R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 15, 2017

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - The Department of Justice (DOJ) has made clear that it interprets the ADA as applicable to websites.  Is your web site compliant with the Americans with Disabilities Act?  For the past 20 years, our bank web site audits have covered the ADA guidelines.  To help reduce any liability, please contact me for more information at examiner@yennik.com.

FYI - NIST updates Cybersecurity Framework, seeks comment - The National Institute of Standards and Technology (NIST) issued a draft update on Tuesday to its Framework for Improving Critical Infrastructure Cybersecurity, aka the Cybersecurity Framework, aimed at forging stronger cybersecurity measures. https://www.scmagazine.com/nist-updates-cybersecurity-framework-seeks-comment/article/630892/

The Importance of understanding finance as a CISO - As we all know, the job of a CISO has changed significantly over the past several years. https://www.scmagazine.com/the-importance-of-understanding-finance-as-a-ciso/article/629740/

Hackers are having a field day with stolen credentials - Luckily, we can rain on their parade by following simple, common sense industry best practices. https://www.scmagazine.com/hackers-are-having-a-field-day-with-stolen-credentials/article/630029/

FTC goes after D-Link for shoddy security in routers, cameras - Security experts have been warning about the dangers with poorly secured IoT products. http://computerworld.com/article/3155090/security/ftc-goes-after-d-link-for-shoddy-security-in-routers-cameras.html

Deploying ransomware is now a crime in California - Previously, prosecutors had to rely on the state's extortion statute. As of January 1, the delivery of ransomware is illegal in California thanks to Senate Bill 1137 going into effect. http://arstechnica.com/tech-policy/2017/01/watch-out-hackers-deploying-ransomware-is-now-a-crime-in-california/

3 in 10 agency websites miss OMB deadline to migrate to HTTPS - The White House-imposed deadline for federal agencies to transition their websites to the HTTPS communications protocol passed on New Year's Eve, but some agencies' conversions remain a work in progress. https://fcw.com/articles/2017/01/03/secure-site-standard-gunter.aspx

Nearly every US state (47 to be exact) requires companies to disclose when a breach affects their citizens, and most track this data internally. That data is usually a public records request away from you, the consumer, who could actually use it to inform your digital habits. https://www.wired.com/2017/01/states-now-actually-help-figure-youve-hacked/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hacker leaks 1.5 million ESEA after failed extortion attempt - An attacker leaked an E-Sports Entertainment Association (ESEA) database containing 1.5 million player profiles after an alleged failed extortion attempt. https://www.scmagazine.com/15-million-esea-accounts-compromised-in-botched-extortion-attempt/article/630513/

Anthem breach caused by nation state - The California Department of Insurance reported that the 2015 Anthem breach was the result of a nation-state attack. https://www.scmagazine.com/examination-report-finds-foreign-government-behind-anthem-breach/article/630347/

123 Reg again hit with DDoS attack - The UK domain registration site 123 Reg was hit with a Distributed Denial of Service (DDoS) attack, its second in six months, late last week. https://www.scmagazine.com/123-reg-again-hit-with-ddos-attack/article/630342/

Ukraine rules December power outage cyberattack - Researchers investigating a power outage which hit the Ukraine capital, Kiev, last month ruled the incident a cyberattack. https://www.scmagazine.com/cyberattack-caused-ukraine-power-outage-last-month/article/631061/



WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  
 
Board and Management Oversight - Principle 4: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom it conducts business over the Internet. (Part 2 of 2)
  
  The bank must determine which authentication methods to use based on management's assessment of the risk posed by the e-banking system as a whole or by the various sub-components. This risk analysis should evaluate the transactional capabilities of the e-banking system (e.g. funds transfer, bill payment, loan origination, account aggregation etc.), the sensitivity and value of the stored e-banking data, and the customer's ease of using the authentication method.
  
  Robust customer identification and authentication processes are particularly important in the cross-border e-banking context given the additional difficulties that may arise from doing business electronically with customers across national borders, including the greater risk of identity impersonation and the greater difficulty in conducting effective credit checks on potential customers.
  
  As authentication methods continue to evolve, banks are encouraged to monitor and adopt industry sound practice in this area such as ensuring that:
  
  1)  Authentication databases that provide access to e-banking customer accounts or sensitive systems are protected from tampering and corruption. Any such tampering should be detectable and audit trails should be in place to document such attempts.
  
  2)  Any addition, deletion or change of an individual, agent or system to an authentication database is duly authorized by an authenticated source.
  
  3)  Appropriate measures are in place to control the e-banking system connection such that unknown third parties cannot displace known customers.
  
  4)  Authenticated e-banking sessions remain secure throughout the full duration of the session; in the event of a security lapse, the session should require re-authentication.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 SECURITY CONTROLS - IMPLEMENTATION
 
 PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of 2)
 
 Physical security for distributed IS, particularly LANs that are usually PC-based, is slightly different than for mainframe platforms. With a network there is often no centralized computer room. In addition, a network often extends beyond the local premises. There are certain components that need physical security. These include the hardware devices and the software and data that may be stored on the file servers, PCs, or removable media (tapes and disks). As with more secure IS environments, physical network security should prevent unauthorized personnel from accessing LAN devices or the transmission of data. In the case of wire-transfer clients, more extensive physical security is required.
 
 Physical protection for networks as well as PCs includes power protection, physical locks, and secure work areas enforced by security guards and authentication technologies such as magnetic badge readers. Physical access to the network components (i.e., files, applications, communications, etc.) should be limited to those who require access to perform their jobs. Network workstations or PCs should be password protected and monitored for workstation activity.
 
 Network wiring requires some form of protection since it does not have to be physically penetrated for the data it carries to be revealed or contaminated. Examples of controls include using a conduit to encase the wiring, avoiding routing through publicly accessible areas, and avoiding routing networking cables in close proximity to power cables. The type of wiring can also provide a degree of protection; signals over fiber, for instance, are less susceptible to interception than signals over copper cable.

 
 Capturing radio frequency emissions also can compromise network security. Frequency emissions are of two types, intentional and unintentional. Intentional emissions are those broadcast, for instance, by a wireless network. Unintentional emissions are the normally occurring radiation from monitors, keyboards, disk drives, and other devices. Shielding is a primary control over emissions. The goal of shielding is to confine a signal to a defined area. An example of shielding is the use of foil-backed wallboard and window treatments. Once a signal is confined to a defined area, additional controls can be implemented in that area to further minimize the risk that the signal will be intercepted or changed.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 9 - Assurance
 
9.3.9 Self-Certification
 
 A vendor's, integrator's, or system developer's self-certification does not rely on an impartial or independent agent to perform a technical evaluation of a system to see how well it meets a stated security requirement. Even though it is not impartial, it can still provide assurance. The self-certifier's reputation is on the line, and a resulting certification report can be read to determine whether the security requirement was defined and whether a meaningful review was performed.
 
 A hybrid certification is possible where the work is performed under the auspices or review of an independent organization by having that organization analyze the resulting report, perform spot checks, or perform other oversight. This method may be able to combine the lower cost and greater speed of a self-certification with the impartiality of an independent review. The review, however, may not be as thorough as independent evaluation or testing.
 
 9.3.10 Warranties, Integrity Statements, and Liabilities
 
 Warranties are another source of assurance. If a manufacturer, producer, system developer, or integrator is willing to correct errors within certain time frames or by the next release, this should give the system manager a sense of commitment to the product and of the product's quality. An integrity statement is a formal declaration or certification of the product. It can be backed up by a promise to (a) fix the item (warranty) or (b) pay for losses (liability) if the product does not conform to the integrity statement.
 
 9.3.11 Manufacturer's Published Assertions
 
 A manufacturer's or developer's published assertion or formal declaration provides a limited amount of assurance based exclusively on reputation.
 
 9.3.12 Distribution Assurance
 
 It is often important to know that software has arrived unmodified, especially if it is distributed electronically. In such cases, checkbits or digital signatures can provide high assurance that code has not been modified. Anti-virus software can be used to check software that comes from sources with unknown reliability (such as a bulletin board).
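The distribution check described in 9.3.12, as an added example that is not part of the Handbook: the publisher computes a SHA-256 manifest over the pristine files, and the recipient recomputes the digests over what actually arrived. File names, contents and the manifest format are constructed for this example; the manifest itself must come over a channel the attacker cannot also alter (or be digitally signed), otherwise a tampered file and a matching tampered manifest would pass together.

```python
import hashlib
import hmac

# Constructed sample: what the publisher built (hypothetical names and contents).
PRISTINE_FILES = {
    "update.bin": b"firmware image v1.2\n",
    "README.txt": b"install notes\n",
}


def build_manifest(files):
    """Publisher side: one 'hexdigest  filename' line per file (sha256sum style)."""
    return "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in files.items()
    )


def parse_manifest(text):
    """Recipient side: map filename -> expected hex digest, skipping blank/comment lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_distribution(received_files, manifest_text):
    """Return {filename: bool}. A file absent from the manifest fails, since
    nothing vouches for it; digests are compared in constant time."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in received_files.items():
        actual = hashlib.sha256(data).hexdigest()
        want = expected.get(name)
        results[name] = want is not None and hmac.compare_digest(actual, want)
    return results


# The manifest the publisher would ship alongside (or sign separately from) the files.
PUBLISHED_MANIFEST = build_manifest(PRISTINE_FILES)

if __name__ == "__main__":
    # Simulate a modified binary arriving in place of the original.
    received = dict(PRISTINE_FILES)
    received["update.bin"] = b"firmware image v1.2 plus an unwanted change\n"
    for name, ok in verify_distribution(received, PUBLISHED_MANIFEST).items():
        print(f"{name}: {'OK' if ok else 'MODIFIED OR UNLISTED'}")
```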


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated