R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 12, 2017

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Lawmakers Back Down from Pushing NIST into Cyber Auditing Role - House Science Committee lawmakers have pared back a controversial bill that would have tasked the government's cyber standards agency with auditing federal agencies' cyber protections. http://www.nextgov.com/cybersecurity/2017/10/lawmakers-back-down-pushing-nist-cyber-auditing-role/142187/

Hilton to pay $700,000 over credit card data breaches - Hilton Worldwide Holdings Inc agreed to pay $700,000 and bolster security to resolve probes into two data breaches that exposed more than 363,000 credit card numbers, the attorneys general of New York and Vermont announced on Tuesday. http://www.reuters.com/article/us-hilton-wrldwide-settlement/hilton-to-pay-700000-over-credit-card-data-breaches-idUSKBN1D02L3

Third-party contractor may have deactivated Trump's Twitter account - The person that deactivated President Donald Trump's Twitter account briefly Thursday, originally pegged by the company as human error by an employee, reportedly was instead a third-party contractor. https://www.scmagazine.com/third-party-contractor-may-have-deactivated-trumps-twitter-account/article/705389/

Texas National Guard spent $373,000 on stingray equipment - The Texas National Guard last year spent more than $373,000 to install two of its DRT 1301C “portable receiver systems” in two RC-26 surveillance aircraft. https://www.scmagazine.com/texas-national-guard-used-stingrays-on-surveillance-planes/article/705830/

Americans worry about cybercrime more than they worry about car theft - Americans worry far more about becoming cybercrime victims than about becoming victims of conventional crimes. https://www.scmagazine.com/american-worry-about-cybercrime-more-than-conventional-crime-study/article/706341/

FYI - Another misconfigured Amazon S3 server leaks data of 50,000 Australian employees - Another misconfigured Amazon server has resulted in the exposure of personal data - this time on 50,000 Australian employees that were left unsecure by a third-party contractor. https://www.scmagazine.com/contractor-misconfigures-aws-exposes-data-of-50000-australian-employees/article/704873/

Malaysia investigating reported leak of 46 million mobile users' data - Malaysia is investigating an alleged attempt to sell the data of more than 46 million mobile phone subscribers online, in what appears to be one of the largest leaks of customer data in Asia. http://www.reuters.com/article/us-malaysia-cyber/malaysia-investigating-reported-leak-of-46-million-mobile-users-data-idUSKBN1D13JM

Trump signs Cyber Crime Fighting Act to train up local and state law enforcement - With a flourish of President Donald Trump's pen Thursday, state and local law enforcement got the tools and training needed to fight cybercrime as the Strengthening State and Local Cyber Crime Fighting Act of 2017 became law. https://www.scmagazine.com/trump-signs-cyber-crime-fighting-act-to-train-up-local-and-state-law-enforcement/article/705171/

Asian content distributor Crunchyroll blames DNS hijack for malicious redirection - Asian entertainment website Crunchyroll.com is blaming a DNS hijack attack after site visitors in the early morning of Nov. 4 were redirected to a malicious website designed to infect them with malware. https://www.scmagazine.com/anime-enemy-asian-content-distributor-crunchyroll-blames-dns-hijack-for-malicious-redirection/article/705510/

Estonia suspends national 760,000 ID cards found prone to encryption vulnerability - Estonia on Friday blocked the certificates of 760,000 national ID cards in response to a cryptographic vulnerability that researchers have discovered is even more dangerous than originally reported. https://www.scmagazine.com/estonia-suspends-national-760000-id-cards-found-prone-to-encryption-vulnerability/article/706134/

Hundreds of school websites redirected pro-ISIS web page - Pro-ISIS hackers hijacked the websites of roughly 800 U.S. schools and educational districts on Monday, after compromising their web hosting provider, various news outlets have reported. https://www.scmagazine.com/hundreds-of-school-websites-redirected-pro-isis-web-page/article/705985/


Risk Management of Outsourced Technology Services
  Due Diligence in Selecting a Service Provider
  Some of the factors that institutions should consider when performing due diligence in selecting a service provider are categorized and listed below. Institutions should review the service provider’s due diligence process for any of its significant supporting agents (i.e., subcontractors, support vendors, and other parties). Depending on the services being outsourced and the level of in-house expertise, institutions should consider whether to hire or consult with qualified independent sources. These sources include consultants, user groups, and trade associations that are familiar with products and services offered by third parties. Ultimately, the depth of due diligence will vary depending on the scope and importance of the outsourced services as well as the risk to the institution from these services.


We conclude our series on the FFIEC interagency Information Security Booklet

 Financial institutions should evaluate the information gathered to determine the extent of any required adjustments to the various components of their security program. The institution will need to consider the scope, impact, and urgency of any new threat. Depending on the new threat or vulnerability, the institution will need to reassess the risk and make changes to its security process (e.g., the security strategy, the controls implementation, or the security testing requirements).
 Institution management confronts routine security issues and events on a regular basis. In many cases, the issues are relatively isolated and may be addressed through an informal or targeted risk assessment embedded within an existing security control process. For example, the institution might assess the risk of a new operating system vulnerability before testing and installing the patch. More systemic events like mergers, acquisitions, new systems, or system conversions, however, would warrant a more extensive security risk assessment. Regardless of the scope, the potential impact and the urgency of the risk exposure will dictate when and how controls are changed.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 13.5 Education

 Security education is more in-depth than security training and is targeted for security professionals and those whose jobs require expertise in security.
 Techniques. Security education is normally outside the scope of most organization awareness and training programs. It is more appropriately a part of employee career development. Security education is obtained through college or graduate classes or through specialized training programs. Because of this, most computer security programs focus primarily on awareness and training, as does the remainder of this chapter.
 13.6 Implementation

 An effective computer security awareness and training (CSAT) program requires proper planning, implementation, maintenance, and periodic evaluation. The following seven steps constitute one approach for developing a CSAT program.
 Step 1: Identify Program Scope, Goals, and Objectives.
 Step 2: Identify Training Staff.
 Step 3: Identify Target Audiences.
 Step 4: Motivate Management and Employees.
 Step 5: Administer the Program.
 Step 6: Maintain the Program.
 Step 7: Evaluate the Program.

Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
