FYI - Is your web site compliant with the American Disability Act? For the past 20 years, our bank web site audits have covered the ADA guidelines. To help reduce any liability, please contact me for more information at examiner@yennik.com.
FYI - The FDIC and the OCC do not have a requirement that financial institutions change third-party vendors on a periodic basis. Any such decision is a management decision, not a regulatory decision. Refer to
http://www.yennik.com/occ_10-12-16_rotation_letter.pdf and
http://www.yennik.com/fdic_10-18-16_rotation_letter.pdf.
OCC To Consider Fintech Charter Applications, Seeks Comment -
Comptroller of the Currency Thomas J. Curry today announced that the
Office of the Comptroller of the Currency would move forward with
considering applications from financial technology companies to
become special purpose national banks.
https://occ.gov/news-issuances/news-releases/2016/nr-occ-2016-152.html
Banking malware allows bad guys to lock, reset phone passwords -
Cybercriminals have updated a two-year old banking app scam that
grabs control of a victim's smartphone, locks them out and then
drains their bank account while the person struggles to regain
control of their device.
https://www.scmagazine.com/banking-malware-allows-bad-guys-to-lock-reset-phone-passwords/article/576470/
Back to basics... Why cybersecurity must start over before it can move forward - Cybersecurity as a field is only 20 years old. With that, it's not surprising that the current state of maturity is not where we, as professionals, expect it to be.
https://www.scmagazine.com/back-to-basicswhy-cybersecurity-must-start-over-before-it-can-move-forward/article/576459/
Mastercard and Visa push EMV liability deadline to 2020 for
automated fuel pumps - Citing technological and regulatory
challenges, Mastercard and Visa have postponed their liability
deadlines for merchants to employ EMV chip card technology at
automated fuel pumps, from October 2017 to October 2020.
https://www.scmagazine.com/mastercard-and-visa-push-emv-liability-deadline-to-2020-for-automated-fuel-pumps/article/576439/
'Fatal' flaws found in medical implant software - Security flaws
found in 10 different types of medical implants could have "fatal"
consequences, warn researchers.
http://www.bbc.com/news/technology-38169102
Russia accuses hostile foreign powers of plot to undermine its banks
- Russia has accused unnamed foreign spies of launching a concerted
effort to undermine its domestic banking system.
http://www.theregister.co.uk/2016/12/02/russia_bank_cyberattack_plot/
Insurers grapple with cyber-attacks that spill over into physical damage - As hackers wreak havoc with depressing regularity, the insurance industry finds itself forced to contemplate a whole new set of risks.
http://www.economist.com/news/finance-and-economics/21711086-only-cyber-calamity-will-reveal-how-ready-industry-insurers-grapple
White House Plans to Retire Outdated Cyber Regulations - White House
cyber officials have identified 63 different policy directives,
regulations or other requirements they plan to retire, the
government’s chief information security officer said Wednesday.
http://www.nextgov.com/security/2016/12/white-house-plans-retire-outdated-cyber-regs/133542/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Erasmus University breach wider than first announced - Rotterdam, Netherlands-based Erasmus University announced a breach a few weeks ago, but at that time it was believed not much more than student names, addresses and logins were stolen. However, yesterday further details were announced.
https://www.scmagazine.com/erasmus-university-breach-wider-than-first-announced/article/576445/
Misconfigured drive exposes locations of explosives used by oil industry - Oil company Allied-Horizontal Wireline Services (AHWS) is reported to have misconfigured a storage device, which has resulted in the leak of the locations where it stores the explosives it uses.
https://www.scmagazine.com/misconfigured-drive-exposes-locations-of-explosives-used-by-oil-industry/article/576906/
Japan's Shiheido cosmetics firm hit with breach - A Japanese press
agency reported that stolen data includes customers' names and
addresses, as well as financial data – including credit card
information – of as many as 56,000 customers.
https://www.scmagazine.com/japans-shiheido-cosmetics-firm-hit-with-breach/article/576900/
Ransomware blamed for cyber attack which forced hospitals to cancel
operations and shut down systems - An NHS hospital trust which was
forced to shut down systems and cancel operations as a result of a
cyberattack has revealed that a ransomware infection was the source
of the problem.
http://www.zdnet.com/article/ransomware-blamed-for-cyber-attack-which-forced-hospitals-to-cancel-operations-and-shut-down-systems/
Russian central bank, private banks lose $31 mln in cyber attacks -
Hackers stole more than 2 billion rubles ($31 million) from
correspondent accounts at the Russian central bank and from accounts
in commercial banks, the bank said on Friday, the latest example of
an escalation of cyber attacks on financial institutions around the
globe.
http://www.reuters.com/article/us-russia-cenbank-cyberattack-idUSKBN13R1TO
DailyMotion breached, 85 million accounts made off with - One of the
internet's foremost video hosting platforms has been breached and
hackers have made off with tens of millions of account details.
https://www.scmagazine.com/dailymotion-breached-85-million-accounts-made-off-with/article/577203/
Ohio's Henry County hit with ransomware, 17,000 residents affected - Ohio's Henry County was hit with a ransomware attack on Oct. 31, and more than 17,000 voting records may have been compromised.
https://www.scmagazine.com/ohios-henry-county-hit-with-ransomware-17000-residents-affected/article/577546/
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 1 of 2)
Vigilant management oversight is essential for the provision of effective internal controls over e-banking activities. In addition to the specific characteristics of the Internet distribution channel discussed in the Introduction, the following aspects of e-banking may pose a considerable challenge to traditional risk management processes:
1) Major elements of the delivery channel (the Internet and related
technologies) are outside of the bank's direct control.
2) The Internet facilitates delivery of services across multiple
national jurisdictions, including those not currently served by the
institution through physical locations.
3) The complexity of the issues associated with e-banking, which involve highly technical language and concepts, is in many cases outside the traditional experience of the Board and senior management.
In light of the unique characteristics of e-banking, new e-banking
projects that may have a significant impact on the bank's risk
profile and strategy should be reviewed by the Board of Directors
and senior management and undergo appropriate strategic and
cost/reward analysis. Without adequate up-front strategic review and ongoing performance-to-plan assessments, banks are at risk of underestimating the cost and/or overestimating the payback of their e-banking initiatives.
In addition, the Board and senior management should ensure that the
bank does not enter into new e-banking businesses or adopt new
technologies unless it has the necessary expertise to provide
competent risk management oversight. Management and staff expertise
should be commensurate with the technical nature and complexity of
the bank's e-banking applications and underlying technologies.
Adequate expertise is essential regardless of whether the bank's
e-banking systems and services are managed in-house or outsourced to
third parties. Senior management oversight processes should operate
on a dynamic basis in order to effectively intervene and correct any
material e-banking systems problems or security breaches that may
occur. The increased reputational risk associated with e-banking
necessitates vigilant monitoring of systems operability and customer
satisfaction as well as appropriate incident reporting to the Board
and senior management.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 2 of 2)
Institution management should consider a number of issues regarding
application-access control. Many of these issues could also apply to
oversight of operating system access:
- Implementing a robust authentication method consistent with the criticality and sensitivity of the application. Historically, the majority of applications have relied solely on user IDs and passwords, but increasingly applications are using other forms of authentication. Multi-factor authentication, such as token and PKI-based systems coupled with a robust enrollment process, can reduce the potential for unauthorized access.
- Maintaining consistent processes for assigning new user access, changing existing user access, and promptly removing the access of departing employees.
- Communicating and enforcing the responsibilities of programmers (including TSPs and vendors), security administrators, and business line owners for maintaining effective application-access control. Business line managers are responsible for the security and privacy of the information within their units. They are in the best position to judge the legitimate access needs of their area and should be held accountable for doing so. However, they require support in the form of adequate security capabilities provided by the programmers or vendor and adequate direction and support from security administrators.
- Monitoring existing access rights to applications to help ensure that users have the minimum access required for the current business need. Typically, business application owners must assume responsibility for determining the access rights assigned to their staff within the bounds of the AUP. Regardless of the process for assigning access, business application owners should periodically review and approve the application access assigned to their staff.
- Setting time-of-day or terminal limitations for some applications or for the more sensitive functions within an application. The nature of some applications requires limiting the location and number of workstations with access. These restrictions can support the implementation of tighter physical access controls.
- Logging access and events.
- Easing the administrative burden of managing access rights by utilizing software that supports group profiles. Some financial institutions manage access rights individually, and this often leads to inappropriate access levels. By grouping employees with similar access requirements under a common access profile (e.g., tellers, loan operations, etc.), business application owners and security administrators can better assign and oversee access rights. For example, a teller performing a two-week rotation as a proof operator does not need year-round access to perform both jobs. With group profiles, security administrators can quickly reassign the employee from a teller profile to a proof operator profile. Note that group profiles are used only to manage access rights; accountability for system use is maintained through individuals being assigned their own unique identifiers and authenticators.
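The list above describes several controls that interact: group profiles for assignment, unique user IDs for accountability, time-of-day and terminal limits on sensitive functions, logging, and periodic owner review. The following is an added example, not code or text from the FFIEC booklet, that models those controls together in a few dozen lines of Python. The profile names, function names, workstation IDs, user IDs and business hours are all constructed for the illustration; a real core-banking system would carry these in its own security tables.

```python
"""Added example (not text or code from the FFIEC booklet): a small model of
application-access control built on group profiles, with per-user
accountability, time-of-day and terminal limits on a sensitive function,
an access log, and a periodic review report. All names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Group profiles: a named bundle of application functions shared by staff
# with similar duties (constructed sample; not a real core-banking system).
PROFILES = {
    "teller": {"cash_drawer", "deposit_post"},
    "proof_operator": {"proof_batch", "deposit_post"},
    "loan_ops": {"loan_book", "loan_payoff"},
}

# Sensitive functions restricted to business hours and named workstations
# (constructed values).
SENSITIVE = {
    "loan_payoff": {"hours": (time(8, 0), time(17, 0)),
                    "terminals": {"WS-LOAN-01"}},
}

ACCESS_LOG = []  # every decision is recorded against the individual user ID


@dataclass
class User:
    user_id: str      # unique per person: accountability lives here, not in the profile
    profile: str      # the one group profile currently assigned
    extra_rights: set = field(default_factory=set)  # ad-hoc individual grants


def reassign(user, new_profile):
    """Rotate a user between group profiles (e.g. teller -> proof operator).
    Rights of the old profile are dropped automatically; nothing accumulates."""
    if new_profile not in PROFILES:
        raise KeyError(f"unknown profile {new_profile!r}")
    old, user.profile = user.profile, new_profile
    ACCESS_LOG.append(("REASSIGN", user.user_id, old, new_profile))


def effective_rights(user):
    """Rights the user holds right now: the group profile plus any individual grants."""
    return PROFILES[user.profile] | user.extra_rights


def check_access(user, function, terminal, when):
    """Decide one access request and log it. Returns True when allowed."""
    allowed, reason = function in effective_rights(user), "granted"
    if not allowed:
        reason = "not_in_profile"
    elif function in SENSITIVE:
        start, end = SENSITIVE[function]["hours"]
        if not start <= when.time() <= end:
            allowed, reason = False, "outside_hours"
        elif terminal not in SENSITIVE[function]["terminals"]:
            allowed, reason = False, "wrong_terminal"
    ACCESS_LOG.append(("ACCESS", user.user_id, function, terminal,
                       when.isoformat(), "ALLOW" if allowed else "DENY", reason))
    return allowed


def review_report(users):
    """Periodic owner review: what each person can do, and which rights were
    granted individually rather than through the profile (candidates to remove)."""
    return {
        u.user_id: {
            "profile": u.profile,
            "effective": sorted(effective_rights(u)),
            "flagged": sorted(u.extra_rights - PROFILES[u.profile]),
        }
        for u in users
    }


if __name__ == "__main__":
    when = datetime(2016, 12, 5, 10, 0)
    alice = User("u1001", "teller")
    reassign(alice, "proof_operator")        # two-week rotation
    print(check_access(alice, "proof_batch", "WS-TELL-03", when))   # allowed
    print(check_access(alice, "cash_drawer", "WS-TELL-03", when))   # denied: teller rights gone
    carol = User("u3003", "teller", {"loan_payoff"})                # individual grant to flag
    print(review_report([alice, carol]))
    for entry in ACCESS_LOG:
        print(entry)
```

The design point is that the profile is the only place rights are normally granted, so a rotation is a single reassignment rather than an add followed by a remove that someone may forget; the review report exists precisely to surface the individually granted exceptions that the booklet says lead to inappropriate access levels. Every log entry carries the user ID, not the profile name, which is what keeps accountability individual.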
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
9.1.2 Selecting Assurance Methods
The accrediting official makes the final decision about how much and what types of assurance are needed for a system. That decision should be informed by a review of security, such as a risk assessment or other study (e.g., certification), as deemed appropriate by the accrediting official. The accrediting
official needs to be in a position to analyze the pros and cons of
the cost of assurance, the cost of controls, and the risks to the
organization. At the end of the accreditation process, the
accrediting official will be the one to accept the remaining risk.
Thus, the selection of assurance methods should be coordinated with
the accrediting official.
In selecting assurance methods, the need for assurance should be
weighed against its cost. Assurance can be quite expensive,
especially if extensive testing is done. Each method has strengths
and weaknesses in terms of cost and what kind of assurance is
actually being delivered. A combination of methods can often provide
greater assurance, since no method is foolproof, and can be less
costly than extensive testing.
The accrediting official is not the only arbiter of assurance. Other
officials who use the system should also be consulted. (For example,
a Production Manager who relies on a Supply System should provide
input to the Supply Manager.) In addition, there may be constraints
outside the accrediting official's control that also affect the
selection of methods. For instance, some of the methods may unduly
restrict competition in acquisitions of federal information
processing resources or may be contrary to the organization's
privacy policies. Certain assurance methods may be required by
organizational policy or directive.
9.2 Planning and Assurance
Assurance planning should begin during the planning phase of the system life cycle, either for new systems or for system upgrades.
Planning for assurance when planning for other system requirements
makes sense. If a system is going to need extensive testing, it
should be built to facilitate such testing.
Planning for assurance helps a manager make decisions about what
kind of assurance will be cost-effective. If a manager waits until a
system is built or bought to consider assurance, the number of ways
to obtain assurance may be much smaller than if the manager had
planned for it earlier, and the remaining assurance options may be
more expensive.