R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 9, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Is your web site compliant with the Americans with Disabilities Act?  For the past 20 years, our web site audits have included the guidelines of the ADA.  To help reduce any liability, please contact me for more information at examiner@yennik.com.

FFIEC Announces Webinars in Observance of Cybersecurity Awareness Month - The Federal Financial Institutions Examination Council will host two webinars for financial institutions in October in recognition of National Cybersecurity Awareness Month. www.ffiec.gov/press/pr100616.htm

End-of-support devices on networks weakening cyberdefenses - Nearly three-quarters of businesses have end-of-support devices operating in their networks and the consequences could prove dire, a new study found. http://www.scmagazine.com/end-of-support-devices-on-networks-weakening-cyberdefenses-report/article/525610/

86% of over-55s worldwide think they're safe from cyber-criminals - Nearly all (86 percent) over-55s don't believe that they're targets for cyber-criminals. http://www.scmagazine.com/86-of-over-55s-worldwide-think-theyre-safe-from-cyber-criminals/article/525439/

GAO - Information Security: FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk.
Report: http://www.gao.gov/products/GAO-16-513
Highlights: http://www.gao.gov/assets/680/679358.pdf

ISACA programme aims to attract more women into technology professions - For some time women have been underrepresented in technology, but a new programme seeks to change that by connecting women in technology. http://www.scmagazine.com/isaca-programme-aims-to-attract-more-women-into-technology-professions/article/525769/

Europol's IOCTA report says cyber-crime on a sharp rise - Europol has released its yearly Internet Organised Crime Threat Assessment (IOCTA) report, which this year has highlighted a sharp incline in cyber-crime and identified eight cyber-crime trends. http://www.scmagazine.com/europols-iocta-report-says-cyber-crime-on-a-sharp-rise/article/525770/

NIST offers cyber self-assessment tool, updates email security guidance - The National Institute of Standards and Technology has long been a national resource on cybersecurity, and its Cybersecurity Framework has been widely adopted in both government and private industry.

Vast majority of Americans unsettled about data breaches - A new study found significant concerns around data breaches among 1,200 survey participants. http://www.scmagazine.com/vast-majority-of-americans-unsettled-about-data-breaches/article/526441/

National Cyber Security Centre HQ operational - The UK's new National Cyber Security Centre (NCSC) officially opens for business today as a public-facing part of GCHQ that acts as a focal point for the government to deliver authoritative advice on tackling cyber-security issues. http://www.scmagazineuk.com/ncsc-will-be-based-in-the-nova-office-and-shopping-complex-near-victoria-station-in-london/article/526405/

SANS calls for admins to secure IoT devices as manufacturers drag feet - With the timer set for a potential wave of high-powered, IoT-botnet-fueled DDoS attacks triggered by the release of the Mirai source code, SANS Institute researchers are calling on system administrators to do their part in securing connected devices, as they feel manufacturers have dragged their feet in addressing the issue. http://www.scmagazine.com/sans-calls-admins-to-arms-in-fight-of-iot-botnet-threat/article/527190/


FYI - Yahoo! data breach likely exceeds 500 million records - InfoArmor is reporting that the Yahoo! data breach likely contains millions more records than the 500-million figure now being bandied about and the total number of user records that have been stolen by the various groups involved in this and other recent hacks could total 3.5 billion. http://www.scmagazine.com/yahoo-data-breach-likely-exceeds-500-million-records/article/525990/

Popular Russian boxing website compromised - A cybercriminal could be risking a serious beating by compromising the popular Russian boxing site allboxing[.]ru with a redirect to a third-party site containing a Russian banking trojan. http://www.scmagazine.com/popular-russian-boxing-website-compromised/article/525998/

Record-breaking DDoS reportedly delivered by >145k hacked cameras - Last week, security news site KrebsOnSecurity went dark for more than 24 hours following what was believed to be a record 620 gigabit-per-second denial of service attack brought on by an ensemble of routers, security cameras, or other so-called Internet of Things devices. http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/

NSA contractor nabbed for pilfering agency codes - A National Security Agency (NSA) contractor who worked for the same firm as Edward Snowden was recently arrested for allegedly stealing classified computer codes in 2014 that facilitate hacking into foreign government networks. http://www.scmagazine.com/nsa-contractor-nabbed-for-pilfering-agency-codes/article/527208/

ICO fines TalkTalk £400K for theft of customer data last year - Due to its poor data security, which led to the theft of the personal data of over 150,000 customers last year, TalkTalk has been fined £400,000 by the Information Commissioner's Office (ICO). http://www.scmagazine.com/ico-fines-talktalk-400k-for-theft-of-customer-data-last-year/article/527059/


We continue our series on the FFIEC interagency Information Security Booklet.  

Hardware and software located in a user department are often less secure than that located in a computer room. Distributed hardware and software environments (e.g., local area networks or LANs) that offer a full range of applications for small financial institutions as well as larger organizations are commonly housed throughout the organization, without special environmental controls or raised flooring. In such situations, physical security precautions are often less sophisticated than those found in large data centers, and overall building security becomes more important. Internal control procedures are necessary for all hardware and software deployed in distributed, and less secure, environments. The level of security surrounding any IS hardware and software should depend on the sensitivity of the data that can be accessed, the significance of applications processed, the cost of the equipment, and the availability of backup equipment.

Because of their portability and location in distributed environments, PCs often are prime targets for theft and misuse. The location of PCs and the sensitivity of the data and systems they access determine the extent of physical security required. For PCs in unrestricted areas such as a branch lobby, a counter or divider may provide the only barrier to public access. In these cases, institutions should consider securing PCs to workstations, locking or removing disk drives, and using screensaver passwords or automatic timeouts. Employees also should have only the access to PCs and data they need to perform their job. The sensitivity of the data processed or accessed by the computer usually dictates the level of control required. The effectiveness of security measures depends on employee awareness and enforcement of these controls.

An advantage of PCs is that they can operate in an office environment, providing flexible and informal operations. However, as with larger systems, PCs are sensitive to environmental factors such as smoke, dust, heat, humidity, food particles, and liquids. Because they are not usually located within a secure area, policies should be adapted to provide protection from ordinary contaminants.

Other environmental problems to guard against include electrical power surges and static electricity. The electrical power supply in an office environment is sufficient for a PC's requirements. However, periodic fluctuations in power (surges) can cause equipment damage or loss of data. PCs in environments that generate static electricity are susceptible to static electrical discharges that can cause damage to PC components or memory.


We continue our series on the FFIEC interagency Information Security Booklet.  

Stateful Inspection Firewalls

Stateful inspection firewalls are packet filters that monitor the state of the TCP connection.  Each TCP session starts with an initial handshake communicated through TCP flags in the header information. When a connection is established, the firewall adds the connection information to a table. The firewall can then compare future packets to the connection or state table. This essentially verifies that inbound traffic is in response to requests initiated from inside the firewall.
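The connection-table logic described above, as an added simulation that is not part of the FFIEC booklet or Yennik's material: a toy stateful filter keeps a table keyed by the TCP 4-tuple, lets only a SYN from the inside network create an entry, and admits inbound packets only when they match an existing entry. The network prefix, addresses, ports and the packet trace are all constructed for the example, and the handshake is simplified (the entry is marked established on the SYN-ACK rather than on the final ACK).

```python
"""Toy stateful inspection filter (added example, not FFIEC or Yennik code).

It keeps a connection table keyed by the TCP 4-tuple. Only a SYN from the
inside network may create an entry; inbound packets are admitted only when
they match an existing entry, which is what makes unsolicited inbound
connection attempts fail. All addresses and ports below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

INSIDE_PREFIX = "10.0.0."  # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class Conn:
    state: str                                       # "SYN_SENT" or "ESTABLISHED"
    fin_seen: Set[str] = field(default_factory=set)  # directions that have sent FIN


ConnKey = Tuple[str, int, str, int]


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def conn_key(pkt: Packet) -> ConnKey:
    """Normalise the 4-tuple so both directions of one connection share a key."""
    if is_inside(pkt.src):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


def filter_packet(pkt: Packet, table: Dict[ConnKey, Conn]) -> str:
    """Return "ALLOW" or "DROP" and update the state table as a side effect."""
    outbound = is_inside(pkt.src)
    key = conn_key(pkt)
    conn = table.get(key)

    if conn is None:
        # Only an outbound SYN may open state; anything else is unsolicited.
        if outbound and pkt.flags == {"SYN"}:
            table[key] = Conn("SYN_SENT")
            return "ALLOW"
        return "DROP"

    if "RST" in pkt.flags:        # either side aborts: forget the connection
        del table[key]
        return "ALLOW"

    if conn.state == "SYN_SENT":
        if outbound and pkt.flags == {"SYN"}:          # client retransmit
            return "ALLOW"
        if not outbound and pkt.flags == {"SYN", "ACK"}:
            conn.state = "ESTABLISHED"  # simplified: don't wait for the final ACK
            return "ALLOW"
        return "DROP"                 # out-of-sequence packet during handshake

    # ESTABLISHED: data flows both ways until both sides have sent FIN.
    if "FIN" in pkt.flags:
        conn.fin_seen.add("out" if outbound else "in")
        if len(conn.fin_seen) == 2:
            del table[key]
    return "ALLOW"


def run_scenario() -> List[str]:
    """Constructed packet trace: one legitimate session plus an unsolicited inbound SYN."""
    F = frozenset
    inside, web, scanner = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    trace = [
        Packet(inside, 40000, web, 443, F({"SYN"})),          # ALLOW, state created
        Packet(web, 443, inside, 40000, F({"SYN", "ACK"})),   # ALLOW, established
        Packet(inside, 40000, web, 443, F({"ACK"})),          # ALLOW
        Packet(scanner, 5555, inside, 22, F({"SYN"})),        # DROP, no state for it
        Packet(web, 443, inside, 40000, F({"ACK"})),          # ALLOW, reply data
        Packet(inside, 40000, web, 443, F({"FIN", "ACK"})),   # ALLOW, half-closed
        Packet(web, 443, inside, 40000, F({"FIN", "ACK"})),   # ALLOW, entry removed
        Packet(web, 443, inside, 40000, F({"ACK"})),          # DROP, connection gone
    ]
    table: Dict[ConnKey, Conn] = {}
    return [filter_packet(p, table) for p in trace]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The fourth packet in the trace is the case the booklet's last sentence is about: a SYN arriving from outside with no matching entry is dropped even though nothing else about it is unusual, while the reply packets for the session the inside host opened pass. Once both FINs have been seen the entry is removed, so a late packet on the same 4-tuple is dropped as well.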
Proxy Server Firewalls

Proxy servers act as an intermediary between internal and external IP addresses and block direct access to the internal network. Essentially, they rewrite packet headers to substitute the IP of the proxy server for the IP of the internal machine and forward packets to and from the internal and external machines. Due to that limited capability, proxy servers are commonly employed behind other firewall devices. The primary firewall receives all traffic, determines which application is being targeted, and hands off the traffic to the appropriate proxy server. Common proxy servers are the domain name server (DNS), Web server (HTTP), and mail (SMTP) server. Proxy servers frequently cache requests and responses, providing potential performance benefits. Additionally, proxy servers provide another layer of access control by segregating the flow of Internet traffic to support additional authentication and logging capability, as well as content filtering. Web and e-mail proxy servers, for example, are capable of filtering for potential malicious code and application-specific commands.
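The header rewrite, caching, logging and content filtering that the paragraph attributes to a Web proxy, as an added simulation that is not part of the FFIEC booklet or Yennik's material. The proxy address, client and server addresses, request payloads and the two "malicious content" markers are constructed stand-ins; a real proxy would use signature or reputation feeds rather than a two-entry tuple.

```python
"""Toy application proxy (added example, not FFIEC or Yennik code).

Internal clients never talk to the outside directly: the proxy rewrites the
source address to its own, keeps a translation table so replies can be mapped
back, caches responses, logs every exchange, and filters reply content.
All addresses, payloads and "malicious" markers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROXY_IP = "192.0.2.1"                      # constructed: the only address the outside sees
BLOCKED_MARKERS = (b"<script>", b"MZ\x90")  # constructed: stand-ins for content signatures


@dataclass(frozen=True)
class Message:
    src: str      # "ip" or "ip:port"
    dst: str
    payload: bytes


class WebProxy:
    def __init__(self) -> None:
        self.next_port = 50000
        # proxy port -> (client ip, server ip, request payload)
        self.nat: Dict[int, Tuple[str, str, bytes]] = {}
        self.cache: Dict[Tuple[str, bytes], bytes] = {}
        self.log: List[str] = []

    def request(self, msg: Message) -> Tuple[str, Message]:
        """Client -> server. Answer from cache, or rewrite the header and forward."""
        key = (msg.dst, msg.payload)
        if key in self.cache:
            self.log.append(f"{msg.src} -> {msg.dst}: cache hit")
            return "CACHED", Message(msg.dst, msg.src, self.cache[key])
        port = self.next_port
        self.next_port += 1
        self.nat[port] = (msg.src, msg.dst, msg.payload)
        self.log.append(f"{msg.src} -> {msg.dst}: forwarded as {PROXY_IP}:{port}")
        # Header rewrite: the internal address is replaced by the proxy's own.
        return "FORWARDED", Message(f"{PROXY_IP}:{port}", msg.dst, msg.payload)

    def response(self, msg: Message) -> Optional[Message]:
        """Server -> proxy. Map the reply back to the client unless it is filtered."""
        if ":" not in msg.dst:
            self.log.append(f"{msg.src}: reply without a proxy port dropped")
            return None
        port = int(msg.dst.rsplit(":", 1)[1])
        if port not in self.nat:
            self.log.append(f"{msg.src}: reply for unknown mapping dropped")
            return None
        client, server, req_payload = self.nat.pop(port)
        if any(marker in msg.payload for marker in BLOCKED_MARKERS):
            self.log.append(f"{server} -> {client}: blocked by content filter")
            return None
        self.cache[(server, req_payload)] = msg.payload
        self.log.append(f"{server} -> {client}: delivered")
        return Message(server, client, msg.payload)


def run_scenario() -> List[str]:
    """Constructed exchange: a cacheable page, a cache hit, and a filtered download."""
    proxy = WebProxy()
    web = "203.0.113.10"
    _, out = proxy.request(Message("10.0.0.5", web, b"GET /index.html"))
    proxy.response(Message(web, out.src, b"<html>hello</html>"))
    proxy.request(Message("10.0.0.6", web, b"GET /index.html"))   # served from cache
    _, out = proxy.request(Message("10.0.0.5", web, b"GET /tool.exe"))
    proxy.response(Message(web, out.src, b"MZ\x90\x00..."))       # blocked
    return proxy.log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Two things the booklet's sentences imply become visible in the trace: the external server only ever sees `192.0.2.1:<port>`, never `10.0.0.5`, and a reply that does not match an entry in the translation table has nowhere to go and is dropped, which is the "block direct access to the internal network" property. The filter runs on the reply before it is cached, so a blocked response is never served to a later client from the cache.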


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
Obtaining the System and Related Security Activities

During this phase, the system is actually built or bought. If the system is being built, security activities may include developing the system's security aspects, monitoring the development process itself for security problems, responding to changes, and monitoring threats. Threats or vulnerabilities that may arise during the development phase include Trojan horses, incorrect code, poorly functioning development tools, manipulation of code, and malicious insiders.

If the system is being acquired off the shelf, security activities may include monitoring to ensure security is a part of market surveys, contract solicitation documents, and evaluation of proposed systems. Many systems use a combination of development and acquisition. In this case, security activities include both sets.

As the system is built or bought, choices are made about the system which can affect security. These choices include selection of specific off-the-shelf products, finalizing an architecture, or selecting a processing site or platform. Additional security analysis will probably be necessary.

In addition to obtaining the system, operational practices need to be developed. These refer to human activities that take place around the system, such as contingency planning, awareness and training, and preparing documentation. The chapters in the Operational Controls section of this handbook discuss these areas. These areas, like technical specifications, should be considered from the beginning of the development and acquisition phase.

In federal government contracting, it is often useful if personnel with security expertise participate as members of the source selection board to help evaluate the security aspects of proposals.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.