R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 1, 2017

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI
- Rate of data compromise revealed: 121 records per sec; defenders lagging - More data records have been breached in the first six months of 2017 than the whole of 2016. The Gemalto Breach Level Index reports that this amounts to an astonishing 121 records lost or stolen every second of every day. https://www.scmagazine.com/rate-of-data-compromise-revealed-121-records-per-sec-defenders-lagging/article/694967/

Manchester police still relies on Windows XP - Greater Manchester Police told the BBC that 1,518 of its PCs ran the ageing operating system, representing 20.3% of all the office computers it used. http://www.bbc.com/news/technology-41306321

Equifax hackers likely in network since March - It took Equifax 141 days to discover a breach that exposed the data of 143 million U.S. consumers with hackers likely accessing the credit monitoring firm's systems in March, a full two months before Equifax originally said they did. https://www.scmagazine.com/equifax-hackers-likely-in-network-since-march/article/690471/

Equifax CEO Richard Smith Resigns After Uproar Over Massive - Equifax Inc. Chief Executive Officer Richard Smith stepped down, joining other senior managers who left the credit-reporting company in the wake of an uproar over the theft of private data on 143 million Americans. https://www.bloomberg.com/news/articles/2017-09-26/equifax-ceo-smith-resigns-barros-named-interim-chief-after-hack

All the Ways Equifax Epically Bungled Its Breach Response - The breach of the credit monitoring firm Equifax, which exposed extensive personal data for 143 million people, is the worst corporate data breach to date. https://www.wired.com/story/equifax-breach-response/

SEC chairman defends timing of agency's breach disclosure to Senators - Chairman of the Securities and Exchange Commission Jay Clayton confirmed in testimony before the Senate Banking Committee on Tuesday that a 2016 breach of the regulatory body's EDGAR document filing system was made possible due to a defect in custom software code that was subsequently remediated. https://www.scmagazine.com/sec-chairman-defends-timing-of-agencys-breach-disclosure-to-senators/article/695870/

Cleartext passwords, and worse found among top 21 financial trading apps - A Senior Security Consultant analyzed 21 of the most used and well-known mobile trading apps available on the Apple and Google Play Store and found serious vulnerabilities, some of which could allow an attacker to compromise a user's account and or view their trading strategies. https://www.scmagazine.com/researcher-finds-top-mobile-trading-apps-plagued-with-vulnerabilities/article/695879/

GAO - Federal Information Security: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices
Report: http://www.gao.gov/products/GAO-17-549 
Highlights: http://www.gao.gov/assets/690/687460.pdf 
Podcast: http://www.gao.gov/multimedia/podcasts/687356 


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - No accounting for this: Deloitte's email server reportedly breached - The email system of accounting giant and professional services firm Deloitte was breached last year, giving unknown actors access to some of its clients' sensitive communications, data, and internal documentation.  That the New York-based company is considered among the premier firms specializing in cybersecurity consulting makes the breach all the more embarrassing and perhaps damaging to Deloitte's brand.
https://www.scmagazine.com/no-accounting-for-this-deloittes-email-server-reportedly-breached/article/695503/
http://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/

Remotely locked Apple devices being held for ransom - Some Apple product owners have found themselves on the receiving end of a new ransom attack that has someone locking their device most likely using stolen iCloud credentials and the initiating the Find My iPhone remote lock feature. https://www.scmagazine.com/remotely-locked-apple-devices-being-held-for-ransom/article/690314/

Paramount Pictures, Comedy Central, MTV and hundreds more exposed in Viacom AWS leak - A mishandling of Viacom's master AWS key has left the credentials of hundreds of digital properties, including Comedy Central, Paramount, MTV and other entertainment companies, exposed. https://www.scmagazine.com/viacom-exposes-paramount-pictures-comedy-central-mtv-and-hundreds-more-in-aws-leak/article/690117/

SEC systems breach may aided have insider trading - Hackers breached the U.S. Security and Exchange Commission's EDGAR document filing system and may have used nonpublic information stored on the database to profit from insider trading, the regulatory body disclosed on Wednesday. https://www.scmagazine.com/sec-systems-breach-may-aided-have-insider-trading/article/690317/

New Verizon leak exposed confidential data on internal systems - Confidential and sensitive documents, including server logs and several instances of credentials for internal systems, were found on an unprotected Amazon S3 storage server controlled by a Verizon Wireless customer. http://www.zdnet.com/article/another-verizon-leak-exposed-confidential-data-on-internal-systems/

Adobe accidentally releases private PGP key - The firm's security team failed in a spectacular fashion. Adobe has earned mockery after accidentally posting its private PGP key on the firm's official security blog. http://www.zdnet.com/article/adobe-accidentally-releases-private-pgp-key/

