Internet Banking News

August 6, 2017

Newsletter Content	FFIEC IT Security	FFIEC & ADA Web Site Audits
Web Site Compliance	NIST Handbook	Penetration Testing

Does Your Financial Institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - The FDIC, NCUA, and the OCC do not have a requirement that financial institutions change third-party vendors on a periodic basis. Any such decision would be up to the bank's management. Refer to http://www.yennik.com/fdic_10-18-16_rotation_letter.pdf, http://www.yennik.com/ncua_12-21-16_rotation_letter.pdf, and at http://www.yennik.com/occ_10-12-16_rotation_letter.pdf.

FYI - What's a Good Cybersecurity Budget & How Do I Get It? - Fighting for a departmental budget is never easy — and when your team is responsible for the company's cybersecurity, it feels all the more vital. https://www.scmagazine.com/whats-a-good-cybersecurity-budget-how-do-i-get-it/article/672371/

Chip to be embedded in employees can't be hacked, co. says - A company looking to embed chips in the hands of employees so they can use snack kiosks, log into computers and gain entry into company facilities says it will use encryption to protect data and that GPS data won't be collected. https://www.scmagazine.com/a-plan-to-embed-chips-in-employees-hands-raises-privacy-concerns/article/678052/

Diagnosing employee phishing weaknesses key to improving email security - Administering a phishing test and training without knowing an employee's weakness is not only ineffective and expensive, but unlikely to teach workers how to avoid a phishing attack. https://www.scmagazine.com/diagnosing-employee-phishing-weaknesses-key-to-improving-email-security/article/678080/

Election tech hacked within hours at DEF CON Voting Village - In response to growing fears that future U.S. elections could be altered by nation-state hackers, DEF CON 25 this year hosted its first-ever Voting Village, where attendees were invited to tinker with election technology and exploit their vulnerabilities. https://www.scmagazine.com/election-tech-hacked-within-hours-at-def-con-voting-village/article/678454/

Two Swedish officials resign over data breach fallout - Two senior Swedish government officials have resigned in response to a data breach stemming from the country's Transport Agency. https://www.scmagazine.com/two-swedish-officials-resign-over-data-breach-fallout/article/678191/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - IRS fails to resolve dozens of information security deficiencies, GAO says - The IRS's ability to protect sensitive financial and taxpayer data is limited by its failure to resolve numerous information security deficiencies identified by the Government Accountability Office (GAO). http://thehill.com/policy/cybersecurity/344127-irs-fails-to-resolve-dozens-of-information-security-deficiencies-gao

Hack on Italy's largest bank affects 400,000 customers - Data about loan accounts belonging to 400,000 customers of Italy's largest bank has been put at risk by two security breaches. http://www.bbc.com/news/technology-40728447

Virgin America data breach hits employees and contractors - An unauthorized third party managed to gained access to certain Virgin America information systems containing employee and contractor data. https://www.scmagazine.com/virgin-america-data-breach-hits-employees-and-contractors/article/678201/

Anthem reports 18,500 members involved in new data breach - Anthem Health Insurance is once again reporting a data breach, this time 18,500 members had their records emailed to the private email address of a staffer at a third-party vendor. https://www.scmagazine.com/anthem-reports-18500-members-involved-in-new-data-breach/article/678483/

HBO hacked: Game of Thrones, Ballers, Room 104 content involved - Updated! HBO has been targeted by hackers who have reportedly uploaded to the web upcoming episodes of Ballers, Room 104 along with some written material allegedly from next week's Game of Thrones with a promise to release more shortly. https://www.scmagazine.com/hbo-hacked-game-of-thrones-ballers-room-104-content-involved/article/678678/

Hackers steal Copyfish app from developer's Google Play account - The Chrome version the app Copyfish was compromised to push out ads and spam after an employee for its publisher A9t9 fell for a phishing scam and gave access to the company's Play Store developers account to an unauthorized individual. https://www.scmagazine.com/hackers-steal-copyfish-app-from-developers-google-play-account/article/678654/

Ransomware Attack on Merck Caused Widespread Disruption to Operations - Pharmaceutical giant's global manufacturing, research and sales operations have still not be full restored since the June attacks. http://www.darkreading.com/attacks-breaches/ransomware-attack-on-merck-caused-widespread-disruption-to-operations/d/d-id/1329503

Hackers post info stolen from Mandiant analyst, threaten similar attacks - After leaking data stolen from an analyst working for Mandiant, a hacking group or individual going by the name "31337" is threatening to victimize other cybersecurity experts in similar fashion. https://www.scmagazine.com/hackers-post-info-stolen-from-mandiant-analyst-threaten-similar-attacks/article/679498/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (11 of 12)

Last week's best practices focused on the more common criteria that have been noted in actual IRPs, but some banks have developed other effective incident response practices. Examples of these additional practices are listed below. Organizations may want to review these practices and determine if any would add value to their IRPs given their operating environments.

Additional IRP Best Practices

1) Test the incident response plan (via walkthrough or tabletop exercises) to assess thoroughness.
2) Implement notices on login screens for customer information systems to establish a basis for disciplinary or legal action.
3) Develop an incident grading system that quantifies the severity of the incident, helps determine if the incident response plan needs to be activated, and specifies the extent of notification escalation.
4) Provide periodic staff awareness training on recognizing potential indicators of unauthorized activity and reporting the incident through proper channels. Some institutions have established phone numbers and e-mail distribution lists for reporting possible incidents.
5) Inform users about the status of any compromised system they may be using.
6) Establish a list of possible consultants, in case the bank does not have the expertise to handle or investigate the specific incident (especially regarding technical compromises).
7) Establish evidence-gathering and handling procedures aimed at preserving evidence of the incident and aiding in prosecution activities.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Operational Anomalies

Operational anomalies may be evidence of a broad number of issues, one of which is potential intrusion. Anomalies that act as intrusion-warning indicators fall into two categories, those apparent in system processing, and those apparent outside the system.

System processing anomalies are evident in system logs and system behavior. Good identification involves pre-establishing which system processing data streams will be monitored for anomalies, defining which anomalies constitute an indicator of an intrusion, and the frequency of the monitoring. For example, remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors. System behavior covers a broad range of issues, from CPU utilization to network traffic protocols, quantity and destinations. One example of a processing anomaly is CPU utilization approaching 100% when the scheduled jobs typically require much less. Anomalous behavior, however, may not signal an intrusion.

Outside the system, detection is typically based on system output, such as unusual Automated Clearing House transactions or bill payment transactions. Those unusual transactions may be flagged as a part of ordinary transaction reviews, or customers and other system users may report them. Customers and other users should be advised as to where and how to report anomalies. The anomalous output, however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot monitoring, and anomalous system behavior assists in the intrusion identification process. Any intrusion reporting should use out-of-band communications mechanisms to protect the alert from being intercepted or compromised by an intruder.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

11.7 Interdependencies

Since all controls help to prevent contingencies, there is an interdependency with all of the controls in the handbook.

Risk Management provides a tool for analyzing the security costs and benefits of various contingency planning options. In addition, a risk management effort can be used to help identify critical resources needed to support the organization and the likely threat to those resources. It is not necessary, however, to perform a risk assessment prior to contingency planning, since the identification of critical resources can be performed during the contingency planning process itself.

Physical and Environmental Controls help prevent contingencies. Although many of the other controls, such as logical access controls, also prevent contingencies, the major threats that a contingency plan addresses are physical and environmental threats, such as fires, loss of power, plumbing breaks, or natural disasters.

Incident Handling can be viewed as a subset of contingency planning. It is the emergency response capability for various technical threats. Incident handling can also help an organization prevent future incidents.

Support and Operations in most organizations includes the periodic backing up of files. It also includes the prevention and recovery from more common contingencies, such as a disk failure or corrupted data files.

Policy is needed to create and document the organization's approach to contingency planning. The policy should explicitly assign responsibilities.

11.8 Cost Considerations

The cost of developing and implementing contingency planning strategies can be significant, especially if the strategy includes contracts for backup services or duplicate equipment. There are too many options to discuss cost considerations for each type.
One contingency cost that is often overlooked is the cost of testing a plan. Testing provides many benefits and should be performed, although some of the less expensive methods (such as a review) may be sufficient for less critical resources.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.