FYI
- Hackers can easily breach Emergency Alert Systems - Security
researchers warn that many emergency alert system devices used by
radio and TV stations are susceptible to cyberattacks, which could
cause widespread panic.
http://news.cnet.com/8301-1009_3-57569322-83/hackers-can-easily-breach-emergency-alert-systems/?tag=nl.e757&s_cid=e757&ttag=e757
http://www.nbcnews.com/technology/technolog/hackers-use-alert-system-zombie-warnings-1C8364739
FYI
- Executive Order Aims to Facilitate Sharing of Information on
Threats - President Barack Obama signed an executive order on
Tuesday designed to make it easier to disseminate classified
information on threats against critical infrastructure systems and
to lay the groundwork for obtaining information from the private
sector that would help the government protect critical
infrastructures in the U.S.
http://www.wired.com/threatlevel/2013/02/executive-order-cybersecurity/
FYI
- Pentagon will require security standards for critical
infrastructure networks - The first-ever cybersecurity certification
requirements for private utilities and other vital infrastructure
supporting the military are set to be released this fall and take
effect within a year, Pentagon officials told Nextgov.
http://www.nextgov.com/cybersecurity/2013/02/pentagon-will-require-security-standards-critical-infrastructure-networks/61328/
FYI
- Two charged in $3m Chase, Capital One skimming bust - Two men have
been indicted in Manhattan on charges they operated a nationwide ATM
skimming ring that defrauded bank customers out of more than $3
million, the U.S. attorney's office has announced.
http://www.scmagazine.com/two-charged-in-3m-chase-capital-one-skimming-bust/article/280287/
FYI
- Experts say DoD cyber workers undertrained - The Defense
Department wants to hire thousands of new cyber experts to create a
large force of skilled cyber warriors. But first, it has to address
concerns about the experts the agency already has.
http://www.federaltimes.com/article/20130216/DEPARTMENTS01/302160001/Experts-say-DoD-cyber-workers-undertrained?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE
FYI
- Data protection awareness up as firms seek to avoid fines -
Awareness of data protection requirements is increasing in Ireland,
with 80pc of a survey group saying they now have a named person
responsible for this area in their organisations.
http://www.siliconrepublic.com/strategy/item/31526-data-protection-awareness/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Exploit Sat on LA Times Website for 6 Weeks - The Los Angeles
Times has scrubbed its Web site of malicious code that served
browser exploits and malware to potentially hundreds of thousands of
readers over the past six weeks.
http://krebsonsecurity.com/2013/02/exploit-sat-on-la-times-website-for-6-weeks/
FYI
- iPhone passcode flaw opens device to intruders - A major flaw
affecting iPhone 5s running iOS 6.1 allows an intruder to bypass the
phone's passcode security feature, which is supposed to lock the
device and protect stored data.
http://www.scmagazine.com/iphone-passcode-flaw-opens-device-to-intruders/article/280639/?DCMP=EMC-SCUS_Newswire
FYI
- Accusations of Chinese Hacking in Coke’s Failed Big Deal - A new
report on Chinese hackers depicts a wide-ranging cyberwar campaign
against an array of American targets, from computer security
providers to power plant suppliers.
http://dealbook.nytimes.com/2013/02/19/accusations-of-hacking-in-cokes-failed-big-deal/
FYI
- Facebook devs HACKED in 'sophisticated' Java zero-day attack -
Company laptops impounded, no evidence user data compromised -
Facebook's systems were "targeted in a sophisticated attack" in
January after some of the company's developers visited a
mobile-developer website that had been compromised, the company
wrote on Friday afternoon.
http://www.theregister.co.uk/2013/02/15/facebook_hacked/
FYI
- Apple hacked in "sophisticated" attack - The computing giant told
news agency Reuters on Tuesday that a "small number" of its
employees' Mac laptops were compromised by malware, although it is
not aware of any data that had been exfiltrated.
http://www.scmagazine.com/report-apple-hacked-in-sophisticated-attack/article/280950/?DCMP=EMC-SCUS_Newswire
http://news.cnet.com/8301-1009_3-57570096-83/apple-employee-computers-were-targeted-in-hack-attack/?tag=nl.e757&s_cid=e757&ttag=e757
FYI
- China slams cyberattack accusations over lack of proof - China is
refuting a report that names its military as the source of recent
cyberattacks against the U.S.
http://news.cnet.com/8301-1009_3-57570316-83/china-slams-cyberattack-accusations-over-lack-of-proof/?tag=nl.e757&s_cid=e757&ttag=e757
FYI
- Phishing emails use fake Mandiant China spy report bait to target
victims - Security researchers are warning users to be on the
lookout for spear phishing emails that include a PDF attachment
claiming to lead to a widely read report released this week by
forensic firm Mandiant that chronicled the inner workings of a
Chinese military cyber espionage unit.
http://www.scmagazine.com/phishing-emails-use-fake-mandiant-china-spy-report-bait-to-target-victims/article/281424/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology
Services (Part 1 of 4)
Purpose and Background
This statement focuses on the risk management process of
identifying, measuring, monitoring, and controlling the risks
associated with outsourcing technology services.1 Financial
institutions should consider the guidance outlined in this statement
and the attached appendix in managing arrangements with their
technology service providers. While this guidance covers a broad
range of issues that financial institutions should address, each
financial institution should apply those elements based on the scope
and importance of the outsourced services as well as the risk to the
institution from the services.
Financial institutions increasingly rely on services provided by
other entities to support an array of technology-related functions.
While outsourcing to affiliated or nonaffiliated entities can help
financial institutions manage costs, obtain necessary expertise,
expand customer product offerings, and improve services, it also
introduces risks that financial institutions should address. This
guidance covers four elements of a risk management process: risk
assessment, selection of service providers, contract review, and
monitoring of service providers.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the
FDIC "Security Risks Associated with the Internet."
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication measures,
users should be properly educated in password selection. Strong
passwords consist of at least six to eight alphanumeric characters,
with no resemblance to any personal data. PINs should also be
unique, with no resemblance to personal data. Neither passwords nor
PINs should ever be reduced to writing or shared with others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can run
through tens of thousands of password variations based on personal
information, such as a user's name or address. It is preferable to
test for such vulnerabilities by running this type of program as a
preventive measure, before an unauthorized party has the opportunity
to do so. Incorporating a brief delay requirement after each
incorrect login attempt can be very effective against these types of
programs. In cases where a potential attacker is monitoring a
network to collect passwords, a system utilizing one-time passwords
would render any data collected useless.
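The two measures above, a password-selection policy and a growing delay after each incorrect login, as an added example that is not part of the FDIC guidance or this newsletter; the user name, personal data and delay values are constructed, and the eight-character floor is an assumption taken from the top of the "six to eight" range.

```python
import hashlib
import hmac
import os

def password_meets_policy(password, personal_data):
    """Policy floor from the guidance: at least eight alphanumeric characters
    mixing letters and digits, with no four-character fragment of any
    personal datum (name, address, ...) appearing in the password."""
    if len(password) < 8:
        return False
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return False
    lowered = password.lower()
    for datum in personal_data:
        datum = datum.lower()
        if any(datum[i:i + 4] in lowered for i in range(len(datum) - 3)):
            return False
    return True

class ThrottledVerifier:
    """Salted PBKDF2 credential store plus a per-account delay that doubles after
    every wrong guess: the 'brief delay' the text recommends against guessing
    programs. The clock ('now', in seconds) is supplied by the caller."""

    def __init__(self, base_delay=1.0, max_delay=60.0):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.store = {}     # username -> (salt, derived key); never plaintext
        self.failures = {}  # username -> (wrong guesses so far, next allowed time)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.store[username] = (salt, self._derive(password, salt))

    def attempt(self, username, password, now):
        # Returns 'ok', 'throttled' (delay running, guess not checked) or 'bad'.
        count, not_before = self.failures.get(username, (0, 0.0))
        if now < not_before:
            return "throttled"
        entry = self.store.get(username)
        if entry and hmac.compare_digest(self._derive(password, entry[0]), entry[1]):
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        count += 1
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.failures[username] = (count, now + delay)
        return "bad"
```

A guess made while the delay is running is refused without being checked, so a guessing program gains nothing by retrying faster; a correct login clears the counter.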
When additional measures are necessary to confirm that passwords or
PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the question
each week, you will help ensure compliance with the privacy regulations.
Financial Institution Duties (Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of its
privacy policies and practices to each customer, not later than the
time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
relationship.
2) A financial institution must provide an annual notice at least
once in any period of 12 consecutive months during the continuation
of the customer relationship.
3) Generally, new privacy notices are not required for each new
product or service. However, a financial institution must provide a
new notice to an existing customer when the customer obtains a new
financial product or service from the institution, if the initial or
annual notice most recently provided to the customer was not
accurate with respect to the new financial product or service.
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.