R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 1, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Texas State Banks - Commissioner Cooper - Although the Cybersecurity Assessment Tool is a voluntary method for banks to use, measuring risk and preparedness have never been optional elements of banking. Therefore, due to the advanced and increasing trend of cyber threats to the banking system, the Department is requiring that all banks measure their inherent cyber risks and cybersecurity maturity (preparedness) by December 31, 2015.  http://www.dob.texas.gov/public/uploads/files/news/Industrynotices/in2015-08.pdf

FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, an agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - FBI recommends that victims of ransomware pay up - The Federal Bureau of Investigation (FBI) advises companies that fall victim to hacks involving Cryptolocker, Cryptowall or other forms of ransomware to pay the ransom, said Joseph Bonavolonta, an assistant special agent with FBI, speaking at the Cyber Security Summit 2015 in Boston. http://www.scmagazine.com/cheaper-easier-for-hacked-businesses-to-pay-ransom/article/449489/

FYI - Proposed German law: telecoms must store customer data on airgapped servers - Law must pass upper house, president and Europe at large; it'd also require encryption. The German Bundestag (parliament) has passed a controversial law requiring telecoms and Internet companies to store customers' metadata and to make it available to law enforcement agencies investigating "severe crimes." http://arstechnica.com/tech-policy/2015/10/german-parliament-passes-new-comprehensive-data-retention-law/

FYI - OMB Unveils Major Rewrite of Federal IT Policy - The White House on Wednesday unveiled a broad rewrite of the federal government’s strategy for buying, managing and securing agency IT systems. http://www.nextgov.com/cio-briefing/2015/10/omb-unveils-major-rewrite-federal-it-policy/123005/

FYI - Auto industry debates legislation to outlaw car hacking at congressional hearing - Automotive industry professionals debated proposed legislation to address privacy and security in connected automobiles before the U.S. House of Representatives Committee on Energy and Commerce hearing on Wednesday. http://www.scmagazine.com/automotive-execs-debate-measures-in-legislation-that-includes-a-ban-against-car-hacking/article/448571/

FYI - Undermining Security By Attacking Computer Clocks - A team of researchers at Boston University has developed several attacks against the Network Time Protocol that is used to synchronize internal computer clocks on the Internet. http://www.darkreading.com/vulnerabilities---threats/undermining-security-by-attacking-computer-clocks/d/d-id/1322800

FYI - Millennial IT workers are greatest internal risk to companies - Millennial IT professionals who have worked at a single employer for seven years or more pose the greatest internal risk to their company's security, according to a report. http://www.scmagazine.com/report-millennial-it-workers-are-greatest-internal-risk-to-companies/article/448890/

FYI - Silicon Valley's opposition to cybersecurity bill mounts as US Senate prepares to vote - A controversial bill that aims to thwart hacking highlights the tension between the need for security and the desire for privacy. Which matters more to you: curbing the onslaught of daily cyberattacks or protecting your online privacy? http://www.cnet.com/news/silicon-valleys-opposition-to-cybersecurity-bill-mounts-as-us-senate-prepares-to-vote/

FYI - Study highlights poor employee security habits - Beginning in August, CompTIA arranged for 200 unbranded USB sticks to be dropped in public places in various cities across the nation – over the course of a few weeks, 17 percent of consumers plugged a discovered USB stick into their own device. http://www.scmagazine.com/study-highlights-poor-employee-security-habits/article/449783/

FYI - Officers recommend the Army utilize private sector tactics to battle cyberattacks - Two U.S. Army captains are pushing for the Army, the Department of Defense and the federal government to adopt practices currently used by the private sector to help protect sensitive data. http://www.scmagazine.com/officers-recommend-the-army-utilize-private-sector-tactics-to-battle-cyberattacks/article/449758/

FYI - Lessons from the Experian hack - The recent theft of 15 million T-Mobile customers' personal data from credit checking organisation Experian's servers could easily be dismissed as just another hack hitting our headlines almost every day. http://www.scmagazine.com/lessons-from-the-experian-hack/article/449603/

FYI - LOC allows auto hacking, Congress reaction uncertain - The Library of Congress issued new exemptions allowing researchers to hack a car's internal software. The new rule is one of many exemptions to the Digital Millennium Copyright Act, also making it legal for users to hack a smart TV, access medical devices, modify a video game, or jailbreak a smartphone. http://www.scmagazine.com/loc-allows-auto-hacking-congress-reaction-uncertain/article/450385/

FYI - Squealing iKettles reveal owners' Wi-Fi passwords - Adding to the list of insecure IoT devices, security enthusiasts have proven that tweeting kettles reveal Wi-Fi passwords, as, surprise, surprise, they don't have any built-in security. http://www.scmagazine.com/squealing-ikettles-reveal-owners-wifi-passwords/article/449487/

FYI - Wichita schools investigates possible cyber attack - The Wichita, Kansas public school system is investigating a possible hacking attempt on one of its networks that took place on Oct. 23. http://www.scmagazine.com/wichita-schools-investigates-possible-cyber-attack/article/449481/

FYI - Scottish hair salon pays hackers after ransomware attack - Ellen Conlin Hair & Beauty, a Scottish chain of hair salons owned by a husband-wife team, reportedly paid hackers €1,000 in Bitcoin to recover the salon's data. http://www.scmagazine.com/scottish-hair-salon-pays-hackers-after-ransomware-attack/article/450123/

FYI - 13M clients compromised in 000webhost.com hack - The free web hosting site 000webhost.com informed customers yesterday that one of its servers was hacked, compromising its entire database of about 13.5 million clients; an executive at a security firm pinned the problem on outdated software. http://www.scmagazine.com/13m-clients-compromised-in-000webhostcom-hack/article/450383/

FYI - Maine's Yellowfront Grocery hit by breach, other stores may be affected - Yellowfront Grocery in Damariscotta, Maine, notified its customers via Facebook that it had experienced a point-of-sale (POS) breach on Oct 23. http://www.scmagazine.com/yellowfront-grocery-notified-customers-via-facebook-of-pos-breach/article/450345/


We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 3 of 10)

Reputation Risk

Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:

  • nature of the third-party product or service;
  • trade name of the third party; and
  • website appearance.

Nature of Product or Service

When a financial institution provides links to third parties that sell financial products or services, or provide information relevant to these financial products and services, the risk is generally greater than if third parties sell non-financial products and services due to the greater potential for customer confusion. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.

The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.

When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.

Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.


We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review part two of three regarding controls to prevent and detect intrusions.
 4) Attack Profile. Frequently systems are installed with more available components and services than are required for the performance of necessary functions. Banks maintaining unused features may unwittingly enable network penetration by increasing the potential vulnerabilities. To reduce the risk of intrusion, institutions should use the minimum number of system components and services to perform the necessary functions.
 5) Modem Sweep. While access to a system is typically directed through a firewall, sometimes modems are attached to the system directly, perhaps without the knowledge of personnel responsible for security. Those modems can provide an uncontrolled and unmonitored area for attack. Modems that present such vulnerabilities should be identified and either eliminated, or monitored and controlled.
 6) Intrusion Identification. Real-time identification of an attack is essential to minimize damage. Therefore, management should consider the use of real-time intrusion detection software. Generally, this software inspects for patterns or "signatures" that represent known intrusion techniques or unusual system activities. It may not be effective against new attack methods or modified attack patterns. The quality of the software and sophistication of an attack also may reduce the software's effectiveness. To identify intrusions that escape software detection, other practices may be necessary. For example, banks can perform visual examinations and observations of systems and logs for unexpected or unusual activities and behaviors as well as manual examinations of hardware. Since intrusion detection software itself is subject to compromise, banks should take steps to ensure the integrity of the software before it is used.
 7) Firewalls. Firewalls are an important component of network security and can be effective in reducing the risk of a successful attack. The effectiveness of a firewall, however, is dependent on its design and implementation. Because misconfigurations, operating flaws, and the means of attack may render firewalls ineffective, management should consider additional security behind the firewall, such as intrusion identification and encryption.
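Item 6 above draws a line between signature matching, which inspects for fixed patterns of known techniques, and the review of logs for unusual activity that catches what signatures miss. The following added example (not part of the OCC bulletin) runs both over constructed sshd-style log lines: the signature knows only root password guessing, so it misses a burst that cycles through other account names, while a per-source failure count flags that burst anyway.

```python
"""Signature matching vs. behavioural review over constructed auth-log lines."""
import re
from collections import Counter

# Constructed sample lines (not from any real system). The first burst uses the
# root account that the fixed signature knows about; the second burst varies the
# account name, a pattern the signature was never written to match.
SAMPLE_LOG = [
    "Nov  1 10:02:11 bank-gw sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Nov  1 10:02:12 bank-gw sshd[811]: Failed password for root from 203.0.113.7 port 50123 ssh2",
    "Nov  1 10:02:14 bank-gw sshd[812]: Accepted publickey for opsadmin from 192.0.2.15 port 40100 ssh2",
    "Nov  1 10:03:01 bank-gw sshd[813]: Failed password for invalid user backup from 198.51.100.9 port 51000 ssh2",
    "Nov  1 10:03:02 bank-gw sshd[813]: Failed password for invalid user oracle from 198.51.100.9 port 51001 ssh2",
    "Nov  1 10:03:03 bank-gw sshd[813]: Failed password for invalid user admin from 198.51.100.9 port 51002 ssh2",
    "Nov  1 10:03:04 bank-gw sshd[813]: Failed password for invalid user test from 198.51.100.9 port 51003 ssh2",
    "Nov  1 10:03:05 bank-gw sshd[813]: Failed password for invalid user guest from 198.51.100.9 port 51004 ssh2",
]

# A "signature" in the bulletin's sense: one fixed pattern for one known technique.
SIGNATURES = {
    "root-password-guessing": re.compile(r"Failed password for root from (\S+)"),
}

# Generic failed-authentication pattern used for the behavioural count below.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")


def signature_hits(lines):
    """Return {signature_name: {source_ip, ...}} for lines matching a known pattern."""
    hits = {}
    for line in lines:
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                hits.setdefault(name, set()).add(m.group(1))
    return hits


def unusual_activity(lines, threshold=5):
    """Flag sources with >= threshold failed logins, whatever account name they tried."""
    failures = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_LOG))      # only 203.0.113.7
    print("unusual activity:", unusual_activity(SAMPLE_LOG))  # only 198.51.100.9
```

The threshold and the choice of "source IP" as the grouping key are assumptions for illustration; the point is that the second check does not depend on knowing the attack pattern in advance.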


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 2.7 Computer Security Should Be Periodically Reassessed.
 Computers and the environments they operate in are dynamic. System technology and users, data and information in the systems, risks associated with the system and, therefore, security requirements are ever-changing. Many types of changes affect system security: technological developments (whether adopted by the system owner or available for use by others); connecting to external networks; a change in the value or use of information; or the emergence of a new threat.
 In addition, security is never perfect when a system is implemented. System users and operators discover new ways to intentionally or unintentionally bypass or subvert security. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare, and procedures become outdated over time. All of these issues make it necessary to reassess the security of computer systems.
 2.8 Computer Security is Constrained by Societal Factors.
 The ability of security to support the mission of the organization(s) may be limited by various factors, such as social issues. For example, security and workplace privacy can conflict. Commonly, security is implemented on a computer system by identifying users and tracking their actions. However, expectations of privacy vary and can be violated by some security measures. (In some cases, privacy may be mandated by law.)
 Although privacy is an extremely important societal issue, it is not the only one. The flow of information, especially between a government and its citizens, is another situation where security may need to be modified to support a societal goal. In addition, some authentication measures, such as retinal scanning, may be considered invasive in some environments and cultures.
 The underlying idea is that security measures should be selected and implemented with a recognition of the rights and legitimate interests of others. This may involve balancing the security needs of information owners and users with societal goals. However, rules and expectations change with regard to the appropriate use of security controls. These changes may either increase or decrease security.
 The relationship between security and societal norms is not necessarily antagonistic. Security can enhance the access and flow of data and information by providing more accurate and reliable information and greater availability of systems. Security can also increase the privacy afforded to an individual or help achieve other goals set by society.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
