|
FYI
- Is your web site compliant with the American Disability Act?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. Help reduce any liability, please
contact me for more information at
examiner@yennik.com.
FYI - The FDIC and
the OCC do not have a requirement that financial institutions
change third-party vendors on a periodic basis. Any such
decision is a management decision not a regulatory decision.
Refer to
http://www.yennik.com/occ_10-12-16_rotation_letter.pdf and
at
http://www.yennik.com/fdic_10-18-16_rotation_letter.pdf.
NIST report: Approaches to reduce software vulnerabilities - A
just-released report from the National Institute of Standards and
Technology (NIST) offers advice for how coders could adopt their
approaches to make software less vulnerable.
https://www.scmagazine.com/nist-report-approaches-to-reduce-software-vulnerabilities/article/577211/
Only 25% of businesses can effectively detect and respond to data
breaches - A survey that shows businesses might not be as well
prepared as they think they are for a data breach.
https://www.scmagazine.com/only-25-of-businesses-can-effectively-detect-and-respond-to-data-breaches/article/577867/
Sony kills off secret backdoor in 80 internet-connected CCTV models
- Magic 'secret key' HTTP request opens up admin control - Sony has
killed off what, charitably, looks like a debug backdoor in 80 of
its web-connected surveillance cameras that can be exploited to
hijack the devices.
http://www.theregister.co.uk/2016/12/06/sony_ip_camera_backdoor/
WA Auditor General recommends inter-agency cooperation to counter
malware - The state's Office of the Auditor General has made six
recommendations to prevent the threat of malware after investigating
six West Australian government agencies.
http://www.zdnet.com/article/wa-auditor-general-recommends-inter-agency-cooperation-to-counter-malware/
House Homeland Security Committee Chairman Michael McCaul announced
plans Wednesday to push for the creation of a new federal agency
during the Trump administration that would consolidate the
government’s disjoined cybersecurity efforts.
https://www.cyberscoop.com/mccaul-new-cybersecurity-agency/
Attacks continue to impact SWIFT banking network - Attacks on bank
systems using SWIFT are only evolving, although officials at the
global bank transfer system say their security processes have
toughened.
https://www.scmagazine.com/attacks-continue-to-impact-swift-banking-network/article/579271/
Uber sued over unfettered use of "God View" and poor security
practices - A former Uber employee is suing the ride sharing tech
firm claiming that Uber allowed staff to abuse the “God View”
feature to spy on high-profile individuals such as Beyoncé as well
as private citizens.
https://www.scmagazine.com/uber-sued-over-unfettered-use-of-god-view-and-poor-security-practices/article/579275/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Hacker claims army of 3.2M home routers seized via malicious
firmware update - After apologizing for accidentally knocking
TalkTalk and Post Office internet subscribers offline, a hacker by
the name of BestBuy claims to have now intentionally pushed a
malicious firmware update to 3.2 million home routers using a
modified Mirai-powered botnet.
https://www.scmagazine.com/hacker-claims-to-have-seized-32m-home-routers-by-pushing-malicious-firmware-update/article/578020/
Privacy groups say talking dolls asking kids private questions - A
consortium of privacy and consumer advocacy groups has filed a
complaint with the Federal Trade Commission requesting an
investigation and injunction on two internet-connected talking toys
that may be recording and transmitting children's personal
information.https://www.scmagazine.com/privacy-groups-say-talking-dolls-asking-kids-private-questions/article/578026/
Cyberspies stole secrets from industrial giant ThyssenKrupp -
Germany-based industrial conglomerate ThyssenKrupp was hit by a
cyberespionage attack earlier this year that resulted in data being
stolen from its industrial solutions and steel producing units.
http://computerworld.com/article/3148254/security/cyberspies-stole-secrets-from-industrial-giant-thyssenkrupp.html
University of Wisconsin-Madison data breach impacts 1000-plus former
law school applicants - The University of Wisconsin-Madison on
Tuesday announced that a database at its law school suffered a data
breach on Nov. 3, exposing personally identifiable information
belonging to over 1,000 former applicants.
