December 18, 2016

FYI - The FDIC and the OCC do not have a requirement that financial institutions change third-party vendors on a periodic basis.  Any such decision is a management decision, not a regulatory decision.  Refer to http://www.yennik.com/occ_10-12-16_rotation_letter.pdf and http://www.yennik.com/fdic_10-18-16_rotation_letter.pdf.

NIST report: Approaches to reduce software vulnerabilities - A just-released report from the National Institute of Standards and Technology (NIST) offers advice on how developers could adopt its approaches to make software less vulnerable. https://www.scmagazine.com/nist-report-approaches-to-reduce-software-vulnerabilities/article/577211/

Only 25% of businesses can effectively detect and respond to data breaches - A survey that shows businesses might not be as well prepared as they think they are for a data breach. https://www.scmagazine.com/only-25-of-businesses-can-effectively-detect-and-respond-to-data-breaches/article/577867/

Sony kills off secret backdoor in 80 internet-connected CCTV models - Magic 'secret key' HTTP request opens up admin control - Sony has killed off what, charitably, looks like a debug backdoor in 80 of its web-connected surveillance cameras that can be exploited to hijack the devices. http://www.theregister.co.uk/2016/12/06/sony_ip_camera_backdoor/

WA Auditor General recommends inter-agency cooperation to counter malware - The state's Office of the Auditor General has made six recommendations to prevent the threat of malware after investigating six West Australian government agencies. http://www.zdnet.com/article/wa-auditor-general-recommends-inter-agency-cooperation-to-counter-malware/

House Homeland Security Committee Chairman Michael McCaul announced plans Wednesday to push for the creation of a new federal agency during the Trump administration that would consolidate the government's disjointed cybersecurity efforts. https://www.cyberscoop.com/mccaul-new-cybersecurity-agency/

Attacks continue to impact SWIFT banking network - Attacks on bank systems using SWIFT are only evolving, although officials at the global bank transfer system say their security processes have toughened. https://www.scmagazine.com/attacks-continue-to-impact-swift-banking-network/article/579271/

Uber sued over unfettered use of "God View" and poor security practices - A former Uber employee is suing the ride sharing tech firm claiming that Uber allowed staff to abuse the “God View” feature to spy on high-profile individuals such as Beyoncé as well as private citizens. https://www.scmagazine.com/uber-sued-over-unfettered-use-of-god-view-and-poor-security-practices/article/579275/


FYI - Hacker claims army of 3.2M home routers seized via malicious firmware update - After apologizing for accidentally knocking TalkTalk and Post Office internet subscribers offline, a hacker by the name of BestBuy claims to have now intentionally pushed a malicious firmware update to 3.2 million home routers using a modified Mirai-powered botnet. https://www.scmagazine.com/hacker-claims-to-have-seized-32m-home-routers-by-pushing-malicious-firmware-update/article/578020/

Privacy groups say talking dolls asking kids private questions - A consortium of privacy and consumer advocacy groups has filed a complaint with the Federal Trade Commission requesting an investigation and injunction on two internet-connected talking toys that may be recording and transmitting children's personal information. https://www.scmagazine.com/privacy-groups-say-talking-dolls-asking-kids-private-questions/article/578026/

Cyberspies stole secrets from industrial giant ThyssenKrupp - Germany-based industrial conglomerate ThyssenKrupp was hit by a cyberespionage attack earlier this year that resulted in data being stolen from its industrial solutions and steel producing units. http://computerworld.com/article/3148254/security/cyberspies-stole-secrets-from-industrial-giant-thyssenkrupp.html

University of Wisconsin-Madison data breach impacts 1000-plus former law school applicants - The University of Wisconsin-Madison on Tuesday announced that a database at its law school suffered a data breach on Nov. 3, exposing personally identifiable information belonging to over 1,000 former applicants. https://www.scmagazine.com/university-of-wisconsin-madison-data-breach-impacts-1000-plus-former-law-school-applicants/article/578173/

When it comes to IoT, more security is needed - Sometimes it takes a monumental event for an industry to change. The Target hack during the holiday season of 2013 – in which some 40 million credit card numbers were stolen – changed people's attitudes about security forever. And the same holds true with the attack on DNS provider Dyn last October: Internet of Things (IoT) devices were compromised and turned into bots that slowed access and, in some cases, shut down frequently visited websites such as Amazon, Twitter and PayPal. https://www.scmagazine.com/when-it-comes-to-iot-more-security-is-needed/article/578654/

Legion hacking group attacking high profile Indian officials - The hacking group responsible for hijacking the Twitter accounts of several high profile Indian officials is now claiming to have access to 40 thousand plus servers, including those of India's biggest private hospital chain, Apollo. https://www.scmagazine.com/hackers-claim-access-to-largest-private-hospital-chain-in-india/article/578642/

Hack of Quest Diagnostics App Exposes Data of 34,000 Patients - A medical laboratory company based in New Jersey said Monday that it was investigating a recent hack that exposed the personal health information of about 34,000 people. http://www.nytimes.com/2016/12/12/us/hack-of-quest-diagnostics-app-exposes-data-of-34000-patients.html

Attackers use hacked home routers to hit 5 Russian banks - The routers were likely hacked through a recent vulnerability in the TR-069 management protocol - Botnets made up of hacked home routers were used to launch distributed denial-of-service attacks against the five largest financial organizations in Russia. http://computerworld.com/article/3149030/security/attackers-use-hacked-home-routers-to-hit-5-russian-banks.html

Data on 1B Yahoo users stolen in second breach - Data on one billion Yahoo users was likely stolen by an unauthorized third party in a data breach that occurred in August 2013, the company said in a Wednesday press release that also noted the breach is “likely distinct” from a breach previously disclosed in September. https://www.scmagazine.com/data-on-1b-yahoo-users-stolen-in-second-breach/article/579323/

Ancient breach discovered, 1K former Maryland public students affected - Data on about 1,000 former students in Frederick County Public Schools in Maryland was likely exposed in a data breach that occurred prior to 2010 but which was only discovered in September of this year. https://www.scmagazine.com/ancient-breach-discovered-1k-former-maryland-public-students-affected/article/579311/

Breach at Peachtree Orthopedics impacted 531K, report - A breach at Atlanta-based Peachtree Orthopedics, first announced in the fall, is now said to have affected more than half a million clients. https://www.scmagazine.com/breach-at-peachtree-orthopedics-impacted-531k-report/article/579283/

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
Board and Management Oversight - Principle 1: The Board of Directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks. (Part 2 of 2)
Finally, the Board and senior management should ensure that its risk management processes for its e-banking activities are integrated into the bank's overall risk management approach. The bank's existing risk management policies and processes should be evaluated to ensure that they are robust enough to cover the new risks posed by current or planned e-banking activities. Additional risk management oversight steps that the Board and senior management should consider taking include:
 1) Clearly establishing the banking organization's risk appetite in relation to e-banking.
 2) Establishing key delegations and reporting mechanisms, including the necessary escalation procedures for incidents that impact the bank's safety, soundness or reputation (e.g. network penetration, employee security infractions and any serious misuse of computer facilities).
 3) Addressing any unique risk factors associated with ensuring the security, integrity and availability of e-banking products and services, and requiring that third parties to whom the bank has outsourced key systems or applications take similar measures.
 4) Ensuring that appropriate due diligence and risk analysis are performed before the bank conducts cross-border e-banking activities.
 The Internet greatly facilitates a bank's ability to distribute products and services over virtually unlimited geographic territory, including across national borders. Such cross-border e-banking activity, particularly if conducted without any existing licensed physical presence in the "host country," potentially subjects banks to increased legal, regulatory and country risk due to the substantial differences that may exist between jurisdictions with respect to bank licensing, supervision and customer protection requirements. Because of the need to avoid inadvertent non-compliance with a foreign country's laws or regulations, as well as to manage relevant country risk factors, banks contemplating cross-border e-banking operations need to fully explore these risks before undertaking such operations and effectively manage them.
 Depending on the scope and complexity of e-banking activities, the scope and structure of risk management programs will vary across banking organizations. Resources required to oversee e-banking services should be commensurate with the transactional functionality and criticality of systems, the vulnerability of networks and the sensitivity of information being transmitted.

We continue our series on the FFIEC interagency Information Security Booklet.  

 Many financial institutions use modems, remote-access servers (RAS), and VPNs to provide remote access into their systems or to allow remote access out of their systems. Remote access can support mobile users through wireless, Internet, or dial-in capabilities. In some cases, modem access is required periodically by vendors to make emergency program fixes or to support a system.
 Remote access to a financial institution's systems provides an attacker with the opportunity to remotely attack the systems either individually or in groups. Accordingly, management should establish policies restricting remote access and be aware of all remote access devices attached to their systems. These devices should be strictly controlled. Good controls for remote access include the following actions:
 - Disallow remote access by policy and practice unless a compelling business justification exists.
 - Disable remote access at the operating system level if a business need for such access does not exist.
 - Require management approval for remote access.
 - Require an operator to leave the modems unplugged or disabled by default, to enable modems only for specific, authorized external requests, and to disable the modem immediately when the requested purpose is completed.
 - Configure modems not to answer inbound calls, if modems are for outbound use only.
 - Use automated callback features so the modems only call one number (although this is subject to call forwarding schemes).
 - Install a modem bank where the outside number to the modems uses a different prefix than internal numbers and does not respond to incoming calls.
 - Log and monitor the date, time, user, user location, duration, and purpose for all remote access.
 - Require a two-factor authentication process for all remote access (e.g., PIN-based token card with a one-time random password generator).
 - Implement controls consistent with the sensitivity of remote use (e.g., remote system administration requires strict controls and oversight, including encrypting the authentication and log-in process).
 - Appropriately patch and maintain all remote access software.
 - Use trusted, secure access devices.
 - Use remote-access servers (RAS) to centralize modem and Internet access, to provide a consistent authentication process, and to subject the inbound and outbound network traffic to firewalls.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Chapter 9 - Assurance

9.3 Design and Implementation Assurance
 Design and implementation assurance addresses whether the features of a system, application, or component meet security requirements and specifications and whether they are well designed and well built. Design and implementation assurance examines system design, development, and installation. Design and implementation assurance is usually associated with the development/acquisition and implementation phase of the system life cycle; however, it should also be considered throughout the life cycle as the system is modified.
 As stated earlier, assurance can address whether the product or system meets a set of security specifications, or it can provide other evidence of quality. This section outlines the major methods for obtaining design and implementation assurance.
 Design and implementation assurance should be examined from two points of view: the component and the system. Component assurance looks at the security of a specific product or system component, such as an operating system, application, security add-on, or telecommunications module. System assurance looks at the security of the entire system, including the interaction between products and modules.
 9.3.1 Testing and Certification
 Testing can address the quality of the system as built, as implemented, or as operated. Thus, it can be performed throughout the development cycle, after system installation, and throughout its operational phase. Some common testing techniques include functional testing (to see if a given function works according to its requirements) or penetration testing (to see if security can be bypassed). These techniques can range from trying several test cases to in-depth studies using metrics, automated tools, or multiple detailed test cases.
 Certification is a formal process for testing components or systems against a specified set of security requirements. Certification is normally performed by an independent reviewer, rather than one involved in building the system. Certification is more often cost-effective for complex or high-risk systems. Less formal security testing can be used for lower-risk systems. Certification can be performed at many stages of the system design and implementation process and can take place in a laboratory, operating environment, or both.