R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 12, 2017

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- NIST as Enforcer? House Committee Passes Bill to Expand Agency's Responsibilities - Republicans on the House Science Committee forwarded legislation Wednesday that would vastly increase the operational responsibilities of the government’s cybersecurity standards agency and task that body with auditing other federal agencies’ cyber protections. http://www.nextgov.com/cybersecurity/2017/03/nist-enforcer-house-committee-passes-bill-expand-agencys-responsibilities/135805/

FCC puts data security protections on hold - Chairman Ajit Pai followed through on a promise to stop a new rule from taking effect, one which would have required internet service providers to take steps to protect consumer personal data. https://www.cnet.com/news/fcc-puts-data-security-protections-on-hold-privacy/

Yahoo CEO forgoes bonus as 32M breach victims revealed - A recent regulatory filing from Yahoo has revealed more victims of its 2014 breach. This time, it is not just users but Yahoo's senior executives.

One million Yahoo and Gmail account passwords for sale on the dark web - More than 1 million Yahoo and Gmail accounts – including usernames, email addresses and plain text passwords – are reportedly for sale on the dark web. https://www.scmagazine.com/one-million-yahoo-and-gmail-account-passwords-for-sale-on-the-dark-web/article/642319/

House Bill Would Give Companies Some Leeway to Hack Back - House legislation floated Friday would give companies attacked by hackers free rein to penetrate those hackers' networks so long as they don’t destroy anything while they’re there. http://www.nextgov.com/cybersecurity/2017/03/house-bill-would-give-companies-some-leeway-hack-back/135892/

Experts not surprised by CIA's leaked cyber weapons, but stunned agency failed to protect them - Upon publishing a batch of documents that exposed various cyber espionage tools allegedly used by the CIA, WikiLeaks claimed that the anonymous source who supplied the so-called Vault 7 materials wanted to spark discussion around the use of cyber weapons. https://www.scmagazine.com/experts-not-surprised-by-cias-leaked-cyber-weapons-but-stunned-agency-failed-to-protect-them/article/642924/

You've Got Ransomware, Now What? - So, the unthinkable has happened: your corporate server (or maybe just a few employees) has been infected with ransomware. At least you're not alone. https://www.scmagazine.com/youve-got-ransomware-now-what/article/642726/


FYI - New malware attack shutters London hospital - A previously unseen malware is being blamed for an attack on a London hospital that forced the facility to shut down a segment of its systems for a few days as a precautionary measure. https://www.scmagazine.com/new-malware-attack-shutters-london-hospital/article/641548/

Here’s Why Amazon’s Cloud Suffered a Meltdown This Week - Apparently all it takes to bring down the Internet isn't a virus or malware or a well-organized, state-sponsored attack. A typo will do the trick. http://fortune.com/2017/03/02/amazon-cloud-outage/

Data on 3.2K patients exposed at Vanderbilt University Medical Center - Two employees in the patient transport department of Vanderbilt University Medical Center accessed patient data. https://www.scmagazine.com/data-on-32k-patients-exposed-at-vanderbilt-university-medical-center/article/641999/

Major spam operation suffers data leak containing 1.4 billion records - A spamming group called River City Media, led by well known spammers Alvin Slocombe and Matt Ferrisi, has had its database of 1.4 billion records leaked. https://www.scmagazine.com/major-spam-operation-suffers-data-leak-containing-14-billion-records/article/642322/

Data of 7.5M Georgia voters at risk - The FBI has been called in to investigate the possibility of a breach at Kennesaw State University's Center for Election Systems, the organization that oversees the state of Georgia's election operations and voting machines. https://www.scmagazine.com/data-of-75m-georgia-voters-at-risk/article/642146/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 12: Banks should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the bank is providing e-banking products and services.
  Maintaining a customer's information privacy is a key responsibility for a bank. Misuse or unauthorized disclosure of confidential customer data exposes a bank to both legal and reputation risk. To meet these challenges concerning the preservation of privacy of customer information, banks should make reasonable endeavors to ensure that:
  1)  The bank's customer privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-banking products and services.
  2)  Customers are made aware of the bank's privacy policies and relevant privacy issues concerning use of e-banking products and services.
  3)  Customers may decline (opt out) from permitting the bank to share with a third party for cross-marketing purposes any information about the customer's personal needs, interests, financial position or banking activity.
  4)  Customer data are not used for purposes beyond which they are specifically allowed or for purposes beyond which customers have authorized.
  5)  The bank's standards for customer data use must be met when third parties have access to customer data through outsourcing relationships.


We continue our series on the FFIEC interagency Information Security Booklet.  
 Financial institution system development, acquisition, and maintenance functions should incorporate agreed upon security controls into software prior to development and implementation. Management should integrate consideration of security controls into each phase of the system development process. For the purposes of this section, system development could include the internal development of customized systems, the creation of database systems, or the acquisition of third-party developed software. System development could include long-term projects related to large mainframe-based software projects with legacy source code or rapid Web-based software projects using fourth-generation programming. In all cases, institutions need to prioritize security controls appropriately.
 Security Requirements
 Financial institutions should develop security control requirements for new systems, system revisions, or new system acquisitions. Management will define the security control requirements based on their risk assessment process evaluating the value of the information at risk and the potential impact of unauthorized access or damage. Based on the risks posed by the system, management may use a defined methodology for determining security requirements, such as ISO 15408, the Common Criteria. Management may also refer to published, widely recognized industry standards as a baseline for establishing their security requirements. A member of senior management should document acceptance of the security requirements for each new system or system acquisition, acceptance of tests against the requirements, and approval for implementing in a production environment.
 Development projects should consider automated controls for incorporation into the application and the need to determine supporting manual controls. Financial institutions can implement appropriate security controls with greater cost effectiveness by designing them into the original software rather than making subsequent changes after implementation. When evaluating purchased software, financial institutions should consider the availability of products that have either been independently evaluated or received security accreditation through financial institution or information technology-related industry groups.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Section III. Operational Controls - Chapter 10

 10.1.1 Groundbreaking -- Position Definition
 Early in the process of defining a position, security issues should be identified and dealt with. Once a position has been broadly defined, the responsible supervisor should determine the type of computer access needed for the position. There are two general principles to apply when granting access: separation of duties and least privilege.
 Separation of duties refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. For example, in financial systems, no single individual should normally be given authority to issue checks. Rather, one person initiates a request for a payment and another authorizes that same payment. In effect, checks and balances need to be designed into both the process as well as the specific, individual positions of personnel who will implement the process. Ensuring that such duties are well defined is the responsibility of management.
 Least privilege refers to the security objective of granting users only those accesses they need to perform their official duties. Data entry clerks, for example, may not have any need to run analysis reports of their database. However, least privilege does not mean that all users will have extremely little functional access; some employees will have significant access if it is required for their position. However, applying this principle may limit the damage resulting from accidents, errors, or unauthorized use of system resources. It is important to make certain that the implementation of least privilege does not interfere with the ability to have personnel substitute for each other without undue delay. Without careful planning, access control can interfere with contingency plans.
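The two principles above can be made concrete in code. The following is an added illustration, not text or code from the NIST Handbook: a small role-based permission model in which each role holds only the permissions its duties need (least privilege), and a payment workflow in which the person who initiates a payment may not authorize it (separation of duties), even when that person happens to hold both permissions. A standing backup approver role shows how substitution for absent personnel can be planned for without an emergency privilege grant. All role names, permission strings, users and amounts are constructed for the example.

```python
"""Worked example of least privilege and separation of duties for a payment
workflow. Constructed illustration; roles, permissions and users are
assumptions, not taken from the NIST Handbook."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Least privilege: a role carries only what its holder needs. A data entry
# clerk can initiate payments but cannot run analysis reports or authorize.
ROLE_PERMISSIONS = {
    "data_entry_clerk": {"payment:initiate"},
    "payment_approver": {"payment:authorize"},
    "analyst": {"report:run"},
    # A standing backup role lets someone substitute for an absent approver
    # without an ad hoc privilege grant, so least privilege does not
    # interfere with contingency plans.
    "backup_approver": {"payment:authorize"},
}


@dataclass
class User:
    name: str
    roles: Set[str]

    def permissions(self) -> Set[str]:
        perms: Set[str] = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def can(self, permission: str) -> bool:
        return permission in self.permissions()


@dataclass
class Payment:
    amount: int
    payee: str
    initiated_by: Optional[str] = None
    authorized_by: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)


class AccessDenied(Exception):
    """Raised when a permission is missing or a separation-of-duties rule fails."""


def initiate_payment(user: User, payment: Payment) -> Payment:
    """First half of the check-and-balance: record who requested the payment."""
    if not user.can("payment:initiate"):
        raise AccessDenied(f"{user.name} lacks payment:initiate")
    if payment.initiated_by is not None:
        raise AccessDenied("payment already initiated")
    payment.initiated_by = user.name
    payment.audit_log.append(f"initiated by {user.name}")
    return payment


def authorize_payment(user: User, payment: Payment) -> Payment:
    """Second half: a different, suitably privileged person must approve."""
    if not user.can("payment:authorize"):
        raise AccessDenied(f"{user.name} lacks payment:authorize")
    if payment.initiated_by is None:
        raise AccessDenied("payment has not been initiated")
    # Separation of duties: holding both permissions is not enough; the same
    # individual may not perform both steps on the same payment.
    if payment.initiated_by == user.name:
        raise AccessDenied(
            f"separation of duties: {user.name} initiated this payment"
        )
    payment.authorized_by = user.name
    payment.audit_log.append(f"authorized by {user.name}")
    return payment


def attempt(action: Callable[[User, Payment], Payment], user: User,
            payment: Payment) -> str:
    """Run an action and report 'ok' or the denial reason."""
    try:
        action(user, payment)
        return "ok"
    except AccessDenied as exc:
        return str(exc)


if __name__ == "__main__":
    alice = User("alice", {"data_entry_clerk"})
    bob = User("bob", {"payment_approver"})
    carol = User("carol", {"data_entry_clerk", "payment_approver"})
    dave = User("dave", {"backup_approver"})
    pay = Payment(amount=2500, payee="Example Vendor")  # constructed sample
    print(attempt(initiate_payment, alice, pay))    # ok
    print(attempt(authorize_payment, alice, pay))   # denied: no authorize permission
    print(attempt(authorize_payment, bob, pay))     # ok
    own = initiate_payment(carol, Payment(100, "Example Vendor"))
    print(attempt(authorize_payment, carol, own))   # denied: separation of duties
    print(attempt(authorize_payment, dave, own))    # ok: backup approver substitutes
```

The two rules are deliberately separate checks: the permission test enforces least privilege per role, while the initiator comparison enforces separation of duties per transaction, which is what stops a user who legitimately holds both roles from completing a payment alone.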

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119