R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 14, 2018

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

IT network administrator job in the Houston area - If you know of someone who would like to work as a network administrator in a community bank, please contact me, Kinney Williams, at examiner@yennik.com.  All inquiries will be kept confidential.

FYI - GAO report slams Department of Defense cybersecurity practices - Securing the upcoming election against cyberattack or influence is rightfully garnering a great deal of attention, but a recent General Accounting Office (GAO) report indicates the United States is doing a poor job building weapon systems resistant to cyberattack. https://www.scmagazine.com/home/news/gao-report-slams-department-of-defense-cybersecurity-practices/

Alabama Gov. Kay Ivey announces state's first security operations center - The state becomes one of about a dozen that have opened a SOC, creating a "one-stop shop" for cybersecurity resources and talent. https://statescoop.com/alabama-gov-kay-ivey-announces-states-first-security-operations-center

Augmented reality could help solve the cybersecurity talent gap - The threat of increasing cyberattacks has driven up demand for talented and experienced security professionals. By next year, PwC predicts there will be 1.5 million unfilled job openings. https://www.scmagazine.com/home/news/augmented-reality-could-help-solve-the-cybersecurity-talent-gap/

Weak passwords outlawed out West, California law aims to secure IoT devices - California has just passed a law effectively banning weak passwords and enforcing other security measures to more effectively secure connected devices. https://www.scmagazine.com/home/news/weak-passwords-outlawed-out-west-california-law-aims-to-secure-iot-devices/

Remember that lost memory stick from Heathrow Airport? The terrorist's wet dream? So does the ICO - Operator fined £120k by UK data watchdog - Heathrow Airport Limited (HAL) has been fined £120,000 by the UK's data watchdog for the loss of an unencrypted USB memory stick reportedly containing airport security data. https://www.theregister.co.uk/2018/10/08/ico_fines_heathrow_airport_over_lost_memory_stick/

FYI - China inserts microchips into motherboards used by Apple, CIA, Amazon - A microchip planted by China on Supermicro motherboards used by organizations, including the CIA, the U.S. military, Amazon and Apple, left sensitive information vulnerable to hacking and underscores the importance of locking down the security of the supply chain whose vast tentacles reach out to touch organizations around the globe.

Burgerville discloses year-long data breach, courtesy of FIN7 cybergang - Add fast-casual restaurant chain Burgerville to the list of retail and hospitality companies victimized by the Eastern European cybercrime group FIN7. https://www.scmagazine.com/home/news/burgerville-discloses-year-long-data-breach-courtesy-of-fin7-cybergang/

DDoS Attacks Target Multiple Games including Final Fantasy XIV - A set of DDoS attacks plagued a series of gaming publishers including Final Fantasy XIV's creator Square Enix and Ubisoft, respectively. https://www.scmagazine.com/home/news/ddos-attacks-target-multiple-games-including-final-fantasy-xiv/


Expedited Funds Availability Act (Regulation CC)

  Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

  Any particular approach should consider: (1) policies, standards, and procedures; (2) technology and architecture; (3) resource dedication; (4) training; and (5) testing.

  For example, an institution's management may be assessing the proper strategic approach to intrusion detection for an Internet environment. Two potential approaches were identified for evaluation. The first approach uses a combination of network and host intrusion detection sensors with a staffed monitoring center. The second approach consists of daily access log review. The former alternative is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost. The added cost is entirely appropriate when customer data and institution processing capabilities are exposed to an attack, such as in an Internet banking environment. The latter approach may be appropriate when the primary risk is reputational damage, such as when the only information being protected is an information-only Web site, and the Web site is not connected to other financial institution systems.
  Strategies should consider the layering of controls. Excessive reliance on a single control could create a false sense of confidence. For example, a financial institution that depends solely on a firewall can still be subject to numerous attack methodologies that exploit authorized network traffic. Financial institutions should design multiple layers of security controls and testing to establish several lines of defense between the attacker and the asset being attacked. To successfully attack the data, each layer must be penetrated. With each penetration, the probability of detecting the attacker increases.
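The second approach above, daily access log review, is easy to describe but only useful if the review actually looks for something. The script below is an added example, not part of the FFIEC booklet or this newsletter, showing what a minimal daily review might do: parse a day's web access log, count failed logins per source, note whether a burst of failures was followed by a success, and flag requests for paths the institution treats as sensitive. The log lines, the thresholds, and the list of sensitive path prefixes are all constructed for the example. Because the review runs after the day is over, the findings arrive hours after the events, which is exactly the detection latency the booklet weighs against the cost of a staffed monitoring center.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in Common Log Format; not from any real system.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Oct/2018:02:14:01 -0500] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [13/Oct/2018:02:14:02 -0500] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [13/Oct/2018:02:14:03 -0500] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [13/Oct/2018:02:14:04 -0500] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [13/Oct/2018:02:14:05 -0500] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [13/Oct/2018:02:14:06 -0500] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [13/Oct/2018:09:30:11 -0500] "GET /index.html HTTP/1.1" 200 4096
198.51.100.7 - - [13/Oct/2018:09:30:15 -0500] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [13/Oct/2018:09:30:40 -0500] "POST /login HTTP/1.1" 200 2048
192.0.2.9 - - [13/Oct/2018:11:05:00 -0500] "GET /admin/config HTTP/1.1" 403 128
192.0.2.9 - - [13/Oct/2018:11:05:02 -0500] "GET /.git/config HTTP/1.1" 404 128
"""

# One Common Log Format line: source, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed review parameters for this example; an institution would set its own.
FAILED_LOGIN_THRESHOLD = 5
SENSITIVE_PREFIXES = ("/admin", "/.git")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def review_access_log(text, failed_threshold=FAILED_LOGIN_THRESHOLD):
    """Return the findings a daily reviewer would want to see for one day's log."""
    failed_logins = Counter()          # source -> number of 401s on /login
    success_after_burst = set()        # sources that logged in after reaching the threshold
    sensitive_hits = defaultdict(list) # source -> (path, status) for sensitive paths

    for rec in parse_log(text):
        src, path, status = rec["src"], rec["path"], rec["status"]
        if path == "/login" and status == 401:
            failed_logins[src] += 1
        elif path == "/login" and status == 200 and failed_logins[src] >= failed_threshold:
            success_after_burst.add(src)
        if path.startswith(SENSITIVE_PREFIXES):
            sensitive_hits[src].append((path, status))

    findings = []
    for src, n in failed_logins.items():
        if n >= failed_threshold:
            findings.append({"src": src, "type": "login_failure_burst", "count": n,
                             "followed_by_success": src in success_after_burst})
    for src, hits in sensitive_hits.items():
        findings.append({"src": src, "type": "sensitive_path_probe", "count": len(hits)})
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports one login-failure burst from 203.0.113.5 that ended in a successful login, and two probes of sensitive paths from 192.0.2.9; the single failed login from 198.51.100.7 stays below the threshold and is not reported. A real review would feed the findings into a ticket or an account lockout check, and would also reconcile the log against the authentication server's own records rather than trusting the web tier alone.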
  Policies are the primary embodiment of strategy, guiding decisions made by users, administrators, and managers, and informing those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance in acquiring, configuring, and auditing information systems. Key actions that contribute to the success of a security policy are:
  1)  Implementing through ordinary means, such as system administration procedures and acceptable-use policies;
  2)  Enforcing policy through security tools and sanctions;
  3)  Delineating the areas of responsibility for users, administrators, and managers;
  4)  Communicating in a clear, understandable manner to all concerned;
  5)  Obtaining employee certification that they have read and understood the policy;
  6)  Providing flexibility to address changes in the environment; and
  7)  Conducting annually a review and approval by the board of directors.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
17.4 Administration of Access Controls
 17.6 Interdependencies
 Logical access controls are closely related to many other controls. Several of them have been discussed in the chapter.
 Policy and Personnel. The most fundamental interdependencies of logical access control are with policy and personnel. Logical access controls are the technical implementation of system-specific and organizational policy, which stipulates who should be able to access what kinds of information, applications, and functions. These decisions are normally based on the principles of separation of duties and least privilege.
 Audit Trails. As discussed earlier, logical access controls can be difficult to implement correctly. Also, it is sometimes not possible to make logical access control as precise, or fine-grained, as would be ideal for an organization. In such situations, users may either deliberately or inadvertently abuse their access. For example, access controls cannot prevent a user from modifying data the user is authorized to modify, even if the modification is incorrect. Auditing provides a way to identify abuse of access permissions. It also provides a means to review the actions of system or security administrators.
 Identification and Authentication. In most logical access control scenarios, the identity of the user must be established before an access control decision can be made. The access control process then associates the permissible forms of accesses with that identity. This means that access control can only be as effective as the I&A process employed for the system.
 Physical Access Control. Most systems can be compromised if someone can physically access the machine (i.e., CPU or other major components) by, for example, restarting the system with different software. Logical access controls are, therefore, dependent on physical access controls (with the exception of encryption, which can depend solely on the strength of the algorithm and the secrecy of the key).

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.