https://www.scmagazine.com/university-of-wisconsin-madison-data-breach-impacts-1000-plus-former-law-school-applicants/article/578173/
When it comes to IoT, more security is needed - Sometimes it takes a
monumental event for an industry to change. The Target hack during
the holiday season of 2013 – in which some 40 million credit card
numbers were stolen – changed people's attitudes about security
forever. And the same holds true with the attack on DNS provider Dyn
last October: Internet of Things (IoT) devices were compromised and
turned into bots that slowed access and, in some cases, shut down
frequently visited websites such as Amazon, Twitter and PayPal.
https://www.scmagazine.com/when-it-comes-to-iot-more-security-is-needed/article/578654/
Legion hacking group attacking high profile Indian officials - The
hacking group responsible for hijacking the Twitter accounts of
several high profile Indian officials is now claiming to have access
to 40 thousand plus servers, including those of India's biggest
private hospital chain, Apollo.
https://www.scmagazine.com/hackers-claim-access-to-largest-private-hospital-chain-in-india/article/578642/
Hack of Quest Diagnostics App Exposes Data of 34,000 Patients - A
medical laboratory company based in New Jersey said Monday that it
was investigating a recent hack that exposed the personal health
information of about 34,000 people.
http://www.nytimes.com/2016/12/12/us/hack-of-quest-diagnostics-app-exposes-data-of-34000-patients.html
Attackers use hacked home routers to hit 5 Russian banks - The
routers were likely hacked through a recent vulnerability in the TR-069
management protocol - Botnets made up of hacked home routers were
used to launch distributed denial-of-service attacks against the
five largest financial organizations in Russia.
http://computerworld.com/article/3149030/security/attackers-use-hacked-home-routers-to-hit-5-russian-banks.html
Data on 1B Yahoo users stolen in second breach - Data on one billion
Yahoo users was likely stolen by an unauthorized third party in a
data breach that occurred in August 2013, the company said in a
Wednesday press release that also noted the breach is “likely
distinct” from a breach previously disclosed in September.
https://www.scmagazine.com/data-on-1b-yahoo-users-stolen-in-second-breach/article/579323/
Ancient breach discovered, 1K former Maryland public students
affected - Data on about 1,000 former students in Frederick County
Public Schools in Maryland was likely exposed in a data breach that
occurred prior to 2010 but which was only discovered in September of
this year.
https://www.scmagazine.com/ancient-breach-discovered-1k-former-maryland-public-students-affected/article/579311/
Breach at Peachtree Orthopedics impacted 531K, report - A breach at
Atlanta-based Peachtree Orthopedics, first announced in the fall, is
now said to have affected more than half a million clients.
https://www.scmagazine.com/breach-at-peachtree-orthopedics-impacted-531k-report/article/579283/
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 2 of 2)
Finally, the Board and senior management should ensure that
its risk management processes for its e-banking activities are
integrated into the bank's overall risk management approach. The
bank's existing risk management policies and processes should be
evaluated to ensure that they are robust enough to cover the new
risks posed by current or planned e-banking activities. Additional
risk management oversight steps that the Board and senior management
should consider taking include:
1) Clearly establishing the banking organization's risk appetite in
relation to e-banking.
2) Establishing key delegations and reporting mechanisms, including
the necessary escalation procedures for incidents that impact the
bank's safety, soundness or reputation (e.g. networks penetration,
employee security infractions and any serious misuse of computer
facilities).
3) Addressing any unique risk factors associated with ensuring the
security, integrity and availability of e-banking products and
services, and requiring that third parties to whom the banks has
outsourced key systems or applications take similar measures.
4) Ensuring that appropriate due diligence and risk analysis are
performed before the bank conducts cross-border e-banking
activities.
The Internet greatly facilitates a bank's ability to distribute
products and services over virtually unlimited geographic territory,
including across national borders. Such cross-border e-banking
activity, particularly if conducted without any existing licensed
physical presence in the "host country," potentially subjects banks
to increased legal, regulatory and country risk due to the
substantial differences that may exist between jurisdictions with
respect to bank licensing, supervision and customer protection
requirements. Because of the need to avoid inadvertent
non-compliance with a foreign country's laws or regulations, as well
as to manage relevant country risk factors, banks contemplating
cross-border e-banking operations need to fully explore these risks
before undertaking such operations and effectively manage them.
Depending on the scope and complexity of e-banking activities, the
scope and structure of risk management programs will vary across
banking organizations. Resources required to oversee e-banking
services should be commensurate with the transactional functionality
and criticality of systems, the vulnerability of networks and the
sensitivity of information being transmitted.
Return to
the top of the newsletter
FFIEC IT SECURITY
-
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
REMOTE ACCESS
Many financial institutions use modems, remote - access servers
(RAS), and VPNs to provide remote access into their systems or to
allow remote access out of their systems. Remote access can support
mobile users through wireless, Internet, or dial-in capabilities. In
some cases, modem access is required periodically by vendors to make
emergency program fixes or to support a system.
Remote access to a financial institution's systems provides an
attacker with the opportunity to remotely attack the systems either
individually or in groups. Accordingly, management should establish
policies restricting remote access and be aware of all remote access
devices attached to their systems. These devices should be strictly
controlled. Good controls for remote access include the following
actions:
! Disallow remote access by policy and practice unless a compelling
business justification exists.
! Disable remote access at the operating system level if a business
need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by
default, to enable modems only for specific, authorized external
requests, and disable the modem immediately when the requested
purpose is completed.
! Configure modems not to answer inbound calls, if modems are for
outbound use only.
! Use automated callback features so the modems only call one
number (although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses
a different prefix than internal numbers and does not respond to
incoming calls.
! Log and monitor the date, time, user, user location, duration,
and purpose for all remote access.
! Require a two-factor authentication process for all remote access
(e.g., PIN-based token card with a one-time random password
generator).
! Implement controls consistent with the sensitivity of remote use
(e.g., remote system administration requires strict controls and
oversight including encrypting the authentication and log-in
process).
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet
access, to provide a consistent authentication process, and to
subject the inbound and outbound network traffic to firewalls.
Return to the top of
the newsletter
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 9 - Assurance
9.3 Design and
Implementation Assurance
Design and implementation assurance addresses whether the features
of a system, application, or component meets security requirements
and specifications and whether they are they are well designed and
well built. Design and implementation assurance examines system
design, development, and installation. Design and implementation
assurance is usually associated with the development/acquisition and
implementation phase of the system life cycle; however, it should
also be considered throughout the life cycle as the system is
modified.
As stated earlier, assurance can address whether the product or
system meets a set of security specifications, or it can provide
other evidence of quality. This section outlines the major methods
for obtaining design and implementation assurance.
Design and implementation assurance should be examined from two
points of view: the component and the system. Component assurance
looks at the security of a specific product or system component,
such as an operating system, application, security add-on, or
telecommunications module. System assurance looks at the security of
the entire system, including the interaction between products and
modules.
9.3.1 Testing and Certification
Testing can address the quality of the system as built, as
implemented, or as operated. Thus, it can be performed throughout
the development cycle, after system installation, and throughout its
operational phase. Some common testing techniques include functional
testing (to see if a given function works according to its
requirements) or penetration testing (to see if security can be
bypassed). These techniques can range from trying several test cases
to in-depth studies using metrics, automated tools, or multiple
detailed test cases.
Certification is a formal process for testing components or systems
against a specified set of security requirements. Certification is
normally performed by an independent reviewer, rather than one
involved in building the system. Certification is more often
cost-effective for complex or high-risk systems. Less formal
security testing can be used for lower-risk systems. Certification
can be performed at many stages of the system design and
implementation process and can take place in a laboratory, operating
environment, or both. |
®