FFIEC information technology audits - As a former bank examiner
with over 40 years of IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for banks in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
to On-site FFIEC IT.
Trump signs bill banning Kaspersky products into law - President
Donald Trump on Tuesday signed into law the National Defense
Authorization Act for Fiscal Year 2018 (H.R.2810), which contains a
section prohibiting federal use of products and services from
Russia-based cybersecurity firm Kaspersky Lab.
https://www.scmagazine.com/trump-signs-bill-banning-kaspersky-products-into-law/article/718219/
NIST Releases Second Draft of Cybersecurity Framework - The US
National Institute of Standards and Technology (NIST) has released
the second draft of its Framework for Improving Critical
Infrastructure Cybersecurity.
https://www.nist.gov/sites/default/files/documents/2017/12/05/draft-2_framework-v1-1_without-markup.pdf
http://www.darkreading.com/cloud/nist-releases-new-cybersecurity-framework-draft/d/d-id/1330579
Stanford U. official ousted after keeping quiet about huge exposure
of sensitive data - The chief digital officer at Stanford
University’s Graduate School of Business is out of a job after
failing to disclose a data breach that included confidential student
financial aid records and sensitive information from 10,000
employees.
https://www.cyberscoop.com/stanford-u-executive-loses-job-after-failure-to-disclose-14-terabyte-sensitive-data-exposure/
Army launches direct commissioning program for civilian
cybersecurity experts - The Army has approved a program to recruit
experienced cybersecurity experts directly into the service as cyber
officers in an attempt to bolster a growing field that military
leaders see as vital to national security.
https://www.stripes.com/news/army-launches-direct-commissioning-program-for-civilian-cybersecurity-experts-1.500949
How to use data forensics to secure enterprise networks - The three
key stages of the security lifecycle are prevention, detection and
remediation. Why state the obvious? Because something is seriously
skewed in how enterprises currently approach security and in
particular, security spending.
https://www.scmagazine.com/how-to-use-data-forensics-to-secure-enterprise-networks/article/710052/
Top selling handgun safe vulnerable to remote cracks - A top selling
electronic gun safe was found to be vulnerable to brute force
attacks that could allow someone nearby to remotely open the unit.
https://www.scmagazine.com/vaultek-vt20i-handgun-safe-can-be-opened-using-bluetooth-attacks/article/713415/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - WordPress hit with keylogger, 5,400 sites infected - The
cryptomining malware that has been pushed from cloudflare.solutions
since earlier this year has been modified with the addition of
keylogger functionality, with PublicWWW reporting that
more than 5,400 WordPress sites are now infected.
https://www.scmagazine.com/wordpress-hit-with-keylogger-5400-sites-infected/article/712733/
Henry Ford Health System data breach compromised data of nearly
20,000 patients - What type of information? Patient names,
birthdates, medical record numbers, provider names, dates of
service, department names, locations, medical conditions and health
insurers were compromised in the incident.
https://www.scmagazine.com/henry-ford-health-system-data-breach-compromised-data-of-nearly-20000-patients/article/713052/
Data breach exposes PII of 700 Texas school children - A Texas
Department of Agriculture laptop was hit with ransomware in late
October possibly exposing the personal information of 700 students
spread over 39 school districts, but some school officials are
miffed because they were not promptly informed about the attack.
https://www.scmagazine.com/data-breach-exposes-pii-of-700-texas-school-children/article/713226/
New Ruski hacker clan exposed: They're called MoneyTaker, and
they're gonna take your money - Subtly named group has gone largely
unnoticed until now - Security researchers have lifted the lid on a
gang of Russian-speaking cybercrooks, dubbed MoneyTaker.
http://www.theregister.co.uk/2017/12/11/russian_bank_hackers_moneytaker/
DDoS attack paralyzes Bitfinex - Shortly after the Securities and
Exchange Commission (SEC) warned investors to question
cryptocurrency exchanges about the “substantial risks” of loss or
theft of cryptocurrency, including those associated with hacking,
Bitfinex reportedly experienced a distributed denial of service (DDoS)
attack that paralyzed the exchange.
https://www.scmagazine.com/ddos-attack-paralyzes-bitfinex/article/718191/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Audit
The institution should generally include in the contract the types
of audit reports the institution is entitled to receive (e.g.,
financial, internal control and security reviews). The contract can
specify audit frequency, cost to the institution associated with the
audits if any, as well as the rights of the institution and its
agencies to obtain the results of the audits in a timely manner. The
contract may also specify rights to obtain documentation regarding
the resolution of audit-disclosed deficiencies and inspect the
processing facilities and
operating practices of the service provider. Management should
consider, based upon the risk assessment phase, the degree to which
independent internal audits completed by service provider audit
staff can be used and the need for external audits and reviews
(e.g., SAS 70 Type I and II reviews). (AICPA Statement of Auditing
Standards 70 “Reports of Processing of Transactions by Service
Organizations,” known as SAS 70 Reports, are one commonly used form
of external review. Type I SAS 70 reports review the service
provider’s policies and procedures. Type II SAS 70 reports provide
tests of actual controls against policies and procedures.)
For services involving access to open networks, such as
Internet-related services, special attention should be paid to
security. The institution may wish to include contract terms
requiring periodic audits to be performed by an independent party
with sufficient expertise. These audits may include penetration
testing, intrusion detection, and firewall configuration. The
institution should receive sufficiently detailed reports on the
findings of these ongoing audits to adequately assess security
without compromising the service provider’s security. It can be
beneficial to both the service provider and the institution to
contract for such ongoing tests on a coordinated basis given the
number of institutions that may contract with the service provider
and the importance of the test results to the institution.
Reports
Contractual terms should discuss the frequency and type of reports
the institution will receive (e.g., performance reports, control
audits, financial statements, security, and business resumption
testing reports). Guidelines and fees for obtaining custom reports
should also be discussed.
FFIEC IT SECURITY - We continue our coverage of the FDIC's
"Guidance on Managing Risks Associated With Wireless Networks and
Wireless Customer Access."
Part II. Risks Associated with Wireless Internet Devices
As wireless Internet devices become more prevalent in the
marketplace, financial institutions are adopting wireless
application technologies as a channel for reaching their customers.
Wireless Internet services are becoming available in major cities
across the United States. Through wireless banking applications, a
financial institution customer could access account information and
perform routine non-cash transactions without having to visit a
branch or ATM.
The wireless Internet devices available today present attractive
methods for offering and using financial services. Customers have
access to financial information from anywhere they can receive
wireless Internet access. Many of the wireless devices have built-in
encryption through industry-standard encryption methods. This
encryption has its limits based on the processing capabilities of
the device and the underlying network architecture.
A popular standard for offering wireless applications is through
the use of the Wireless Application Protocol (WAP). WAP is designed
to bring Internet application capabilities to some of the simplest
user interfaces. Unlike the Web browser that is available on most
personal computer workstations, the browser in a wireless device
(such as a cell phone) has a limited display that in many cases can
provide little, if any, graphical capabilities. The interface is
also limited in the amount of information that can be displayed
easily on the screen. Further, the user is limited by the keying
capabilities of the device and often must resort to many key presses
for simple words.
The limited processing capabilities of these devices restrict the
robustness of the encryption applied to network transmissions. Effective
encryption is, by nature, processing-intensive and often requires
complex calculations. The time required to complete the encryption
calculations on a device with limited processing capabilities may
result in unreasonable delays for the device's user. Therefore,
simpler encryption algorithms and smaller keys may be used to speed
the process of obtaining access.
WAP is an evolving protocol. The most recent specification of WAP
(WAP 2.0 - July 2001) offers the capability of encrypting network
conversations all the way from the WAP server (at the financial
institution) to the WAP client (the financial institution customer).
Unfortunately, WAP 2.0 has not yet been fully adopted by vendors
that provide the building blocks for WAP applications. Previous
versions of WAP provide encryption between the WAP client and a WAP
gateway (owned by the Wireless Provider). The WAP gateway then must
re-encrypt the information before it is sent across the Internet to
the financial institution. Therefore, sensitive information is
available at the wireless provider in an unencrypted form. This
limits the financial institution's ability to provide appropriate
security over customer information.
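To make the gateway gap concrete, here is an added simulation (not part of the FDIC guidance): a toy HMAC-SHA256 counter-mode stream cipher stands in for WTLS/TLS record encryption, and a gateway object records every byte string it handles, once for the pre-2.0 decrypt-and-re-encrypt relay and once for an end-to-end relay. Key and message values are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo of the WAP gateway gap: HMAC-SHA256 in counter mode is a toy
# stand-in for WTLS/TLS record encryption, not a real protocol implementation.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(12)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class WapGateway:
    """The wireless provider's gateway; records every byte string it handles."""
    def __init__(self, handset_key: bytes, bank_key: bytes):
        self.handset_key, self.bank_key = handset_key, bank_key
        self.seen: list[bytes] = []

    def relay_pre_wap2(self, blob: bytes) -> bytes:
        """Pre-2.0 WAP: terminate the handset hop, re-encrypt for the bank hop."""
        plaintext = decrypt(self.handset_key, blob)  # plaintext necessarily exists here
        self.seen.append(plaintext)
        return encrypt(self.bank_key, plaintext)

    def relay_wap2(self, blob: bytes) -> bytes:
        """WAP 2.0 style: forward the end-to-end ciphertext untouched."""
        self.seen.append(blob)
        return blob

def simulate(end_to_end: bool, message: bytes = b"ACCT 1234 BAL?") -> tuple[bytes, bool]:
    """Returns (what the bank decrypted, whether the gateway ever held the plaintext)."""
    handset_gw_key, gw_bank_key, e2e_key = os.urandom(32), os.urandom(32), os.urandom(32)
    gw = WapGateway(handset_gw_key, gw_bank_key)
    if end_to_end:
        at_bank = decrypt(e2e_key, gw.relay_wap2(encrypt(e2e_key, message)))
    else:
        at_bank = decrypt(gw_bank_key, gw.relay_pre_wap2(encrypt(handset_gw_key, message)))
    return at_bank, message in gw.seen
```

In both modes the bank recovers the message; only the pre-2.0 relay leaves the customer's plaintext in the provider's hands, which is the exposure the guidance describes.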
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
13.6.6 Maintain the Program
Computer technology is an ever-changing field. Efforts should be
made to keep abreast of changes in computer technology and security
requirements. A training program that meets an organization's needs
today may become ineffective when the organization starts to use a
new application or changes its environment, such as by connecting to
the Internet. Likewise, an awareness program can become obsolete if
laws or organization policies change. For example, the awareness
program should make employees aware of a new policy on e-mail usage.
Employees may discount the CSAT program, and by association the
importance of computer security, if the program does not provide
current information.
13.6.7 Evaluate the Program
It is often difficult to measure the effectiveness of an awareness
or training program. Nevertheless, an evaluation should attempt to
ascertain how much information is retained, to what extent computer
security procedures are being followed, and general attitudes toward
computer security. The results of such an evaluation should help
identify and correct problems. Some evaluation methods (which can be
used in conjunction with one another) are:
1) Use student evaluations.
2) Observe how well employees follow recommended security
procedures.
3) Test employees on material covered.
4) Monitor the number and kind of computer security incidents
reported before and after the program is implemented.