R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 13, 2015

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - State Department Wants to Compile Cybersecurity 'Playbook' - The State Department, fresh off the heels of a highly publicized cyberintrusion, is picking industry's brain for tactics to block and perhaps strike back at hackers, according to new contracting documents. http://www.nextgov.com/cybersecurity/2015/09/state-department-wants-compile-cybersecurity-playbooks/120251/

FYI - Court tosses suit against UCLA health system over exposed patient data - The University of California Los Angeles Health System is not to blame for Norma Lozano's medical records being accessed without authorization and distributed to her ex-boyfriend among others, a California court ruled Thursday. http://www.scmagazine.com/patient-accused-ucla-health-of-lax-security-after-unauthorized-access-to-medical-records/article/436861/

FYI - Arrests Tied to Citadel, Dridex Malware - Authorities in Europe have arrested alleged key players behind the development and deployment of sophisticated banking malware, including Citadel and Dridex. http://krebsonsecurity.com/2015/09/arrests-tied-to-citadel-dridex-malware/

FYI - DHS awards Univ. of Houston $2.6M contract for DDoS research - The University of Houston was awarded a $2.6 million contract from the Department of Homeland Security (DHS) Science and Technology (S&T) Directorate to develop technologies to defend emergency response systems from distributed denial-of-service (DDoS) attacks. http://www.scmagazine.com/university-of-houstons-26m-contract-part-of-dhs-ddosd-program/article/437395/

FYI - How corporate fears of hacks just created Silicon Valley's newest $1 billion startup - Okta receives a $75 million investment, the latest sign companies are scrambling for cybersecurity software that can prevent them from becoming the next Ashley Madison, Sony or Target. Don't want to become the next Ashley Madison? Silicon Valley thinks you need to upgrade your security. http://www.cnet.com/news/how-corporate-fears-of-hacks-just-created-silicon-valleys-newest-1-billion-startup/

FYI - Cyber-crime empties pockets of UK businesses about £2.8bn per year - Allianz Global has claimed in its report that cyber-crime costs UK businesses about £2.8 billion annually, and also accounts for 16 percent of gross domestic product (GDP). The global economy also feels the impact with £289.6 billion annual costs. http://www.scmagazine.com/cyber-crime-empties-pockets-of-uk-businesses-about-28bn-per-year/article/437761/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Former Tesla engineer charged with hacking and leaking data - A former Tesla Motors mechanical engineer is facing federal charges in a San Jose District Court on two counts of felony computer intrusion, and one count of misdemeanor computer intrusion. http://www.scmagazine.com/ex-tesla-employee-faces-computer-intrusion-charges/article/437059/

FYI - Fiat Chrysler recalls 7,810 SUVs for software issues - Customers have been asked to check on the software updates site of the UConnect telematics system. http://www.computerworld.com/article/2980348/telematics/fiat-chrysler-recalls-7810-suvs-for-software-issues.html

FYI - Firefox zero-days exposed after attacker compromises privileged account - An attacker compromised a privileged Mozilla account to break into the company's Bugzilla bug tracker tool and steal “security-sensitive information,” the company disclosed in a Friday blog post. http://www.scmagazine.com/mozilla-firefox-confirms-breach-of-bugzilla-data/article/437077/

FYI - Excellus BlueCross BlueShield announces breach, 10.5M records at risk - Rochester, NY-based Excellus Bluecross BlueShield (BCBS) and affiliate Lifetime Healthcare Companies (LTHC) have been breached. http://www.scmagazine.com/excellus-bluecross-blueshield-announces-breach-105m-records-at-risk/article/437651/

FYI - Eight Cal State campuses, 79K students impacted in vendor breach - About 79,000 California State University (CSU) students in eight campuses are being notified that their data could have been exposed in a breach of We End Violence, a violence prevention education organization. http://www.scmagazine.com/eight-cal-state-campuses-79k-students-impacted-in-vendor-breach/article/437779/


WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Dispute Resolution

The institution should consider including in the contract a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as provide for continuation of services during the dispute resolution period.

Indemnification

Indemnification provisions generally require the financial institution to hold the service provider harmless from liability for the negligence of the institution, and vice versa. These provisions should be reviewed to reduce the likelihood of potential situations in which the institution may be liable for claims arising as a result of the negligence of the service provider.

Limitation of Liability

Some service provider standard contracts may contain clauses limiting the amount of liability that can be incurred by the service provider. If the institution is considering such a contract, consideration should be given to whether the damage limitation bears an adequate relationship to the amount of loss the financial institution might reasonably experience as a result of the service provider's failure to perform its obligations.



FFIEC IT SECURITY -

We continue the series from the FDIC "Security Risks Associated with the Internet."

Product Certification and Security Scanning Products

Several organizations exist which independently assess and certify the adequacy of firewalls and other computer system related products. Typically, certified products have been tested for their ability to permit and sustain business functions while protecting against both common and evolving attacks.

Security scanning tools should be run frequently by system administrators to identify any new vulnerabilities or changes in the system. Ideally, the scan should be run both with and without the firewall in place so the firewall's protective capabilities can be fully evaluated. Identifying the susceptibility of the system without the firewall is useful for determining contingency procedures should the firewall ever go down. Some scanning tools have different versions with varying degrees of intrusion/attack attempts.
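The two comparisons the FDIC text calls for (a scan with the firewall against a scan without it, and this week's scan against last week's) are easy to automate once the scan output is in a tabular form. The script below is an added example, not part of the FDIC guidance or of any scanner's own tooling: it assumes a constructed one-line-per-service report format ("host port/proto state service"), uses placeholder addresses, and embeds three sample reports so it runs offline. `firewall_coverage` lists which services the firewall shields and which remain reachable through it; `exposure_delta` lists services that opened or closed since the previous scan, which is the "changes in the system" an administrator wants flagged.

```python
"""Compare simplified scan reports: firewall vs. no firewall, and run vs. run.

Added example, not FDIC/FFIEC text. The report format below is constructed
for this example ("host port/proto state service", one entry per line);
adapt parse_scan() to whatever your scanner actually emits.
"""
from typing import Dict, Set, Tuple

Service = Tuple[str, str]  # (host, "port/proto")

# Constructed sample reports with placeholder addresses (not real scan output).
SCAN_NO_FIREWALL_PREVIOUS = """\
10.0.0.5 22/tcp open ssh
10.0.0.5 80/tcp open http
10.0.0.5 443/tcp open https
10.0.0.5 3306/tcp open mysql
"""

SCAN_NO_FIREWALL_CURRENT = """\
10.0.0.5 22/tcp open ssh
10.0.0.5 80/tcp open http
10.0.0.5 443/tcp open https
10.0.0.5 3306/tcp open mysql
10.0.0.5 8080/tcp open http-proxy
"""

SCAN_WITH_FIREWALL_CURRENT = """\
10.0.0.5 22/tcp filtered ssh
10.0.0.5 80/tcp open http
10.0.0.5 443/tcp open https
10.0.0.5 3306/tcp filtered mysql
10.0.0.5 8080/tcp open http-proxy
"""


def parse_scan(text: str) -> Dict[Service, str]:
    """Map (host, port/proto) -> state for every non-blank, non-comment line."""
    result: Dict[Service, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, state, *_service = line.split()
        result[(host, port)] = state
    return result


def exposed(scan: Dict[Service, str]) -> Set[Service]:
    """Services a remote scanner could actually reach (state 'open')."""
    return {svc for svc, state in scan.items() if state == "open"}


def firewall_coverage(without_fw: Dict[Service, str],
                      with_fw: Dict[Service, str]) -> Tuple[Set[Service], Set[Service]]:
    """Split the no-firewall exposure into what the firewall shields and what
    it still lets through. The 'shielded' set is exactly what would become
    reachable if the firewall went down, i.e. the contingency-planning list."""
    shielded = exposed(without_fw) - exposed(with_fw)
    still_exposed = exposed(without_fw) & exposed(with_fw)
    return shielded, still_exposed


def exposure_delta(previous: Dict[Service, str],
                   current: Dict[Service, str]) -> Tuple[Set[Service], Set[Service]]:
    """Services newly open since the last run, and services that have closed."""
    newly_open = exposed(current) - exposed(previous)
    closed = exposed(previous) - exposed(current)
    return newly_open, closed


def summarize(label: str, services: Set[Service]) -> str:
    """One report line per category, sorted for stable output."""
    listing = ", ".join(f"{h}:{p}" for h, p in sorted(services)) or "(none)"
    return f"{label}: {listing}"


if __name__ == "__main__":
    prev = parse_scan(SCAN_NO_FIREWALL_PREVIOUS)
    now_open = parse_scan(SCAN_NO_FIREWALL_CURRENT)
    now_fw = parse_scan(SCAN_WITH_FIREWALL_CURRENT)

    shielded, still_exposed = firewall_coverage(now_open, now_fw)
    print(summarize("Shielded by firewall (exposed if it fails)", shielded))
    print(summarize("Reachable through firewall", still_exposed))

    newly_open, closed = exposure_delta(prev, now_open)
    print(summarize("Newly open since previous scan", newly_open))
    print(summarize("Closed since previous scan", closed))
```

In the sample data the firewall shields ssh and mysql, while http, https and a newly appeared http-proxy on 8080 remain reachable; the run-to-run comparison flags 8080 as the change to investigate. Services reported as "filtered" are deliberately not counted as exposed, so a firewall that merely drops packets still shows up as shielding the port.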


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -

We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.7 Summary

This chapter has illustrated how many of the concepts described in previous chapters might be applied in a federal agency. An integrated example concerning a Hypothetical Government Agency (HGA) has been discussed and used as the basis for examining a number of these concepts. HGA's distributed system architecture and its uses were described. The time and attendance application was considered in some detail.

For context, some national and agency-level policies were referenced. Detailed operational policies and procedures for computer systems were discussed and related to these high-level policies. HGA assets and threats were identified, and a detailed survey of selected safeguards, vulnerabilities, and risk mitigation actions were presented. The safeguards included a wide variety of procedural and automated techniques, and were used to illustrate issues of assurance, compliance, security program oversight, and inter-agency coordination.

As illustrated, effective computer security requires clear direction from upper management. Upper management must assign security responsibilities to organizational elements and individuals and must formulate or elaborate the security policies that become the foundation for the organization's security program. These policies must be based on an understanding of the organization's mission priorities and the assets and business operations necessary to fulfill them. They must also be based on a pragmatic assessment of the threats against these assets and operations. A critical element is assessment of threat likelihoods. These are most accurate when derived from historical data, but must also anticipate trends stimulated by emerging technologies.

A good security program relies on an integrated, cost-effective collection of physical, procedural, and automated controls. Cost-effectiveness requires targeting these controls at the threats that pose the highest risks while accepting other residual risks. The difficulty of applying controls properly and in a consistent manner over time has been the downfall of many security programs. This chapter has provided numerous examples in which major security vulnerabilities arose from a lack of assurance or compliance. Hence, periodic compliance audits, examinations of the effectiveness of controls, and reassessments of threats are essential to the success of any organization's security program.


PLEASE NOTE:

Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated