FFIEC information technology audits -
As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Top Security Challenges for 2018
https://www.scmagazine.com/top-security-challenges-for-2018--part-2/article/735763/
Data Breaches Plague Organizations for Years - Once an
organization's network is breached, extinguishing the flames is just
the first step in a long, painful and costly journey to recovery.
https://www.scmagazine.com/data-breaches-plague-organizations-for-years/article/734269/
SEC Plans Cybersecurity Guidance Refresh: What to Expect - The U.S.
Securities and Exchange Commission is planning to update its
6-year-old cybersecurity guidance for how publicly traded firms
report data breaches to investors.
http://www.govinfosecurity.com/sec-plans-cybersecurity-guidance-refresh-what-to-expect-a-10554
SWIFT framework took effect Jan. 1 - After a string of cyber heists against SWIFT members, including the 2016 theft of $81 million from Bangladesh Bank, the SWIFT Customer Security Controls Framework went into effect January 1, 2018, requiring all 11,000 SWIFT members in more than 200 countries to comply or face regulatory and economic consequences.
https://www.scmagazine.com/swift-framework-took-effect-jan-1/article/734615/
With WPA3, Wi-Fi security is about to get a lot tougher - Finally, a security reprieve for open Wi-Fi hotspot users. At last, Wi-Fi security, or the lack of it, is about to get its day in the sun.
http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/
FTC fines VTech toy firm over data breach - The Federal Trade Commission (FTC) fined toy firm VTech $650,000 as part of a settlement for violating a U.S. children's privacy law.
https://www.scmagazine.com/vtech-fined-650000-as-part-of-a-settlement-for-violating-a-us-childrens-privacy-law/article/735932/
North Carolina introduces data breach legislation, after incidents
rise in 2017 - More than 5.3 million residents of North Carolina
were victims of data breaches in 2017 – an escalating trend that has
prompted state Attorney General Josh Stein (D) and state Rep. Jason
Saine (R) to introduce newly proposed legislation to prevent further
incidents and protect the public.
https://www.scmagazine.com/north-carolina-introduces-data-breach-legislation-after-incidents-rise-in-2017/article/735761/
FakeBank malware accesses sensitive SMS banking messages - A newly
discovered mobile malware program that primarily targets Russian
banking customers can take over victims' SMS capabilities, allowing
cybercriminals to intercept text messages that contain bank security
codes, and then use those codes to reset bank account passwords.
https://www.scmagazine.com/fakebank-malware-accesses-sensitive-sms-banking-messages/article/736311/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - DHS data breach affects 250,000 staffers, investigation subjects and witnesses
and witnesses - More than 250,000 Department of Homeland Security
(DHS) employees along with individuals involved in on-going DHS
criminal investigations, including witnesses, had their personally
identifiable information (PII) compromised in a data breach.
https://www.scmagazine.com/dhs-data-breach-affects-250000-staffers-investigation-subjects-and-witnesses/article/734755/
India's 1.2 billion citizen national database reportedly breached -
India's national ID database containing the information of nearly
1.2 billion people was breached with cybercriminals selling access
to the information for $8, though officials deny the extent of the
incident.
https://www.scmagazine.com/access-to-indias-national-citizen-database-reportedly-sold-for-8/article/735276/
Breach possibly exposed sensitive data on up to 30K Florida Medicaid
recipients - A phishing attack on an employee at Florida's Agency
for Health Care Administration resulted in the exposure of sensitive
information on 30,000 Medicaid patients, the agency said in a
Saturday notification.
https://www.scmagazine.com/breach-possibly-exposed-sensitive-data-on-up-to-30k-florida-medicaid-recipients/article/735618/
Taiwanese police hand out malware-laced USB sticks as prizes for cybersecurity quiz - Taiwanese police handed out malware-laden USB sticks as prizes for a security quiz given during an infosec conference in December 2017.
https://www.scmagazine.com/taiwanese-cops-give-out-malware-laced-usb-prizes-at-cybersecurity-event/article/736108/
Belle Fourche (S.D.) city hall hit with ransomware - The small city
of Belle Fourche, S.D. was hit with a ransomware attack late last
week with the malware encrypting at least some files and demanding a
ransom.
https://www.scmagazine.com/belle-fourche-sd-city-hall-hit-with-ransomware/article/736278/
Jason's Deli reports possible POS data breach - The 266-location
Jason's Deli is notifying its customers that their payment card
information may have been compromised through a point of sale data
breach.
https://www.scmagazine.com/jasons-deli-reports-possible-pos-data-breach/article/736308/
WEB SITE COMPLIANCE - Risk
Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Termination
The extent and flexibility of termination rights sought can vary
depending upon the service. Contracts for technologies subject to
rapid change, for example, may benefit from greater flexibility in
termination rights. Termination rights may be sought for a variety
of conditions including change in control (e.g., acquisitions and
mergers), convenience, substantial increase in cost, repeated
failure to meet service levels, failure to provide critical
services, bankruptcy,
company closure, and insolvency.
Institution management should consider whether or not the contract
permits the institution to terminate the contract in a timely manner
and without prohibitive expense (e.g., reasonableness of cost or
penalty provisions). The contract should state termination and
notification requirements with time frames to allow the orderly
conversion to another provider. The contract must provide for return
of the institution’s data, as well as other institution resources,
in a timely manner and in machine readable format. Any costs
associated with transition assistance should be clearly stated.
Assignment
The institution should consider contract provisions that prohibit
assignment of the contract to a third party without the
institution’s consent, including changes to subcontractors.
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
Data Integrity
Potentially, the open architecture of the Internet can allow those
with specific knowledge and tools to alter or modify data during a
transmission. Data integrity could also be compromised within the
data storage system itself, both intentionally and unintentionally,
if proper access controls are not maintained. Steps must be taken to
ensure that all data is maintained in its original or intended
form.
Authentication
Essential in electronic commerce is the need to verify that a
particular communication, transaction, or access request is
legitimate. To illustrate, computer systems on the Internet are
identified by an Internet protocol (IP) address, much like a
telephone is identified by a phone number. Through a variety of
techniques, generally known as "IP spoofing" (i.e., impersonating),
one computer can actually claim to be another. Likewise, user
identity can be misrepresented as well. In fact, it is relatively
simple to send email which appears to have come from someone else,
or even send it anonymously. Therefore, authentication controls are
necessary to establish the identities of all parties to a
communication.
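The FDIC text names two controls but shows neither. The following is an added example, not part of the FDIC guidance or this newsletter, of the simplest message-level version of both: a shared-key HMAC tag lets the receiving institution detect a transaction altered in transit (data integrity) and reject messages from anyone who does not hold the key (authentication, independent of the sender's IP address, which the text notes can be spoofed), and a per-message nonce stops a captured genuine message from being replayed. The key, the field names, and the sample transaction are constructed for illustration.

```python
"""Added example (not part of the FDIC text): HMAC-based integrity and origin
authentication for a transaction crossing an untrusted network, plus nonce-based
replay detection. Key, field names and the sample transaction are constructed."""
import hashlib
import hmac
import json
import secrets


def canonical(fields):
    # Deterministic encoding so sender and receiver tag exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def protect(key, txn):
    """Sender side: attach a fresh nonce and an HMAC-SHA256 tag over the whole message."""
    msg = dict(txn, nonce=secrets.token_hex(16))
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "tag": tag}


class Receiver:
    """Receiver side: verify the tag before trusting any field, then enforce nonce uniqueness."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()

    def verify(self, envelope):
        msg, tag = envelope.get("msg"), envelope.get("tag")
        if not isinstance(msg, dict) or not isinstance(tag, str):
            return False, "malformed"
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak how many leading bytes matched.
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"      # altered in transit, or forged without the key
        nonce = msg.get("nonce")
        if nonce in self.seen_nonces:
            return False, "replay"       # genuine message, but already processed once
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Run the four cases the text is concerned with and return the verdicts in order:
    genuine message, message altered in transit, replayed message, forged message."""
    shared_key = secrets.token_bytes(32)      # provisioned out of band to both parties
    bank = Receiver(shared_key)
    wire = protect(shared_key, {"from": "ACCT-1001", "to": "ACCT-2002", "amount": 250.0})

    genuine = bank.verify(wire)
    tampered = json.loads(json.dumps(wire))   # deep copy of what went over the network
    tampered["msg"]["amount"] = 250000.0      # attacker edits the amount in transit
    altered = bank.verify(tampered)
    replayed = bank.verify(wire)              # attacker re-sends the captured message
    forged = bank.verify(protect(secrets.token_bytes(32),   # attacker's own key
                                 {"from": "ACCT-1001", "to": "ACCT-6666", "amount": 99.0}))
    return [genuine[1], altered[1], replayed[1], forged[1]]
```

The seen-nonce set grows without bound; a production receiver would pair the nonce with a timestamp and only remember nonces inside an acceptance window. Note also that an HMAC gives integrity and origin authentication but no confidentiality, so the transaction itself still needs TLS or equivalent encryption in transit.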
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
OPERATIONS
14.3 Configuration Management
Closely related to software support is configuration management --
the process of keeping track of changes to the system and, if
needed, approving them. Configuration management normally addresses
hardware, software, networking, and other changes; it can be formal
or informal. The primary security goal of configuration management
is ensuring that changes to the system do not unintentionally or
unknowingly diminish security. Some of the methods discussed under
software support, such as inspecting and testing software changes,
can be used.
Note that the security goal is to know what changes occur, not to
prevent security from being changed. There may be circumstances when
security will be reduced. However, the decrease in security should
be the result of a decision based on all appropriate factors.
A second security goal of configuration management is ensuring that
changes to the system are reflected in other documentation, such as
the contingency plan. If the change is major, it may be necessary to
reanalyze some or all of the security of the system.
For networked systems, configuration management should include
external connections. Is the computer system connected? To what
other systems? In turn, to what systems are these systems and
organizations connected?
14.4 Backups
Support and operations personnel and sometimes users back up
software and data. This function is critical to contingency
planning. Frequency of backups will depend upon how often data
changes and how important those changes are. Program managers should
be consulted to determine what backup schedule is appropriate. Also,
as a safety measure, it is useful to test that backup copies are
actually usable. Finally, backups should be stored securely, as
appropriate.
Users of smaller systems are often responsible for their own
backups. However, in reality they do not always perform backups
regularly. Some organizations, therefore, task support personnel
with making backups periodically for smaller systems, either
automatically (through server software) or manually (by visiting
each machine).
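Sections 14.3 and 14.4 share one underlying need: a trustworthy record of what the system's files looked like at an approved point in time. The following is an added example, not from the NIST Handbook, that builds a file-level baseline of a configuration directory, reports unapproved drift (the "know what changes occur" goal of 14.3), and reuses the same baseline to prove that a backup archive actually restores to the approved state (the "test that backup copies are actually usable" advice of 14.4). The directory layout, file contents and the archive name are constructed for illustration.

```python
"""Added example (not from the NIST Handbook): a file-hash baseline used both for
configuration-drift detection (14.3) and for verifying a backup restores (14.4).
Paths, file contents and the archive name are constructed for illustration."""
import hashlib
import os
import tarfile
import tempfile


def snapshot(root):
    """Map each file under root (as a forward-slash relative path) to its SHA-256 digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                result[rel] = hashlib.sha256(f.read()).hexdigest()
    return result


def diff(baseline, current):
    """Report what differs from the approved baseline: new, missing, and modified files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def backup(root, archive_path):
    """Write a gzip tar of root; the archive's internal paths are relative to root."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname=".")


def verify_backup(archive_path, baseline):
    """Restore into a scratch directory and compare to the baseline. A backup that does
    not restore to the approved state is not a usable backup, whatever its size on disk."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the 'data' extraction filter where the interpreter supports it, so a
            # crafted archive cannot write outside scratch (absolute paths, '..', symlinks).
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        return diff(baseline, snapshot(scratch))


def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Build a constructed config tree, baseline it, verify its backup, then introduce
    unapproved changes and report the drift. Returns (backup_check, drift_report)."""
    with tempfile.TemporaryDirectory() as work:
        cfg = os.path.join(work, "etc")
        write(cfg, "ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n")
        write(cfg, "hosts.allow", "sshd: 10.0.0.0/8\n")
        baseline = snapshot(cfg)                      # taken when the change was approved

        archive = os.path.join(work, "etc-backup.tgz")
        backup(cfg, archive)
        backup_check = verify_backup(archive, baseline)   # expect no differences

        # Unapproved changes: password auth re-enabled, a new cron job, an ACL file gone.
        write(cfg, "ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication yes\n")
        write(cfg, "cron.d/rescue", "* * * * * root /tmp/rescue.sh\n")
        os.remove(os.path.join(cfg, "hosts.allow"))
        drift = diff(baseline, snapshot(cfg))
        return backup_check, drift
```

The baseline dictionary is the artifact to store alongside the approved change record; a drift report that is not empty is either a change that went through the process and the baseline was not updated, or a change that did not go through the process at all, and either way it is the signal 14.3 says management must have. Running the restore test against the same baseline turns "we have backups" into "we have verified a restore reproduces the approved state".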