R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 7, 2014

Newsletter Content FFIEC IT Security Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Remarks of Deputy Secretary Raskin at The Texas Bankers’ Association Executive Leadership Cybersecurity Conference - Cybersecurity for Banks: 10 Questions for Executives and their Boards. http://www.treasury.gov/press-center/press-releases/Pages/jl9711.aspx

FYI - Infosec checklists becoming common, but they're not magic - Security checklists like the Australian Signals Directorate's Top 4 Mitigation Strategies are valuable, but to treat them as universal compliance mechanisms is a mistake. A risk-based approach is essential. http://www.zdnet.com/infosec-checklists-becoming-common-but-theyre-not-magic-7000036219/

FYI - Credit unions urge Congress to enforce security standards for retailers - A credit union trade group is urging Congress to take proactive steps in establishing national data security standards for retailers. http://www.scmagazine.com/credit-unions-urge-congress-to-enforce-security-standards-for-retailers/article/385529/

FYI - Beth Israel medical center to pay $100K over data breach - In addition to bolstering the security of the sensitive information it manages, the Beth Israel Deaconess Medical Center (BIDMC) in Boston has agreed to pay a $100,000 fine related to its 2012 data breach. http://www.scmagazine.com/beth-israel-medical-center-to-pay-100k-over-data-breach/article/385410/

FYI - Bank and account phishing tops list of U.S. SMS attacks - Bank and account phishing has become the top SMS attack in the U.S. in recent months, overtaking spam and other scams targeting mobile devices, according to new research from Cloudmark. http://www.scmagazine.com/bank-and-account-phishing-tops-list-of-us-sms-attacks/article/386546/


FYI - Sony Pictures films leaked online following cyber attack - Nearly a week after its network was hacked, Sony Pictures Entertainment had multiple films leaked online.

FYI - Phishing campaign spoofs emails from Costco, Home Depot - It's no surprise to discover that cybercriminals are leveraging the uptick in holiday shopping to further spread their malicious campaigns. http://www.scmagazine.com/phishing-campaign-spoofs-emails-from-costco-home-depot/article/385979/

FYI - Malware installed at 17 parking facilities, payment cards at risk - Parking facility service provider SP+ announced that customer payment card data may be at risk, including cardholder names, card numbers, expiration dates, and verification codes. http://www.scmagazine.com/malware-installed-at-17-parking-facilities-payment-cards-at-risk/article/385944/

FYI - Shutterfly Inc. websites have user data compromised - Tiny Prints, a cardstock vendor and part of Shutterfly Inc.'s brand portfolio, revealed that its systems were compromised in an attack that exposed user email addresses and encrypted passwords. http://www.scmagazine.com/tiny-prints-data-breached/article/385715/

FYI - Godiva notifies employees of stolen laptop containing their data - Chocolate maker Godiva is notifying an undisclosed number of employees that a suitcase containing a laptop was stolen from the rental car of a human resources employee and their personal information – including Social Security numbers – could be at risk. http://www.scmagazine.com/godiva-notifies-employees-of-stolen-laptop-containing-their-data/article/385982/

FYI - Phishing scam that penetrated Wall Street just might work against you, too - Researchers have uncovered a group of Wall Street-savvy hackers that has penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information. http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-street-just-might-work-against-you-too/

FYI - Unauthorized intruders gain access to ART Payroll database - Specialized payroll service American Residuals and Talent (ART Payroll) is notifying current and former clients and their employees that unauthorized intruders gained access to an ART Payroll database and may have compromised their data. http://www.scmagazine.com/unauthorized-intruders-gain-access-to-art-payroll-database/article/386223/

FYI - Anonymous takes down Fort Lauderdale city websites in "Operation Lift the Bans" - Upset with the city of Fort Lauderdale's recent ordinances that regulate the city's homeless, hacktivist collective Anonymous launched a denial-of-service attack on city websites Monday. http://www.scmagazine.com/anonymous-takes-down-fort-lauderdale-city-websites-in-operation-lift-the-bans/article/386527/

FYI - N.C. hospital patient info accessible via internet for longer than two years - Highlands-Cashiers Hospital in North Carolina is notifying about 25,000 patients that their personal information – including Social Security numbers – was accessible via the internet for longer than two years. http://www.scmagazine.com/nc-hospital-patient-info-accessible-via-internet-for-longer-than-two-years/article/386513/

FYI - Retailer Bebe suffers breach, stolen cards sold online - Bebe, a woman's clothing chain, is apparently the latest retailer targeted in a data breach, with fraudulent charges showing up on credit cards. http://www.scmagazine.com/retailer-bebe-suffers-breach-stolen-cards-sold-online/article/386771/

FYI - Visionworks announces second data incident affecting 48K Florida customers - Less than two weeks after issuing a similar statement in November, Texas-based eye care services provider Visionworks announced it is notifying approximately 48,000 customers who received services at its Mall of the Avenues location in Jacksonville, FL that a database server containing their personal information is missing. http://www.scmagazine.com/second-breach-hits-texas-eye-care-services-provider/article/386635/

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

 Sound Security Control Practices for E-Banking
 1. Security profiles should be created and maintained and specific authorization privileges assigned to all users of e-banking systems and applications, including all customers, internal bank users and outsourced service providers. Logical access controls should also be designed to support proper segregation of duties.
 2. E-banking data and systems should be classified according to their sensitivity and importance and protected accordingly. Appropriate mechanisms, such as encryption, access control and data recovery plans should be used to protect all sensitive and high-risk e-banking systems, servers, databases and applications.
 3. Storage of sensitive or high-risk data on the organization's desktop and laptop systems should be minimized and properly protected by encryption, access control and data recovery plans.
 4. Sufficient physical controls should be in place to deter unauthorized access to all critical e-banking systems, servers, databases and applications.
 5. Appropriate techniques should be employed to mitigate external threats to e-banking systems, including the use of:
 a)  Virus-scanning software at all critical entry points (e.g. remote access servers, e-mail proxy servers) and on each desktop system.
 b)  Intrusion detection software and other security assessment tools to periodically probe networks, servers and firewalls for weaknesses and/or violations of security policies and controls.
 c)  Penetration testing of internal and external networks.
 6. A rigorous security review process should be applied to all employees and service providers holding sensitive positions.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  
 Automated Intrusion Detection Systems
(IDS) (Part 1 of 4)
 Automated intrusion detection systems (IDS) use one of two methodologies, signature and heuristics. An IDS can target either network traffic or a host. The signature-based methodology is generally used on network traffic. An IDS that uses a signature-based methodology reads network packets and compares the content of the packets against signatures, or unique characteristics, of known attacks and known anomalous network traffic. When a match is recognized between current readings and a signature, the IDS generates an alert.
 A general weakness in the signature-based detection method is that a signature must exist for an alert to be generated. Attacks that generate different signatures from what the institution includes in its IDS will not be detected. This problem can be particularly acute if the institution does not continually update its signatures to reflect lessons learned from attacks on itself and others, as well as developments in attack tool technologies. It can also pose problems when the signatures only address known attacks, rather than both known attacks and anomalous traffic. Another general weakness is in the capacity of the IDS to read traffic. If the IDS falls behind in reading network traffic, traffic may be allowed to bypass the IDS. That traffic may contain attacks that would otherwise cause the IDS to issue an alert.
 Proper placement of network IDS is a strategic decision determined by the information the institution is trying to obtain. Placement outside the firewall will deliver IDS alarms related to all attacks, even those that are blocked by the firewall. With this information, an institution can develop a picture of potential adversaries and their expertise based on the probes they issue against the network.
 Because the placement is meant to gain intelligence on attackers rather than to alert on attacks, tuning generally makes the IDS less sensitive than if it is placed inside the firewall. An IDS outside the firewall will generally alert on the greatest number of unsuccessful attacks. IDS monitoring behind the firewall is meant to detect and alert on hostile intrusions. Multiple IDS units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the IDS is to sensitive data, the more important the tuning, monitoring, and response to IDS alerts. The National Institute of Standards and Technology (NIST) recommends network intrusion detection systems "at any location where network traffic from external entities is allowed to enter controlled or private networks."

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 18 - AUDIT TRAILS
18.4 Interdependencies
The ability to audit supports many of the controls presented in this handbook. The following paragraphs describe some of the most important interdependencies.
 Policy. The most fundamental interdependency of audit trails is with policy. Policy dictates who is authorized access to what system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails.
 Assurance. System auditing is an important aspect of operational assurance. The data recorded into an audit trail is used to support a system audit. The analysis of audit trail data and the process of auditing systems are closely linked; in some cases, they may even be the same thing. In most cases, the analysis of audit trail data is a critical part of maintaining operational assurance.
 Identification and Authentication. Audit trails are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, as mentioned earlier, audit trails record events and associate them with the perceived user (i.e., the user ID). If a user is impersonated, the audit trail will establish events but not the identity of the user.
 Logical Access Control. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity in two ways. First, they may be used to identify breakdowns in logical access controls or to verify that access control restrictions are behaving as expected, for example, if a particular user is erroneously included in a group permitted access to a file. Second, audit trails are used to audit use of resources by those who have legitimate access. Additionally, to protect audit trail files, access controls are used to ensure that audit trails are not modified.
 Contingency Planning. Audit trails assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files).
 Incident Response. If a security incident occurs, such as hacking, audit records and other intrusion detection methods can be used to help determine the extent of the incident. For example, was just one file browsed, or was a Trojan horse planted to collect passwords?
 Cryptography. Digital signatures can be used to protect audit trails from undetected modification. (This does not prevent deletion or modification of the audit trail, but will provide an alert that the audit trail has been altered.) Digital signatures can also be used in conjunction with adding secure time stamps to audit records. Encryption can be used if confidentiality of audit trail information is important.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated