FYI - The Department of Justice (DOJ) has made clear that it
interprets the ADA as applicable to websites. Is your web site
compliant with the Americans with Disabilities Act? For the past 20
years, our bank web site audits have covered the ADA guidelines. To
help reduce any liability, please contact me for more information at
examiner@yennik.com.
FYI - NIST updates Cybersecurity Framework, seeks comment - The National
Institute of Standards and Technology (NIST) issued a draft update
on Tuesday to its Framework for Improving Critical Infrastructure
Cybersecurity, aka the Cybersecurity Framework, aimed at forging
stronger cybersecurity measures.
https://www.scmagazine.com/nist-updates-cybersecurity-framework-seeks-comment/article/630892/
FYI - The TBA and IBAT filed a barratry
lawsuit in Tarrant County District Court challenging the Carlson
Lynch Pennsylvania law firm and its solicitation letters to Texas
banks relative to ADA website compliance.
Additionally, a complaint was filed with the Unauthorized Practice
of Law Committee of the State Bar of Texas.
https://www.ibat.org/files/PDFs/IBAT_TBA_Petition_for_Injunction.pdf
Symantec caught issuing illegal certificates for second time in
two years - Independent researcher Andrew Ayer spotted Symantec once
again improperly issuing 108 invalidated transport layer security
certificates.
https://www.scmagazine.com/once-again-symantec-spotted-improperly-issuing-certs/article/633266/
BankBot created with leaked banking trojan source code - One of the
newer Android banking Trojans to be found in the wild is the result
of leaked banking malware source code that was found and improved
upon by cybercriminals.
https://www.scmagazine.com/bankbot-created-with-leaked-banking-trojan-source-code/article/633264/
80 percent of IoT devices not tested for security flaws - A recent
study found 80 percent of Internet of Things apps aren't tested for
vulnerabilities and there is still a lack of urgency to address the
risk.
https://www.scmagazine.com/iot-devices-remain-untested-and-lack-of-urgency-to-fix-problem/article/632714/
Who is Anna-Senpai, the Mirai Worm Author? - On September 22, 2016,
this site was forced offline for nearly four days after it was hit
with “Mirai,” a malware strain that enslaves poorly secured Internet
of Things (IoT) devices like wireless routers and security cameras
into a botnet for use in large cyberattacks.
http://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
China announces mass shutdown of VPNs that bypass Great Firewall -
China says all VPN providers must get permission from government to
operate.
http://arstechnica.com/tech-policy/2017/01/china-announces-mass-shutdown-of-vpns-that-bypass-great-firewall/
GSA readies single sign-on platform - The General Services
Administration is moving ahead with its Login.gov project that
creates a single sign-on platform for access to federal government
services.
https://gcn.com/articles/2017/01/20/gsa-single-sign-on-login-gov.aspx
12 stats that tell you about the State of Federal IT - As one of his
last acts as federal chief information officer, Tony Scott and the
CIO Council released the State of Federal IT report Jan. 19. A team
of federal IT executives, with the help of two contractors,
interviewed 45 federal CIOs and deputy CIOs, and chief information
security officers and deputy CISOs as well as other federal IT
leaders.
http://federalnewsradio.com/reporters-notebook-jason-miller/2017/01/12-stats-tell-state-federal/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Data of 19K Delaware Blue Cross Blue Shield customers compromised
- A ransomware attack involving the Summit Reinsurance Services,
Inc. (“SummitRe”) and BCS Financial Corporation, both subcontractors
of Highmark Blue Cross Blue Shield of Delaware, compromised customer
data.
https://www.scmagazine.com/data-of-19k-delaware-blue-cross-blue-shield-customers-compromised/article/632677/
Giuliani and top Trump White House officials hacked, passwords
leaked - The Trump Presidency's new cyber tsar, former New York
Mayor Rudy Giuliani has had his passwords leaked online along with a
whole host of top officials.
https://www.scmagazine.com/giuliani-and-top-trump-white-house-officials-hacked-passwords-leaked/article/632676/
Dodgy Dutch developer built backdoors into thousands of sites - Then
hoovered out users' personal data, stole identities galore and spent
up big.
http://www.theregister.co.uk/2017/01/17/police_warn_of_dutch_developer_who_built_backdoors_for_carding/
Ransomware looks to take, not borrow, from St. Louis Public Library
- A ransomware infection has effectively paralyzed the St. Louis
Public Library System, affecting 700 public computers in 16
locations and preventing visitors from checking out books or
browsing the Internet.
https://www.scmagazine.com/ransomware-looks-to-take-not-borrow-from-st-louis-public-library/article/632802/
Lloyds Bank services hit by denial-of-service attack - Reports
suggest a large-scale DDoS attack from overseas blocked Lloyds,
Halifax, and Bank of Scotland customers from accessing online
services.
http://www.zdnet.com/article/lloyds-bank-services-hit-by-denial-of-service-attack/
United Airlines resumes flights after temporary ground order -
United Airlines resumed operations Sunday night after a computer
problem temporarily grounded all domestic mainline flights, two
sources familiar with the incident told CNN.
http://edition.cnn.com/2017/01/22/travel/united-grounds-domestic-flights-because-of-it-issue/
WEB SITE COMPLIANCE - We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Board and Management Oversight - Principle 6: Banks
should ensure that appropriate measures are in place to promote
adequate segregation of duties within e-banking systems, databases
and applications.
Segregation of duties is a basic internal control measure
designed to reduce the risk of fraud in operational processes and
systems and ensure that transactions and company assets are properly
authorized, recorded and safeguarded. Segregation of duties is
critical to ensuring the accuracy and integrity of data and is used
to prevent the perpetration of fraud by an individual. If duties are
adequately separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties are established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to ensure
that no single employee/outsourced service provider could enter,
authorize and complete a transaction.
2) Segregation should be maintained between those initiating
static data (including web page content) and those responsible for
verifying its integrity.
3) E-banking systems should be tested to ensure that segregation
of duties cannot be bypassed.
4) Segregation should be maintained between those developing and
those administrating e-banking systems.
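A maker/checker control of the kind practice 1) describes, written here as an added example (not from the Basel paper): one object tracks the enter/authorize/complete steps of a transaction, refuses to let any actor perform more than one of them, and keeps the audit trail the text calls for. The actor names and the `Transaction` class are constructed.

```python
"""Segregation-of-duties enforcement for a three-step e-banking transaction.
No single actor may enter, authorize and complete the same transaction, so
fraud requires collusion between at least three parties (or two, if a
deployment only separates entry from authorization)."""
from dataclasses import dataclass, field

STEPS = ("enter", "authorize", "complete")  # required order of the flow


class SegregationError(Exception):
    """Raised when a step is out of order or an actor would act twice."""


@dataclass
class Transaction:
    tx_id: str
    amount: int
    # Audit trail: (step, actor) tuples in the order they were performed.
    trail: list = field(default_factory=list)

    def _perform(self, step: str, actor: str) -> None:
        # Enforce the order enter -> authorize -> complete.
        expected = STEPS[len(self.trail)] if len(self.trail) < len(STEPS) else None
        if step != expected:
            raise SegregationError(f"{self.tx_id}: step {step!r} not allowed now")
        # Enforce separation: an actor who already touched this transaction
        # may not perform any further step on it.
        if any(prev_actor == actor for _, prev_actor in self.trail):
            raise SegregationError(f"{self.tx_id}: {actor} already acted on it")
        self.trail.append((step, actor))

    def enter(self, actor: str) -> None:
        self._perform("enter", actor)

    def authorize(self, actor: str) -> None:
        self._perform("authorize", actor)

    def complete(self, actor: str) -> None:
        self._perform("complete", actor)

    @property
    def is_complete(self) -> bool:
        return len(self.trail) == len(STEPS)

    def actors(self) -> list:
        """Distinct actors in the trail; always 3 for a completed transaction."""
        return [actor for _, actor in self.trail]
```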
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
ENCRYPTION - HOW ENCRYPTION WORKS
In general, encryption functions by taking data and a variable,
called a "key," and processing those items through a fixed algorithm
to create the encrypted text. The strength of the encrypted text is
determined by the entropy, or degree of uncertainty, in the key and
the algorithm. Key length and key selection criteria are important
determinants of entropy. Greater key lengths generally indicate more
possible keys. More important than key length, however, is the
potential limitation of possible keys posed by the key selection
criteria. For instance, a 128-bit key has much less than 128 bits of
entropy if it is selected from only certain letters or numbers. The
full 128 bits of entropy will only be realized if the key is
randomly selected across the entire 128-bit range.
The encryption algorithm is also important. Creating a mathematical
algorithm that does not limit the entropy of the key and testing the
algorithm to ensure its integrity are difficult. Since the strength
of an algorithm is related to its ability to maximize entropy
instead of its secrecy, algorithms are generally made public and
subject to peer review. The more that the algorithm is tested by
knowledgeable worldwide experts, the more the algorithm can be
trusted to perform as expected. Examples of public algorithms are
AES, DES and Triple DES, SHA-1, and RSA.
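The booklet's point that a 128-bit key has far less than 128 bits of entropy when its bytes are drawn from a restricted character set, worked through as an added example (not from the FFIEC booklet): the entropy of a 16-byte key is 16 times log2 of the number of values each byte can take, and the keys are generated with a CSPRNG. The three alphabets are constructed for illustration.

```python
"""Effective entropy of a 128-bit key as a function of key selection criteria."""
import math
import secrets
import string

KEY_BYTES = 16  # 16 bytes = a 128-bit key

# Constructed alphabets that a key-selection rule might restrict each byte to.
ALPHABETS = {
    "full byte range": bytes(range(256)),
    "alphanumeric": (string.ascii_letters + string.digits).encode(),
    "decimal digits": string.digits.encode(),
}


def key_entropy_bits(alphabet_size: int, key_bytes: int = KEY_BYTES) -> float:
    """Entropy of a key whose bytes are chosen uniformly and independently
    from an alphabet of alphabet_size symbols: log2(alphabet_size) per byte.
    Only the full 256-value range yields 8 bits per byte, i.e. 128 in total."""
    if alphabet_size < 1 or key_bytes < 1:
        raise ValueError("alphabet and key must be non-empty")
    return key_bytes * math.log2(alphabet_size)


def generate_key(alphabet: bytes, key_bytes: int = KEY_BYTES) -> bytes:
    """Select each byte uniformly with the secrets module (a CSPRNG), so the
    only entropy loss is the one imposed by the alphabet itself."""
    return bytes(secrets.choice(alphabet) for _ in range(key_bytes))


def entropy_report() -> dict:
    """Map each alphabet name to the entropy (bits) of a 16-byte key over it."""
    return {name: round(key_entropy_bits(len(a)), 2) for name, a in ALPHABETS.items()}


if __name__ == "__main__":
    for name, bits in entropy_report().items():
        print(f"{name:16s} {bits:6.2f} bits of entropy in a {KEY_BYTES * 8}-bit key")
    print("sample alphanumeric key:", generate_key(ALPHABETS["alphanumeric"]))
```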
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 9 - Assurance
9.4.1 Audit Methods and Tools
An audit conducted to support operational assurance examines
whether the system is meeting stated or implied security
requirements including system and organization policies. Some audits
also examine whether security requirements are appropriate, but this
is outside the scope of operational assurance. Less formal audits
are often called security reviews.
Audits can be self-administered or independent (either internal or
external). Both types can provide excellent information about
technical, procedural, managerial, or other aspects of security. The
essential difference between a self-audit and an independent audit
is objectivity. Reviews done by system management staff, often
called self-audits/assessments, have an inherent conflict of
interest. The system management staff may have little incentive to
say that the computer system was poorly designed or is sloppily
operated. On the other hand, they may be motivated by a strong
desire to improve the security of the system. In addition, they are
knowledgeable about the system and may be able to find hidden
problems.
The independent auditor, by contrast, should have no professional
stake in the system. Independent audit may be performed by a
professional audit staff in accordance with generally accepted
auditing standards.
There are many methods and tools, some of which are described here,
that can be used to audit a system. Several of them overlap.
A person who performs an independent audit should be free from
personal and external constraints that may impair their
independence, and should be organizationally independent.
9.4.1.1 Automated Tools
Even for small multiuser computer systems, it is a big job to
manually review security features. Automated tools make it feasible
to review even large computer systems for a variety of security
flaws.
There are two types of automated tools: (1) active tools, which
find vulnerabilities by trying to exploit them, and (2) passive
tests, which only examine the system and infer the existence of
problems from the state of the system.
Automated tools can be used to help find a variety of threats and
vulnerabilities, such as improper access controls or access control
configurations, weak passwords, lack of integrity of the system
software, or not using all relevant software updates and patches.
These tools are often very successful at finding vulnerabilities and
are sometimes used by hackers to break into systems. Not taking
advantage of these tools puts system administrators at a
disadvantage. Many of the tools are simple to use; however, some
programs (such as access-control auditing tools for large mainframe
systems) require specialized skill to use and interpret.