Sonic Drive-In latest to be hit in POS data breach - Sonic Drive-In is investigating a possible point-of-sale (POS) breach that has led to customer payment card information being sold on a dark web market. https://www.scmagazine.com/sonic-drive-in-latest-to-be-hit-in-pos-data-breach/article/696180/


Return to the top of the newsletter

WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 2 of 3)
  
  Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
  Internet-related fraudulent schemes present a substantial risk to the reputation of any financial institution that is impersonated or spoofed. Financial institution customers and potential customers may mistakenly perceive that weak information security resulted in security breaches that allowed someone to obtain confidential information from the financial institution. Potential negative publicity regarding an institution's business practices may cause a decline in the institution's customer base, a loss in confidence or costly litigation.
  
  In addition, customers who fall prey to e-mail and Internet-related fraudulent schemes face real and immediate risk. Criminals will normally act quickly to gain unauthorized access to financial accounts, commit identity theft, or engage in other illegal acts before the victim realizes the fraud has occurred and takes action to stop it.
  
  Educating Financial Institution Customers About E-Mail and Internet-Related Fraudulent Schemes
  
Financial institutions should consider the merits of educating customers about prevalent e-mail and Internet-related fraudulent schemes, such as phishing, and how to avoid them. This may be accomplished by providing customers with clear and bold statement stuffers and posting notices on Web sites that convey the following messages:
  
  !  A financial institution's Web page should never be accessed from a link provided by a third party. It should only be accessed by typing the Web site name, or URL address, into the Web browser or by using a "book mark" that directs the Web browser to the financial institution's Web site.
  !  A financial institution should not be sending e-mail messages that request confidential information, such as account numbers, passwords, or PINs. Financial institution customers should be reminded to report any such requests to the institution.
  !  Financial institutions should maintain current Web site certificates and describe how the customer can authenticate the institution's Web pages by checking the properties on a secure Web page.


Return to the top of the newsletter

FFIEC IT SECURITY
-
We continue our series on the FFIEC interagency Information Security Booklet.
 
 
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
 
 
Measurement and Interpretation of Test Results. Institutions should design tests to produce results that are logical and objective. Results that are reduced to metrics are potentially more precise and less subject to confusion, as well as being more readily tracked over time. The interpretation and significance of test results are most useful when tied to threat scenarios. Traceability. Test results that indicate an unacceptable risk in an institution's security should be traceable to actions subsequently taken to reduce the risk to an acceptable level.
 
 Thoroughness. Institutions should perform tests sufficient to provide a high degree of assurance that their security plan, strategy and implementation is effective in meeting the security objectives. Institutions should design their test program to draw conclusions about the operation of all critical controls. The scope of testing should encompass all systems in the institution's production environment and contingency plans and those systems within the institution that provide access to the production environment.
 
 Frequency. Test frequency should be based on the risk that critical controls are no longer functioning. Factors to consider include the nature, extent, and results of prior tests, the value and sensitivity of data and systems, and changes to systems, policies and procedures, personnel, and contractors. For example, network vulnerability scanning on highrisk systems can occur at least as frequently as significant changes are made to the network.


Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
 
 12.3.3 Secure Communications Facilities
 
 Incidents can range from the trivial to those involving national security. Often when exchanging information about incidents, using encrypted communications may be advisable. This will help prevent the unintended distribution of incident-related information. Encryption technology is available for voice, fax, and e-mail communications.
 
 12.4 Interdependencies
 
 An incident handling capability generally depends upon other safeguards presented in this handbook. The most obvious is the strong link to other components of the contingency plan. The following paragraphs detail the most important of these interdependencies.
 
 Contingency Planning. As discussed in the introduction to this chapter, an incident handling capability can be viewed as the component of contingency planning that deals with responding to technical threats, such as viruses or hackers. Close coordination is necessary with other contingency planning efforts, particularly when planning for contingency processing in the event of a serious unavailability of system resources.
 
 Support and Operations. Incident handling is also closely linked to support and operations, especially user support and backups. For example, for purposes of efficiency and cost savings, the incident handling capability is often co-operated with a user "help desk." Also, backups of system resources may need to be used when recovering from an incident.
 
 Training and Awareness. The training and awareness program can benefit from lessons learned during incident handling. Incident handling staff will be able to help assess the level of user awareness about current threats and vulnerabilities. Staff members may be able to help train system administrators, system operators, and other users and systems personnel. Knowledge of security precautions (resulting from such training) helps reduce future incidents. It is also important that users are trained what to report and how to report it.
 
 Risk Management. The risk analysis process will benefit from statistics and logs showing the numbers and types of incidents that have occurred and the types of controls that are effective in preventing incidents. This information can be used to help select appropriate security controls and practices.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated