R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 24, 2014

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - In wake of hacks, incident response efforts weak in enterprise - Only 9 percent say they have a handle on the issue, according to SANS Institute survey. In the wake of Russian hackers making off with 1.2 billion users names and passwords from 420,000 web sites, many organizations say they have ineffective incident response to deal with such circumstances, according to a SANS Institute survey. http://www.zdnet.com/in-wake-of-hacks-incident-response-efforts-weak-in-enterprise-7000032638/

FYI - Korea introduces security readiness guideline for private sector - Summary: Korea has announced a new information security readiness evaluation index to promote better security awareness in the nation’s private sector, reports ZDNet Korea’s Jaehwan Cho. The Ministry of Science, ICT, and Future Planning and the Korea Internet & Security Agency (KISA) hosted a conference in Seoul on Wednesday 13 August to explain details about the information security readiness system. http://www.zdnet.com/korea-introduces-security-readiness-guideline-for-private-sector-7000032626/

FYI - Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously - Edward Snowden has made us painfully aware of the government’s sweeping surveillance programs over the last year. But a new program, currently being developed at the NSA, suggests that surveillance may fuel the government’s cyber defense capabilities, too. http://www.wired.com/2014/08/nsa-monstermind-cyberwarfare/

FYI - Weak password trend persists in the enterprise, study says - Even though policies may be in place when it comes to password usage in the workplace, they haven't had much of an effect on their strength, according to a recent study. http://www.scmagazine.com/weak-password-trend-persists-in-the-enterprise-study-says/article/366580/

FYI - Delaware becomes first state to give heirs broad digital assets access - Meet the "Fiduciary Access to Digital Assets and Digital Accounts Act." Delaware has become the first state in the US to enact a law that ensures families’ rights to access the digital assets of loved ones during incapacitation or after death. http://arstechnica.com/tech-policy/2014/08/delaware-becomes-first-state-to-give-heirs-broad-digital-assets-access/

FYI - Health care breaches continue to rise, over 30M affected - As breaches hitting the health care industry continue to ramp up, more than 30 million individuals have been affected by these incidents. http://www.scmagazine.com/health-care-breaches-continue-to-rise-over-30m-affected/article/367245/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - SUPERVALU, AB Acquisition announce payment card breaches at grocery chains - Minnesota-based SUPERVALU announced on Thursday that anyone who ran their credit and debit cards through point-of-sale (POS) devices in more than 200 of its nationwide shops may have had personal information – notably payment card data – stolen in a breach. http://www.scmagazine.com/supervalu-ab-acquisition-announce-payment-card-breaches-at-grocery-chains/article/366562/

FYI - Mother sues Rady Children's Hospital, claims daughter's records revealed - A mother is filing a lawsuit against Rady Children's Hospital after a security breach resulted in her daughter's sensitive medical records being exposed, according to the ABC local news affiliate in San Diego. http://www.scmagazine.com/mother-sues-rady-childrens-hospital-claims-daughters-records-revealed/article/366586/

FYI - Russian Prime Minister's Twitter account hacked - On Thursday morning, the Twitter account belonging to Russian Prime Minister Dmitry Medvedev was hacked, according to a Thursday report by The Moscow Times. http://www.scmagazine.com/russian-prime-ministers-twitter-account-hacked/article/366553/

FYI - Community Health Systems breach may impact more than four million patients - The personal information of more than four million patients may be at risk after an attacker hacked into the computer network of hospital operator Community Health Systems sometime in April and June, according to reports. http://www.scmagazine.com/community-health-systems-breach-may-impact-more-than-four-million-patients/article/366811/

FYI - Nuke Regulator Hacked by Suspected Foreign Powers - Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation. http://www.nextgov.com/cybersecurity/2014/08/exclusive-nuke-regulator-hacked-suspected-foreign-powers/91643/?oref=ng-HPtopstory

FYI - Another breach involving Onsite Health Diagnostics, Kansas City hospital impacted - Children's Mercy Hospital in Kansas City is notifying 4,076 individuals that Onsite Health Diagnostics, a vendor used by wellness program provider StayWell Health Management, experienced a breach that affected their personal information. http://www.scmagazine.com/another-breach-involving-onsite-health-diagnostics-kansas-city-hospital-impacted/article/366995/

FYI - FBI begins investigation into 1.2 billion stolen credentials - The U.S. Federal Bureau of Investigation (FBI) has begun looking into the 1.2 billion stolen logins that were discovered earlier this month. http://www.scmagazine.com/fbi-begins-investigation-into-12-billion-stolen-credentials/article/367209/

FYI - Professor hacks University Health Conway in demonstration for class - Louisiana-based University Health Conway is notifying more than 6,000 patients that a computer science professor from the City College of San Francisco gained access to a server with their personal information while demonstrating computer system vulnerabilities to a class. http://www.scmagazine.com/professor-hacks-university-health-conway-in-demonstration-for-class/article/367123/

FYI - UPS Store hacked, possibly compromising user data - The shipping store discovered malware in the computer systems of 51 US stores in 24 states. Customer credit and debit card information may have been leaked. http://www.cnet.com/news/the-ups-store-is-hacked-user-data-possibly-compromised/

FYI - Hackers breach social network MeetMe - Anyone who logged into social network MeetMe between Aug. 5 and Aug. 7 is being asked to change their password because hackers breached the MeetMe network and compromised certain user information. http://www.scmagazine.com/hackers-breach-social-network-meetme/article/367343/


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 1: The Board of Directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks. (Part 2 of 2)

Finally, the Board and senior management should ensure that its risk management processes for its e-banking activities are integrated into the bank's overall risk management approach. The bank's existing risk management policies and processes should be evaluated to ensure that they are robust enough to cover the new risks posed by current or planned e-banking activities. Additional risk management oversight steps that the Board and senior management should consider taking include:

1) Clearly establishing the banking organization's risk appetite in relation to e-banking.

2) Establishing key delegations and reporting mechanisms, including the necessary escalation procedures for incidents that impact the bank's safety, soundness or reputation (e.g. network penetration, employee security infractions and any serious misuse of computer facilities).

3) Addressing any unique risk factors associated with ensuring the security, integrity and availability of e-banking products and services, and requiring that third parties to whom the bank has outsourced key systems or applications take similar measures.

4) Ensuring that appropriate due diligence and risk analysis are performed before the bank conducts cross-border e-banking activities.

The Internet greatly facilitates a bank's ability to distribute products and services over virtually unlimited geographic territory, including across national borders. Such cross-border e-banking activity, particularly if conducted without any existing licensed physical presence in the "host country," potentially subjects banks to increased legal, regulatory and country risk due to the substantial differences that may exist between jurisdictions with respect to bank licensing, supervision and customer protection requirements. Because of the need to avoid inadvertent non-compliance with a foreign country's laws or regulations, as well as to manage relevant country risk factors, banks contemplating cross-border e-banking operations need to fully explore these risks before undertaking such operations and effectively manage them.

Depending on the scope and complexity of e-banking activities, the scope and structure of risk management programs will vary across banking organizations. Resources required to oversee e-banking services should be commensurate with the transactional functionality and criticality of systems, the vulnerability of networks and the sensitivity of information being transmitted.

INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Security Controls in Application Software

Application development should incorporate appropriate security controls, audit trails, and activity logs. Typical application access controls are addressed in earlier sections. Application security controls should also include validation controls for data entry and data processing. Data entry validation controls include access controls over entry and changes to data, error checks, review of suspicious or unusual data, and dual entry or additional review and authorization for highly sensitive transactions or data. Data processing controls include: batch control totals; hash totals of data for comparison after processing; identification of any changes made to data outside the application (e.g., data-altering utilities); and job control checks to ensure programs run in correct sequence (see the booklet "Computer Operations" for additional considerations).
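As an added illustration of the data processing controls named above (not code from the FFIEC booklet or this newsletter), the following Python computes batch control totals and a hash total at data entry and re-checks them after processing. The sample batch is constructed; it shows why a count and amount total alone miss a change that moves value between records, while the hash total catches it.

```python
import hashlib

# Constructed sample posting batch: (account id, amount in cents).
# Negative amounts are debits; positive amounts are credits.
BATCH = [
    ("ACCT-1001", 12500),
    ("ACCT-1002", -4300),
    ("ACCT-1003", 99900),
]


def control_totals(records):
    """Return the batch control totals: record count, net amount, and a hash total.

    The hash total is a SHA-256 over a canonical serialisation of every record in
    order, so any change to a value, a record, or the record sequence alters it.
    """
    digest = hashlib.sha256()
    for account, amount in records:
        digest.update(f"{account}|{amount}\n".encode("utf-8"))
    return {
        "count": len(records),
        "amount": sum(amount for _, amount in records),
        "hash": digest.hexdigest(),
    }


def verify_batch(records, expected):
    """Recompute the totals after processing and return the names of any that differ.

    An empty list means the batch matches what was captured at data entry.
    """
    actual = control_totals(records)
    return [name for name in ("count", "amount", "hash") if actual[name] != expected[name]]


def demo():
    """Capture totals at entry, then check three post-processing states of the batch."""
    captured = control_totals(BATCH)
    # 1) Untouched batch: every total agrees.
    clean = verify_batch(BATCH, captured)
    # 2) Value moved between two records outside the application: count and net
    #    amount are unchanged, so only the hash total reveals the alteration.
    shifted = [("ACCT-1001", 12500), ("ACCT-1002", -3300), ("ACCT-1003", 98900)]
    moved = verify_batch(shifted, captured)
    # 3) A record dropped before posting: all three totals disagree.
    dropped = verify_batch(BATCH[:2], captured)
    return clean, moved, dropped
```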

Some applications will require the integration of additional authentication and encryption controls to ensure integrity and confidentiality of the data. As customers and merchants originate an increasing number of transactions, authentication and encryption become increasingly important to ensure non-repudiation of transactions.


INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 6 of 6)

Redisclosure and Reuse Limitations on Nonpublic Personal Information Received:

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.

A)  For nonpublic personal information received under a section 14 or 15 exception, the financial institution is limited to:

     1)  Disclosing the information to the affiliates of the financial institution from which it received the information; 

     2)  Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and 

     3)  Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors). 

B)  For nonpublic personal information received other than under a section 14 or 15 exception, the recipient's use of the information is unlimited, but its disclosure of the information is limited to:

     1)  Disclosing the information to the affiliates of the financial institution from which it received the information;

     2)  Disclosing the information to its own affiliates, who may, in turn, disclose the information only to the extent that the financial institution can do so; and

     3)  Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list (1) in accordance with the privacy policy of the financial institution that provided the list, (2) subject to any opt out election or revocation by the consumers on the list, and (3) in accordance with appropriate exceptions under sections 14 and 15.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated