R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

December 24, 2017

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - FCC votes to repeal net neutrality, could increase cybersecurity threats - Despite calls for Federal Communications Commission (FCC) Chairman Ajit Pai to temporarily suspend the vote on net neutrality until an investigation into fake comments on the public docket could be completed, the commission decided today to repeal the regulations put in place under the Obama administration, prompting criticism that the move would not only choke freedom but would compromise security and privacy. https://www.scmagazine.com/fcc-votes-to-repeal-net-neutrality-could-increase-cybersecurity-threats/article/718769/

N.C.'s Mecklenberg County CIO details recent ransomware attack - Mecklenberg County officials reported additional progress restoring its systems following a ransomware attack earlier this month. https://www.scmagazine.com/ncs-mecklenberg-county-cio-details-recent-ransomware-attack/article/718751/

Pentagon Delays Deadline For Military Suppliers to Meet Cybersecurity Rules - The goal of the new regulations is to secure sensitive data on the computers and networks at smaller companies. http://www.nextgov.com/cio-briefing/2017/12/pentagon-delays-deadline-military-suppliers-meet-cybersecurity-rules/144562/

AHA calls for more oversight of medical device cybersecurity as FDA outlines plans to modernize approvals - The American Hospital Association wants the Food and Drug Administration to ramp up efforts to ensure medical device manufacturers minimize the risks of a cyberattack. https://www.fiercehealthcare.com/privacy-security/aha-fda-medical-device-cybersecurity-guidance-oversight-approval

Air Force Pays Out Government's Biggest Bug Bounty Yet - On Dec. 9, a group of elite hackers once again found themselves deep within critical Air Force networks, probing for security gaps that could put the branch's online operations at risk. And this time, military cyber specialists joined them in the hunt. http://www.nextgov.com/cybersecurity/2017/12/air-force-pays-out-governments-biggest-bug-bounty-yet/144640/

FYI - Hackers target private schools in U.K. - Hackers apparently are taking advantage of poorly secured systems at private schools in the U.K., nicking identifying data, typically through phishing attacks, that they could then use to target parents with fake invoices and other means of cybercrime. https://www.scmagazine.com/hackers-target-private-schools-in-uk/article/718744/

Starbucks free Wi-Fi caught secretly mining cryptocurrency - A tech CEO noticed the free Wi-Fi at his local Starbucks didn't exactly come without a price after discovering the network was secretly jacking his computing power to mine cryptocurrency. https://www.scmagazine.com/buenos-aires-starbucks-free-wi-fi-secretly-charges-cpu-to-mine-monero/article/718218/

Database aggregating 1.4B credentials found on dark web - A single file on the dark web with a database of 1.4 billion clear text credentials not only is the largest aggregate found there but it opens a trove of credentials to even the least sophisticated hackers. https://www.scmagazine.com/database-aggregating-14b-credentials-found-on-dark-web/article/713543/

Millions of California voter records exposed in unprotected MongoDB - California officials are investigating a report that an unprotected MongoDB database has been discovered possibly containing the names of every California voter. https://www.scmagazine.com/millions-of-california-voter-records-exposed-in-unprotected-mongodb/article/719028/

Attackers exploit old WordPress to inject sites with code enabling site redirection, takeover - Attackers have exploited an old WordPress vulnerability to infect more than one thousand websites with malware capable of injecting malvertising and even creating a rogue admin user with full access privileges, according to researchers. https://www.scmagazine.com/attackers-exploit-old-wordpress-to-inject-sites-with-code-enabling-site-redirection-takeover/article/719049/

Pyramid scheme: AnubisSpy Android malware steals data, seemingly links to old Sphinx campaign - A newly discovered Android spyware that victimizes Arabic-speakers has been potentially linked to the 2014-15 Sphinx cyber espionage campaign, which was launched by the threat group APT-C-15 to target PC users in the Middle East. https://www.scmagazine.com/pyramid-scheme-anubisspy-android-malware-steals-data-seemingly-links-to-old-sphinx-campaign/article/719741/


Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service provider's responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans. Responsibilities should include testing of the plans and providing results to the institution. The institution should consider interdependencies among service providers when determining business resumption testing requirements. The service provider should provide the institution with operating procedures the service provider and institution are to implement in the event business resumption contingency plans are implemented. Contracts should include specific provisions for business recovery timeframes that meet the institution's business requirements. The institution should ensure that the contract does not contain any provisions that would excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third-parties in providing services to the financial institution. To provide accountability, it may be beneficial for the financial institution to seek an agreement with and designate a primary contracting service provider. The institution may want to consider including a provision specifying that the contracting service provider is responsible for the service provided to the institution regardless of which entity is actually conducting the operations. The institution may also want to consider including notification and approval requirements regarding changes to the service provider's significant subcontractors.

 The contract should fully describe fees and calculations for base services, including any development, conversion, and recurring services, as well as any charges based upon volume of activity and for special requests. Cost and responsibility for purchase and maintenance of hardware and software may also need to be addressed. Any conditions under which the cost structure may be changed should be addressed in detail including limits on any cost increases.


We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should institute policies and standards requiring that information and transactions be encrypted throughout the link between the customer and the institution. Financial institutions should carefully consider the impact of implementing technologies requiring that a third party have control over unencrypted customer information and transactions.
  As wireless application technologies evolve, new security and control weaknesses will likely be identified in the wireless software and security protocols. Financial institutions should actively monitor security alert organizations for notices related to their wireless application services. They should also consider informing customers when wireless Internet devices that require the use of communications protocols deemed insecure will no longer be supported by the institution.
  The financial institution should consider having regular independent security testing performed on its wireless customer access application. Specific testing goals would include the verification of appropriate security settings, the effectiveness of the wireless application security implementation and conformity to the institution's stated standards. The security testing should be performed by an organization that is technically qualified to perform wireless testing and demonstrates appropriate ethical behavior.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
13.7 Interdependencies
 Training can, and in most cases should, be used to support every control in the handbook. All controls are more effective if designers, implementers, and users are thoroughly trained.
 Policy. Training is a critical means of informing employees of the contents of and reasons for the organization's policies.
 Security Program Management. Federal agencies need to ensure that appropriate computer security awareness and training is provided, as required under the Computer Security Act of 1987. A security program should ensure that an organization is meeting all applicable laws and regulations.
 Personnel/User Issues. Awareness, training, and education are often included with other personnel/user issues. Training is often required before access is granted to a computer system.
13.8 Cost Considerations
 The major cost considerations in awareness, training, and education programs are:
 1)  the cost of preparing and updating materials, including the time of the preparer;
 2)  the cost of those providing the instruction;
 3)  employee time attending courses and lectures or watching videos; and
4)  the cost of outside courses and consultants (both of which may include travel expenses), including course maintenance.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

© Copyright Yennik, Incorporated. All rights reserved; our logo is registered with the United States Patent and Trademark Office.