R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 4, 2018

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

FTC Offers Small Businesses Free Cybersecurity Resources - Cybersecurity for Small Businesses campaign kicks off. The Federal Trade Commission's (FTC) newly launched national initiative to educate small business owners about cybersecurity threats and defenses began with a "listening tour" last year. http://www.darkreading.com/vulnerabilities---threats/ftc-offers-small-businesses-free-cybersecurity-resources/d/d-id/1333134

City Pays $2K in Ransomware, Stirs ‘Never Pay’ Debate - Many municipalities hit with ransomware don’t have much of a choice when it comes to paying up, experts say. https://threatpost.com/city-pays-2k-in-ransomware-stirs-never-pay-debate/138527/

Yahoo agrees to $50 million breach settlement, victims eligible for compensation - Yahoo agreed to pay a $50 million settlement and provide two years of credit monitoring services to 200 million people whose information was compromised in the 2013-2014 breach. https://www.scmagazine.com/home/security-news/yahoo-agrees-to-50-million-breach-settlement-victims-eligible-for-compensation/

1 billion reasons why compliance matters - The European Union’s General Data Protection Regulation (GDPR) is starting to show its teeth as regulators evaluate penalties for Facebook after a high-profile security breach of user data. https://www.scmagazine.com/home/opinions/1-billion-reasons-why-compliance-matters/

Court orders Mirai developer to shell out $8.6 million in damages - A federal court last Friday ordered one of the co-developers of the Mirai IoT botnet to pay $8.6 million in restitution and serve six months of home incarceration as punishment for using the malware to launch DDoS attacks against Rutgers University, where he was studying at the time. https://www.scmagazine.com/home/security-news/court-orders-mirai-developer-to-shell-out-8-6-million-in-damages/


FYI - Cathay Pacific data breach exposes PII of 9.4 million customers - Cathay Pacific airline reported a data breach today that affected 9.4 million customers exposing a large range of personally identifiable information and a limited amount of credit card data. https://www.scmagazine.com/home/security-news/cathay-pacific-data-breach-exposes-pii-of-9-4-million-customers/

British Airways data breach victim list grows - British Airways discovered an additional 185,000 customer payment cards had been compromised while investigating an earlier data breach that affected 380,000 customers. https://www.scmagazine.com/home/security-news/british-airways-data-breach-victim-list-grows/

Data breach compromises 64,000 Tomorrowland festival attendees - Threat actors managed to access the information of 64,000 Tomorrowland festival-goers who attended the 2014 event in Boom, Antwerp, Belgium. https://www.scmagazine.com/home/security-news/data-breach-compromises-64000-tomorrowland-festival-attendees/

Federal employee infects gov’t network with Russian malware through adult video websites - An employee at the U.S. Geological Survey (USGS) infected his agency’s network with Russian malware delivered via adult websites. https://www.scmagazine.com/home/security-news/federal-employee-infects-govt-network-with-russian-malware-though-adult-video-websites/

Eurostar customers forced to reset passwords after breach - Eurostar is forcing all of its customers to reset their passwords following an incident in which an unauthorized individual attempted to access user accounts. https://www.scmagazine.com/home/security-news/eurostar-customers-forced-to-reset-passwords-after-breach/

Return to the top of the newsletter

We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

A financial institution's board of directors and senior management should be aware of information security issues and be involved in developing an appropriate information security program. A comprehensive information security policy should outline a proactive and ongoing program incorporating three components: 
1) Prevention
2) Detection
3) Response

Prevention measures include sound security policies, well-designed system architecture, properly configured firewalls, and strong authentication programs. This paper discusses two additional prevention measures: vulnerability assessment tools and penetration analyses. Vulnerability assessment tools generally involve running scans on a system to proactively detect known vulnerabilities such as security flaws and bugs in software and hardware. These tools can also detect holes allowing unauthorized access to a network, or insiders to misuse the system. Penetration analysis involves an independent party (internal or external) testing an institution's information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes. Using vulnerability assessment tools and performing regular penetration analyses will assist an institution in determining what security weaknesses exist in its information systems.

Detection measures involve analyzing available information to determine if an information system has been compromised, misused, or accessed by unauthorized individuals. Detection measures may be enhanced by the use of intrusion detection systems (IDSs) that act as a burglar alarm, alerting the bank or service provider to potential external break-ins or internal misuse of the system(s) being monitored.

Another key area involves preparing a response program to handle suspected intrusions and system misuse once they are detected. Institutions should have an effective incident response program outlined in a security policy that prioritizes incidents, discusses appropriate responses to incidents, and establishes reporting requirements.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

Access Rights Administration (3 of 5)
The enrollment process establishes the user's identity and anticipated business needs to information and systems. New employees, IT outsourcing relationships, and contractors may also be identified, and the business need for access determined during the hiring or contracting process.
During enrollment and thereafter, an authorization process determines user access rights. In certain circumstances the assignment of access rights may be performed only after the manager responsible for each accessed resource approves the assignment and documents the approval. In other circumstances, the assignment of rights may be established by the employee's role or group membership, and managed by pre-established authorizations for that group. Customers, on the other hand, may be granted access based on their relationship with the institution.
Authorization for privileged access should be tightly controlled. Privileged access refers to the ability to override system or application controls. Good practices for controlling privileged access include:
! Identifying each privilege associated with each system component,
! Implementing a process to allocate privileges and allocating those privileges either on a need-to-use or an event-by-event basis,
! Documenting the granting and administrative limits on privileges,
! Finding alternate ways of achieving the business objectives,
! Assigning privileges to a unique user ID apart from the one used for normal business use,
! Logging and auditing the use of privileged access,
! Reviewing privileged access rights at appropriate intervals and regularly reviewing privileged access allocations, and
! Prohibiting shared privileged access by multiple users.
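As an added illustration (not part of the FFIEC booklet or this newsletter), the following Python script runs a periodic review of a privileged-access register against four of the practices listed above: documented approval, a privileged ID separate from the daily-use ID, no shared accounts, and timely review. The register format, account names, privilege names and dates are all constructed for the example.

```python
# Constructed privileged-access register: one record per (account, privilege).
# Account names, privilege names and dates are invented for illustration.
ALLOCATIONS = [
    {"account": "adm-jsmith", "owner": "jsmith", "privilege": "db_override",
     "approved_by": "cio", "last_review": "2018-09-30"},
    {"account": "jsmith", "owner": "jsmith", "privilege": "firewall_admin",
     "approved_by": "netmgr", "last_review": "2018-09-30"},
    {"account": "shared-ops", "owner": None, "privilege": "host_root",
     "approved_by": "itmgr", "last_review": "2018-03-01"},
    {"account": "adm-mlee", "owner": "mlee", "privilege": "host_root",
     "approved_by": None, "last_review": "2018-09-30"},
]

# Constructed set of daily-use (non-privileged) user IDs from the directory.
NORMAL_IDS = {"jsmith", "mlee", "rjones"}


def review_allocations(allocs, normal_ids, review_cutoff):
    """Apply four of the booklet's practices to each allocation and return
    the exceptions as (account, privilege, finding) tuples.

    review_cutoff is an ISO date string; anything last reviewed before it is
    overdue (ISO dates compare correctly as plain strings).
    """
    findings = []
    for a in allocs:
        key = (a["account"], a["privilege"])
        # Documenting the granting of privileges
        if not a.get("approved_by"):
            findings.append(key + ("approval not documented",))
        # Unique privileged ID, separate from the normal business-use ID
        if a["account"] in normal_ids:
            findings.append(key + ("privileged ID is also a daily-use ID",))
        # No shared privileged access: every account needs one accountable owner
        if not a.get("owner"):
            findings.append(key + ("shared account with no individual owner",))
        # Reviewing privileged access rights at appropriate intervals
        if a["last_review"] < review_cutoff:
            findings.append(key + ("access review overdue",))
    return findings


if __name__ == "__main__":
    for account, priv, finding in review_allocations(ALLOCATIONS, NORMAL_IDS, "2018-07-01"):
        print(f"{account:<12} {priv:<15} {finding}")
```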

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.1 Benefits and Objectives
Audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events, intrusion detection, and problem analysis.
An event is any action that happens on a computer system. Examples include logging into a system, executing a program, and opening a file.
18.1.1 Individual Accountability
Audit trails are a technical mechanism that helps managers maintain individual accountability. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log.
For example, audit trails can be used in concert with access controls to identify and provide information about users suspected of improper modification of data (e.g., introducing errors into a database). An audit trail may record "before" and "after" versions of records. (Depending upon the size of the file and the capabilities of the audit logging tools, this may be very resource-intensive.) Comparisons can then be made between the actual changes made to records and what was expected. This can help management determine if errors were made by the user, by the system or application software, or by some other source.
Audit trails work in concert with logical access controls, which restrict use of system resources. Granting users access to particular resources usually means that they need that access to accomplish their job. Authorized access, of course, can be misused, which is where audit trail analysis is useful. While users cannot be prevented from using resources to which they have legitimate access authorization, audit trail analysis is used to examine their actions. For example, consider a personnel office in which users have access to those personnel records for which they are responsible.
Audit trails can reveal that an individual is printing far more records than the average user, which could indicate the selling of personal data. Another example may be an engineer who is using a computer for the design of a new product. Audit trail analysis could reveal that an outgoing modem was used extensively by the engineer the week before quitting. This could be used to investigate whether proprietary data files were sent to an unauthorized party.
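The personnel-office example above, worked through in Python as an added illustration (not from the NIST Handbook): a small audit trail of constructed events is parsed, print volumes are totalled per user, and any user whose volume is far above that of the other users is flagged for follow-up. The log format, user names and record counts are invented for the example; a real log would be an institution's own.

```python
from collections import defaultdict
from statistics import mean

# Constructed audit trail for a personnel office, one event per line:
#   <timestamp> <user> <event> key=value ...   (users and counts are invented)
AUDIT_LOG = """\
2018-11-01T08:02:11 alice LOGIN workstation=HR-07
2018-11-01T08:05:40 alice PRINT records=12
2018-11-01T09:20:19 bob PRINT records=9
2018-11-01T10:07:30 carol PRINT records=15
2018-11-01T11:45:08 dave LOGIN workstation=HR-02
2018-11-01T11:50:00 dave PRINT records=480
2018-11-01T12:10:44 dave PRINT records=350
2018-11-01T13:00:01 alice PRINT records=8
2018-11-01T13:30:00 truncated
"""

def parse_audit_log(text):
    """Yield (user, event, details) per well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # truncated or corrupt entry: skip it, do not abort the review
        _ts, user, event, *rest = parts
        details = dict(kv.split("=", 1) for kv in rest if "=" in kv)
        yield user, event, details

def print_totals(text):
    """Total records printed per user over the period covered by the log."""
    totals = defaultdict(int)
    for user, event, details in parse_audit_log(text):
        if event == "PRINT":
            totals[user] += int(details.get("records", 0))
    return dict(totals)

def flag_heavy_printers(text, factor=5.0):
    """Users whose print volume exceeds `factor` times the mean of all OTHER
    users (leave-one-out, so one outlier cannot inflate its own baseline).
    Returns {user: (records_printed, baseline)}."""
    totals = print_totals(text)
    flagged = {}
    for user, count in totals.items():
        others = [c for u, c in totals.items() if u != user]
        baseline = mean(others) if others else 0.0
        if baseline and count > factor * baseline:
            flagged[user] = (count, round(baseline, 1))
    return flagged
```

The same structure serves the engineer example: replace the PRINT event with the outbound-transfer event the institution logs and total bytes or sessions instead of records.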

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.