R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 3, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Morgan Stanley adviser sentenced for hacking firm's network - A former financial adviser at Morgan Stanley received three years' probation and will pay $600,000 in restitution for his illegal accessing of the firm's confidential client data "in order to use it for his personal advantage as a private wealth management adviser at the Bank," the FBI stated in a release on Tuesday. http://www.scmagazine.com/morgan-stanley-adviser-sentenced-for-hacking-firms-network/article/461465/

FYI - Internet-connected homes open the door to hackers - Baby monitors, thermostats, kitchen gadgets and other "smart" devices add convenience to our daily lives. What are manufacturers doing to make sure they don't make life easier for criminals too? http://www.cnet.com/news/internet-connected-homes-open-the-door-to-hackers/

FYI - Lessons learned from 2015 cyber attacks - Following an onslaught year of massive breaches, 2016 promises to usher in more of the same, but with each breach there was a lesson to be learned, according to a Trend Micro report. http://www.scmagazine.com/trend-micro-lessons-learned-from-2015-cyber-attacks/article/461877/

FYI - T.S.A. Moves Closer to Rejecting Some State Driver’s Licenses for Travel - As soon as next year, a driver’s license may no longer be enough for airline passengers to clear security in some states, if the Department of Homeland Security has its way. http://www.nytimes.com/2015/12/29/business/tsa-moves-closer-to-rejecting-some-state-drivers-licenses-for-travel.html?_r=0


FYI - Hyatt investigates malware found on payment processors - Hyatt Hotels Corp. reported late last week that it had found malware on the computers that operate the company's payment processing systems and is now conducting an investigation to discover the extent of the breach.

FYI - Livestream alerts registered users of suspected hack - Livestream, the web-based video broadcaster, alerted its registered users of a suspected data breach, urging them to change their passwords. http://www.scmagazine.com/livestream-alerts-registered-users-of-suspected-hack/article/461854/

FYI - Massive trove of US voter data discovered on Web - More than 191 million voter records, including personal information and voting activity, have been exposed. It's not clear who owns the server. http://www.cnet.com/news/massive-trove-of-voters-election-data-discovered-on-web/

FYI - Gaming souk Steam spews credit card, personal info in Xmas Day security meltdown - Video game marketplace Steam is leaking people's personal information – including their payment details and billing addresses – to strangers.

FYI - UConn website hacked and used to spread malware - The University of Connecticut (UConn) became the most recent institution of higher learning to be hit with a cyberattack when it was hacked on Dec. 27 and used to distribute malware. http://www.scmagazine.com/uconn-website-hacked-and-used-to-spread-malware/article/462265/


This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 2 of  6)
 Characteristics of Identity Theft
 At this time, the majority of identity theft is committed using hard-copy identification or other documents obtained from the victim without his or her permission. A smaller, but significant, amount of identity theft is committed electronically via phishing, spyware, hacking and computer viruses.  Financial institutions are among the most frequent targets of identity thieves since they store sensitive information about their customers and hold customer funds in accounts that can be accessed remotely and transferred electronically.
 Identity theft may harm consumers in several ways. First, an identity thief may gain access to existing accounts maintained by consumers and either transfer funds out of deposit accounts or incur charges to credit card accounts. Identity thieves may also open new accounts in the consumer's name, incur expenses, and then fail to pay. This is likely to prompt creditors to attempt to collect payment from the consumer for debts the consumer did not incur. In addition, inaccurate adverse information about the consumer's payment history may prevent the consumer from obtaining legitimate credit when he or she needs it. An identity theft victim can spend months or years attempting to correct errors in his or her credit record.


We continue our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most important, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.
Information security is the responsibility of everyone at the institution, as well as the institution's service providers and contractors. The board, management, and employees all have different roles in developing and implementing an effective security process. The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. Oversight requires the board to provide management with guidance and receive reports on the effectiveness of management's response. The board should approve written information security policies and the information security program at least annually. The board should provide management with its expectations and requirements for:
 1)  Central oversight and coordination,
 2)  Areas of responsibility,
 3)  Risk measurement,
 4)  Monitoring and testing,
 5)  Reporting, and
 6)  Acceptable residual risk.
 Senior management's attitude towards security affects the entire organization's commitment to security. For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.
 Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for security administration. At a minimum, they should directly manage or oversee risk assessment, development of policies, standards, and procedures, testing, and security reporting processes. Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Chapter 4.5 Malicious Hackers
 The term malicious hackers, sometimes called crackers, refers to those who break into computers without authorization. They can include both outsiders and insiders. Much of the rise of hacker activity is often attributed to increases in connectivity in both government and industry. One 1992 study of a particular Internet site (i.e., one computer system) found that hackers attempted to break in once at least every other day.
 The hacker threat should be considered in terms of past and potential future damage. Although current losses due to hacker attacks are significantly smaller than losses due to insider theft and sabotage, the hacker problem is widespread and serious. One example of malicious hacker activity is that directed against the public telephone system.
 Studies by the National Research Council and the National Security Telecommunications Advisory Committee show that hacker activity is not limited to toll fraud. It also includes the ability to break into telecommunications systems (such as switches), resulting in the degradation or disruption of system availability. While unable to reach a conclusion about the degree of threat or risk, these studies underscore the ability of hackers to cause serious damage.
 The hacker threat often receives more attention than more common and dangerous threats. The U.S. Department of Justice's Computer Crime Unit suggests three reasons for this.
      First, the hacker threat is a more recently encountered threat. Organizations have always had to worry about the actions of their own employees and could use disciplinary measures to reduce that threat. However, these measures are ineffective against outsiders who are not subject to the rules and regulations of the employer.
      Second, organizations do not know the purposes of a hacker -- some hackers browse, some steal, some damage. This inability to identify purposes can suggest that hacker attacks have no limitations.
      Third, hacker attacks make people feel vulnerable, particularly because their identity is unknown. For example, suppose a painter is hired to paint a house and, once inside, steals a piece of jewelry. Other homeowners in the neighborhood may not feel threatened by this crime and will protect themselves by not doing business with that painter. But if a burglar breaks into the same house and steals the same piece of jewelry, the entire neighborhood may feel victimized and vulnerable.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

