R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

August 11, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool's resilience-testing requirements.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.


FYI - DOD continues to buy products it knows have cybersecurity vulnerabilities - The Department of Defense continues to buy millions of dollars in commercial off-the-shelf technology with known cybersecurity vulnerabilities, a watchdog report published last week found. https://www.fedscoop.com/defense-department-known-cyber-vulnerabilities-lenovo-lexmark-gopro/

THE THREAT OF ONLINE SKIMMING TO PAYMENT SECURITY - The PCI Security Standards Council and the Retail & Hospitality ISAC want to highlight an emerging threat that requires urgent awareness and attention.
https://www.darkreading.com/attacks-breaches/pci-security-council-retail-isac-warn-retailers-on-magecart-attacks/d/d-id/1335420
https://www.pcisecuritystandards.org/pdfs/PCISSC_Magecart_Bulletin_RHISAC_FINAL.pdf

Fiendish Amavaldo banking trojan strikes in Mexico after targeting Brazilians - Researchers this year discovered a pair of malicious campaigns that attempted to distribute the recently discovered Amavaldo banking trojan to Brazilians and Mexicans, respectively. https://www.scmagazine.com/home/security-news/cybercrime/fiendish-amavaldo-banking-trojan-strikes-in-mexico-after-targeting-brazilians/

Flaws in Visa contactless cards allow for bypass of anti-fraud checks, researchers warn - Researchers say they discovered a technique for exploiting Visa contactless cards that could allow attackers to bypass a pair of anti-fraud "payment checks" that normally require a purchaser's verification. https://www.scmagazine.com/home/security-news/vulnerabilities/flaws-in-visa-contactless-cards-allow-for-bypass-of-anti-fraud-checks-researchers-warn/

Cisco to pay $8.6 million for selling vulnerable software to US government - Danish contractor gets $1.6 million of the final settlement for reporting Cisco to the US government. https://www.zdnet.com/article/cisco-to-pay-8-6-million-for-selling-vulnerable-software-to-us-government/

Cabarrus County Government Targeted in Social Engineering Scam - Cabarrus County officials released details of a social engineering scam that diverted a $2,504,601 vendor payment made by the County. Of that total, $1,728,082.60 remains missing. http://www.cabarrusmagazine.com/2019/07/30/211731/cabarrus-county-government-targeted-in-social-engineering-scam

Judge Gives Go-Ahead for Settlement of Premera Breach Case - A federal judge in Oregon has granted preliminary approval for a $74 million settlement of a consolidated class action lawsuit against health insurer Premera Blue Cross stemming from a 2014 data breach that affected 11 million individuals. http://www.govinfosecurity.com/judge-gives-go-ahead-for-settlement-premera-breach-case-a-12865

Pearson data breach impacts thousands of university accounts - London-based educational software maker Pearson reported on Wednesday a data breach involving about 13,000 school and university AIMSweb 1.0 accounts. https://www.scmagazine.com/home/security-news/data-breach/pearson-data-breach-involves-thousands-of-university-accounts/

Two Deer Valley Resort restaurants hit with POS data breach - The Mariposa and the Royal Street Café in Deer Valley, Colo., are informing customers that their payment card information may have been compromised after an unauthorized party hacked the point-of-sale system of a resort operator that runs both restaurants. https://www.scmagazine.com/home/retail/two-deer-valley-resort-restaurants-hit-with-pos-data-breach/

Monzo updates apps after incorrectly storing banking customer PINs - The U.K.-based digital bank Monzo Sunday disclosed that it has fixed an error that caused certain customers’ PIN codes to be stored in a less secure area of its internal systems. https://www.scmagazine.com/home/security-news/monzo-updates-apps-after-incorrectly-storing-banking-customer-pins/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Cyberattack forces Houston County schools to postpone opening day - Several thousand school children in Alabama had their summer vacation extended by two weeks as the Houston County School District was forced for the second time to delay opening day due to a cyberattack. https://www.scmagazine.com/home/security-news/malware/cyberattack-forces-houston-county-schools-to-postpone-opening-day/

We've, um, changed our password policy, says CafePress amid reports of 23m pwned accounts - Three-quarters of email addys already in breach database - Twee T-shirts 'n' merch purveyor CafePress had 23 million user records swiped – reportedly back in February – and this morning triggered a mass password reset, calling it a change in internal policy. https://www.theregister.co.uk/2019/08/05/cafebreach_breach_23m_user_records/

 


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 2 of 3)

3. Banks should adopt appropriate procedures for ensuring the adequacy of contracts governing e-banking. Contracts governing outsourced e-banking activities should address, for example, the following:

   a)  The contractual liabilities of the respective parties, as well as responsibilities for making decisions, including any sub-contracting of material services, are clearly defined.

   b)  Responsibilities for providing information to and receiving information from the service provider are clearly defined. Information from the service provider should be timely and comprehensive enough to allow the bank to adequately assess service levels and risks. Materiality thresholds and procedures to be used to notify the bank of service disruptions, security breaches and other events that pose a material risk to the bank should be spelled out.

   c)  Provisions that specifically address insurance coverage, the ownership of the data stored on the service provider's servers or databases, and the right of the bank to recover its data upon expiration or termination of the contract should be clearly defined.

   d)  Performance expectations, under both normal and contingency circumstances, are defined.

   e)  Adequate means and guarantees, for instance through audit clauses, are defined to ensure that the service provider complies with the bank's policies.

   f)  Provisions are in place for timely and orderly intervention and rectification in the event of substandard performance by the service provider.

   g)  For cross-border outsourcing arrangements, it is determined which country's laws and regulations, including those relating to privacy and other customer protections, are applicable.

   h)  The right of the bank to conduct independent reviews and/or audits of security, internal controls and business continuity and contingency plans is explicitly defined.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

  SECURITY CONTROLS - IMPLEMENTATION

  PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of 2)

  Physical security for distributed IS, particularly LANs, which are usually PC-based, differs somewhat from that for mainframe platforms. With a network there is often no centralized computer room, and the network often extends beyond the local premises. Certain components still need physical security: the hardware devices, and the software and data that may be stored on file servers, PCs, or removable media (tapes and disks). As in more secure IS environments, physical network security should prevent unauthorized personnel from accessing LAN devices or the data they transmit. For wire-transfer clients, more extensive physical security is required.

  Physical protection for networks as well as PCs includes power protection, physical locks, and secure work areas enforced by security guards and authentication technologies such as magnetic badge readers. Physical access to the network components (files, applications, communications equipment, etc.) should be limited to those who require it to perform their jobs. Network workstations or PCs should be password protected and monitored for workstation activity.

  Network wiring requires some form of protection, since it does not have to be physically penetrated for the data it carries to be revealed or contaminated. Examples of controls include encasing the wiring in conduit, avoiding routes through publicly accessible areas, and avoiding routing network cables in close proximity to power cables. The type of wiring can also provide a degree of protection; signals over fiber, for instance, are less susceptible to interception than signals over copper cable.

  Capturing radio frequency emissions can also compromise network security. Emissions are of two types, intentional and unintentional. Intentional emissions are those broadcast, for instance, by a wireless network. Unintentional emissions are the normally occurring radiation from monitors, keyboards, disk drives, and other devices. Shielding is a primary control over emissions; its goal is to confine a signal to a defined area. An example of shielding is the use of foil-backed wallboard and window treatments. Once a signal is confined to a defined area, additional controls can be implemented in that area to further minimize the risk that the signal will be intercepted or changed.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.4.5 Protection Against Network-Related Threats

HGA's current set of external network safeguards has only been in place for a few months. The basic approach is to tightly restrict the kinds of external network interactions that can occur by funneling all traffic to and from external networks through two interfaces that filter out unauthorized kinds of interactions. As indicated in Figure 20.1, the two interfaces are the network router and the LAN server. The only kinds of interactions that these interfaces allow are (1) e-mail and (2) data transfers from the server to the mainframe controlled by a few special applications (e.g., the time and attendance application).

Figure 20.1 shows that the network router is the only direct interface between the LAN and the Internet. The router is a dedicated special-purpose computer that translates between the protocols and addresses associated with the LAN and the Internet. Internet protocols, unlike those used on the WAN, specify that packets of information coming from or going to the Internet must carry an indicator of the kind of service that is being requested or used to process the information. This makes it possible for the router to distinguish e-mail packets from other kinds of packets--for example, those associated with a remote login request. The router has been configured by COG to discard all packets coming from or going to the Internet, except those associated with e-mail. COG personnel believe that the router effectively eliminates Internet-based attacks on HGA user accounts because it disallows all remote log-in sessions, even those accompanied by a legitimate password.
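The router policy described above, as an added example that is not part of the NIST Handbook or the HGA case study: a minimal first-match packet filter in Python that permits only e-mail (SMTP, TCP port 25) across the Internet interface and discards everything else, including remote logins. The LAN range, the mail-relay address, the rule names and the sample packets are constructed assumptions for the illustration; the established_only check stands in for the stateless "established" keyword of a classic router access list, matching only reply segments (ACK set, SYN clear).

```python
# Added example (not NIST Handbook code): a first-match packet filter that
# keeps only e-mail crossing HGA's Internet router. Addresses are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

LAN = ip_network("10.0.0.0/24")   # assumed HGA LAN
MAIL_RELAY = "10.0.0.25"          # assumed address of HGA's mail server
SMTP = 25

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    direction: str                   # "inbound" (Internet -> LAN) or "outbound"
    proto: Optional[str] = None      # None matches any value, here and below
    sport: Optional[int] = None
    dport: Optional[int] = None
    dst: Optional[str] = None
    established_only: bool = False   # only replies: ACK set and SYN clear

# HGA's policy: e-mail and nothing else. The first matching rule decides.
HGA_ROUTER_POLICY: List[Rule] = [
    # Internet mail servers may deliver to the relay, and only to the relay.
    Rule("smtp-in", "permit", "inbound", proto="tcp", dport=SMTP, dst=MAIL_RELAY),
    # The relay may open SMTP connections to any Internet host...
    Rule("smtp-out", "permit", "outbound", proto="tcp", dport=SMTP),
    # ...and the replies come back from port 25 to the relay's ephemeral port.
    Rule("smtp-reply", "permit", "inbound", proto="tcp", sport=SMTP, dst=MAIL_RELAY,
         established_only=True),
    # Everything else is discarded: telnet, rlogin, FTP, any new connection to
    # an ephemeral port. A login request never reaches a host, so a stolen
    # password is useless from the Internet side.
    Rule("deny-all-inbound", "deny", "inbound"),
    Rule("deny-all-outbound", "deny", "outbound"),
]

def direction_of(pkt: Packet) -> Optional[str]:
    """Classify relative to the LAN; None means the packet never crosses the router."""
    src_inside = ip_address(pkt.src) in LAN
    dst_inside = ip_address(pkt.dst) in LAN
    if dst_inside and not src_inside:
        return "inbound"
    if src_inside and not dst_inside:
        return "outbound"
    return None

def matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """Every field the rule specifies must agree with the packet header."""
    return all((
        rule.direction == direction,
        rule.proto in (None, pkt.proto),
        rule.sport in (None, pkt.sport),
        rule.dport in (None, pkt.dport),
        rule.dst is None or ip_address(rule.dst) == ip_address(pkt.dst),
        not rule.established_only or ("ACK" in pkt.flags and "SYN" not in pkt.flags),
    ))

def filter_packet(pkt: Packet, policy: List[Rule] = HGA_ROUTER_POLICY) -> Tuple[str, str]:
    """(action, rule name) of the first match; traffic that is not routed is dropped."""
    direction = direction_of(pkt)
    if direction is None:
        return ("deny", "not-routed")
    for rule in policy:
        if matches(rule, pkt, direction):
            return (rule.action, rule.name)
    return ("deny", "implicit-deny")   # unreachable with the policy above; safety net

# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("203.0.113.7", MAIL_RELAY, "tcp", 40000, SMTP, frozenset({"SYN"})),   # mail delivery
    Packet("203.0.113.7", "10.0.0.50", "tcp", 40001, 23, frozenset({"SYN"})),    # telnet to a PC
    Packet("203.0.113.7", "10.0.0.50", "tcp", 40002, SMTP, frozenset({"SYN"})),  # SMTP to a PC
    Packet(MAIL_RELAY, "198.51.100.9", "tcp", 50000, SMTP, frozenset({"SYN"})),  # relay sends mail
    Packet("198.51.100.9", MAIL_RELAY, "tcp", SMTP, 50000, frozenset({"ACK"})),  # reply to it
    Packet("198.51.100.9", MAIL_RELAY, "tcp", SMTP, 50000, frozenset({"SYN"})),  # new SYN faking port 25
    Packet("10.0.0.50", "198.51.100.9", "tcp", 50001, 23, frozenset({"SYN"})),   # a PC telnets out
]

def audit(traffic: List[Packet] = SAMPLE_TRAFFIC) -> List[Tuple[str, str]]:
    """Verdict for each packet, in order."""
    return [filter_packet(p) for p in traffic]

if __name__ == "__main__":
    for pkt, (action, rule) in zip(SAMPLE_TRAFFIC, audit()):
        print(f"{action:6} {rule:18} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Run stand-alone, the block prints a verdict for each sample packet. Two things are worth noticing. The telnet attempt is dropped before any password is examined, which is exactly the property COG relies on. But the filter looks at headers only: whatever travels inside a permitted SMTP session passes the router untouched, so the mail path is the attack surface that remains, and the e-mail server and its users are where the remaining controls have to sit.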

The LAN server enforces a similar type of restriction for dial-in access via the public-switched network. The access controls provided by the server's operating system have been configured so that during dial-in sessions, only the e-mail utility can be executed. (HGA policy, enforced by periodic checks, prohibits installation of modems on PCs, so that access must be through the LAN server.) In addition, the server's access controls have been configured so that its WAN interface device is accessible only to programs that possess a special access-control privilege. Only the System Administrator can assign this privilege to server programs, and only a handful of special-purpose applications, like the time and attendance application, have been assigned this privilege.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.