R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 28, 2014

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - NY bank regulator's cybersecurity plan has strong authentication, identity - New York is upgrading its evaluation of banks operating in the state to include specific questions and examinations on use of multi-factor authentication and identity and access management systems. http://www.zdnet.com/article/ny-bank-regulators-cybersecurity-plan-includes-strong-authentication-identity/

FYI - State-sponsored or not, Sony Pictures malware “bomb” used slapdash code - Malware was just good enough to do the job, perhaps what North Korea intended. Analysis by researchers at Cisco of a malware sample matching the MD5 hash signature of the “Destover” malware that was used in the attack on Sony Pictures revealed that the code was full of bugs and anything but sophisticated. http://arstechnica.com/security/2014/12/state-sponsored-or-not-sony-pictures-malware-bomb-used-slapdash-code/

FYI - Neglected Server Provided Entry for JPMorgan Hackers - The computer breach at JPMorgan Chase this summer — the largest intrusion of an American bank to date — might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network, said people who have been briefed on internal and outside investigations into the attack.
http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0
http://www.pcworld.com/article/2862672/twofactor-authentication-oversight-led-to-jpmorgan-breach-investigators-reportedly-found.html#tk.nl_today

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Park-n-Fly Online Card Breach - Multiple financial institutions say they are seeing a pattern of fraud that indicates an online credit card breach has hit Park-n-Fly, an Atlanta-based offsite airport parking service that allows customers to reserve spots in advance of travel via an Internet-based reservation system. http://krebsonsecurity.com/2014/12/banks-park-n-fly-online-card-breach/

FYI - Roughly 1.16 million payment cards may have been affected in Staples breach - Staples announced on Friday that malware infected its point-of-sale systems at 115 of its 1,400 U.S. retail stores, possibly affecting roughly 1.16 million payment cards. http://www.scmagazine.com/roughly-116-million-payment-cards-may-have-been-affected-in-staples-breach/article/389369/

FYI - 40,000 federal employees impacted by contractor breach - The personal information of more than 40,000 federal workers may be at risk following a data breach at KeyPoint Government Solutions, a prominent federal contractor. http://www.scmagazine.com/40000-federal-employees-impacted-by-contractor-breach/article/389347/

FYI - Spear phishing campaign compromises ICANN systems - The Internet Corporation for Assigned Names and Numbers (ICANN) is investigating an apparent spear phishing attack that began in November and led to the exposure of information in some of ICANN's systems.
http://www.scmagazine.com/icann-deactivates-passwords-after-staff-credentials-compromised/article/389224/
http://www.theregister.co.uk/2014/12/19/icann_stresses_critical_internet_systems_not_hacked/

FYI - Northwestern Memorial HealthCare laptop stolen, patient data at risk - A Northwestern Memorial HealthCare (NMHC) laptop was stolen from an employee's vehicle, putting Northwestern Lake Forest Hospital, Northwestern Memorial Hospital, and Northwestern Medical Group patient data at risk. http://www.scmagazine.com/northwestern-memorial-healthcare-laptop-stolen-patient-data-at-risk/article/389596/

FYI - Hackers pop German steel mill, wreck furnace - Phishing proves too hot - Talented hackers have caused "serious damage" after breaching a German steel mill and wrecking one of its blast furnaces. http://www.theregister.co.uk/2014/12/22/hackers_pop_german_steel_mill_wreck_furnace/

FYI - Sneaky Russian hackers slurped $15 MILLION from banks - ATM malware, remote employee monitoring - you name it, they did it - Millions of dollars, credit cards and intellectual property have been stolen by a newly discovered group of cyber criminals. http://www.theregister.co.uk/2014/12/22/russian_cyber_heist_gang_rakes_in_15m/

FYI - Staples: 6-Month Breach, 1.16 Million Cards - Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. http://krebsonsecurity.com/2014/12/staples-6-month-breach-1-16-million-cards/

FYI - Gang Hacked ATMs from Inside Banks - An organized gang of hackers from Russia and Ukraine has broken into internal networks at dozens of financial institutions and installed malicious software that allowed the gang to drain bank ATMs of cash. http://krebsonsecurity.com/2014/12/gang-hacked-atms-from-inside-banks/

FYI - North Korea's internet access unstable - Just a few days after President Obama said the U.S. would react proportionately to North Korea's likely role in the Sony breach, access to the internet within the country has been unstable the past 24 hours, according to the website North Korea Tech. http://www.scmagazine.com/slowdown-makes-access-undependable/article/389485/


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 3 of 3)

4. Banks should ensure that periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.

   a) For outsourced relationships involving critical or technologically complex e-banking services/applications, banks may need to arrange for other periodic reviews to be performed by independent third parties with sufficient technical expertise.

5. Banks should develop appropriate contingency plans for outsourced e-banking activities.

   a) Banks need to develop and periodically test their contingency plans for all critical e-banking systems and services that have been outsourced to third parties.

   b) Contingency plans should address credible worst-case scenarios for providing continuity of e-banking services in the event of a disruption affecting outsourced operations.

   c) Banks should have an identified team that is responsible for managing recovery and assessing the financial impact of a disruption in outsourced e-banking services.

6. Banks that provide e-banking services to third parties should ensure that their operations, responsibilities, and liabilities are sufficiently clear so that serviced institutions can adequately carry out their own effective due diligence reviews and ongoing oversight of the relationship.

   a) Banks have a responsibility to provide serviced institutions with information necessary to identify, control and monitor any risks associated with the e-banking service arrangement.



INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 4 of 4)

Some host-based IDS units address the difficulty of performing intrusion detection on encrypted traffic. Those units position their sensors between the decryption of the IP packet and the execution of any commands by the host. This host-based intrusion detection method is particularly appropriate for Internet banking servers and other servers that communicate over an encrypted channel. Loadable kernel modules (LKMs), however, can defeat these host-based IDS units, since a malicious module runs inside the kernel beneath the sensor.

Host-based intrusion detection systems are recommended by the NIST for all mission-critical systems, even those that should not allow external access.

The heuristic, or behavior, method creates a statistical profile of normal activity on the host or network. Boundaries for activity are established based on that profile. When current activity exceeds the boundaries, an alert is generated. Weaknesses in this method involve the ability of the system to accurately model activity, the relationship between valid activity in the period being modeled and valid activity in future periods, and the potential for malicious activity to take place while the modeling is performed. This method is best employed in environments with predictable, stable activity.

Both signature-based and heuristic detection methods result in false positives (alerts where no attack exists) and false negatives (no alert when an attack does take place). While false negatives are obviously a concern, false positives can also hinder detection. When security personnel are overwhelmed with the number of false positives, they may look at the IDS reports with less vigor, allowing real attacks to be reported by the IDS but not researched or acted upon. Additionally, they may tune the IDS to reduce the number of false positives, which may increase the number of false negatives. Risk-based testing is necessary to ensure the detection capability is adequate.
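As an added illustration of the heuristic method and of the false-positive/false-negative trade-off described above (example code written for this newsletter page, not taken from the FFIEC booklet), the Go program below builds a statistical profile from a constructed 24-hour window of hourly login-failure counts on an Internet banking host, alerts when current activity exceeds the mean plus k standard deviations, and scores the result against constructed ground-truth labels for several values of k. The metric, every count and every label are invented for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed sample: hourly login-failure counts for one Internet banking
// host over a 24-hour "quiet" modelling window. Values are invented.
var baselineFailures = []float64{
	3, 2, 4, 3, 2, 3, 5, 4, 6, 5, 4, 3,
	4, 3, 5, 4, 3, 2, 4, 3, 5, 4, 3, 2,
}

// Profile is the statistical summary of "normal" activity.
type Profile struct {
	Mean, StdDev float64
}

// BuildProfile computes a mean/standard-deviation profile from the modelling
// window. Anything malicious that occurred inside the window is absorbed into
// the profile, which is the modelling-window weakness the booklet notes.
func BuildProfile(samples []float64) Profile {
	var sum float64
	for _, v := range samples {
		sum += v
	}
	mean := sum / float64(len(samples))
	var sq float64
	for _, v := range samples {
		sq += (v - mean) * (v - mean)
	}
	return Profile{Mean: mean, StdDev: math.Sqrt(sq / float64(len(samples)))}
}

// Threshold returns the upper activity boundary: mean plus k standard
// deviations. k is the knob operators turn when tuning out alerts.
func (p Profile) Threshold(k float64) float64 {
	return p.Mean + k*p.StdDev
}

// Observation is one hour of current activity with a ground-truth label that
// is used only to score the detector.
type Observation struct {
	Hour      int
	Failures  float64
	Malicious bool
}

// Constructed current-period observations: hours 3, 5 and 11 are a credential
// stuffing attempt at different intensities; hour 8 is a benign spike (a
// password policy change forcing resets). Labels are invented for scoring.
var current = []Observation{
	{0, 4, false}, {1, 3, false}, {2, 5, false}, {3, 40, true},
	{4, 4, false}, {5, 18, true}, {6, 3, false}, {7, 2, false},
	{8, 12, false}, {9, 4, false}, {10, 3, false}, {11, 6, true},
}

// Score counts alerts and the two kinds of detector error.
type Score struct {
	Alerts, FalsePositives, FalseNegatives int
}

// Evaluate alerts on every observation above the boundary for the chosen k
// and tallies false positives and false negatives against the labels.
func Evaluate(p Profile, k float64, obs []Observation) Score {
	var s Score
	limit := p.Threshold(k)
	for _, o := range obs {
		alert := o.Failures > limit
		if alert {
			s.Alerts++
		}
		switch {
		case alert && !o.Malicious:
			s.FalsePositives++
		case !alert && o.Malicious:
			s.FalseNegatives++
		}
	}
	return s
}

func main() {
	p := BuildProfile(baselineFailures)
	fmt.Printf("profile: mean=%.2f stddev=%.2f\n", p.Mean, p.StdDev)
	for _, k := range []float64{2, 3, 10} {
		s := Evaluate(p, k, current)
		fmt.Printf("k=%-2.0f limit=%5.1f alerts=%d FP=%d FN=%d\n",
			k, p.Threshold(k), s.Alerts, s.FalsePositives, s.FalseNegatives)
	}
	// Weakness: if the modelling window already contained the 40-failure
	// bursts, the boundary is learned so high that the 18-failure hour is missed.
	polluted := BuildProfile(append(append([]float64{}, baselineFailures...), 40, 40))
	s := Evaluate(polluted, 3, current)
	fmt.Printf("polluted profile: limit=%.1f alerts=%d FN=%d\n",
		polluted.Threshold(3), s.Alerts, s.FalseNegatives)
}
```

Raising k from 2 to 10 silences the benign spike at hour 8 but also drops the low-volume malicious hour 11, which is the tuning trade-off the booklet warns about; the polluted profile shows the second weakness, where activity during the modelling period shifts the boundary and a real burst is never flagged.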



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -

We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 19 - CRYPTOGRAPHY


19.1 Basic Cryptographic Technologies

Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a key. In modern cryptographic systems, algorithms are complex mathematical formulae and keys are strings of bits. For two parties to communicate, they must use the same algorithm (or algorithms that are designed to work together). In some cases, they must also use the same key. Many cryptographic keys must be kept secret; sometimes algorithms are also kept secret.

There are two basic types of cryptography: "secret key" and "public key."

There are two basic types of cryptography: secret key systems (also called symmetric systems) and public key systems (also called asymmetric systems). The table compares some of the distinct features of secret and public key systems. Both types of systems offer advantages and disadvantages. Often, the two are combined to form a hybrid system to exploit the strengths of each type. To determine which type of cryptography best meets its needs, an organization first has to identify its security requirements and operating environment.

DISTINCT FEATURES     SECRET KEY CRYPTOGRAPHY        PUBLIC KEY CRYPTOGRAPHY
Number of keys        Single key.                    Pair of keys.
Types of keys         Key is secret.                 One key is private, and one key is public.
Protection of keys    Disclosure and modification.   Disclosure and modification for private keys; modification for public keys.
Relative speeds       Faster.                        Slower.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated