R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 23, 2016

Newsletter Content FFIEC IT Security Web Site Audits
Web Site Compliance
 
NIST Handbook
 
Penetration Testing
 
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI
- Is your web site compliant with the American Disability Act?  For the past 20 years, our web site audits have included the guidelines of the ADA.  Help reduce any liability, please contact me for more information at examiner@yennik.com.

Agencies issue advanced notice of proposed rulemaking on enhanced cyber risk management standards - The three federal banking regulatory agencies today approved an advance notice of proposed rulemaking (ANPR) inviting comment on a set of potential enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision. 
Press Release: www.federalreserve.gov/newsevents/press/bcreg/20161019a.htm
Press Release: www.fdic.gov/news/news/press/2016/pr16092.html
Press Release: https://occ.gov/news-issuances/news-releases/2016/nr-ia-2016-131.html
Press Release: www.ncua.gov/newsroom/Pages/news-2016-oct-ffiec-frequently-asked-questions.aspx

Lawmakers question DOJ's appeal of Microsoft Irish data case - Four U.S. lawmakers are questioning a Department of Justice decision to appeal a July court decision quashing a search warrant that would have required Microsoft to disclose contents of emails stored on a server in Ireland. http://computerworld.com/article/3131832/security/lawmakers-question-dojs-appeal-of-microsoft-irish-data-case.html

Enterprises need a culture of cybersecurity, says PCI Security Standards Council - Building a culture of cybersecurity within enterprises is essential in today's fast-paced world of online transactions, according to a blog post on the website of the PCI Security Standards Council. http://www.scmagazine.com/enterprises-need-a-culture-of-cybersecurity-says-pci-security-standards-council/article/560276/

European ATM cyberattacks up 28%, those using dynamite up 30% - The increasing security provided by EMV, or chip cards, may be compelling European criminals to eschew the use of malware in favor of explosives to steal money from ATMs. http://www.scmagazine.com/european-atm-cyberattacks-up-28-those-using-dynamite-up-30/article/560443/

Cybersecurity spending to exceed $100B worldwide by 2020 - nternational Data Corp. (IDC) is forecasting a major uptick in worldwide revenues for companies that produce cybersecurity-related hardware, software and services by 2020. http://www.scmagazine.com/cybersecurity-spending-to-exceed-100b-worldwide-by-2020/article/548358/

Open source products could greatly increase digital risks - Security teams need to focus on keeping their open source libraries up to date after a recent study found that nearly 97 percent of Java applications assessed in the study contained at least one component with a known vulnerability. http://www.scmagazine.com/report-finds-companies-should-manage-application-risks-as-an-enterprise-risks/article/561981/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Personal info on more than 58 million people spills onto the web from data slurp biz - Modern Business Solutions keeping quiet - A US-based data aggregator that trades people's personal information with the automotive industry and real estate companies has seemingly spilled the private information of more than 58 million people online. http://www.theregister.co.uk/2016/10/13/us_data_aggregator_megabreach/

Nearly 6,000 online stores hit by hackers - Thousands of retailers have been hit by credit card detail stealing malware. They way the hackers got in? unpatched software flaws. http://www.scmagazine.com/nearly-6000-online-stores-hit-by-hackers/article/548471/

UK Banks not reporting cyber-attacks - Reuters has reported that UK banks, some of the largest in the world, are not sharing information under reporting attacks by a long way. http://www.scmagazine.com/uk-banks-not-reporting-cyber-attacks/article/561811/

Texas school district's student data potentially compromised - Names, birthdates, social security numbers/state ID numbers, email addresses and zip codes from SunGard students K-12 who attended school in the district during the 2013-2014 school year. http://www.scmagazine.com/texas-school-districts-student-data-potentially-compromised/article/561969/


Return to the top of the newsletter

WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
 
 Legal and Reputational Risk Management 
 
 To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimize operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers' expectations, banks should therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.


Return to the top of the newsletter

FFIEC IT SECURITY
-
We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

 
 Firewall Services and Configuration
 
 Firewalls may provide some additional services:
 
 ! Network address translation (NAT) - NAT readdresses outbound packets to mask the internal IP addresses of the network. Untrusted networks see a different host IP address from the actual internal address. NAT allows an institution to hide the topology and address schemes of its trusted network from untrusted networks.
 
 ! Dynamic host configuration protocol (DHCP) - DHCP assigns IP addresses to machines that will be subject to the security controls of the firewall.
 
 ! Virtual Private Network (VPN) gateways - A VPN gateway provides an encrypted tunnel between a remote external gateway and the internal network. Placing VPN capability on the firewall and the remote gateway protects information from disclosure between the gateways but not from the gateway to the terminating machines.  Placement on the firewall, however, allows the firewall to inspect the traffic and perform access control, logging, and malicious code scanning.
 
 One common firewall implementation in financial institutions hosting Internet applications is a DMZ, which is a neutral Internet accessible zone typically separated by two firewalls. One firewall is between the institution's private network and the DMZ and then another firewall is between the DMZ and the outside public network. The DMZ constitutes one logical security domain, the outside public network is another security domain, and the institution's internal network may be composed of one or more additional logical security domains. An adequate and effectively managed firewall can ensure that an institution's computer systems are not directly accessible to any on the Internet. 
 
 Financial institutions have a variety of firewall options from which to choose depending on the extent of Internet access and the complexity of their network. Considerations include the ease of firewall administration, degree of firewall monitoring support through automated logging and log analysis, and the capability to provide alerts for abnormal activity.


Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE

 

 
8.4.3.3 Accreditation
 
 System security accreditation is the formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk. It is usually supported by a review of the system, including its management, operational, and technical controls. This review may include a detailed technical evaluation (such as a Federal Information Processing Standard 102 certification, particularly for complex, critical, or high-risk systems), security evaluation, risk assessment, audit, or other such review. If the life cycle process is being used to manage a project (such as a system upgrade), it is important to recognize that the accreditation is for the entire system, not just for the new addition.
 
 The best way to view computer security accreditation is as a form of quality control. It forces managers and technical staff to work together to find the best fit for security, given technical constraints, operational constraints, and mission requirements. The accreditation process obliges managers to make critical decisions regarding the adequacy of security safeguards. A decision based on reliable information about the effectiveness of technical and non-technical safeguards and the residual risk is more likely to be a sound decision.
 
 After deciding on the acceptability of security safeguards and residual risks, the accrediting official should issue a formal accreditation statement. While most flaws in system security are not severe enough to remove an operational system from service or to prevent a new system from becoming operational, the flaws may require some restrictions on operation (e.g., limitations on dial-in access or electronic connections to other organizations). In some cases, an interim accreditation may be granted, allowing the system to operate requiring review at the end of the interim period, presumably after security upgrades have been made.
 
 Sample Accreditation Statement
 In accordance with (Organization Directive), I hereby issue an accreditation for (name of system). This accreditation is my formal declaration that a satisfactory level of operational security is present and that the system can operate under reasonable risk. This accreditation is valid for three years. The system will be re-evaluated annually to determine if changes have occurred affecting its security.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated