FYI
- NIST Releases Cybersecurity Framework - Voluntary Guide for
Critical Infrastructure Sectors - The National Institute of
Standards and Technology has unveiled its long-awaited cybersecurity
framework, which provides best practices for voluntary use in all
critical infrastructure sectors, including, for example, government,
healthcare, financial services and transportation.
http://www.govinfosecurity.com/nist-releases-cybersecurity-framework-a-6497
FYI -
Study finds attack detection takes too long - Critical shortcomings
in the current approach to cyber security and incident response are
putting companies at risk, with 86 percent of respondents to a study
saying that it takes too long to detect a cyber attack.
http://www.scmagazine.com/study-finds-attack-detection-takes-too-long/article/333988/
FYI
- OIG to Review Medical Device Security - The HHS Office of
Inspector General plans to scrutinize a number of security-related
activities in the healthcare sector in fiscal 2014, including
reviewing whether hospitals' security controls over networked
medical devices are sufficient to effectively protect patients'
information. http://www.govinfosecurity.com/oig-to-review-medical-device-security-a-6490
FYI
- South Korean credit card firms suspended over data breach - South
Korea's financial watchdog has suspended the activity of three
credit-card issuers after the firms failed to prevent a high-profile
breach resulting in the theft of data of as many as 104 million
cards.
http://www.zdnet.com/south-korean-credit-card-firms-suspended-over-data-breach-7000026406/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Federal law enforcement investigating hack of Sands casino websites
- Law enforcement are investigating the hack of several websites
operated by the Las Vegas Sands casino.
http://www.scmagazine.com/federal-law-enforcement-investigating-hack-of-sands-casino-websites/article/333984/
FYI -
Missing thumb drive puts 3,500 Texas cancer center patients at risk
- More than 3,500 patients of The University of Texas MD Anderson
Cancer Center may have had personal information compromised after a
researcher's unencrypted USB thumb drive went missing.
http://www.scmagazine.com/missing-thumb-drive-puts-3500-texas-cancer-center-patients-at-risk/article/333867/
FYI -
Worst DDoS attack of all time hits French site - A website
in France was hammered on Monday by a Distributed Denial of Service
attack that hit it at a rate from 325Gbps to 400Gbps making it the
strongest DDoS attack ever.
http://www.zdnet.com/worst-ddos-attack-of-all-time-hits-french-site-7000026330/
FYI -
DON'T PANIC! No credit card details lost after hackers crack world's
largest casino group - IT administrators at the Las Vegas Sands
casino are having a tough time restoring their systems after hackers
successfully got inside the corporation's firewall, but it appears
that the most valuable sections of the network are safe, according
to the Nevada Gaming Control Board.
http://www.theregister.co.uk/2014/02/13/dont_panic_no_credit_card_details_lost_after_hackers_crack_worlds_largest_casino_group/
FYI
- New, sophisticated ATM heist used a malware-laden USB stick to
hijack the machine -- one arrest is made - In what could be a sign
of what's ahead in ATM fraud, a highly sophisticated and well-funded
criminal gang targeted an overseas bank and commandeered at least
four of its ATM machines with malware-rigged USB sticks in order to
empty them of cash.
http://www.darkreading.com/attacks-breaches/criminals-control-cash-out-banks-atm-mac/240166070
FYI
- Kickstarter hacked, user data stolen - The crowd-funding site says
hackers broke into its systems and made off with data. Apparently
credit card numbers escaped the attack. Hackers hit crowd-funding
site Kickstarter and made off with user information, the site said
Saturday.
http://news.cnet.com/8301-1009_3-57618976-83/kickstarter-hacked-user-data-stolen/
FYI
- The Syrian Electronic Army Hacked Forbes and Dumped 1 Million
Credentials - In a brief statement, Forbes said it had been
compromised; that email addresses had been exposed (so beware of
phishing attempts); and that passwords had been stolen ('encrypted',
but change them anyway); and that law enforcement had been informed.
It doesn't name the attackers, but there is more to this news.
http://www.infosecurity-magazine.com/view/36971/the-syrian-electronic-army-hacked-forbes-and-dumped-1-million-credentials/
FYI
- THOUSANDS of Tesco.com logins and passwords leaked online -
Customers locked out of accounts, some discount vouchers AWOL -
Thousands of Tesco customers have had their emails and passwords
posted online after hackers got their hands on the login details.
http://www.theregister.co.uk/2014/02/14/tesco_login_details_leaked/
FYI
- Credentials for thousands of FTP sites compromised, NYTimes among
impacted - Hackers were able to access the credentials for more than
7,000 file transfer protocol (FTP) sites and, in some instances,
uploaded malware to FTP servers with their newfound access.
http://www.scmagazine.com/credentials-for-thousands-of-ftp-sites-compromised-nytimes-among-impacted/article/334165/
FYI
- Hackers access Bank of the West job applicant data - An
undisclosed number of individuals who applied online for a position
with San Francisco-based Bank of the West may have had personal
information – including Social Security numbers – compromised after
an unauthorized party gained access to a job application system that
contained the data.
http://www.scmagazine.com/hackers-access-bank-of-the-west-job-applicant-data/article/334055/
FYI
- Syrian Electronic Army takes over FC Barcelona Twitter account -
Futbol Club (FC) Barcelona is the latest high-profile entity to have
its Twitter account hijacked by the Syrian Electronic Army (SEA).
http://www.scmagazine.com/syrian-electronic-army-takes-over-fc-barcelona-twitter-account/article/334711/
FYI
- Hackers breach Texas college server, thousands compromised - Texas
State Technical College (TSTC) Waco is notifying almost 3,000 former
students and fewer than 2,000 employees that personal information
may have been compromised after an unauthorized party remotely
gained access to a server that contained the data.
http://www.scmagazine.com/hackers-breach-texas-college-server-thousands-compromised/article/334663/
FYI
- Three nursing homes' security info discovered online - Security
researchers discovered new documents online that put multiple
nursing homes' electronic medical records and payment information at
risk. The information details the type of equipment the homes use,
as well as the passwords to network firewalls and the locations of
computers and printers within the facilities.
http://www.scmagazine.com/three-nursing-homes-security-info-discovered-online/article/334962/
FYI
- University of Maryland breach impacts more than 300,000 - More
than 300,000 current and former University of Maryland students,
faculty and staff had personal information compromised on Tuesday
morning. No financial, academic, health or contact information was
stolen.
http://www.scmagazine.com/university-of-maryland-breach-impacts-more-than-300000/article/334869/
WEB SITE COMPLIANCE -
Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
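One way to carry out the periodic audit the booklet describes is to reconcile what is actually seen on the wire (a switch ARP table or DHCP lease export) against the authorized inventory, flagging unknown devices, authorized devices that have not been maintained recently, and inventoried devices that are no longer seen. The following is an added example, not code from the FFIEC booklet or this newsletter; the device records, MAC addresses, names and the 180-day maintenance window are all constructed for illustration, and the assumption that a MAC address identifies a device is a simplification.

```python
"""Reconcile devices discovered on the network against an authorized inventory.

Added example (not from the FFIEC booklet or the newsletter). All records below
are constructed: DISCOVERED mimics a whitespace-separated "ip mac hostname"
export such as an ARP table or DHCP lease list; AUTHORIZED is the institution's
inventory, keyed by MAC (an assumption: MACs are treated as device identity).
"""
from datetime import date

# Constructed sample export: one device per line, "ip mac hostname".
DISCOVERED = """\
10.1.4.1   00:1a:2b:3c:4d:01  core-rtr-01
10.1.4.2   00:1a:2b:3c:4d:02  dist-sw-01
10.1.9.17  f4:f2:6d:aa:bb:cc  TP-LINK_AP
10.1.4.3   00:1a:2b:3c:4d:03  dist-sw-02
"""

# Constructed authorized inventory with the date each device was last maintained.
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": {"name": "core-rtr-01", "last_maintained": date(2014, 1, 15)},
    "00:1a:2b:3c:4d:02": {"name": "dist-sw-01", "last_maintained": date(2013, 6, 30)},
    "00:1a:2b:3c:4d:03": {"name": "dist-sw-02", "last_maintained": date(2014, 2, 1)},
    "00:1a:2b:3c:4d:04": {"name": "dmz-sw-01", "last_maintained": date(2014, 2, 1)},
}

MAX_DAYS_SINCE_MAINTENANCE = 180  # assumed policy threshold


def parse_discovered(text):
    """Return {mac: (ip, hostname)} from the export; MACs are normalised to lower case."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        ip, mac = parts[0], parts[1].lower()
        host = parts[2] if len(parts) > 2 else ""
        seen[mac] = (ip, host)
    return seen


def audit(discovered, authorized, today):
    """Compare the discovered set with the inventory and return three finding lists."""
    findings = {"unauthorized": [], "stale": [], "missing": []}
    for mac, (ip, host) in discovered.items():
        entry = authorized.get(mac)
        if entry is None:
            # Seen on the network but not in the inventory: possible rogue device.
            findings["unauthorized"].append((mac, ip, host))
            continue
        age = (today - entry["last_maintained"]).days
        if age > MAX_DAYS_SINCE_MAINTENANCE:
            # Authorized but not maintained within policy: likely unpatched.
            findings["stale"].append((mac, entry["name"], age))
    for mac, entry in authorized.items():
        if mac not in discovered:
            # In the inventory but not seen: decommissioned, moved, or inventory drift.
            findings["missing"].append((mac, entry["name"]))
    return findings


def run_audit(today_iso="2014-02-24"):
    """Run the audit on the constructed sample as of the given date."""
    return audit(parse_discovered(DISCOVERED), AUTHORIZED, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(category)
        for item in items:
            print("   ", item)
```

The three finding lists map directly onto the booklet's concern: "unauthorized" is the user-installed device, "stale" is the device nobody is patching, and "missing" is the inventory entry that no longer matches reality and should be investigated before the next audit.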
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
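The "restrict, log, and monitor" requirement for administrative access is easiest to see as a review run over the devices' login logs: every admin session should use an encrypted protocol, originate from the management network, use a known administrative account, and not show bursts of failures. The following is an added example, not code from the FFIEC booklet; the log lines are constructed in a generic syslog-like shape (real routers and switches log in vendor-specific formats, so the regular expression is an assumption for this sample), and the management subnet, admin account names and failure threshold are likewise assumed.

```python
"""Review administrative-access logs from routers and switches.

Added example, not from the FFIEC booklet or the newsletter. The log lines,
management subnet, admin accounts and thresholds are all constructed; the
line format is an assumption, real devices need a vendor-specific parser.
"""
import re
import ipaddress

MGMT_NET = ipaddress.ip_network("10.1.4.0/24")   # assumed management subnet
ADMINS = {"admin", "netops"}                      # assumed authorized admin accounts
ENCRYPTED = {"ssh", "https"}                      # protocols that meet "encrypted session"
FAILURE_THRESHOLD = 3                             # assumed alerting threshold

# Constructed sample log: key=value fields after a syslog-style prefix.
LOG = """\
Feb 20 10:01:02 core-rtr-01 login: user=admin src=10.1.4.100 proto=ssh result=success
Feb 20 10:05:44 dist-sw-01 login: user=admin src=10.1.4.100 proto=telnet result=success
Feb 20 11:17:09 dist-sw-02 login: user=jsmith src=10.1.9.17 proto=ssh result=success
Feb 20 23:40:51 core-rtr-01 login: user=admin src=10.1.4.55 proto=ssh result=failure
Feb 20 23:40:58 core-rtr-01 login: user=admin src=10.1.4.55 proto=ssh result=failure
Feb 20 23:41:03 core-rtr-01 login: user=admin src=10.1.4.55 proto=ssh result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<dev>\S+) login: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) result=(?P<res>\S+)$"
)


def parse(log):
    """Yield one dict per line that matches the assumed format; others are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def review(log):
    """Return a list of (device, reason, detail) findings in log order."""
    findings = []
    failures = {}  # (device, user, source) -> consecutive failure count
    for e in parse(log):
        dev, user, proto = e["dev"], e["user"], e["proto"]
        src = ipaddress.ip_address(e["src"])
        if proto not in ENCRYPTED:
            # Credentials and configuration would cross the network in the clear.
            findings.append((dev, "cleartext-admin-session", f"{user} via {proto}"))
        if src not in MGMT_NET:
            # Administrative access should be restricted to the management network.
            findings.append((dev, "admin-from-outside-mgmt-net", str(src)))
        if user not in ADMINS:
            # An account that is not on the authorized administrator list.
            findings.append((dev, "unknown-admin-account", user))
        if e["res"] == "failure":
            key = (dev, user, str(src))
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILURE_THRESHOLD:
                # Emit once when the threshold is reached, not on every further failure.
                findings.append((dev, "repeated-admin-login-failures", f"{user} from {src}"))
    return findings


if __name__ == "__main__":
    for dev, reason, detail in review(LOG):
        print(f"{dev:12} {reason:32} {detail}")
```

Each finding corresponds to one clause of the booklet's guidance: the telnet session violates "encrypted session", the login from outside the management subnet and the unknown account violate "restrict", and the failure burst is the kind of event that "log and monitor" exists to surface.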
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC for the corporate network or
a subnet. Firewalls, proxy servers, and gateway servers are
typically dual-homed with two NICs that allow them to communicate
securely both internally and externally while limiting access to
the internal network.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
37. For annual notices only, if the institution does not employ one
of the methods described in question 36, does the institution employ
one of the following reasonable means of delivering the notice such
as:
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
or
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer
request? [§9(c)(2)]