R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 7, 2018

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration test complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

- National Cybersecurity Awareness Month kicks off - Everyone may enjoy tricks or treats in October, but in order to cut down on the tricks, at least of the cyber variety, this is also the start of the 15th annual National Cybersecurity Awareness Month. https://www.scmagazine.com/home/news/national-cybersecurity-awareness-month-kicks-off/

Exposed! Open and misconfigured servers in the cloud - Tesla had one. Robocent had one. Walmart had one. GoDaddy had one. Misconfigured servers and databases in the cloud – exposing with critical information – are trending on the internet. https://www.scmagazine.com/home/news/exposed/

White House touts release of National Cyber Strategy - Eager to demonstrate a commitment to cybersecurity amidst criticisms over vulnerable election infrastructure, the White House yesterday unveiled its National Cyber Strategy. https://www.scmagazine.com/home/news/white-house-touts-release-of-national-cyber-strategy/

Uber efforts to hide breach, delayed notification leads to $148M fine, settlement - A yearlong delay in notifying its drivers that their personal information was stolen by hackers will cost Uber $148 million, according to a settlement reached by the ride-sharing service and all 50 states and the District of Columbia. https://www.scmagazine.com/home/news/uber-efforts-to-hide-breach-delayed-notification-leads-to-148m-fine-settlement/

Do you know where your data is? - Protecting data on overseas cloud servers and navigating aggressive regulation promise to keep tech lawyers employed for years to come, if the EU’s quick succession of Privacy Shield, GDPR and the forthcoming ePrivacy Regulation provides any indication of what’s in store. https://www.scmagazine.com/home/news/do-you-know-where-your-data-is-2/

Secret Service warns banks of ATM ‘Wiretapping’ attacks - Just over a month after the FBI began warning global banks to be on the lookout for the “Unlimited” ATM Cashout Blitz attacks that could drain the machines of all their holdings, the Secret Service is warning financial institutions of a surge in ATM “Wiretapping” attacks. https://www.scmagazine.com/home/news/secret-service-warns-banks-of-atm-wiretapping-attacks/

SaaS application security architectures are broken - Throughout 2017 and 2018 cyberattackers have attacked and successfully breached a wide variety of cloud infrastructure and software-as-a-service (SaaS) applications. https://www.scmagazine.com/home/opinions/saas-application-security-architectures-are-broken/

Financial Conduct Authority fines Tesco Bank £16.4m over 2016 security breach - The Financial Conduct Authority (FCA) has slapped a £16.4m fine on Tesco Bank for the security vulnerabilities that led to millions of pounds being pilfered from thousands of customers’ online accounts two years ago. https://www.theregister.co.uk/2018/10/01/fca_fines_tesco_bank_164m_for_2016_security_breach/

DOD has lost 4,000 civilian cyber workers in the past year - The Defense Department lost thousands of civilian cyber workers in the past year, mainly in IT management and computer science-related positions, a senior defense official testified at a Sept. 26 Senate hearing. https://defensesystems.com/articles/2018/09/28/cyber-workforce-dod-williams.aspx

Halt, who goes there? Identity access management - In the heady days of the 1970s, no one passed through the doors of Studio 54 without famously being vetted by the trendy club’s bouncers – and with good reason. https://www.scmagazine.com/home/news/halt-who-goes-there-identity-access-management/


FYI - Port of San Diego investigating cyberattack - The Port of San Diego is probing a cyberattack similar to the costly SamSam attack that crippled systems and services in Atlanta earlier this year. https://www.scmagazine.com/home/news/port-of-san-diego-probing-cyberattack/

DDoS attacks against NATO likely DNS amplification or NTP reflection, expert suggests - A distributed denial-of-service (DDoS) attack carried out against various NATO websites on Sunday was likely a Domain Name Server (DNS) amplification attack or a Network Time Protocol (NTP) reflection attack – or possibly some combination of both – according to a DDoS expert. https://www.scmagazine.com/home/news/ddos-attacks-against-nato-likely-dns-amplification-or-ntp-reflection-expert-suggests/

Facebook breach exposes info on 50M users - A breach at Facebook that was uncovered Tuesday has exposed information on almost 50 million users, forcing 90 million users to log out of their accounts to safeguard their data. https://www.scmagazine.com/home/news/facebook-breach-exposes-info-on-50m-users/

Chegg forces password reset on 40 million users - Educational technology company Chegg is resetting the passwords for 40 million of its users after news broke last week that the firm was breached in April of this year. https://www.scmagazine.com/home/news/chegg-forces-password-reset-on-40-million-users/

Exploited server in SingHealth cyber attack did not get security update for 14 months, COI finds - A server exploited by hackers to ultimately reach SingHealth's critical system, leading to Singapore's worst data breach in June, had not received the necessary security software updates for more than a year. https://www.straitstimes.com/singapore/hacked-singhealth-server-had-not-had-security-update-for-14-months-cyber-attack-coi-finds

Canada’s Recipe Unlimited hit with cyberattack forcing some locations to close - The Canadian restaurant chains owned by Recipe Unlimited were hit late last week with a cyberattack that has forced some of its locations to temporarily close. https://www.scmagazine.com/home/news/canadas-recipe-unlimited-hit-with-cyberattack-forcing-some-locations-to-close/

Return to the top of the newsletter

Disclosures/Notices (Part 2 of 2)
  In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

  Action Summary - Financial institutions should develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include
  1)  Cost comparisons of different strategic approaches appropriate to the institution's environment and complexity,
  2)  Layered controls that establish multiple control points between threats and organization assets, and
  3)  Policies that guide officers and employees in implementing the security program.
  An information security strategy is a plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. Typical steps to building a strategy include the definition of control objectives, the identification and assessment of approaches to meet the objectives, the selection of controls, the establishment of benchmarks and metrics, and the preparation of implementation and testing plans.
  The selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation. The cost comparison typically contrasts the costs of various approaches with the perceived gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data. Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance. Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
17.4 Administration of Access Controls
 17.4.2 Decentralized Administration
 In decentralized administration, access is directly controlled by the owners or creators of the files, often the functional manager. This keeps control in the hands of those most accountable for the information, most familiar with it and its uses, and best able to judge who needs what kind of access. This may lead, however, to a lack of consistency among owners/creators as to procedures and criteria for granting user accesses and capabilities. Also, when requests are not processed centrally, it may be much more difficult to form a systemwide composite view of all user accesses on the system at any given time. Different application or data owners may inadvertently implement combinations of accesses that introduce conflicts of interest or that are in some other way not in the organization's best interest. It may also be difficult to ensure that all accesses are properly terminated when an employee transfers internally or leaves an organization.
 17.4.3 Hybrid Approach
 A hybrid approach combines centralized and decentralized administration. One typical arrangement is that central administration is responsible for the broadest and most basic accesses, and the owners/creators of files control types of accesses or changes in users' abilities for the files under their control. The main disadvantage to a hybrid approach is adequately defining which accesses should be assignable locally and which should be assignable centrally.
 17.5 Coordinating Access Controls
 It is vital that access controls protecting a system work together. At a minimum, three basic types of access controls should be considered: physical, operating system, and application. In general, access controls within an application are the most specific. However, for application access controls to be fully effective they need to be supported by operating system access controls. Otherwise access can be made to application resources without going through the application. Operating system and application access controls need to be supported by physical access controls.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.