R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

February 21, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, an agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - White House to hire its first chief information security officer - The new hire will have "oversight of relevant agency cybersecurity practices, and implementation across federal information technology system," according to the job description. http://www.zdnet.com/article/white-house-wants-to-hire-its-first-chief-information-security-officer/

FYI - A Worldwide Survey of Encryption Products - Data security is a worldwide problem, and there is a wide world of encryption solutions available to help solve this problem. https://www.schneier.com/cryptography/archives/2016/02/a_worldwide_survey_o.html

FYI - FBI budget calls for big boost to battle encryption - The FBI is requesting $38 million in funding to combat the risk of “going dark” - a 23-percent increase over what the agency spent last year to counter the growing use of encryption technology. http://thehill.com/policy/cybersecurity/269013-fbi-budget-calls-for-big-boost-to-battle-encryption

FYI - Drone shooter pleads guilty - Technically Incorrect: A New Jersey man who nailed a drone that hovered somewhere near his house has pleaded guilty to criminal mischief. http://www.cnet.com/news/man-who-shot-down-drone-pleads-guilty/

FYI - 'Right to be forgotten' extended to all Google domains in EU - To extend the “right to be forgotten” ruling, Google will start removing certain search results across all domains in the European Union. http://www.scmagazine.com/right-to-be-forgotten-extended-to-all-google-domains-in-eu/article/473723/

FYI - Insiders pose greater threat to businesses than outsiders - The Insider Threat is the most dangerous way to gain inside access to sensitive information. http://www.scmagazine.com/insiders-pose-greater-threat-to-businesses-than-outsiders/article/473725/

FYI - Russian police prevented massive banking sector cyber-attack - The Russian Interior Ministry's department of cyber-crimes announced that it has uncovered a criminal group which had planned a series of massive cyber-attacks on the Russian banking system and international payment systems. http://www.scmagazine.com/russian-police-prevented-massive-banking-sector-cyber-attack/article/473982/

FYI - Recognizing and overcoming insider threats - Cyber attacks can come from anywhere. It could be a nation state trying to unlock your recent break-through in advanced manufacturing techniques or perhaps a competitor trying to discover your sales prospect list. http://www.scmagazine.com/recognizing-and-overcoming-insider-threats/article/477827/

FYI - California AG data breach report: 24M records compromised in 2015 - California's attorney general Kamala Harris released the state's third data breach report, which found an increase in both the number and the size of breaches compared with previous years. http://www.scmagazine.com/california-ag-data-breach-report-24m-records-compromised-in-2015/article/477786/

FYI - 44% of ransomware victims in the UK have paid to recover their data - A Bitdefender global study with respondents from the UK, the US, France, Germany, Denmark and Romania was conducted by iSense Solutions to discover what motivates victims to pay ransoms and how much they value their data. http://www.scmagazine.com/44-of-ransomware-victims-in-the-uk-have-paid-to-recover-their-data/article/475582/


FYI - Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom - No matter where you work, you don’t want to be told there is an “internal emergency” and you can’t use the computers, but that is precisely the situation at a Hollywood hospital which is a ransomware victim.

FYI - This Android Trojan steals banking creds and wipes your phone - A new Android banking Trojan is capable of wiping compromised smartphones as well as stealing online banking credentials, security researchers warn. http://www.theregister.co.uk/2016/02/15/android_trojan_mazar_bot/

FYI - FireEye flaw enabled attackers to whitelist malware files - Security researchers have uncovered a flaw that allows malware to dodge FireEye's analysis engine and end up whitelisted. http://www.scmagazine.com/fireeye-flaw-enabled-attackers-to-whitelist-malware-files/article/475585/


Equal Credit Opportunity Act (Regulation B)
 The regulation clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its online system, it must ensure that the forms satisfy the requirements.
 The regulation also clarifies the requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.


We continue our series on the FFIEC interagency Information Security Booklet.  

This phase ranks the risks (outcomes and probabilities) presented by the various scenarios produced in the analysis phase in order to prioritize management's response. Management may decide that, because some risks do not meet the threshold set in their security requirements, they will accept those risks and not proceed with a mitigation strategy. Other risks may require immediate corrective action. Still others may require mitigation, either fully or partially, over time. Risks that warrant action are addressed in the information security strategy.
 In some borderline instances, or if planned controls cannot fully mitigate the risk, management may need to review the risk assessment and risk ranking with the board of directors or a delegated committee. The board should then document its acceptance of the risk or authorize other risk mitigation measures.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
 5.2 Issue-Specific Policy
 Whereas program policy is intended to address the broad organization-wide computer security program, issue-specific policies are developed to focus on areas of current relevance and concern (and sometimes controversy) to an organization. Management may find it appropriate, for example, to issue a policy on how the organization will approach contingency planning (centralized vs. decentralized) or the use of a particular methodology for managing risk to systems. A policy could also be issued, for example, on the appropriate use of a cutting-edge technology (whose security vulnerabilities are still largely unknown) within the organization. Issue-specific policies may also be appropriate when new issues arise, such as when implementing a recently passed law requiring additional protection of particular information. Program policy is usually broad enough that it does not require much modification over time, whereas issue-specific policies are likely to require more frequent revision as changes in technology and related factors take place.
 In general, for issue-specific and system-specific policy, the issuer is a senior official; the more global, controversial, or resource-intensive, the more senior the issuer.
 5.2.1 Example Topics for Issue-Specific Policy
 Both new technologies and the appearance of new threats often require the creation of issue-specific policies.  There are many areas for which issue-specific policy may be appropriate. Two examples are explained below.
 Internet Access. Many organizations are looking at the Internet as a means for expanding their research opportunities and communications. Unquestionably, connecting to the Internet yields many benefits - and some disadvantages. Some issues an Internet access policy may address include who will have access, which types of systems may be connected to the network, what types of information may be transmitted via the network, requirements for user authentication for Internet-connected systems, and the use of firewalls and secure gateways.
 E-Mail Privacy. Users of computer e-mail systems have come to rely upon that service for informal communication with colleagues and others. However, since the system is typically owned by the employing organization, from time to time management may wish to monitor an employee's e-mail for various reasons (e.g., to be sure that it is used for business purposes only, or if the employee is suspected of distributing viruses, sending offensive e-mail, or disclosing organizational secrets). On the other hand, users may have an expectation of privacy, similar to that accorded U.S. mail. Policy in this area addresses what level of privacy will be accorded e-mail and the circumstances under which it may or may not be read.
 Other potential candidates for issue-specific policies include: approach to risk management and contingency planning, protection of confidential/proprietary information, unauthorized software, acquisition of software, doing computer work at home, bringing in disks from outside the workplace, access to other employees' files, encryption of files and e-mail, rights of privacy, responsibility for correctness of data, suspected malicious code, and physical emergencies.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated