R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 16, 2018

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration test complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

- House Approves DHS Authority to Address Supply Chain Risk, Bar Contractors - The House of Representatives on Tuesday agreed by voice vote to approve HR 6430, the Securing the Homeland Security Supply Chain Act of 2018, which grants the Department of Homeland Security (DHS) Secretary authority to exclude certain contractors from doing business with the Federal government to address “urgent national security interests” and curb supply chain risks. https://www.meritalk.com/articles/dhs-supply-chain-risk-bill-approved/

How did Equifax, a consumer reporting agency, respond to that event? Equifax said that it investigated factors that led to the breach and tried to identify and notify people whose personal information was compromised. https://www.gao.gov/products/GAO-18-559?utm_campaign=usgao_email&utm_content=topci_infosec&utm_medium=email&utm_source=govdelivery

When cybersecurity pros go bad, Silence cybergang makes noise with $800,000 in ATM thefts - A low-profile cybergang appropriately named Silence specializing in ATM bank theft and possibly comprised of two former or current cybersecurity workers has so far stolen more than $800,000 during a two-year-long crime spree.  https://www.scmagazine.com/home/news/when-cybersecurity-pros-go-bad-silence-cybergang-makes-noise-with-800000-in-atm-thefts/

Russian man extradited to U.S. for ‘massive’ financial hacking campaign - A Russian man allegedly part of a series of hacks targeting the financial industry and resulting in the theft of data on more than 80 million people, has been extradited from the nation of Georgia to the U.S., the Manhattan U.S. Attorney’s office said. https://www.scmagazine.com/home/news/russian-man-extradited-to-u-s-for-massive-financial-hacking-campaign/

White House further restricts mobile devices in West Wing - he proclivity of former White House aide Omarosa Manigault Newman to record conversations with colleagues, including the president and her firing in the Situation Room by Chief of Staff John Kelly, has prompted the administration to further restrict staffers use of mobile devices in the West Wing. https://www.scmagazine.com/home/news/white-house-further-restricts-mobile-devices-in-west-wing/

‘Pass’ words: Philadelphia Eagles are the NFL team most often referenced in credentials - Proud Philadelphia Eagles fans might want to think of a more secure way to honor their Super Bowl-winning NFL franchise than using their team name as a user password. https://www.scmagazine.com/home/news/pass-words-philadelphia-eagles-are-the-nfl-team-most-often-referenced-in-credentials/


FYI - Hackers steal data on 380,000 British Airways customers - British Airways has resolved an August breach that resulted in data being stolen from about 380,000 customers and the company is treating a probe of the incident with some “urgency.” https://www.scmagazine.com/home/news/hackers-steal-data-on-380000-british-airways-customers/

Park by Phone data breach affects 5,000 customers - A data breach at Cork City Park by Phone service in Ireland has affected more than 5,000 people. https://www.scmagazine.com/home/news/park-by-phone-data-breach-affects-5000-customers/

Veeam MongoDB left unsecured, 440 million records exposed - The Swiss-based data company Veeam exposed more than 445 million records when it used a misconfigured MongoDB hosted on Amazon Web Services that did not require any password to access. https://www.scmagazine.com/home/news/veeam-mongodb-left-unsecured-440-million-records-exposed/

Canadian town bows to ransomware attack, will pay attackers - The small Canadian town of Midland, Ontario plans to pay off the malicious actors who shut down the municipalities compute system with a ransomware attack on Sept. 1. https://www.scmagazine.com/home/news/canadian-town-bows-to-ransomware-attack-will-pay-attackers/

Return to the top of the newsletter

Fair Housing Act

  A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.
  Home Mortgage Disclosure Act (Regulation C)
  The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

This phase ranks the risk (outcomes and probabilities) presented by various scenarios produced in the analysis phase to prioritize management's response. Management may decide that since some risks do not meet the threshold set in their security requirement, they will accept those risks and not proceed with a mitigation strategy. Other risks may require immediate corrective action. Still others may require mitigation, either fully or partially, over time. Risks that warrant action are addressed in the information security strategy.
  In some borderline instances, or if planned controls cannot fully mitigate the risk, management may need to review the risk assessment and risk ranking with the board of directors or a delegated committee. The board should then document its acceptance of the risk or authorize other risk mitigation measures.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
17.3.2 External Access Controls
 External access controls are a means of controlling interactions between the system and outside people, systems, and services. External access controls use a wide variety of methods, often including a separate physical device (e.g., a computer) that is between the system being protected and a network. Port Protection Devices
 Fitted to a communications port of a host computer, a port protection device (PPD) authorizes access to the port itself, prior to and independent of the computer's own access control functions. A PPD can be a separate device in the communications stream, or it may be incorporated into a communications device (e.g., a modem). PPDs typically require a separate authenticator, such as a password, in order to access the communications port.
 One of the most common PPDs is the dial-back modem. A typical dial-back modem sequence follows: a user calls the dial-back modem and enters a password. The modem hangs up on the user and performs a table lookup for the password provided. If the password is found, the modem places a return call to the user (at a previously specified number) to initiate the session. The return call itself also helps to protect against the use of lost or compromised accounts. This is, however, not always the case. Malicious hackers can use such advance functions as call forwarding to reroute calls.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.