data on up to 4.5 million individuals at risk - UCLA Health announced on Friday that attackers accessed parts of its network containing personal and medical information on as many as 4.5 million individuals. http://www.scmagazine.com/ucla-health-attacked-data-on-up-to-45-million-individuals-at-risk/article/427119/

FYI - CVS investigating possible payment card breach, shuts down photo website - CVS has shut down its CVSPhoto.com website as it investigates a potential payment card breach.

FYI - Hackers of cheaters' site Ashley Madison threaten to expose user profiles - Hackers who broke into the site are reportedly threatening to post stolen user information every day the "discreet" affair network remains online. Extramarital dating site Ashley Madison has been hacked, with millions of users' information potentially at risk of exposure. http://www.cnet.com/news/hackers-of-cheaters-site-ashley-madison-threaten-to-expose-user-profiles/

FYI - UK data retention scheme ruled unlawful - The UK High Court has ruled that Britain's DRIPA data retention scheme is "inconsistent" with European law. The government warns losing access to metadata could cost lives. Britain's Data Retention and Investigative Powers Act has been ruled unlawful by the UK's High Court of Justice, after the digital surveillance scheme was deemed "inconsistent with European Union Law." http://www.cnet.com/news/uk-dripa-data-retention-scheme-deemed-unlawful-by-high-court/

FYI - Alfa Insurance: data on 86K individuals inadvertently made accessible to internet - Alfa Specialty Insurance Corporation and Alfa Vision Insurance Corporation are notifying around 86,000 individuals that their personal information was inadvertently made accessible to the internet. http://www.scmagazine.com/alfa-insurance-data-on-86k-individuals-inadvertently-made-accessible-to-internet/article/427539/

FYI - Personal data on laptop stolen from attorney with California law firm - A California-based law firm is notifying an undisclosed number of individuals that a personal laptop computer owned by an attorney from the firm was stolen, and their personal information may have been compromised. http://www.scmagazine.com/personal-data-on-laptop-stolen-from-attorney-with-california-law-firm/article/428222/

Return to the top of the newsletter

Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Technical and Industry Expertise

• Assess the service provider’s experience and ability to provide the necessary services and supporting technology for current and anticipated needs.
• Identify areas where the institution would have to supplement the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or partners that would be used to support the outsourced operations.
• Evaluate the experience of the service provider in providing services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and work are necessary.
• Evaluate the service provider’s ability to respond to service disruptions.
• Contact references and user groups to learn about the service provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned to support the institution.
• Perform on-site visits, where necessary, to better understand how the service provider operates and supports its services.

Return to the top of the newsletter

We continue the series  from the FDIC "Security Risks Associated with the Internet." 

 Encryption, or cryptography, is a method of converting information to an unintelligible code.  The process can then be reversed, returning the information to an understandable form. The information is encrypted (encoded) and decrypted (decoded) by what are commonly referred to as "cryptographic keys." These "keys" are actually values, used by a mathematical algorithm to transform the data. The effectiveness of encryption technology is determined by the strength of the algorithm, the length of the key, and the appropriateness of the encryption system selected.

 Because encryption renders information unreadable to any party without the ability to decrypt it, the information remains private and confidential, whether being transmitted or stored on a system. Unauthorized parties will see nothing but an unorganized assembly of characters.  Furthermore, encryption technology can provide assurance of data integrity as some algorithms offer protection against forgery and tampering. The ability of the technology to protect the information requires that the encryption and decryption keys be properly managed by authorized parties.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -

20.5.2 Vulnerabilities Related to Payroll Errors

HGA's management has established procedures for ensuring the timely submission and interagency coordination of paperwork associated with personnel status changes. However, an unacceptably large number of troublesome payroll errors during the past several years has been traced to the late submission of personnel paperwork. The risk assessment documented the adequacy of HGA's safeguards, but criticized the managers for not providing sufficient incentives for compliance.

20.5.3 Vulnerabilities Related to Continuity of Operations

COG Contingency Planning

The risk assessment commended HGA for many aspects of COG's contingency plan, but pointed out that many COG personnel were completely unaware of the responsibilities the plan assigned to them. The assessment also noted that although HGA's policies require annual testing of contingency plans, the capability to resume HGA's computer-processing activities at another cooperating agency has never been verified and may turn out to be illusory.

Division Contingency Planning

The risk assessment reviewed a number of the application-oriented contingency plans developed by HGA's divisions (including plans related to time and attendance). Most of the plans were cursory and attempted to delegate nearly all contingency planning responsibility to COG. The assessment criticized several of these plans for failing to address potential disruptions caused by lack of access to (1) computer resources not managed by COG and (2) nonsystem resources, such as buildings, phones, and other facilities. In particular, the contingency plan encompassing the time and attendance application was criticized for not addressing disruptions caused by WAN and mainframe outages.

Virus Prevention

The risk assessment found HGA's virus-prevention policy and procedures to be sound, but noted that there was little evidence that they were being followed. In particular, no COG personnel interviewed had ever run a virus scanner on a PC on a routine basis, though several had run them during publicized virus scares. The assessment cited this as a significant risk item.

Accidental Corruption and Loss of Data

The risk assessment concluded that HGA's safeguards against accidental corruption and loss of time and attendance data were adequate, but that safeguards for some other kinds of data were not. The assessment included an informal audit of a dozen randomly chosen PCs and PC users in the agency. It concluded that many PC users store significant data on their PC's hard disks, but do not back them up. Based on anecdotes, the assessment's authors stated that there appear to have been many past incidents of loss of information stored on PC hard disks and predicted that such losses would continue.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated