R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 15, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA. This provides compliance with Gramm-Leach-Bliley Act 501(b), and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - DHS sweetens cyber workforce recruiting with new bonuses - In the intense competition to hire qualified cybersecurity professionals, the government’s advantage has always been its appeal to a sense of mission, not necessarily large salaries. http://federalnewsradio.com/cybersecurity/2016/05/dhs-sweetens-cyber-workforce-recruiting-new-bonuses/

FYI - Insider likely culprit in breach at CDOT - Fingers are pointing to an unidentified former employee of the Colorado Department of Transportation (CDOT) as the perp behind a breach that could lead to a "risk of identity theft," the Denver Post reports. http://www.scmagazine.com/insider-likely-culprit-in-breach-at-cdot/article/494773/

FYI - 17 percent of IT pros confident they can defeat cyberattacks - A recent study conducted by an IT auditing firm found that only 17 percent of IT professionals were confident in their ability to defeat cyber attacks, and too few resources may be to blame. http://www.scmagazine.com/too-few-resources-human-error-obstacles-in-cyber-defenses/article/494906/

FYI - Android's security patch quagmire probed by US watchdogs - Feds finally wake up to sorry state of firmware fixes - Mobile carriers and gadget makers will be investigated over how slow they push important software security patches to people. The probe will be carried out by US trade watchdog the FTC and America's internet mall cop the FCC. http://www.theregister.co.uk/2016/05/09/fcc_ftc_android_updates/

FYI - Malware scan stalled misconfigured med software, mid-procedure - RTFM. No, really, read it - A user or reseller who couldn't be bothered configuring their antivirus properly has hit the headlines for interrupting doctors trying to insert a vascular catheter into a patient. http://www.theregister.co.uk/2016/05/09/malware_scan_stalled_misconfigured_med_software_midprocedure/

FYI - Proposed Legislation Aims to Elevate HHS CISO Role - Move Would Mirror Private Sector CISO Trend - A bipartisan bill proposing to elevate the position of CISO within the Department of Health and Human Services seeks to emulate moves that some larger private sector organizations - mostly outside of healthcare - have made in recent years. http://www.govinfosecurity.com/proposed-legislation-aims-to-elevate-hhs-ciso-role-a-9080

FYI - Florida security expert demoing flaw charged for unauthorized access - Although his intent to reveal security weaknesses seemed honorable, a Florida man who logged into a computer system with appropriated credentials and carried out SQL attacks now faces felony charges. http://www.scmagazine.com/florida-security-expert-demoing-flaw-charged-for-unauthorized-access/article/495516/

FYI - IT pros in financial services assert ability to detect breaches - Data breaches in the worlds of banking, credit and finance nearly doubled between 2014 and 2015, according to a report. http://www.scmagazine.com/it-pros-in-financial-services-assert-ability-to-detect-breaches/article/495985/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - ‘Stupid’ Locky Network Breached - For the second time in recent months, a white hat hacker appears to have broken into a C&C server for a major malware threat. http://www.darkreading.com/endpoint/stupid-locky-network-breached/d/d-id/1325421

FYI - Spearphishing attack nets $495K from investment firm - An employee at a Troy, Mich., investment firm was tricked via a spearphishing attack into transferring almost $500,000 to a Hong Kong bank. http://www.scmagazine.com/spearphishing-attack-nets-495k-from-investment-firm/article/494645/

FYI - Kroger warns past, present employees of possible compromise after Equifax W-2Express breach - Kroger alerted current and former employees this week that their data – including Social Security numbers and birth dates – may have been compromised as a result of a breach at Equifax's W-2Express website. http://www.scmagazine.com/kroger-warns-past-present-employees-of-possible-compromise-after-equifax-w-2express-breach/article/495023/

FYI - 2,800 St. Agnes Medical Center workers compromised in W-2 attack - St. Agnes Medical Center in Fresno, Calif., reported that about 2,800 staffers had their W-2 information compromised by a spearphishing attack earlier this month. http://www.scmagazine.com/2800-st-agnes-medical-center-workers-compromised-in-w-2-attack/article/494770/

FYI - Kiddicare suffers a data breach! 794,000 customer details are exposed - Kiddicare, a specialist child and baby retailer in the UK, has suffered a data breach and warned close to 800,000 customers that their personal data was exposed by hackers. http://www.scmagazine.com/kiddicare-suffers-a-data-breach-794000-customer-details-are-exposed/article/495363/

FYI - Taxpayer info exposed in five breaches, FDIC - The cases were reported only because of requirements that mandate that the FDIC – which provides banks with deposit insurance – disclose any breach exceeding 10,000 records. http://www.scmagazine.com/tax-payer-info-exposed-in-five-breaches-fdic/article/495508/

FYI - Bangladesh bank investigators reportedly find three separate network intruders - The investigation into the online heist that cost Bangladesh's central bank $81 million has taken a byzantine turn, as a new report surfaced of multiple hacking groups infiltrating the bank's network. http://www.scmagazine.com/bangladesh-bank-investigators-reportedly-find-three-separate-network-intruders/article/495870/

FYI - 300 Wendy's restaurants affected by POS malware attack earlier this year - Wendy's executives today released some details of its internal investigation into a hacking incident that was discovered earlier this year when customers began reporting unusual activity on payment cards that were used at some company restaurants. http://www.scmagazine.com/300-wendys-restaurants-affected-by-pos-malware-attack-earlier-this-year/article/495673/

FYI - UAE InvestBank hacked, nearly 100k recycled data records leaked? - A 10 gigabyte file holding sensitive financial data compromised from an InvestBank in the United Arab Emirates (UAE) has been leaked online. The file contains information on tens of thousands of customers from a bank based in Sharjah. http://www.scmagazine.com/nearly-100k-recycled-data-records-leaked-in-uae-investbank-breach/article/495837/

FYI - Securities fraudsters who stole from 100M people to be extradited from Israel - Two Israeli men accused of securities fraud and hacks into media outlets and nine financial institutions, including JPMorgan Chase, Fidelity Investments and E*Trade Financial Corp., will be extradited to the U.S. http://www.scmagazine.com/securities-fraudsters-who-stole-from-100m-people-to-be-extradited-from-israel/article/495688/

FYI - Scammers impersonate legit cyber-security companies - A scammer syndicate has been caught impersonating the services of cyber-security companies and charging high fees for doing very little. http://www.scmagazine.com/scammers-impersonate-legit-cyber-security-companies/article/495984/


WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
 

 The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds. 
 
 Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page.  Subsidiary web pages that advertise deposits must contain the official advertising statement.  Conversely, subsidiary web pages that relate to loans do not require the official advertising statement.



FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 SECURITY CONTROLS - IMPLEMENTATION
 

 LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 
 
 AUTHENTICATION - Shared Secret Systems (Part 2 of 2)
 
 Weaknesses in shared secret mechanisms generally relate to the ease with which an attacker can discover the secret. Attack methods vary.
 
 - A dictionary attack is one common and successful way to discover passwords. In a dictionary attack, the attacker obtains the system password file, and compares the password hashes against hashes of commonly used passwords.
 
 Controls against dictionary attacks include securing the password file from compromise, detection mechanisms to identify a compromise, heuristic intrusion detection to detect differences in user behavior, and rapid reissuance of passwords should the password file ever be compromised. While extensive character sets and storing passwords as one-way hashes can slow down a dictionary attack, those defensive mechanisms primarily buy the financial institution time to identify and react to the password file compromise.
 
 - An additional attack method targets a specific account and submits passwords until the correct password is discovered.
 
 Controls against those attacks are account lockout mechanisms, which commonly lock out access to the account after a risk-based number of failed login attempts.
 
 - A variation of the previous attack uses a popular password, and tries it against a wide range of usernames.
 
 Controls against this attack on the server are a high ratio of possible passwords to usernames, randomly generated passwords, and scanning the IP addresses of authentication requests and client cookies for submission patterns.
 
 - Password guessing attacks also exist. These attacks generally consist of an attacker gaining knowledge about the account holder and password policies and using that knowledge to guess the password.
 
 Controls include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed. Users with greater authorization or privileges, such as root users or administrators, should have longer, more complex passwords than other users.
 
 - Some attacks depend on patience, waiting until the logged-in workstation is unattended.
 
 Controls include automatically logging the workstation out after a period of inactivity (existing industry practice is no more than 20-30 minutes) and heuristic intrusion detection.
 
 - Attacks can take advantage of automatic login features, allowing the attacker to assume an authorized user's identity merely by using a workstation.
 
 Controls include prohibiting and disabling automatic login features, and heuristic intrusion detection.
 
 - Users' inadvertent or unthinking actions can compromise passwords. For instance, when a password is too complex to readily memorize, the user could write the password down but not secure the paper. Frequently, written-down passwords are readily accessible to an attacker under mouse pads or in other places close to the user's machine. Additionally, attackers frequently are successful in obtaining passwords by using social engineering and tricking the user into giving up their password.
 
 Controls include user training, heuristic intrusion detection, and simpler passwords combined with another authentication mechanism.
 
 - Attacks can also become much more effective or damaging if different network devices share the same or a similar password.
 
 Controls include a policy that forbids the same or similar password on particular network devices.
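The booklet's two server-side controls for single-account guessing (account lockout after a risk-based number of failures) and for the popular-password variant (scanning the IP addresses of authentication requests for submission patterns) can be checked against an authentication log. The following is an added example, not from the FFIEC booklet or this newsletter; the log format, the thresholds and the sample lines are constructed here for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not from the FFIEC booklet or this page).
SAMPLE_LOG = """\
2016-05-15T08:00:01 FAIL user=alice ip=198.51.100.9
2016-05-15T08:00:05 FAIL user=alice ip=198.51.100.9
2016-05-15T08:00:09 FAIL user=alice ip=198.51.100.9
2016-05-15T08:00:14 FAIL user=alice ip=198.51.100.9
2016-05-15T08:00:20 FAIL user=alice ip=198.51.100.9
2016-05-15T08:02:00 FAIL user=bob ip=203.0.113.7
2016-05-15T08:02:03 FAIL user=carol ip=203.0.113.7
2016-05-15T08:02:06 FAIL user=dave ip=203.0.113.7
2016-05-15T08:02:09 FAIL user=erin ip=203.0.113.7
2016-05-15T08:02:12 FAIL user=frank ip=203.0.113.7
2016-05-15T08:03:30 FAIL user=judy ip=192.0.2.5
2016-05-15T08:03:40 OK   user=judy ip=192.0.2.5
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Parse lines into (timestamp, succeeded, user, ip); malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            out.append((datetime.fromisoformat(ts), result == "OK", user, ip))
    return sorted(out)

def detect(records, window=timedelta(minutes=10), lockout_after=5, spray_users=5):
    """Return (accounts_to_lock, spraying_ips). Lockout: >= lockout_after failures
    on one account within `window` (a success resets the run). Spraying: one IP
    failing against >= spray_users accounts within `window`, at most 2 tries each."""
    runs, lock, fails_by_ip = defaultdict(list), set(), defaultdict(list)
    for ts, ok, user, ip in records:
        if ok:
            runs[user] = []                 # successful login ends the failure run
            continue
        runs[user] = [t for t in runs[user] if ts - t <= window] + [ts]
        if len(runs[user]) >= lockout_after:
            lock.add(user)
        fails_by_ip[ip].append((ts, user))
    spray = set()
    for ip, fails in fails_by_ip.items():
        for start, _ in fails:              # slide a window over this IP's failures
            users = Counter(u for t, u in fails if start <= t <= start + window)
            if len(users) >= spray_users and max(users.values()) <= 2:
                spray.add(ip)               # many accounts, few tries each
    return lock, spray
```

The second check matters because a spray never trips per-account lockout; it only shows up when failures are grouped by source address, which is the "submission patterns" control the booklet describes.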



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 6 - COMPUTER SECURITY PROGRAM MANAGEMENT
 
 
6.4 System-Level Computer Security Programs
 

 While the central program addresses the entire spectrum of computer security for an organization, system-level programs ensure appropriate and cost-effective security for each system. This includes influencing decisions about what controls to implement, purchasing and installing technical controls, day-to-day computer security administration, evaluating system vulnerabilities, and responding to security problems. It encompasses all the areas discussed in the handbook.
 
 System-level computer security program personnel are the local advocates for computer security. The system security manager/officer raises the issue of security with the cognizant system manager and helps develop solutions for security problems. For example, has the application owner made clear the system's security requirements? Will bringing a new function online affect security, and if so, how? Is the system vulnerable to hackers and viruses? Has the contingency plan been tested? Raising these kinds of questions will force system managers and application owners to identify and address their security requirements.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated