R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 27, 2016

Newsletter Content FFIEC IT Security Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- Is your web site compliant with the American Disability Act?  For the past 20 years, our bank web site audits have covered the ADA guidelines.  Help reduce any liability, please contact me for more information at examiner@yennik.com

Cybercrime lab debuts in Manhattan DA's office - Being touted as the first of its kind in the country, a cybercrime lab has opened in the office of the Manhattan district attorney. https://www.scmagazine.com/cybercrime-lab-debuts-in-manhattan-das-office/article/573810/

Inadequate cyber-security budgets 'putting NHS patients at risk' - Some NHS trusts were spending as much as 100,000 a year on cyber-security in 2015 while others were spending nothing, according to figures collated by Sky News. https://www.scmagazine.com/inadequate-cyber-security-budgets-putting-nhs-patients-at-risk/article/573637/

Britain has passed the 'most extreme surveillance law ever passed in a democracy' - The law forces UK internet providers to store browsing histories -- including domains visited -- for one year, in case of police investigations. http://www.zdnet.com/article/snoopers-charter-expansive-new-spying-powers-becomes-law/

CyberSec skills shortage poses risk to African businesses - African businesses a particular cyber-security risk due to skills shortages, with expenditure expected to rise, especially in S Africa and Nigeria. https://www.scmagazine.com/cybersec-skills-shortage-poses-risk-to-african-businesses/article/574214/

Scaling up federal cyberdefenses - Forget about World War III, when it comes to cybersecurity it might just be World War II all over again. https://www.scmagazine.com/scaling-up-federal-cyberdefenses/article/574247/


FYI - Amn3s1a Team breaches and dumps MEGA source code - The Amn3s1a Team hacking group has released a data dump containing what the group claims is nearly 2GB of source code stolen from several Mega.nz servers. https://www.scmagazine.com/mega-breach-results-in-2gb-source-code-dump/article/574118/

Chicago Public School data improperly shared - Chicago Public School student information was improperly shared with a third party. https://www.scmagazine.com/chicago-public-school-data-improperly-shared/article/573961/

Nebraska irrigation district thwarts ransomware attack with automatic backup - A scheme by hackers who disabled antivirus software on a computer system for the Central Platte Natural Resources District in Nebraska, then infected it with ransomware, was thwarted by an automated program that backed up the systems every 15 minutes. https://www.scmagazine.com/irrigation-district-breached-refuses-to-pay-ransom/article/574443/

Three mobile data breach: Company confirms data from 133,827 accounts could have been accessed - Information including names, addresses, and DOBs of some Three customers obtained in data breach. http://www.zdnet.com/article/three-mobile-data-breach-company-confirms-data-from-133827-accounts-could-have-been-accessed/

Data breach hits MSG: Rangers, Knicks, Rockettes fans hacked - Madison Square Garden Company (MSG) reported payment card information was stolen from potentially hundreds of thousands of customers who attended shows or sporting events at the organization's five major venues during the last year. https://www.scmagazine.com/data-breach-hits-msg-rangers-knicks-rockettes-fans-hacked/article/574880/

Leaks discovered containing info from State Farm, U.S. military, others - Security researchers disclosed a series of leaky databases on Monday that the researchers said includes data from State Farm, Sheet Metal Workers Union, Anchor Loans, and the U.S. military. https://www.scmagazine.com/leaks-discovered-containing-info-from-state-farm-us-military-others/article/574529/

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this Report fall into three broad, and often overlapping, categories of issues. However, these principles are not weighted by order of preference or importance. If only because such weighting might change over time, it is preferable to remain neutral and avoid such prioritization.
 A. Board and Management Oversight (Principles 1 to 3): 
 1. Effective management oversight of e-banking activities. 
 2. Establishment of a comprehensive security control process. 
 3. Comprehensive due diligence and management oversight process for outsourcing relationships and other third-party dependencies. 
 B. Security Controls (Principles 4 to 10):
 4. Authentication of e-banking customers. 
 5. Non-repudiation and accountability for e-banking transactions. 
 6. Appropriate measures to ensure segregation of duties. 
 7. Proper authorization controls within e-banking systems, databases and applications. 
 8. Data integrity of e-banking transactions, records, and information. 
 9. Establishment of clear audit trails for e-banking transactions. 
 10. Confidentiality of key bank information.
 C. Legal and Reputational Risk Management (Principles 11 to 14):
 11. Appropriate disclosures for e-banking services. 
 12. Privacy of customer information. 
 13. Capacity, business continuity and contingency planning to ensure availability of e-banking systems and services. 
 14. Incident response planning.
 Each of the above principles will be cover over the next few weeks, as they relate to e-banking and the underlying risk management principles that should be considered by banks to address these issues.

Return to the top of the newsletter

- W
e continue our series on the FFIEC interagency Information Security Booklet.  

 Additional operating system access controls include the following actions:
 ! Ensure system administrators and security professionals have adequate expertise to securely configure and manage the operating system.
 ! Ensure effective authentication methods are used to restrict system access to both users and applications.
 ! Activate and utilize operating system security and logging capabilities and supplement with additional security software where supported by the risk assessment process.
 ! Restrict operating system access to specific terminals in physically secure and monitored locations.
 ! Lock or remove external drives from system consoles or terminals residing outside physically secure locations.
 ! Restrict and log access to system utilities, especially those with data altering capabilities.
 ! Restrict access to operating system parameters.
 ! Prohibit remote access to sensitive operating system functions, where feasible, and at a minimum require strong authentication and encrypted sessions before allowing remote support.
 ! Limit the number of employees with access to sensitive operating systems and grant only the minimum level of access required to perform routine responsibilities.
 ! Segregate operating system access, where possible, to limit full or root - level access to the system.
 ! Monitor operating system access by user, terminal, date, and time of access.
 ! Update operating systems with security patches and using appropriate change control mechanisms.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Chapter 9 - Assurance


 Computer security assurance is the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes. Assurance is not, however, an absolute guarantee that the measures work as intended. Like the closely related areas of reliability and quality, assurance can be difficult to analyze; however, it is something people expect and obtain (though often without realizing it).  For example, people may routinely get product recommendations from colleagues but may not consider such recommendations as providing assurance.
 Assurance is a degree of confidence, not a true measure of how secure the system actually is. This distinction is necessary because it is extremely difficult -- and in many cases virtually impossible -- to know exactly how secure a system is.
 Assurance is a challenging subject because it is difficult to describe and even more difficult to quantify. Because of this, many people refer to assurance as a "warm fuzzy feeling" that controls work as intended. However, it is possible to apply a more rigorous approach by knowing two things: (1) who needs to be assured and (2) what types of assurance can be obtained. The person who needs to be assured is the management official who is ultimately responsible for the security of the system. Within the federal government, this person is the authorizing or accrediting official.
 There are many methods and tools for obtaining assurance. For discussion purposes, this chapter categorizes assurance in terms of a general system life cycle. The chapter first discusses planning for assurance and then presents the two categories of assurance methods and tools: (1) design and implementation assurance and (2) operational assurance. Operational assurance is further categorized into audits and monitoring.
 The division between design and implementation assurance and operational assurance can be fuzzy. While such issues as configuration management or audits are discussed under operational assurance, they may also be vital during a system's development. The discussion tends to focus more on technical issues during design and implementation assurance and to be a mixture of management, operational, and technical issues under operational assurance. The reader should keep in mind that the division is somewhat artificial and that there is substantial overlap.
 Security assurance is the degree of confidence one has that the security controls operate correctly and protect the system as intended.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated