R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 27, 2017

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- The Empire State Lays Down the Marker on Cybersecurity - The New York Department of Financial Services 23 NYCRR 500 Cybersecurity Requirements for Financial Companies went into effect on March 1st of this year. While the requirements are New York based, given the state's concentration of financial services firms, the regulation reaches far beyond the Hudson River. https://www.scmagazine.com/the-empire-state-lays-down-the-marker-on-cybersecurity/article/682038/

Top 10 Security Challenges for 2017 - The first half of 2017 has not exactly been a ride in the park for cybersecurity professionals. https://www.scmagazine.com/top-10-security-challenges-for-2017/article/682314/

How Cybersecurity Became 2017’s Hot New Major - If recent headlines about attacks on our privacy make one thing clear, it’s that there is a lot of work to do in the world of cybersecurity. https://www.villagevoice.com/2017/08/15/how-cybersecurity-became-2017s-hot-new-major/

Over the past year or so, there’s been an explosion of interest in vulnerability disclosure policy - the question of what to do about flaws in software found by security researchers that need patching lest they get used by hackers. https://www.cyberscoop.com/carnegie-mellon-sei-cert-vulnerability-disclosure/

NIST Releases Updated Cyber and Privacy Guidance Draft - The government’s cybersecurity standards agency published a draft version of a major revision to its guidance on security and privacy controls for government and industry Tuesday. http://www.nextgov.com/cybersecurity/2017/08/nist-releases-updated-cyber-and-privacy-guidance-draft/140265/

Cyber Command elevated to Unified Combatant Command - United States Cyber Command will become one of 10 Unified Combatant Commands that will focus on cyberspace operations. https://www.scmagazine.com/cyber-command-elevated-to-unified-combatant-command/article/682924/

Sinopec's Shengli Oilfield cuts Internet for some offices after cyber attack - Sinopec's (600028.SS) Shengli Oilfield said it will cut its Internet connection for some of its offices after a malicious ransom software attacked of 21 of its Internet terminals, the company said on its official website on Monday. http://www.reuters.com/article/us-china-cyberattack-idUSKCN1B11AM

10 ways to improve your employee notification system - Today, many organizations view mass notification systems through the lens of emergency and disaster events, such as evacuations, severe weather, terrorist incidents or active shooter situations when the ability to deliver real-time alerts to employees, customers, partners and consumers is critical. https://www.scmagazine.com/10-ways-to-improve-your-employee-notification-system/article/682951/

Navy probe of warship collision will consider cyberattacks - It has all the makings of intrigue or a conspiracy theory – the U.S. Navy will add cyber incident to the scope of its investigation of the collision, the second in recent months, between a warship and another vessel. https://www.scmagazine.com/navy-probe-of-warship-collision-will-consider-cyberattacks/article/683728/


FYI - HBO hacked again, this time on Facebook, Twitter - Hackers are refusing to give HBO a break as the cable TV network's social media channels have been breached in yet another incident. https://www.scmagazine.com/hbos-facebook-and-twitter-pages-hacked-by-gray-hats/article/682423/

Google Chrome under attack: Have you used one of these hijacked extensions? - Recent versions of several Chrome extensions have been compromised to spread malicious ads. http://www.zdnet.com/article/google-chrome-under-attack-have-you-used-one-of-these-hijacked-extensions/

Voter data on 1.8M Chicagoans left exposed on online storage service - Personal data on more than 1.8 million Chicagoan voters was found exposed on a cloud-based storage site, available to anyone for downloading. https://www.scmagazine.com/voter-data-on-18m-chicagoans-left-exposed-on-online-storage-service/article/682933/

Hackers steal nearly $500K from Enigma virtual currency platform's ICO investors - Hackers on Sunday stole close to $500,000 in Ethereum from Enigma, a cryptocurrency trading platform provider, after compromising the company's digital assets in order to advertise a fraudulent crypto wallet address where users could buy tokens for an Initial Coin Offering. https://www.scmagazine.com/hackers-steal-nearly-500k-from-enigma-virtual-currency-platforms-ico-investors/article/683070/

State Department experiences email outage - State Department email service has been restored after a nearly 12-hour worldwide outage hit its entire unclassified system. https://www.washingtonpost.com/world/national-security/officials-state-dept-suffers-worldwide-email-outage/2017/08/18/0a024ac2-8429-11e7-9e7a-20fa8d7a0db6_story.html?utm_term=.99efbcdb8cdc

Online role-playing games on unofficial websites caught dispensing 'Joao' downloader - Attackers have been compromising popular online role-playing games from Aeria Games on unofficial websites, in order to infect players with a newly discovered malware downloader called Joao. https://www.scmagazine.com/online-role-playing-games-on-unofficial-websites-caught-dispensing-joao-downloader/article/683573/

Fuze fixes security lapses in portal site that could have exposed sensitive user data, credentials - Cloud-based unified communications services provider Fuze earlier this year repaired three vulnerabilities in a customer web portal that, if exploited, could have exposed sensitive user data and credentials. https://www.scmagazine.com/fuze-fixes-security-lapses-in-portal-site-that-could-have-exposed-sensitive-user-data-credentials/article/683390/

Latest leak of hacked celebrity photos includes images of Tiger Woods and Lindsay Vonn - A website known for publishing images stolen from celebrity's hacked accounts has struck again, according to multiple reports. https://www.scmagazine.com/latest-leak-of-hacked-celebrity-photos-includes-images-of-tiger-woods-and-lindsay-vonn/article/683590/

Business Email Compromise phishing scam found targeting diverse array of industries - An organized phishing scam operation likely based out of West Africa has been attempting to steal the business email credentials of users across a broad spectrum of industries, in hopes of compromising their accounts and leveraging them for even more targeted spear phishing scams. https://www.scmagazine.com/business-email-compromise-phishing-scam-found-targeting-diverse-array-of-industries/article/683908/

Return to the top of the newsletter

OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 2 of 5)
 Banks can improve their ability to detect spoofing by monitoring appropriate information available inside the bank and by searching the Internet for illegal or unauthorized use of bank names and trademarks.  The following is a list of possible indicators of Web-site spoofing:
 *  E-mail messages returned to bank mail servers that were not originally sent by the bank.  In some cases, these e-mails may contain links to spoofed Web sites;
 *  Reviews of Web-server logs can reveal links to suspect Web addresses indicating that the bank's Web site is being copied or that other malicious activity is taking place;
 *  An increase in customer calls to call centers or other bank personnel, or direct communications from consumer reporting spoofing activity.
 Banks can also detect spoofing by searching the Internet for identifiers associated with the bank such as the name of a company or bank.  Banks can use available search engines and other tools to monitor Web sites, bulletin boards, news reports, chat rooms, newsgroups, and other forums to identify usage of a specific company or bank name.  The searches may uncover recent registrations of domain names similar to the bank's domain name before they are used to spoof the bank's Web site.  Banks can conduct this monitoring in-house or can contract with third parties who provide monitoring services.
 Banks can encourage customers and consumers to assist in the identification process by providing prominent links on their Web pages or telephone contact numbers through which customers and consumers can report phishing or other fraudulent activities.
 Banks can also train customer-service personnel to identify and report customer calls that may stem from potential Web-site attacks.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.
 Events that trigger the implementation of a business continuity plan may have significant security considerations. Depending on the event, some or all of the elements of the security environment may change. Different people may be involved in operations, at a different physical location, using similar but different machines and software which may communicate over different communications lines. Depending on the event, different tradeoffs may exist between availability, integrity, confidentiality, and accountability, with a different appetite for risk on the part of management.
 Business continuity plans should be reviewed as an integral part of the security process. Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event the continuity plans must be implemented. The implementation should consider the training of appropriate personnel in their security roles, and the implementation and updating of technologies and plans for back - up sites and communications networks. Testing these security considerations should be integrated with the testing of business continuity plan implementations.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 12.1.2 Preventing Future Damage

 An incident handling capability also assists an organization in preventing (or at least minimizing) damage from future incidents. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities so more effective safeguards can be implemented. Additionally, through outside contacts (established by the incident handling capability) early warnings of threats and vulnerabilities can be provided. Mechanisms will already be in place to warn users of these risks.
 The incident handling capability allows an organization to learn from the incidents that it has experienced. Data about past incidents (and the corrective measures taken) can be collected. The data can be analyzed for patterns -- for example, which viruses are most prevalent, which corrective actions are most successful, and which systems and information are being targeted by hackers. Vulnerabilities can also be identified in this process -- for example, whether damage is occurring to systems when a new software package or patch is used. Knowledge about the types of threats that are occurring and the presence of vulnerabilities can aid in identifying security solutions. This information will also prove useful in creating a more effective training and awareness program -- and thus help reduce the potential for losses. The incident handling capability assists the training and awareness program by providing information to users as to (1) measures that can help avoid incidents (e.g., virus scanning) and (2) what should be done in case an incident does occur.
 Of course, the organization's attempts to prevent future losses does not occur in a vacuum. With a sound incident handling capability, contacts will have been established with counterparts outside the organization. This allows for early warning of threats and vulnerabilities that the organization may have not yet experienced. Early preventative measures (generally more cost-effective than repairing damage) can then be taken to reduce future losses. Data is also shared outside the organization to allow others to learn from the organization's experiences.
 The sharing of incident data among organizations can help at both the national and the international levels to prevent and respond to breaches of security in a timely, coordinated manner.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated