R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

August 25, 2013

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Phishing attacks explode and executives are taking the bait - Phishing attacks are growing off the chart, and while we're not surprised by the numbers of attacks we are seeing, the dirty little secret chief security officers don't want to talk about is that the executive team may be the ones putting the company at risk. http://www.scmagazine.com/phishing-attacks-explode-and-executives-are-taking-the-bait/article/306453/?DCMP=EMC-SCUS_Newswire

FYI - Changing IP address to access public website ruled violation of US law - Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act (CFAA), a judge ruled Friday in a case involving Craigslist and 3taps. http://arstechnica.com/tech-policy/2013/08/changing-ip-address-to-access-public-website-ruled-violation-of-us-law/

FYI - Insurer to Schnucks: We won't pay for lawsuits related to your breach - The insurer for Midwestern supermarket chain Schnucks, whose systems were hacked last winter to steal 2.4 million credit card numbers, is claiming in court that the grocer's policy doesn't cover the cost of lawsuits arising from the breach. http://www.scmagazine.com/insurer-to-schnucks-we-wont-pay-for-lawsuits-related-to-your-breach/article/307960/?DCMP=EMC-SCUS_Newswire

FYI - An ongoing debate: Certification or degree? - There's an ongoing debate in the IT field about whether or not you need certifications or degrees to advance in your career. Frankly, it would be easier to answer the chicken and egg problem! Most of the time people will answer “it depends.” http://www.scmagazine.com/an-ongoing-debate-certification-or-degree/article/308104/?DCMP=EMC-SCUS_Newswire

FYI - GAO - Army Networks: Opportunities Exist to Better Utilize Results from Network Integration Evaluations.   http://www.gao.gov/products/GAO-13-711


FYI - Washington Post, CNN and Time websites hit by pro-Assad hackers - Websites belonging to the Washington Post, CNN, and Time magazine have been attacked by supporters of Syrian President Bashar al-Assad. http://www.bbc.co.uk/news/technology-23712007

FYI - U.S. defense contractor sustains data breach - Employees for and applicants to the linguist program of Virginia-based defense contractor Northrop Grumman may have had their sensitive information compromised when a database was accessed by an unauthorized party. http://www.scmagazine.com/us-defense-contractor-sustains-data-breach/article/307498/#

FYI - ‘Maintenance Update,’ Not Hackers, Felled NY Times - The New York Times’ website and corporate email went down sporadically earlier today, fueling widespread speculation the newspaper of record might have been hacked or went offline for traffic-congestion reasons. http://www.wired.com/threatlevel/2013/08/nyt-maintenance-update/

FYI - Several thousand students and staffers affected in Ferris State breach - Tens of thousands of staffers and students may have had their personal information compromised after an unauthorized person dodged network security and gained access to a database at Ferris State University in Michigan. http://www.scmagazine.com/several-thousand-students-and-staffers-affected-in-ferris-state-breach/article/307759/?DCMP=EMC-SCUS_Newswire

FYI - Department of Energy data breach affects thousands - A number of current and past employees at the U.S. Department of Energy (DOE) are being notified in letters that an unauthorized party gained access to their personally identifiable information (PII) on the agency's network. http://www.scmagazine.com/department-of-energy-data-breach-affects-thousands/article/307752/

FYI - Officials investigate scope of Emory University breach - Health information and Social Security numbers are among data that may have been compromised for faculty, staff and students in a data breach at Emory University in Atlanta. http://www.scmagazine.com/officials-investigate-scope-of-emory-university-breach/article/307854/?DCMP=EMC-SCUS_Newswire

FYI - Prison Computer ‘Glitch’ Blamed for Opening Cell Doors in Maximum-Security Wing - Florida prison officials say a computer “glitch” may be to blame for opening all of the doors at a maximum security wing simultaneously, setting prisoners free and allowing gang members to pursue a rival with weapons. http://www.wired.com/threatlevel/2013/08/computer-prison-door-mishap/

FYI - Fraudsters target "wire payment switch" at banks to steal millions - Instead of targeting the bank accounts of individuals or organizations, criminals recently took over the wire payment switch at several U.S. banks to steal millions from their choice of accounts, according to a security analyst. http://www.scmagazine.com/fraudsters-target-wire-payment-switch-at-banks-to-steal-millions/article/307755/?DCMP=EMC-SCUS_Newswire

FYI - Syrian Electronic Army attacks several sites for the price of one - It only took one attack last week, but it was enough to allow the Syrian Electronic Army (SEA) to compromise The Washington Post, CNN and Time. http://www.scmagazine.com/syrian-electronic-army-attacks-several-sites-for-the-price-of-one/article/307953/?DCMP=EMC-SCUS_Newswire

FYI - Employee fired for stealing external hard drive containing patient data - An external hard drive containing personal medical information on thousands of patients was stolen by a former employee of the North Texas Comprehensive Spine and Pain Center in Sherman. http://www.scmagazine.com/employee-fired-for-stealing-external-hard-drive-containing-patient-data/article/308109/?DCMP=EMC-SCUS_Newswire

FYI - Cybercrooks use DDoS attacks to mask theft of banks' millions - Analyst says three unidentified US banks have been hit with "low powered" DDoS attacks to cover fraudulent wire transfers. http://news.cnet.com/8301-1009_3-57599646-83/cybercrooks-use-ddos-attacks-to-mask-theft-of-banks-millions/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - League of Legends is hacked, with crucial user info accessed - One of the world's most popular online video games falls prey to a security breach involving usernames, e-mail addresses, salted passwords, and 120,000 salted credit card numbers. http://news.cnet.com/8301-1009_3-57599450-83/league-of-legends-is-hacked-with-crucial-user-info-accessed/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9


We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 10 of 10)  


Managing Service Providers

Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.

When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.

Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.

We continue our series on the FFIEC interagency Information Security Booklet.  


Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.

For example, an institution's management may be assessing the proper strategic approach to intrusion detection for an Internet environment. Two potential approaches were identified for evaluation. The first approach uses a combination of network and host intrusion detection sensors with a staffed monitoring center. The second approach consists of daily access log review. The former alternative is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost. The added cost is entirely appropriate when customer data and institution processing capabilities are exposed to an attack, such as in an Internet banking environment. The latter approach may be appropriate when the primary risk is reputational damage, such as when the only information being protected is an information-only Web site, and the Web site is not connected to other financial institution systems.

Strategies should consider the layering of controls. Excessive reliance on a single control could create a false sense of confidence. For example, a financial institution that depends solely on a firewall can still be subject to numerous attack methodologies that exploit authorized network traffic. Financial institutions should design multiple layers of security controls and testing to establish several lines of defense between the attacker and the asset being attacked. To successfully attack the data, each layer must be penetrated. With each penetration, the probability of detecting the attacker increases.
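To make the two passages above concrete, here is an added example of the lower-cost alternative the booklet describes, a daily access log review, written for this newsletter and not taken from the FFIEC booklet or any product. It parses web server log lines in the common "combined" format, flags a burst of failed logins from one source and requests carrying directory-traversal sequences, and reports for each finding how many hours passed between the first suspicious request and the moment the reviewer looked. That lag is exactly the weakness the booklet weighs against a staffed monitoring center, and every flagged request arrived over the port a firewall would have to permit, which is the point about relying on a single control. The log lines, source addresses (documentation ranges), thresholds and review time are all constructed assumptions for the example.

```python
"""Daily access-log review: the lower-cost detection approach discussed above.

Added example; not part of the FFIEC Information Security Booklet or the
newsletter. Sample traffic, thresholds and the review time are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Review thresholds: assumptions chosen for this example, not regulatory figures.
FAILED_LOGIN_THRESHOLD = 10
LOGIN_PATH = "/login"
TRAVERSAL_MARKERS = ("../", "..%2f", "%2e%2e")

# The reviewer runs the script the next morning; this models "daily" review.
REVIEW_AT = datetime(2013, 8, 23, 8, 0, tzinfo=timezone(timedelta(hours=-5)))


def build_sample_log():
    """Constructed sample log (not real traffic). One source hammers the login
    page overnight, another probes for traversal, normal traffic follows, and
    one line is corrupt so the parser has to skip it."""
    lines = [
        f'203.0.113.7 - - [22/Aug/2013:02:14:{i:02d} -0500] "POST /login HTTP/1.1" 401 512'
        for i in range(12)
    ]
    lines.append('198.51.100.9 - - [22/Aug/2013:03:30:10 -0500] '
                 '"GET /files/../../private/config.txt HTTP/1.1" 404 210')
    lines.append('192.0.2.44 - - [22/Aug/2013:09:00:00 -0500] "GET /index.html HTTP/1.1" 200 4096')
    lines.append('192.0.2.44 - - [22/Aug/2013:09:00:05 -0500] "POST /login HTTP/1.1" 302 0')
    lines.append('this line is corrupt and will not parse')
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def _finding(kind, ip, first_seen, review_time, **extra):
    # hours_to_detect is the gap between the first bad request and the review.
    hours = (review_time - first_seen).total_seconds() / 3600
    return {"kind": kind, "ip": ip, "first_seen": first_seen,
            "hours_to_detect": round(hours, 2), **extra}


def review_access_log(lines, review_time):
    """Review one day of log lines; return (findings, number_of_unparsed_lines)."""
    failed_logins = defaultdict(list)
    findings = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # corrupt lines are counted, never silently dropped
            continue
        if rec["path"].startswith(LOGIN_PATH) and rec["status"] in (401, 403):
            failed_logins[rec["ip"]].append(rec["time"])
        lowered = rec["path"].lower()
        if any(marker in lowered for marker in TRAVERSAL_MARKERS):
            findings.append(_finding("path_traversal_probe", rec["ip"], rec["time"],
                                     review_time, path=rec["path"]))
    for ip, times in failed_logins.items():
        if len(times) >= FAILED_LOGIN_THRESHOLD:
            findings.append(_finding("login_failure_burst", ip, min(times),
                                     review_time, count=len(times)))
    findings.sort(key=lambda f: f["first_seen"])
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = review_access_log(build_sample_log(), REVIEW_AT)
    for f in found:
        print(f)
    print("unparsed lines:", skipped)
```

Run as-is, the script reports the login burst and the traversal probe with roughly 30 and 28 hours between the first request and the review; a sensor feeding a staffed monitoring center would have raised the same events within seconds. The unparsed-line count matters in practice: a review that silently drops malformed lines can miss exactly the traffic an attacker crafted to break the parser.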

Policies are the primary embodiment of strategy, guiding decisions made by users, administrators, and managers, and informing those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance in acquiring, configuring, and auditing information systems. Key actions that contribute to the success of a security policy are:

1)  Implementing through ordinary means, such as system administration procedures and acceptable-use policies;

2)  Enforcing policy through security tools and sanctions;

3)  Delineating the areas of responsibility for users, administrators, and managers;

4)  Communicating in a clear, understandable manner to all concerned;

5)  Obtaining employee certification that they have read and understood the policy;

6)  Providing flexibility to address changes in the environment; and

7)  Conducting annually a review and approval by the board of directors.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice  (Part 1 of 2)

8)  Do the initial, annual, and revised privacy notices include each of the following, as applicable:  (Part 1 of 2)

a)  the categories of nonpublic personal information that the institution collects; [§6(a)(1)]

b)  the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]

c)  the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]

d)  the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated