R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 2, 2018

Newsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration test complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

- How CISOs can tell a better security story to their board - Historically, when CISOs have been called to speak to their organization’s board of directors, it was an uncommon event. Just a decade ago, the CISO who presented more than once per year was a rare bird. https://www.scmagazine.com/home/opinions/how-cisos-can-tell-a-better-security-story-to-their-board/

Microsoft details the causes of its recent multi-factor authentication meltdown - Microsoft has posted a root cause analysis of the multifactor authentication issue which hit a number of its customers worldwide last week. Here's what happened. https://www.zdnet.com/article/microsoft-details-the-causes-of-its-recent-multi-factor-authentication-meltdown/

We must inspire more talent into cybersecurity careers - As the skills shortage worsens and cyber attacks soar to new heights, there’s a tangible need to attract fresh and experienced talent to careers in cybersecurity or catastrophe looms. https://www.scmagazine.com/home/opinions/we-must-inspire-more-talent-into-cybersecurity-careers/

U.K., Dutch fine Uber $1.2 million over data breach violations - The U.K. and Netherland’s government fined Uber a combined $1.2 million over for the data breach the company endured in 2016 that exposed the data on many of its customers and drivers. https://www.scmagazine.com/home/security-news/u-k-dutch-fine-uber-1-2-million-over-data-breach-violations/


FYI - ETSU breached after phishing scam - Two employees at East Tennessee State University fell for an email phishing scam and paved the way for a breach at the school. https://www.scmagazine.com/home/security-news/etsu-breached-after-phishing-scam/

Furry site ‘High Tail Hall’ exposed data of nearly 500K users - An furry site High Tail Hall suffered a data breach exposing the information of 411,755 fury fans. https://www.scmagazine.com/home/security-news/an-adult-furry-erotica-site-high-tail-hall-suffered-a-data-breach-exposing-the-information-of-411755-fury-fans/

Amazon website glitch exposes customer data - Amazon customer service reportedly sent an unknown number of customers an email today, warning that a technical error on its website had exposed their data. https://www.scmagazine.com/home/security-news/amazon-website-glitch-exposes-customer-data/

USPS fixes ‘Informed Delivery’ flaw that exposed 60M users - A couple of weeks after the Secret Service issued an alert that cybercriminals were using the U.S. Postal Service’s Informed Delivery feature for identity theft and other forms of fraud, the USPS has fixed a flaw that exposed the personal details of 60 million users who have usps.com accounts. https://www.scmagazine.com/home/security-news/usps-fixes-informed-delivery-flaw-that-exposed-60m-users/

ETSU breached after phishing scam - Two employees at East Tennessee State University fell for an email phishing scam and paved the way for a breach at the school. https://www.scmagazine.com/home/security-news/etsu-breached-after-phishing-scam/

Drake’s Fortnite account hacked, Travis Scott may also be affected - After taking home a Soul Train Award Toronto rapper Drake may be looking to change his Fortnite account password after someone hijacked his account to spew racial slurs during a charity livestream event. https://www.scmagazine.com/home/security-news/after-taking-home-a-soul-train-award-toronto-rapper-drake-may-be-looking-to-change-his-fortnite-account-password-after-someone-hijacked-his-account-to-spew-racial-slurs/

Smash Bros. Ultimate leaks, Nintendo struggles to contain breach - Nintendo is struggling to contain leaks surround the release of Smash Bros. Ultimate after reports of the game being sold early in Mexico and pirated copies being released online being trawled by data miners for hidden info. https://www.scmagazine.com/home/security-news/nintendo-is-struggling-to-contain-leaks-surround-the-release-of-smash-bros-ultimate-after-reports-of-the-game-being-sold-early-in-mexico/

ElasticSearch server exposed data of nearly 57M U.S. residents - An ElasticSearch server database containing the information of nearly 57 million U.S. residents was found to have been left exposed without a password. https://www.scmagazine.com/home/security-news/elasticsearch-server-exposed-data-of-nearly-57m-u-s-residents/

London-based Urban Massage app leaks data on 300K customers, including misconduct claims - A data breach of London-based startup Urban Massage exposed the personal records of more than 309,000 users including data on clients accused of misconduct. https://www.scmagazine.com/home/security-news/a-data-breach-of-london-based-startup-urban-massage-exposed-the-personal-records-of-hundreds-of-thousands-of-users-including-data-on-clients-accused-of-sexual-misconduct/

Database breach affects 2.6 million Atrium Health patients - Atrium Health has reported a massive data breach exposing the PII of more than 2.6 million clients after someone gained access to a database belonging to a third-party vendor. https://www.scmagazine.com/home/security-news/database-breach-affects-2-6-million-atrium-health-patients/

Return to the top of the newsletter

We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 
Potential Threats To Consider
  Serious hackers, interested computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime, or even agents of espionage pose a potential threat to an institution's computer security. The Internet provides a wealth of information to banks and hackers alike on known security flaws in hardware and software. Using almost any search engine, average Internet users can quickly find information describing how to break into various systems by exploiting known security flaws and software bugs. Hackers also may breach security by misusing vulnerability assessment tools to probe network systems, then exploiting any identified weaknesses to gain unauthorized access to a system. Internal misuse of information systems remains an ever-present security threat.
  Many break-ins or insider misuses of information occur due to poor security programs. Hackers often exploit well-known weaknesses and security defects in operating systems that have not been appropriately addressed by the institution. Inadequate maintenance and improper system design may also allow hackers to exploit a security system. New security risks arise from evolving attack methods or newly detected holes and bugs in existing software and hardware. Also, new risks may be introduced as systems are altered or upgraded, or through the improper setup of available security-related tools. An institution needs to stay abreast of new security threats and vulnerabilities. It is equally important to keep up to date on the latest security patches and version upgrades that are available to fix security flaws and bugs. Information security and relevant vendor Web sites contain much of this information.
  Systems can be vulnerable to a variety of threats, including the misuse or theft of passwords. Hackers may use password cracking programs to figure out poorly selected passwords. The passwords may then be used to access other parts of the system. By monitoring network traffic, unauthorized users can easily steal unencrypted passwords. The theft of passwords is more difficult if they are encrypted. Employees or hackers may also attempt to compromise system administrator access (root access), tamper with critical files, read confidential e-mail, or initiate unauthorized e-mails or transactions.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

Shared Secret Systems (Part 1 of 2)
  Shared secret systems uniquely identify the user by matching knowledge on the system to knowledge that only the system and user are expected to share. Examples are passwords, pass phrases, or current transaction knowledge. A password is one string of characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string of words or characters (e.g., "My car is a shepherd") that the system may shorten to a smaller password by means of an algorithm. Current transaction knowledge could be the account balance on the last statement mailed to the user/customer. The strength of shared secret systems is related to the lack of disclosure of and about the secret, the difficulty in guessing or discovering the secret, and the length of time that the secret exists before it is changed.
  A strong shared secret system only involves the user and the system in the generation of the shared secret. In the case of passwords and pass phrases, the user should select them without any assistance from any other user, such as the help desk. One exception is in the creation of new accounts, where a temporary shared secret could be given to the user for the first login, after which the system prompts the user to create a different password. Controls should prevent any user from re - using shared secrets that may have been compromised or were recently used by them.
  Passwords are the most common authentication mechanism. Passwords are generally made difficult to guess when they are composed from a large character set, contain a large number of characters, and are frequently changed. However, since hard - to - guess passwords may be difficult to remember, users may take actions that weaken security, such as writing the passwords down. Any password system must balance the password strength with the user's ability to maintain the password as a shared secret. When the balancing produces a password that is not sufficiently strong for the application, a different authentication mechanism should be considered. Pass phrases are one alternative to consider. Due to their length, pass phrases are generally more resistant to attack than passwords. The length, character set, and time before enforced change are important controls for pass phrases as well as passwords.
  Shared secret strength is typically assured through the use of automated tools that enforce the password selection policy. Authentication systems should force changes to shared secrets on a schedule commensurate with risk.
  Passwords can also be dynamic. Dynamic passwords typically use seeds, or starting points, and algorithms to calculate a new - shared secret for each access. Because each password is used for only one access, dynamic passwords can provide significantly more authentication strength than static passwords. In most cases, dynamic passwords are implemented through tokens. A token is a physical device, such as an ATM card, smart card, or other device that contains information used in the authentication process.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Chapter 18 - AUDIT TRAILS
 18.2 Audit Trails and Logs System-Level Audit Trails
 If a system-level audit capability exists, the audit trail should capture, at a minimum, any attempt to log on (successful or unsuccessful), the log-on ID, date and time of each log-on attempt, date and time of each log-off, the devices used, and the function(s) performed once logged on (e.g., the applications that the user tried, successfully or unsuccessfully, to invoke). System-level logging also typically includes information that is not specifically security-related, such as system operations, cost-accounting charges, and network performance.
 A system audit trail should be able to identify failed log-on attempts, especially if the system does not limit the number of failed log-on attempts. Unfortunately, some system-level audit trails cannot detect attempted log-ons, and therefore, cannot log them for later review. These audit trails can only monitor and log successful log-ons and subsequent activity. To effectively detect intrusion, a record of failed log-on attempts is required.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.