R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 6, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit is conducted from a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - More than 80% of healthcare IT leaders say their systems have been compromised - Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey. http://www.computerworld.com/article/2975988/healthcare-it/more-than-80-of-healthcare-it-leaders-say-their-systems-have-been-compromised.html

FYI - Pentagon Unveils New Rules Requiring Contractors to Disclose Data Breaches - New sweeping defense contractor rules on hack notifications take effect today, adding to a flurry of Pentagon IT security policies issued in recent years. http://www.nextgov.com/cybersecurity/2015/08/pentagon-tries-harmonize-contractor-data-breach-rules/119498/

FYI - U.S. agency warns electric utilities to bolster authentication - U.S. electric utilities should pay close attention to their authentication systems and access controls to reduce data breaches, a government agency says in a new cybersecurity guide. http://www.computerworld.com/article/2975934/security/us-agency-warns-electric-utilities-to-bolster-authentication.html

FYI - Hacking number one consumer fear, others not worried - A study found some consumers are tremendously worried about hacking and malware, while almost half are not concerned at all and others simply believe they are not of interest to cybercriminals. http://www.scmagazine.com/report-finds-some-consumers-believe-not-target-of-cybercriminals/article/435521/

FYI - Cyberarmies rising? - With government officials and executives in the U.S. reeling from sophisticated hacks traced to China and other state-backed entities, American spies and soldiers are sharpening the ongoing debate over if – and when – an online action. http://www.scmagazine.com/cyberarmies-rising/article/436067/

FYI - Barclays first bank to accept bitcoin - After experimenting with bitcoin in its London “labs,” Barclays is set to become the first major bank to accept the digital currency. http://www.scmagazine.com/barclays-testing-bitcoin-for-charitable-donations/article/435926/

FYI - Sony Pictures reaches settlement with ex-employees over hacking - The hack revealed the inner workings of the studio, as well as the personal information of more than 47,000 celebrities, freelancers, and current and former Sony employees. http://www.cnet.com/news/sony-pictures-reaches-settlement-with-ex-employees-over-hacking/

FYI - Hackers could use baby monitors to watch your kids too, security experts warn - Some video-streaming baby monitors aren't safe from hackers, a security researcher finds, and it doesn't matter how much you paid either. Experts say this is part of a trend indicating poor security in Net-connected household devices. http://www.cnet.com/news/several-baby-monitors-easily-hacked-security-researcher-finds/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - GitHub combats DDoS cyberattack - The code repository has mitigated a new DDoS attack following a crippling salvo experienced in March. http://www.zdnet.com/article/github-combats-ddos-cyberattack/

FYI - More than 10,000 Utah Food Bank donors notified of breach - Utah Food Bank is notifying more than 10,000 individuals that their personal information – including payment card data – may have been exposed during a possible data security incident involving the donation webpage. http://www.scmagazine.com/more-than-10000-utah-food-bank-donors-notified-of-breach/article/435812/

FYI - New 'Pawn Storm' attack spoofs EFF website - A newly registered domain disguises itself as an official Electronic Frontier Foundation (EFF) website and is being used in various spear phishing attacks. http://www.scmagazine.com/operation-pawn-storm-uses-spear-phishing-attack/article/435766/

FYI - London clinic leaks status of 780 patients in newsletter - A London sexual health clinic accidentally sent status, names, and email addresses of 780 patients in a newsletter email Tuesday. http://www.scmagazine.com/london-sexual-health-clinic-compromises-hiv-status-of-780-patients-in-newsletter/article/436507/

FYI - Malware on Maine hotel computer targets guest payment cards - Olympia Hotel Management, which manages Maine-based Brunswick Hotel & Tavern, is notifying an undisclosed number of guests that malware was discovered on the hotel's computer systems and payment card information could be at risk. http://www.scmagazine.com/malware-on-maine-hotel-computer-targets-guest-payment-cards/article/435900/

FYI - ReverbNation notifies users of breach, recommends changing passwords - ReverbNation – an online platform that currently assists more than three million musicians in building their careers – experienced a breach in 2014, and is now notifying an undisclosed number of users and asking them to change their passwords. http://www.scmagazine.com/2014-breach-prompts-reverbnation-to-notify-customers/article/436757/


WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
 
 Due Diligence in Selecting a Service Provider - Contract Issues
 
 Ownership and License
 
 The contract should address ownership and allowable use by the service provider of the institution's data, equipment/hardware, system documentation, system and application software, and other intellectual property rights. Other intellectual property rights may include the institution's name and logo; its trademark or copyrighted material; domain names; web site designs; and other work products developed by the service provider for the institution. The contract should not contain unnecessary limitations on the return of items owned by the institution. Institutions that purchase software should consider establishing escrow agreements. These escrow agreements may provide for the following: institution access to source programs under certain conditions (e.g., insolvency of the vendor), documentation of programming and systems, and verification of updated source code.
 
 Duration
 
 Institutions should consider the type of technology and current state of the industry when negotiating the appropriate length of the contract and its renewal periods. While there can be benefits to long-term technology contracts, certain technologies may be subject to rapid change and a shorter-term contract may prove beneficial. Similarly, institutions should consider the appropriate length of time required to notify the service provider of the institution's intent not to renew the contract prior to expiration. Institutions should consider coordinating the expiration dates of contracts for inter-related services (e.g., web site, telecommunications, programming, network support) so that they coincide, where practical. Such coordination can minimize the risk of terminating a contract early and incurring penalties as a result of necessary termination of another related service contract.



FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with the Internet."
 
 
Data Transmission and Types of Firewalls 
 
 Data traverses the Internet in units referred to as packets. Each packet has headers which contain information for delivery, such as where the packet is from, where it is going, and what application it contains. The varying firewall techniques examine the headers and either permit or deny access to the system based on the firewall's rule configuration. 
 
 There are different types of firewalls that provide various levels of security. For instance, packet filters, sometimes implemented as screening routers, permit or deny each packet based solely on the stated source and/or destination IP address and the port number, from which the application (e.g., FTP) is inferred. However, a source address can be spoofed and a port number says nothing reliable about the application behind it, so a packet filter on its own can be talked past by an attacker who claims a trusted address. Other types of firewalls, such as circuit-level gateways and application gateways, have separate interfaces to the internal and external (Internet) networks, meaning no direct connection is ever established between the two networks. A relay program copies all data from one interface to the other, in each direction. A stronger firewall, a stateful inspection gateway, not only examines packets for IP addresses, applications, and specific commands, but also tracks each connection from the moment it is opened, so that an inbound packet is accepted only when it belongs to a session an inside host actually started; it also provides security logging and alarm capabilities, and compares traffic with previous transmissions to detect deviations from normal context.

 
 Implementation 

 
 When evaluating the need for firewall technology, the potential costs of system or data compromise, including system failure due to attack, should be considered. For most financial institution applications, a strong firewall system is a necessity. All information into and out of the institution should pass through the firewall; there should be no path around it. The firewall should also perform network address translation, rewriting inside source addresses to the firewall's own IP address, so that no internal addresses are exposed to the outside. The possibility always exists that security might be circumvented, so there must be procedures in place to detect attacks or system intrusions. Careful consideration should also be given to any data that is stored or placed on the server, especially sensitive or critically important data.
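The difference between the firewall types described above (a screening router that judges each packet by its claimed addresses and port, versus a stateful gateway that also requires the packet to belong to a session an inside host opened, and that rewrites inside addresses on the way out) can be shown with a small simulation. The following Python is an added example written for this newsletter, not FDIC or Yennik code; the hosts, addresses (RFC 5737 documentation ranges), rule table and packets are all constructed for the illustration.

```python
"""Toy packet filter vs. stateful inspection gateway with NAT (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a firewall looks at: direction, addresses, ports, TCP flags."""
    direction: str            # "in" = arriving from the Internet, "out" = leaving our network
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()


# Constructed hosts for the scenario.
INSIDE_HOST = "10.0.0.5"      # a workstation behind the firewall
FIREWALL_IP = "203.0.113.1"   # the firewall's public address
PARTNER = "198.51.100.7"      # a trusted external FTP server
ATTACKER = "192.0.2.66"       # an untrusted host

# --- Packet filter (screening router): decides on addresses and port only. ---
# Rule tuple: (direction, src, dst, dport, action); "*" matches anything; first match wins.
STATELESS_RULES = [
    ("in", PARTNER, "*", 21, "allow"),   # "let the partner's FTP traffic in"
    ("in", "*", "*", "*", "deny"),
    ("out", "*", "*", "*", "allow"),
]


def packet_filter(pkt: Packet) -> str:
    """Return "allow" or "deny" for one packet, default deny."""
    for direction, src, dst, dport, action in STATELESS_RULES:
        if (direction == pkt.direction and src in ("*", pkt.src)
                and dst in ("*", pkt.dst) and dport in ("*", pkt.dport)):
            return action
    return "deny"


# --- Stateful inspection gateway with NAT. ---
class StatefulGateway:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # (remote_ip, remote_port, nat_port) -> (inside_ip, inside_port)
        self.conntrack: dict = {}
        self.denied: list = []          # (reason, packet): the security log
        self._next_nat_port = 40000

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as forwarded (rewritten by NAT), or None if dropped."""
        return self._outbound(pkt) if pkt.direction == "out" else self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> Optional[Packet]:
        for (rip, rport, nport), inside in self.conntrack.items():
            if (rip, rport) == (pkt.dst, pkt.dport) and inside == (pkt.src, pkt.sport):
                return self._masquerade(pkt, nport)      # existing session
        if pkt.flags == frozenset({"SYN"}):               # new session opened from inside
            nport = self._next_nat_port
            self._next_nat_port += 1
            self.conntrack[(pkt.dst, pkt.dport, nport)] = (pkt.src, pkt.sport)
            return self._masquerade(pkt, nport)
        self.denied.append(("outbound packet without a session", pkt))
        return None

    def _masquerade(self, pkt: Packet, nat_port: int) -> Packet:
        # The inside address is replaced by the firewall's own; it never reaches the Internet.
        return Packet("out", self.public_ip, pkt.dst, nat_port, pkt.dport, pkt.flags)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if pkt.dst != self.public_ip or inside is None:
            # No inside host opened this session: a bare SYN, a spoofed source
            # or a probe of an unused port all land here and are logged.
            self.denied.append(("unsolicited inbound packet", pkt))
            return None
        return Packet("in", pkt.src, inside[0], pkt.sport, inside[1], pkt.flags)


def demo() -> dict:
    """Constructed scenario: an attacker borrows the partner's address for a fresh SYN."""
    spoofed = Packet("in", PARTNER, FIREWALL_IP, 3333, 21, frozenset({"SYN"}))
    stateless_verdict = packet_filter(spoofed)     # screening router: "allow"

    gw = StatefulGateway(FIREWALL_IP)
    spoof_dropped = gw.process(spoofed) is None    # stateful gateway: dropped, no session

    # Legitimate flow: the inside host opens FTP to the partner and the reply comes back.
    syn = Packet("out", INSIDE_HOST, PARTNER, 51000, 21, frozenset({"SYN"}))
    out = gw.process(syn)
    reply = Packet("in", PARTNER, FIREWALL_IP, 21, out.sport, frozenset({"SYN", "ACK"}))
    back = gw.process(reply)
    return {
        "stateless_allows_spoof": stateless_verdict == "allow",
        "stateful_drops_spoof": spoof_dropped,
        "nat_hides_inside_addr": out.src == FIREWALL_IP and out.dport == 21,
        "reply_delivered_to_inside": back is not None and back.dst == INSIDE_HOST and back.dport == 51000,
        "denied_log_entries": len(gw.denied),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script. The screening router lets the spoofed SYN through because its rule can only look at the claimed source and the port; the stateful gateway drops it and writes a log entry because no connection-table entry exists, while the real session from the inside host is translated to the firewall's public address on the way out and mapped back to the inside host on the way in.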



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -

We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.6.5 Mitigating Network-Related Threats

The assessment recommended that HGA:

  • require stronger I&A for dial-in access or, alternatively, that a restricted version of the mail utility be provided for dial-in, which would prevent a user from including files in outgoing mail messages;
  • replace its current modem pool with encrypting modems, and provide each dial-in user with such a modem; and
  • work with the mainframe agency to install a similar encryption capability for server-to-mainframe communications over the WAN.

As with previous risk assessment recommendations, HGA's management tasked COG to analyze the costs, benefits, and impacts of addressing the vulnerabilities identified in the risk assessment. HGA eventually adopted some of the risk assessment's recommendations, while declining others. In addition, HGA decided that its policy on handling time and attendance information needed to be clarified, strengthened, and elaborated, with the belief that implementing such a policy would help reduce risks of Internet and dial-in eavesdropping. Thus, HGA developed and issued a revised policy, stating that users are individually responsible for ensuring that they do not transmit disclosure-sensitive information outside of HGA's facilities via e-mail or other means. It also prohibited them from examining or transmitting e-mail containing such information during dial-in sessions and developed and promulgated penalties for noncompliance.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated