R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

August 25, 2019

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.

DOD continues to buy products it knows have cybersecurity vulnerabilities - The Department of Defense continues to buy millions of dollars in commercial off-the-shelf technology with known cybersecurity vulnerabilities, a watchdog report published last week found. https://www.fedscoop.com/defense-department-known-cyber-vulnerabilities-lenovo-lexmark-gopro/

FYI - Contractors have questions about DOD's cyber requirements - The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base, but so far the department's biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place. https://fcw.com/articles/2019/08/12/dod-contractor-cyber-johnson.aspx

Capital One hacker took data from more than 30 companies, new court docs reveal - New court documents reveal the government is investigating the Capital One hacker for 30+ other breaches. https://www.zdnet.com/article/capital-one-hacker-took-data-from-more-than-30-companies-new-court-docs-reveal/

How to build a successful offensive security research team - Over the last several years, as the threat landscape has continually evolved, the severity and sheer volume of security vulnerabilities and attacks has accelerated dramatically, causing the tech industry across the world to look for new ways to prevent crippling cyber attacks. https://www.scmagazine.com/home/opinion/executive-insight/how-to-build-a-successful-offensive-security-research-team/

First half 2019 sees 4,000 data breaches exposing 4B records - The number of data breaches reported and records exposed both increased by more than 50 percent during the first half of 2019 compared to the same period in 2018. https://www.scmagazine.com/home/security-news/data-breach/first-half-2019-sees-4000-data-breaches-exposing-4b-records/

Delta sues AI vendor over 2017 breach exposing info on 825K - After information on 825,000 Delta Airlines customers was exposed and potentially stolen by at least one hacker in 2017, the airline has filed suit against chatbot vendor [24]7.ai, claiming poor security led to the breach. https://www.scmagazine.com/home/security-news/data-breach/delta-sues-ai-vendor-over-2017-breach-exposing-info-on-825k/

U.S. renews temporary license allowing companies to sell to Huawei, adds 45 to blacklist - The Commerce Department Tuesday renewed a temporary license that allows U.S. companies to sell their products to Huawei but blacklisted exporting products to 45 companies associated with the Chinese technology firm. https://www.scmagazine.com/home/security-news/u-s-renews-temporary-license-allowing-companies-to-sell-to-huawei-adds-45-to-blacklist/

FYI - Cyberattacks hit NCH Healthcare System and Grays Harbor Community Hospital - Two hospital systems began notifying patients and employees of cyber incidents, one ransomware and another a data breach, that took place in June. https://www.scmagazine.com/home/security-news/ransomware/cyberattacks-hit-nch-healthcare-system-and-grays-harbor-community-hospital/

Cracked.to hacking forum user data breached and leaked by rivals - Hacking online forum Cracked.to last July suffered a data breach at the hands of one of its rival communities, resulting in the compromise of roughly 321,000 members, breach reference website “Have I Been Pwned?” reported this week. https://www.scmagazine.com/home/security-news/data-breach/cracked-to-hacking-forum-user-data-breached-and-leaked-by-rivals/

Ransomware attack hits mostly small, local Texas government orgs - A wide-ranging ransomware attack has hit 23 government entities in Texas, most of them “smaller, local governments,” the Texas Department of Information Resources (DIR) confirmed Saturday. https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-hits-mostly-small-local-texas-government-orgs/

European Central Bank confirms BIRD site hacked, contact info stolen - Unauthorized third parties hacked European Central Bank (ECB) Banks’ Integrated Reporting Dictionary (BIRD) website, nicking email and other contact information on 481 subscribers and prompting the bank to shut down the website indefinitely. https://www.scmagazine.com/home/security-news/european-central-bank-confirms-bird-site-hacked-contact-info-stolen/

Hy-Vee supermarkets report POS cyber incident - The Mid-Western supermarket chain Hy-Vee has issued a warning that the payment card system was breached at several of its locations and services. https://www.scmagazine.com/home/security-news/data-breach/hy-vee-supermarkets-report-pos-cyber-incident/


One million Luscious site accounts compromised - Researchers at VPNMentor were able to access more than one million user accounts associated with the website Luscious. https://www.scmagazine.com/home/security-news/data-breach/one-million-luscious-porn-site-accounts-compromised/

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Authorization Practices for E-Banking Applications
1. Specific authorization and access privileges should be assigned to all individuals, agents or systems which conduct e-banking activities.
2. All e-banking systems should be constructed to ensure that they interact with a valid authorization database.
3. No individual, agent or system should have the authority to change his or her own authority or access privileges in an e-banking authorization database.
4. Any addition of an individual, agent or system, or changes to access privileges in an e-banking authorization database, should be duly authorized by an authenticated source empowered with the adequate authority and subject to suitable and timely oversight and audit trails.
5. Appropriate measures should be in place in order to make e-banking authorization databases reasonably resistant to tampering. Any such tampering should be detectable through ongoing monitoring processes. Sufficient audit trails should exist to document any such tampering.
6. Any e-banking authorization database that has been tampered with should not be used until replaced with a validated database.
7. Controls should be in place to prevent changes to authorization levels during e-banking transaction sessions, and any attempts to alter authorization should be logged and brought to the attention of management.
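The following is an added example, not text or code from the Basel Committee paper, showing how principles 1 through 4 and 7 above translate into enforceable logic in an authorization store: every action is checked against the database, nobody can change their own privileges, every change needs an authenticated requester and a distinct approver who holds an administrative privilege, changes are refused while the subject has a transaction session open, and every attempt, applied or rejected, lands in an audit trail. The class and privilege names (AuthorizationDB, "admin:authz", the teller accounts) are constructed for illustration. Tamper detection of the stored database itself (principles 5 and 6) is a separate control and is not shown here.

```python
"""Authorization database controls for an e-banking system.

Added example illustrating the Basel authorization principles; all
names and privileges are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


class AuthorizationError(Exception):
    """Raised when a privilege change violates an authorization rule."""


@dataclass
class AuditEvent:
    actor: str       # authenticated source that made or attempted the change
    action: str      # "grant" or "revoke"
    subject: str     # whose privileges were affected
    privilege: str
    outcome: str     # "applied, approved by <x>" or "rejected: <reason>"


class AuthorizationDB:
    """Maps subjects (individuals, agents or systems) to privilege sets.

    Rules enforced, numbered as in the Basel list:
      1/2  every e-banking action is checked via authorized();
      3    nobody changes their own privileges, as requester or approver;
      4    changes need a requester and a *different* approver who holds
           ADMIN, and every attempt is written to the audit trail;
      7    no privilege change is applied while the subject has an open
           transaction session; the attempt is logged for management.
    """

    ADMIN = "admin:authz"

    def __init__(self) -> None:
        self._privs: Dict[str, Set[str]] = {}
        self._active: Set[str] = set()          # subjects with an open session
        self.audit: List[AuditEvent] = []

    def bootstrap(self, subject: str, privileges: Set[str]) -> None:
        """Initial load from a validated source; bypasses change() on purpose."""
        self._privs[subject] = set(privileges)

    def authorized(self, subject: str, privilege: str) -> bool:
        """Rule 2: every e-banking action consults the authorization database."""
        return privilege in self._privs.get(subject, set())

    def open_session(self, subject: str) -> None:
        self._active.add(subject)

    def close_session(self, subject: str) -> None:
        self._active.discard(subject)

    def change(self, requester: str, approver: str, subject: str,
               privilege: str, grant: bool) -> None:
        action = "grant" if grant else "revoke"
        reason = None
        if subject in (requester, approver):
            reason = "self-modification of privileges (rule 3)"
        elif requester == approver:
            reason = "requester and approver must differ (rule 4)"
        elif not self.authorized(approver, self.ADMIN):
            reason = f"approver lacks {self.ADMIN} (rule 4)"
        elif subject in self._active:
            reason = "subject has an active transaction session (rule 7)"
        if reason:
            self.audit.append(AuditEvent(requester, action, subject, privilege,
                                         f"rejected: {reason}"))
            raise AuthorizationError(reason)
        privs = self._privs.setdefault(subject, set())
        (privs.add if grant else privs.discard)(privilege)
        self.audit.append(AuditEvent(requester, action, subject, privilege,
                                     f"applied, approved by {approver}"))


def demo() -> List[str]:
    """Exercise each rule once; returns the audit outcomes in order."""
    db = AuthorizationDB()
    db.bootstrap("sec_officer", {AuthorizationDB.ADMIN})
    db.bootstrap("ops_manager", {AuthorizationDB.ADMIN})
    db.change("ops_manager", "sec_officer", "teller1", "payments:approve", True)
    attempts = [
        ("teller1", "sec_officer", "teller1", "limits:raise", True),      # rule 3
        ("ops_manager", "ops_manager", "teller1", "limits:raise", True),  # rule 4
        ("ops_manager", "teller1", "teller2", "limits:raise", True),      # rule 4
    ]
    for args in attempts:
        try:
            db.change(*args)
        except AuthorizationError:
            pass
    db.open_session("teller1")
    try:   # rule 7: revoke attempted mid-session
        db.change("ops_manager", "sec_officer", "teller1", "payments:approve", False)
    except AuthorizationError:
        pass
    db.close_session("teller1")
    return [e.outcome for e in db.audit]
```

Running demo() yields one applied change followed by four rejections, each recorded with the rule it violated; the rejected events are what an oversight process would review.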

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
In general, encryption functions by taking data and a variable, called a "key," and processing those items through a fixed algorithm to create the encrypted text. The strength of the encrypted text is determined by the entropy, or degree of uncertainty, in the key and the algorithm. Key length and key selection criteria are important determinants of entropy. Greater key lengths generally indicate more possible keys. More important than key length, however, is the potential limitation of possible keys posed by the key selection criteria. For instance, a 128-bit key has much less than 128 bits of entropy if it is selected from only certain letters or numbers. The full 128 bits of entropy will only be realized if the key is randomly selected across the entire 128-bit range.

The encryption algorithm is also important. Creating a mathematical algorithm that does not limit the entropy of the key and testing the algorithm to ensure its integrity are difficult. Since the strength of an algorithm is related to its ability to maximize entropy instead of its secrecy, algorithms are generally made public and subject to peer review. The more that the algorithm is tested by knowledgeable worldwide experts, the more the algorithm can be trusted to perform as expected. Examples of public algorithms are AES, DES and Triple DES, SHA-1, and RSA.
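To put numbers on the 128-bit example above, here is an added illustration (not from the FFIEC booklet) that computes the entropy of a 16-byte key under several selection criteria. A key whose 16 bytes are each drawn from the ten digits has about 53 bits of entropy; from the 26 lowercase letters, about 75 bits; only a key chosen uniformly over all 256 byte values reaches 128. The function names and the alphabets are constructed for illustration; secrets.token_bytes and secrets.choice are the standard-library CSPRNG calls.

```python
"""Key length versus key entropy.

Added example for the FFIEC passage on key selection criteria. The
functions and sample alphabets are constructed for illustration.
"""
import math
import secrets
import string


def key_entropy_bits(key_bytes: int, alphabet_size: int) -> float:
    """Entropy of a key of key_bytes bytes when each byte is drawn uniformly
    and independently from an alphabet of alphabet_size symbols.
    The full byte range is 256 symbols, i.e. 8 bits per byte."""
    return key_bytes * math.log2(alphabet_size)


def search_space_reduction(key_bits: int, alphabet_size: int) -> float:
    """Factor by which a brute-force search shrinks when the key is drawn
    from a restricted alphabet instead of the full key_bits range."""
    actual = key_entropy_bits(key_bits // 8, alphabet_size)
    return 2.0 ** (key_bits - actual)


def restricted_key(alphabet: str, key_bytes: int) -> bytes:
    """A 'key' typed from printable characters. The choice is made with a
    CSPRNG, but the alphabet still caps the entropy per byte."""
    return "".join(secrets.choice(alphabet) for _ in range(key_bytes)).encode()


def full_range_key(key_bytes: int) -> bytes:
    """Key selected uniformly across the entire 2**(8*key_bytes) range."""
    return secrets.token_bytes(key_bytes)


def entropy_report(key_bytes: int = 16) -> dict:
    """Effective entropy of a nominal 128-bit key under several criteria."""
    alnum = string.ascii_letters + string.digits
    printable = string.digits + string.ascii_letters + string.punctuation  # 94 symbols
    return {
        "digits only":        key_entropy_bits(key_bytes, len(string.digits)),
        "lowercase letters":  key_entropy_bits(key_bytes, len(string.ascii_lowercase)),
        "letters and digits": key_entropy_bits(key_bytes, len(alnum)),
        "printable ASCII":    key_entropy_bits(key_bytes, len(printable)),
        "full byte range":    key_entropy_bits(key_bytes, 256),
    }
```

The practical consequence: a 128-bit key built from lowercase letters leaves an attacker a search space roughly 2^53 times smaller than the nominal one, which is why key material should come from a CSPRNG over the full range (full_range_key) rather than from a typed string (restricted_key).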

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -

20.5.1 Vulnerabilities Related to Payroll Fraud

Falsified Time Sheets

The primary safeguards against falsified time sheets are review and approval by supervisory personnel, who are not permitted to approve their own time and attendance data. The risk assessment has concluded that, while imperfect, these safeguards are adequate. The related requirement that a clerk and a supervisor must cooperate closely in creating time and attendance data and submitting the data to the mainframe also safeguards against other kinds of illicit manipulation of time and attendance data by clerks or supervisors acting independently.

Unauthorized Access

When a PC user enters a password to the server during I&A, the password is sent to the server by broadcasting it over the LAN "in the clear." This allows the password to be intercepted easily by any other PC connected to the LAN. In fact, so-called "password sniffer" programs that capture passwords in this way are widely available. Similarly, a malicious program planted on a PC could also intercept passwords before transmitting them to the server. An unauthorized individual who obtained the captured passwords could then run the time and attendance application in place of a clerk or supervisor. Users might also store passwords in a log-on script file.
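The exposure described above comes from transmitting the password itself. As an added example (not the HGA system's protocol and not code from the NIST handbook), the exchange below authenticates a PC to the server without the password ever crossing the LAN: the server issues a fresh nonce, the PC answers with an HMAC keyed by a password-derived secret, and the server checks it. The Server and client functions, the user name and the `wire` list that records everything a sniffer on the LAN could see are all constructed for illustration.

```python
"""Password I&A without sending the password over the LAN.

Added example: a simplified challenge-response exchange. A sniffer on
the LAN sees only a salt, a nonce and a MAC, never the password.
Names are constructed; this is not the HGA system's protocol.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Password-derived secret. PBKDF2 slows offline guessing if the
    server's credential file is ever disclosed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, verifier)
        self._pending: Dict[str, bytes] = {}             # user -> outstanding nonce

    def enrol(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, derive_verifier(password, salt))

    def challenge(self, user: str) -> Tuple[bytes, bytes]:
        """Step 1: fresh nonce per attempt, so a captured response cannot be replayed."""
        salt, _ = self._users[user]
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Step 3: recompute the expected MAC; constant-time compare; nonce is single-use."""
        nonce = self._pending.pop(user, None)
        if nonce is None:
            return False
        _, verifier = self._users[user]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2: the PC derives the same secret locally and MACs the nonce with it."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


def login(server: Server, user: str, password: str, wire: List[bytes]) -> bool:
    """Run the exchange, recording every message that crosses the LAN in `wire`."""
    salt, nonce = server.challenge(user)
    wire += [salt, nonce]
    resp = client_response(password, salt, nonce)
    wire.append(resp)
    return server.verify(user, resp)


def demo() -> dict:
    server = Server()
    server.enrol("clerk1", "correct horse battery")      # constructed credentials
    wire: List[bytes] = []
    ok = login(server, "clerk1", "correct horse battery", wire)
    bad = login(server, "clerk1", "wrong password", wire)
    # Replay: resend the earlier good response against a new challenge.
    server.challenge("clerk1")
    replayed = server.verify("clerk1", wire[2])
    leaked = any(b"correct horse battery" in item for item in wire)
    return {"ok": ok, "bad": bad, "replayed": replayed, "password_on_wire": leaked}
```

Two caveats belong with this design. The server must hold the verifier, and in this simple scheme the verifier is a password-equivalent, so the server's credential file needs the same protection the handbook asks of the server's access controls. And the scheme only removes the password from the wire; it does not protect against the second threat in the passage, a malicious program on the PC reading the password as it is typed.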

Bogus Time and Attendance Applications

The server's access controls are probably adequate for protection against bogus time and attendance applications that run on the server. However, the server's operating system and access controls have only been in widespread use for a few years and contain a number of security-related bugs. And the server's access controls are ineffective if not properly configured, and the administration of the server's security features in the past has been notably lax.

Unauthorized Modification of Time and Attendance Data

Protection against unauthorized modification of time and attendance data requires a variety of safeguards because each system component on which the data are stored or transmitted is a potential source of vulnerabilities.

First, the time and attendance data are entered on the server by a clerk. On occasion, the clerk may begin data entry late in the afternoon, and complete it the following morning, storing it in a temporary file between the two sessions. One way to avoid unauthorized modification is to store the data on a diskette and lock it up overnight. After being entered, the data will be stored in another temporary file until reviewed and approved by a supervisor. These files, now stored on the system, must be protected against tampering. As before, the server's access controls, if reliable and properly configured, can provide such protection (as can digital signatures, as discussed later) in conjunction with proper auditing.

Second, when the supervisor approves a batch of time and attendance data, the time and attendance application sends the data over the WAN to the mainframe. The WAN is a collection of communications equipment and special-purpose computers called "switches" that act as relays, routing information through the network from source to destination. Each switch is a potential site at which the time and attendance data may be fraudulently modified. For example, an HGA PC user might be able to intercept time and attendance data and modify the data en route to the payroll application on the mainframe. Opportunities include tampering with incomplete time and attendance input files while stored on the server, interception and tampering during WAN transit, or tampering on arrival at the mainframe prior to processing by the payroll application.

Third, on arrival at the mainframe, the time and attendance data are held in a temporary file on the mainframe until the payroll application is run. Consequently, the mainframe's I&A and access controls must provide a critical element of protection against unauthorized modification of the data.
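The three stages above (temporary file on the server, WAN transit through switches, holding file on the mainframe) share one mitigation: seal the batch at the moment of supervisor approval and verify the seal before the payroll application consumes it, so a modification at any stage is detected. The handbook points to digital signatures; the added example below (not the handbook's code or the HGA system) substitutes an HMAC from the Python standard library so it runs without extra libraries. That detects tampering at any stage but, because both ends share the key, does not give the non-repudiation of the supervisor's approval that a signature would. The record layout, batch id, approver id and key are all constructed.

```python
"""Integrity protection for a time-and-attendance batch across the three
stages: server temporary file, WAN transit, mainframe holding file.

Added example, not the handbook's code. HMAC stands in for the digital
signature the handbook mentions; see the caveat in the lead-in.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple


def canonical(batch: Dict[str, Any]) -> bytes:
    """Deterministic byte form (sorted keys, no whitespace) so the MAC does not
    depend on how a particular stage happens to serialize the file."""
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()


def approve_batch(key: bytes, approver: str, batch_id: str,
                  records: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Supervisor approval: bind approver and batch id to the records and seal."""
    body = {"batch_id": batch_id, "approver": approver, "records": records}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_batch(key: bytes, sealed: Dict[str, Any]) -> Tuple[bool, str]:
    """Mainframe check, run before the payroll application reads the file."""
    expected = hmac.new(key, canonical(sealed["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return False, "tag mismatch: batch altered after approval"
    return True, "ok"


def wan_transit(sealed: Dict[str, Any], tamper: bool) -> Dict[str, Any]:
    """Simulated relay. With tamper=True, a switch on the path changes one
    hours field, the kind of modification the passage describes."""
    wire = json.dumps(sealed)          # what actually crosses the WAN
    received = json.loads(wire)
    if tamper:
        received["body"]["records"][0]["hours"] = 400
    return received


def demo() -> Dict[str, Any]:
    # Constructed demo key; a real deployment would provision it per endpoint.
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    records = [{"employee": "E1001", "hours": 40}, {"employee": "E1002", "hours": 38}]
    sealed = approve_batch(key, approver="sup_07", batch_id="2019-08-W34", records=records)
    clean_ok, _ = verify_batch(key, wan_transit(sealed, tamper=False))
    bad_ok, bad_msg = verify_batch(key, wan_transit(sealed, tamper=True))
    # Variant: records intact but the approver field replaced after sealing.
    forged = {"body": dict(sealed["body"], approver="intruder"), "tag": sealed["tag"]}
    forged_ok, _ = verify_batch(key, forged)
    return {"clean": clean_ok, "tampered": bad_ok,
            "forged_approver": forged_ok, "reason": bad_msg}
```

Because the approver and batch id are inside the sealed body, swapping the approver or re-submitting the records under another batch id fails verification just as altering an hours value does; the mainframe's check therefore also covers the collusion scenario the risk assessment raises for the WAN service provider.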

According to the risk assessment, the server's access controls, with prior caveats, probably provide acceptable protection against unauthorized modification of data stored on the server. The assessment concluded that a WAN-based attack involving collusion between an employee of HGA and an employee of the WAN service provider, although unlikely, should not be dismissed entirely, especially since HGA has only cursory information about the service provider's personnel security practices and no contractual authority over how it operates the WAN.

The greatest source of vulnerabilities, however, is the mainframe. Although its operating system's access controls are mature and powerful, it uses password-based I&A. This is of particular concern, because it serves a large number of federal agencies via WAN connections. A number of these agencies are known to have poor security programs. As a result, one such agency's systems could be penetrated (e.g., from the Internet) and then used in attacks on the mainframe via the WAN. In fact, time and attendance data awaiting processing on the mainframe would probably not be as attractive a target to an attacker as other kinds of data or, indeed, disabling the system, rendering it unavailable. For example, an attacker might be able to modify the employee database so that it disbursed paychecks or pension checks to fictitious employees. Disclosure-sensitive law enforcement databases might also be attractive targets.

The access control on the mainframe is strong and provides good protection against intruders breaking into a second application after they have broken into a first. However, previous audits have shown that the difficulties of system administration may present some opportunities for intruders to defeat access controls.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.