R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 27, 2019

wsletter Content FFIEC IT Security FFIEC & ADA Web Site Audits
Web Site Compliance NIST Handbook Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration test complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.  For more information go to On-site FFIEC IT Audits.

 FYI - DHS issues emergency directive to protect federal domains from DNS hijacking campaign - The Department of Homeland Security on Tuesday issued an emergency directive instructing federal government agencies to take preventative measures against an ongoing DNS hijacking campaign that has recently affected several executive branch domains. https://www.scmagazine.com/home/security-news/government-and-defense/dhs-issues-emergency-directive-to-protect-federal-domains-from-dns-hijacking-campaign/

Data breaches, cyberattacks are top global risks alongside natural disasters and climate change - Increased connectivity in society and rapidly evolving threats are leaving the world open to damaging large-scale cyberattacks, warns the World Economic Forum. https://www.zdnet.com/article/data-breaches-cyber-attacks-are-top-global-risks-alongside-natural-disasters-and-climate-change/

ACLU suit seeks social media surveillance records from seven fed agencies - The U.S. government’s social media surveillance activities, including the monitoring of immigrants and visa applications under the Trump administration’s extreme vetting effort, are in the crosshairs of a Freedom of Information (FOIA) lawsuit filed by the American Civil Liberties Union (ACLU) and the ACLU of Northern California. https://www.scmagazine.com/home/security-news/government-and-defense/aclu-suit-seeks-social-media-surveillance-records-from-seven-fed-agencies/

Why modernize the enterprise security stack? Recent breaches point the way - Cathay Pacific, Eurostar, British Airways – it’s fair to say last October was a bit of a nightmare for security departments across the world, and for consumers. https://www.scmagazine.com/home/opinion/why-modernize-the-enterprise-security-stack-recent-breaches-point-the-way/

Security firm identifies cyberattacks on West African financial groups - A cybersecurity firm has identified four different cyberattack campaigns against various banks and other financial institutions in West African countries. https://thehill.com/policy/cybersecurity/425724-security-firm-identifies-cyberattacks-on-west-african-financial-groups

Senators worry that new D.C. Metro railcars could carry cyber risk - Senators who represent the Washington, D.C., area have raised concerns about added cybersecurity risks in the region’s Metro system after reports that a Chinese state-owned manufacturing company could win a $1 billion procurement for railcars. https://www.cyberscoop.com/dc-metro-wmata-china-cars-cybersecurity-risk/

Balancing AI with Human Intelligence in Cybersecurity - Although artificial intelligence (AI) has been around for more than half a century, the advancements and hype surrounding the technology over the past couple of decades have led to much discussion and confusion about whether machines will someday replace humans in the workforce. https://www.scmagazine.com/home/opinion/balancing-ai-with-human-intelligence-in-cybersecurity/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

 FYI - Collection 1 breach prompts calls for security updates, investment - While the Collection 1 data dump – a whopping 773 million unique emails – dazzled with its size, it also underscored the need to shift away from reliance on passwords and renewed calls for investments in more up-to-date and reliable security.
https://www.scmagazine.com/home/security-news/collection-1-breach-prompts-calls-for-security-updates-investment/
https://www.scmagazine.com/home/security-news/collection-1-breach-exposes-773m-unique-emails-21m-passwords/

South Korea reckons mystery hackers cracked open advanced weapons servers - No idea who could have been behind this one... The South Korea Ministry of National Defense says 10 of its internal PCs have been compromised by North Korea unknown hackers. https://www.theregister.co.uk/2019/01/17/south_korea_defense_ministryt_hacked/

Oklahoma gov data leak exposes FBI investigation records, millions of department files - Updated: An Oklahoma Department of Securities server allowed anyone to download government files. esearchers have disclosed the existence of a server exposed to the public which not only contained terabytes of confidential government data but information relating to FBI investigations. https://www.zdnet.com/article/oklahoma-gov-data-leak-exposes-millions-of-department-files-fbi-investigations

Amadeus booking system flaw could have exposed info on millions of travelers - A recently discovered vulnerability in the Amadeus online reservation system made it possible to access and change reservations with just a booking number. https://www.scmagazine.com/home/security-news/amadeus-booking-system-flaw-could-have-exposed-info-on-millions-of-travelers/

Cyberattack forces Health Sciences North to place systems on downtime at 24 hospitals - A cyberattack on Health Sciences North in Sudbury, Ontario, yesterday has reportedly disrupted multiple systems at 24 of the Canadian health provider’s hospital facilities in the northeastern part of the province. https://www.scmagazine.com/home/security-news/cyberattack-forces-health-sciences-north-to-place-systems-on-downtime-at-24-hospitals/

Popular WordPress plugin hacked by angry former employee - Hacker defaced the company's website and sent a mass email to all its customers, alleging unpatched security holes. https://www.zdnet.com/article/popular-wordpress-plugin-hacked-by-angry-former-employee/

Microsoft partner portal 'exposes 'every' support request filed worldwide' today - Exclusive Alarmed Microsoft support partners can currently view support tickets submitted from all over the world, in what appears to be a very wide-ranging blunder by the Redmond-based biz. https://www.theregister.co.uk/2019/01/18/microsoft_partner_portal_support_request_data_visible/

4M applications for youth org internships exposed - An unprotected Elasticsearch database exposed at least four million “opportunity applications” for internships at AIESEC, billed as “the world’s largest youth-run organization” with more than 100,000 members in 127 countries. https://www.scmagazine.com/home/security-news/4m-applications-for-youth-org-internships-exposed/

Online gamblers lose big as casinos leave Elasticsearch database open - An unknown number of online gamblers lost more than a few bucks when several unnamed online casinos left an Elasticsearch database open exposing the details of 108 million bets. https://www.scmagazine.com/home/security-news/data-breach/online-gamblers-lose-big-as-casinos-leave-elasticsearch-database-open/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Over the next few weeks, we will cover some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
 
 Executive Summary
 
 Continuing technological innovation and competition among existing banking organizations and new entrants have allowed for a much wider array of banking products and services to become accessible and delivered to retail and wholesale customers through an electronic distribution channel collectively referred to as e-banking. However, the rapid development of e-banking capabilities carries risks as well as benefits. 
 
 The Basel Committee on Banking Supervision expects such risks to be recognized, addressed and managed by banking institutions in a prudent manner according to the fundamental characteristics and challenges of e-banking services. These characteristics include the unprecedented speed of change related to technological and customer service innovation, the ubiquitous and global nature of open electronic networks, the integration of e-banking applications with legacy computer systems and the increasing dependence of banks on third parties that provide the necessary information technology. While not creating inherently new risks, the Committee noted that these characteristics increased and modified some of the traditional risks associated with banking activities, in particular strategic, operational, legal and reputational risks, thereby influencing the overall risk profile of banking. 
 
 Based on these conclusions, the Committee considers that while existing risk management principles remain applicable to e-banking activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of e-banking activities. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. The Committee also believes that the integration of e-banking applications with legacy systems implies an integrated risk management approach for all banking activities of a banking institution.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
  
  SECURITY CONTROLS - IMPLEMENTATION
  
  LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
  
  AUTHENTICATION - Biometrics (Part 2 of 2)
  
  Weaknesses in biometric systems relate to the ability of an attacker to submit false physical characteristics, or to take advantage of system flaws to make the system erroneously report a match between the characteristic submitted and the one stored in the system. In the first situation, an attacker might submit to a thumbprint recognition system a copy of a valid user's thumbprint. The control against this attack involves ensuring a live thumb was used for the submission. That can be done by physically controlling the thumb reader, for instance having a guard at the reader to make sure no tampering or fake thumbs are used. In remote entry situations, logical liveness tests can be performed to verify that the submitted data is from a live subject.
  
  Attacks that involve making the system falsely deny or accept a request take advantage of either the low degrees of freedom in the characteristic being tested, or improper system tuning. Degrees of freedom relate to measurable differences between biometric readings, with more degrees of freedom indicating a more unique biometric. Facial recognition systems, for instance, may have only nine degrees of freedom while other biometric systems have over one hundred. Similar faces may be used to fool the system into improperly authenticating an individual. Similar irises, however, are difficult to find and even more difficult to fool a system into improperly authenticating.
  
  Attacks against system tuning also exist. Any biometric system has rates at which it will falsely accept a reading and falsely reject a reading. The two rates are inseparable; for any given system improving one worsens the other. Systems that are tuned to maximize user convenience typically have low rates of false rejection and high rates of false acceptance. Those systems may be more open to successful attack.
Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 19 - CRYPTOGRAPHY
 
 Cryptography is a branch of mathematics based on the transformation of data. It provides an important tool for protecting information and is used in many aspects of computer security. For example, cryptography can help provide data confidentiality, integrity, electronic signatures, and advanced user authentication. Although modern cryptography relies upon advanced mathematics, users can reap its benefits without understanding its mathematical underpinnings.
 
 This chapter describes cryptography as a tool for satisfying a wide spectrum of computer security needs and requirements. It describes fundamental aspects of the basic cryptographic technologies and some specific ways cryptography can be applied to improve security. The chapter also explores some of the important issues that should be considered when incorporating cryptography into computer systems.
 
 Cryptography is traditionally associated only with keeping data secret. However, modern cryptography can be used to provide many security services, such as electronic signatures and ensuring that data has not been modified.

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.