R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 25, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b); the penetration study also satisfies the resilience testing expectations of the FFIEC Cybersecurity Assessment Tool.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- Sixth Circuit: Nationwide insurance co.'s breach victims have standing to sue - A federal appeals court has reinstated a class-action lawsuit against Nationwide Mutual Insurance Company after concluding that individuals whose personal data was exposed in a 2012 breach have sufficient standing to sue for damages. http://www.scmagazine.com/sixth-circuit-nationwide-insurance-cos-breach-victims-have-standing-to-sue/article/523571/

Cybersecurity unemployment rate at zero - A Cybersecurity Ventures study stated there will be 1 million cybersecurity jobs open worldwide in 2016, with the vast majority of these being in the United States. This figure is expected to rise to 1.5 million by 2019. http://www.scmagazine.com/cybersecurity-unemployment-rate-at-zero/article/523542/

Cyber-attacks now cost enterprises US $861K per security incident - On average, a single cyber-security incident now costs large businesses US $861,000 (£652,000). Meanwhile, small and medium businesses (SMBs) pay $86,500 (£65,500). http://www.scmagazine.com/cyber-attacks-now-cost-enterprises-us-861k-per-security-incident/article/522461/

Ponemon study: business innovation and IT security often do not go hand in hand - Micro Focus has released research in partnership with the Ponemon Institute which claims business innovation and IT security often do not go hand in hand. http://www.scmagazine.com/ponemon-study-business-innovation-and-it-security-often-do-not-go-hand-in-hand/article/523991/

Krebs website withstands historically large DDoS attack; enormous botnet suspected - Cybersecurity blog site KrebsOnSecurity, a frequent target of hackers, was barraged on Tuesday evening by an extraordinary distributed denial of service (DDoS) attack boasting a bandwidth between 620 and 665 Gbps – one of the largest such attacks in history. http://www.scmagazine.com/krebs-website-withstands-historically-large-ddos-attack-enormous-botnet-suspected/article/524285/

76% of security pros believe threat intelligence should be shared - Many security professionals believe that they have a moral responsibility to share threat intelligence. http://www.scmagazine.com/76-of-security-pros-believe-threat-intelligence-should-be-shared/article/524265/

Global data breaches up 15 percent in first half of 2016 - Data breaches were up 15 percent during the first half of 2016 compared to the previous six months, Gemalto researchers reported, noting there was a total of 974 worldwide breaches compromising more than 554 million combined data records. http://www.scmagazine.com/researchers-spot-global-uptick-in-data-breaches-in-first-half-of-2016/article/524451/


FYI - ClixSense breached through old server, 6.6M users potentially affected - ClixSense, a company that pays people to take surveys, reported it was breached with several million users being affected. http://www.scmagazine.com/clixsense-breached-through-old-server-66m-users-potentially-affected/article/522622/

Eurekalert news service attacked - Scientific news service EurekAlert suffered a breach which saw the login details of thousands of journalists stolen. The company has now reformed the technology behind its website and is promising a brand new login system. http://www.scmagazine.com/eurekalert-news-service-attacked/article/523266/

Hairy situation: Just For Men website rigged to redirect to RIG Exploit Kit - Executives at Combe Incorporated may have sprung a few new gray hairs after learning that the website for its Just for Men brand of hair coloring products was compromised to serve up malware. http://www.scmagazine.com/hairy-situation-just-for-men-website-rigged-to-redirect-to-rig-exploit-kit/article/524173/

324K Regpack users' info compromised when decrypted files placed on public-facing server - Independent Security Researcher Troy Hunt spotted a database containing the information of nearly 324,000 Regpack accounts. http://www.scmagazine.com/324k-regpack-users-info-compromised-when-decrypted-files-placed-on-public-facing-server/article/524144/

Yahoo breach; State-sponsored actors suspected, at least 500 million accounts affected - On the cusp of a $4.8 billion acquisition by Verizon, Internet company Yahoo today disclosed an immense data breach in which a state-sponsored actor is believed to have broken into the company's network in late 2014 and stolen a copy of account information belonging to at least 500 million users. http://www.scmagazine.com/yahoo-breach-state-sponsored-actors-suspected-at-least-500-million-accounts-affected/article/524464/


We conclude our review of the FDIC paper "Risk Assessment Tools and Practices of Information System Security." We hope you have found this series useful.
 INCIDENT RESPONSE - Discusses implementing an incident response strategy for the response component of an institution's information security program. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution. In developing a response strategy or plan, management should consider the following:
 1) The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity. The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents.
 2) The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse.
 3) Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuse.
 4) A recovery plan should be established, and in some cases, an incident response team should be identified.
 5) The plan should include procedures to officially report the incidents to senior management, the board of directors, legal counsel, and law enforcement agents as appropriate.
 FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail your company a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.


We continue our series on the FFIEC interagency Information Security Booklet.  

A firewall is a collection of components (computers, routers, and software) that mediate access between different security domains. All traffic between the security domains must pass through the firewall, regardless of the direction of the flow. Since the firewall serves as a choke point for traffic between security domains, it is ideally situated to inspect and block traffic and to coordinate activities with network IDS.
Financial institutions have four primary firewall types from which to choose: packet filtering, stateful inspection, proxy servers, and application-level firewalls. Any product may have characteristics of one or more firewall types. The selection of firewall type depends on many characteristics of the security zone, such as the amount of traffic, the sensitivity of the systems and data, and the applications in use.  Over the next few weeks we will discuss the different types of firewalls.
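As an added illustration, not taken from the FFIEC booklet or from this newsletter, the Python below models the first two firewall types against one policy: internal hosts may open HTTPS connections outward, nothing else. The addresses, ports and rules are constructed for the example. A stateless packet filter judges every packet on its own, so to let HTTPS replies back in it must open a standing hole (any source port 443 to any high port), and an attacker who sets a source port of 443 walks straight through it. A stateful inspection filter remembers the flows its rules approved and admits only their return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed networks for the example: the institution's LAN and "anywhere".
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    """A TCP packet reduced to the fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        # The 4-tuple a reply to this packet would carry.
        return Packet(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sports: Tuple[int, int] = (0, 65535)      # inclusive source-port range
    dports: Tuple[int, int] = (0, 65535)      # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1])


class PacketFilter:
    """Stateless packet filter: first matching rule wins, default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def allows(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        return False


class StatefulFilter(PacketFilter):
    """Stateful inspection: remembers flows the rules approved and admits
    their replies without needing a standing inbound rule.
    Simplification (assumption of this example): no TCP flag tracking,
    no state timeouts, no protocol field."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.flows: Set[Packet] = set()

    def allows(self, p: Packet) -> bool:
        if p.reverse() in self.flows:        # reply to an approved outbound flow
            return True
        if super().allows(p):                # new flow permitted by the rule base
            self.flows.add(p)
            return True
        return False


# Policy: internal hosts may reach any HTTPS server.
WEB_ONLY = [Rule("allow", INTERNAL, ANY, dports=(443, 443))]
# The extra rule a stateless filter needs so that HTTPS replies get back in.
WEB_ONLY_WITH_REPLY_HOLE = WEB_ONLY + [
    Rule("allow", ANY, INTERNAL, sports=(443, 443), dports=(1024, 65535)),
]

# Constructed traffic: a legitimate connection, its reply, and an unsolicited
# probe from a different host that spoofs source port 443 to fit the hole.
outbound = Packet("10.1.0.5", 51000, "203.0.113.10", 443)
reply = outbound.reverse()
unsolicited = Packet("198.51.100.7", 443, "10.1.0.5", 51000)


def demo() -> dict:
    """Returns (outbound, reply, unsolicited) verdicts for each filter design."""
    stateless = PacketFilter(WEB_ONLY)
    stateless_hole = PacketFilter(WEB_ONLY_WITH_REPLY_HOLE)
    stateful = StatefulFilter(WEB_ONLY)
    return {
        "stateless": (stateless.allows(outbound), stateless.allows(reply),
                      stateless.allows(unsolicited)),
        "stateless_hole": (stateless_hole.allows(outbound), stateless_hole.allows(reply),
                           stateless_hole.allows(unsolicited)),
        # Order matters for the stateful filter: the outbound packet creates the state.
        "stateful": (stateful.allows(outbound), stateful.allows(reply),
                     stateful.allows(unsolicited)),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15s} outbound={verdicts[0]} reply={verdicts[1]} unsolicited={verdicts[2]}")
```

The strict stateless rule base blocks the legitimate reply; the stateless rule base with the reply hole admits both the reply and the spoofed probe; only the stateful filter admits the reply and still blocks the probe. That is the practical reason the booklet lists stateful inspection separately from packet filtering, and why a review of a packet-filtering firewall should look for exactly these "any source port N to high ports" rules.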


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.


8.4.2 Development/Acquisition

 For most systems, the development/acquisition phase is more complicated than the initiation phase. Security activities can be divided into three parts:
 - determining security features, assurances, and operational practices;
 - incorporating these security requirements into design specifications; and
 - actually acquiring them.
 These divisions apply to systems that are designed and built in house, to systems that are purchased, and to systems developed using a hybrid approach.
 During this phase, technical staff and system sponsors should actively work together to ensure that the technical designs reflect the system's security needs.  As with the development and incorporation of other system requirements, this process requires an open dialogue between technical staff and system sponsors. It is important to address security requirements effectively in synchronization with development of the overall system.

 Determining Security Requirements
 During the first part of the development / acquisition phase, system planners define the requirements of the system. Security requirements should be developed at the same time. These requirements can be expressed as technical features (e.g., access controls), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training). System security requirements, like other system requirements, are derived from a number of sources including law, policy, applicable standards and guidelines, functional needs of the system, and cost-benefit tradeoffs.
 Law. Besides specific laws that place security requirements on information, such as the Privacy Act of 1974, there are laws, court cases, legal opinions, and other similar legal material that may affect security directly or indirectly.
 Policy. As discussed in Chapter 5, management officials issue several different types of policy. System security requirements are often derived from issue-specific policy.
 Standards and Guidelines. International, national, and organizational standards and guidelines are another source for determining security features, assurances, and operational practices. Standards and guidelines are often written in an "if…then" manner (e.g., if the system is encrypting data, then a particular cryptographic algorithm should be used). Many organizations specify baseline controls for different types of systems, such as administrative, mission- or business-critical, or proprietary. As required, special care should be given to interoperability standards.
 Functional Needs of the System. The purpose of security is to support the function of the system, not to undermine it. Therefore, many aspects of the function of the system will produce related security requirements.
 Cost-Benefit Analysis. When considering security, cost-benefit analysis is done through risk assessment, which examines the assets, threats, and vulnerabilities of the system in order to determine the most appropriate, cost-effective safeguards (that comply with applicable laws, policy, standards, and the functional needs of the system). Appropriate safeguards are normally those whose anticipated benefits outweigh their costs. Benefits and costs include monetary and nonmonetary issues, such as prevented losses, maintaining an organization's reputation, decreased user friendliness, or increased system administration.
 Risk assessment, like cost-benefit analysis, is used to support decision-making. It helps managers select cost-effective safeguards. The extent of the risk assessment, like that of other cost-benefit analyses, should be commensurate with the complexity and cost (normally an indicator of complexity) of the system and the expected benefits of the assessment.
 Risk assessment can be performed during the requirements analysis phase of a procurement or the design phase of a system development cycle. Risk should also normally be assessed during the development/acquisition phase of a system upgrade. The risk assessment may be performed once or multiple times, depending upon the project's methodology.
 Care should be taken in differentiating between security risk assessment and project risk analysis. Many system development and acquisition projects analyze the risk of failing to successfully complete the project - a different activity from security risk assessment.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated