FFIEC information technology audits -
As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI
- Email fraud still a substantial threat to business - Business email compromise is still the most popular and most effective attack vector. The bulk of email fraud gangs still operate out of Nigeria, according to new research.
https://www.scmagazine.com/email-fraud-still-a-substantial-threat-to-business/article/768376/
Lack of cooperation between contractors creates lasting vulnerabilities for DoD, official says - Competition among U.S. weapons makers keeps them from collaborating on cybersecurity problems, and it's causing new and lasting vulnerabilities for the military, a senior U.S. official said Tuesday.
https://www.cyberscoop.com/lack-cooperation-contractors-creates-lasting-vulnerabilities-dod-official-says/
Pentagon Tightens Rules for Personal Mobile Devices - A US Defense
Department (DoD) policy memo released on May 22, 2018, says that all
Pentagon personnel, contractors, and visitors are no longer
permitted to have personal mobile devices in areas involved in
"processing, handling, or discussion of classified information."
https://media.defense.gov/2018/May/22/2001920731/-1/-1/1/PENTAGON-MOBILE-DEVICE-POLICY.PDF
US-CERT - What is home network security? - Home network security
refers to the protection of a network that connects devices to each
other and to the internet within a home.
https://www.us-cert.gov/ncas/tips/ST15-002
Banks Adopt Military-Style Tactics to Fight Cybercrime - In a windowless bunker here, a wall of monitors tracked incoming attacks (267,322 in the last 24 hours, according to one hovering dial, or about three every second) as a dozen analysts stared at screens filled with snippets of computer code.
https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html
Cobalt shrugs off arrests, resumes cyberattacks on banks - The
arrest of several leaders of the Cobalt cybergang, including its
leader, has not stopped the group from launching additional attacks
with the most recent being tracked late last week.
https://www.scmagazine.com/cobalt-shrugs-off-arrests-resumes-cyberattacks-on-banks/article/769127/
Face, iris scanners gaining ground on fingerprint readers as a
security measure - The biometric side of the cybersecurity equation
is getting ready to put fingerprint readers in its rear-view mirror
as newer technologies coming into the market prove more capable.
https://www.scmagazine.com/face-iris-scanners-gaining-ground-on-fingerprint-readers-as-a-security-measure/article/769591/
Cybercriminals on average have seven-day window of opportunity to
attack - Once a vulnerability is announced, the average attacker has
a seven-day window of opportunity to exploit the flaw before a
defender is even aware they are vulnerable.
https://www.scmagazine.com/cybercriminals-on-average-have-seven-day-window-of-opportunity-to-attack/article/769593/
Court dismisses Kaspersky suits challenging U.S. government ban - A
U.S. District Court Judge Wednesday ruled that a ban on Kaspersky
Lab products by the U.S. government set to take effect October 1 is
constitutional and tossed two lawsuits filed by the Russia-based
security firm.
https://www.scmagazine.com/court-dismisses-kaspersky-suits-challenging-us-government-ban/article/769596/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- VPNFilter malware with bricking capabilities poses major threat after infecting 500,000+ networking devices - A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.
https://www.scmagazine.com/malware-with-bricking-capabilities-poses-major-threat-after-infecting-500000-networking-devices/article/768231/
Luxury hackers crack Bimmers and Benzes, a tale of BMW's bugs and
Mercedes-Benz thugs - Hackers with a taste for some of the finer
things in life found a host of vulnerabilities in multiple BMW
vehicles while tech-savvy car thieves managed to hack into and steal
a Mercedes-Benz in 23 seconds.
https://www.scmagazine.com/luxury-hackers-crack-bimmers-and-benzes-a-tale-of-bmws-bugs-and-mercedes-benz-thugs/article/768267/
Coca-Cola hit with insider breach, 8,000 affected - The Coca-Cola
Company announced a data breach today possibly affecting about 8,000
workers due to a former employee having in their possession an
external hard drive containing employee personal data.
https://www.scmagazine.com/coca-cola-hit-with-insider-breach-8000-affected/article/769135/
Canadian banks warn data breach may have affected 90,000 customers -
Cybercriminals may have the stolen data of nearly 90,000 customers
from two of Canada's largest banks in what appears to be the first
significant cyberattack on a Canadian financial institution.
https://www.scmagazine.com/canadian-banks-warn-data-breach-may-have-affected-90000-customers/article/769080/
WEB SITE COMPLIANCE -
This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the delivery requirement for any of these disclosures, and for other information required by the act and regulations, by electronic communication, as long as the consumer agrees to that method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review the last of a three part series regarding controls to prevent and detect intrusions.
8) Encryption. Encryption is a means of securing data. Data can be encrypted when it is transmitted and when it is stored. Because networks are not impervious to penetration, management should evaluate the need to secure their data as well as their network. Management's use of encryption should be based on an internal risk assessment and a classification of data. The strength of encryption should be proportional to the risk and impact if the data were revealed.
9) Employee and Contractor Background Checks. Management should
ensure that information technology staff, contractors, and others
who can make changes to information systems have passed background
checks. Management also should revalidate periodically access lists
and logon IDs.
10) Accurate and Complete Records of Uses and Activities. Accurate
and complete records of users and activities are essential for
analysis, recovery, and development of additional security measures,
as well as possible legal action. Information of primary importance
includes the methods used to gain access, the extent of the
intruder's access to systems and data, and the intruder's past and
current activities. To ensure that adequate records exist,
management should consider collecting information about users and
user activities, systems, networks, file systems, and applications.
Consideration should be given to protecting and securing this
information by locating it in a physical location separate from the
devices generating the records, writing the data to a tamperproof
device, and encrypting the information both in transit and in
storage. The OCC expects banks to limit the use of personally
identifiable information collected in this manner for security
purposes, and to otherwise comply with applicable law and
regulations regarding the privacy of personally identifiable
information.
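The record-keeping controls in item 10 (records kept away from the generating device, written to a tamperproof store, encrypted, and carrying as little personal information as possible) can be illustrated in code. The following is an added example written for this newsletter, not code from the OCC bulletin: it chains each audit record to the previous one with a keyed digest so that any later edit, deletion or reordering is detected, and it replaces user names with keyed pseudonyms. The keys, the event fields and the sample events are constructed for the demonstration; the chain key is assumed to live on a separate log collector rather than on the host producing the records.

```python
"""Tamper-evident audit trail: an added example, not code from the OCC
bulletin. Each record is linked to the previous one with an HMAC-SHA256
digest, so editing, deleting or reordering an earlier record breaks the
chain on verification. The chain key is assumed to be held by a separate
log collector, never by the devices producing the records, and user
identifiers are replaced with keyed pseudonyms to limit stored PII."""
import hashlib
import hmac
import json
from typing import Dict, List

# Assumption: secrets held by the collector, not by the logging host.
CHAIN_KEY = b"constructed-chain-key-replace-in-practice"
PSEUDONYM_KEY = b"constructed-pseudonym-key-replace-in-practice"

GENESIS = "0" * 64  # previous-hash value for the first record


def pseudonymize(user: str) -> str:
    """Stable keyed pseudonym: the same user links across records, but the
    name itself is not stored in the trail."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]


def _digest(prev_hash: str, record: Dict) -> str:
    # sort_keys gives a canonical serialisation so verification is stable
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(CHAIN_KEY, payload.encode(), hashlib.sha256).hexdigest()


def append(chain: List[Dict], record: Dict) -> Dict:
    """Add a record to the chain, linking it to the previous entry's hash."""
    record = dict(record)
    if "user" in record:
        record["user"] = pseudonymize(record["user"])
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: List[Dict]) -> int:
    """Return -1 if the chain is intact, else the index of the first entry
    whose link or digest does not check out."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return i
        if not hmac.compare_digest(entry["hash"], _digest(prev, entry["record"])):
            return i
        prev = entry["hash"]
    return -1


# Constructed sample events covering what the bulletin says to record:
# the method used to gain access, the scope of access, and the activity.
SAMPLE_EVENTS = [
    {"ts": "2018-05-24T08:01:12Z", "user": "jdoe", "method": "vpn", "action": "login", "result": "ok"},
    {"ts": "2018-05-24T08:03:40Z", "user": "jdoe", "method": "vpn", "action": "read", "object": "/finance/q1.xlsx"},
    {"ts": "2018-05-24T08:05:02Z", "user": "svc-backup", "method": "console", "action": "sudo", "result": "denied"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def tamper_demo() -> Dict[str, int]:
    """What verify() reports for an intact, an edited and a truncated trail."""
    intact = build_sample_chain()
    edited = build_sample_chain()
    edited[2]["record"]["result"] = "ok"       # the denial is rewritten after the fact
    deleted = build_sample_chain()
    del deleted[1]                             # the file read is removed from the trail
    return {"intact": verify(intact), "edited": verify(edited), "deleted": verify(deleted)}


if __name__ == "__main__":
    print(tamper_demo())  # {'intact': -1, 'edited': 2, 'deleted': 1}
```

The chain only detects tampering; it does not prevent it, which is why the bulletin also asks for the records to be held on a separate, tamperproof device. Encrypting the serialised entries in transit and at rest is a separate layer and is not shown here.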
11) Vendor Management. Banks rely on service providers, software
vendors, and consultants to manage networks and operations. In
outsourcing situations, management should ensure that contractual
agreements are comprehensive and clear with regard to the vendor's
responsibility for network security, including its monitoring and
reporting obligations. Management should monitor the vendor's
performance under the contract, as well as assess the vendor's
financial condition at least annually.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND AUTHENTICATION
16.2.2 Smart Tokens (2 of 2)
There are other types of protocols, some more sophisticated and some less so. The three types described above are the most common.
Benefits of Smart Tokens
Smart tokens offer great flexibility and can be used to solve many
authentication problems. The benefits of smart tokens vary,
depending on the type used. In general, they provide greater
security than memory cards. Smart tokens can solve the problem of
electronic monitoring even if the authentication is done across an
open network by using one-time passwords.
1) One-time passwords. Smart tokens that use either dynamic password generation or challenge-response protocols can create one-time passwords. Electronic monitoring is not a problem with one-time passwords because each time the user is authenticated to the computer, a different "password" is used. (A hacker could learn the one-time password through electronic monitoring, but it would be of no value.)
2) Reduced risk of forgery. Generally, the memory on a
smart token is not readable unless the PIN is entered. In addition,
the tokens are more complex and, therefore, more difficult to forge.
3) Multi-application. Smart tokens with electronic
interfaces, such as smart cards, provide a way for users to access
many computers using many networks with only one log-in. This is
further discussed in the Single Log-in section of this chapter. In
addition, a single smart card can be used for multiple functions,
such as physical access or as a debit card.
Problems with Smart Tokens
Like memory tokens, most of the problems associated with smart
tokens relate to their cost, the administration of the system, and
user dissatisfaction. Smart tokens are generally less vulnerable to
the compromise of PINs because authentication usually takes place on
the card. (It is possible, of course, for someone to watch a PIN
being entered and steal that card.) Smart tokens cost more than
memory cards because they are more complex, particularly
challenge-response calculators.
Need reader/writers or human intervention. Smart tokens can
use either an electronic or a human interface. An electronic
interface requires a reader, which creates additional expense. Human
interfaces require more actions from the user. This is especially
true for challenge-response tokens with a manual interface, which
require the user to type the challenge into the smart token and the
response into the computer. This can increase user dissatisfaction.
Substantial Administration. Smart tokens, like passwords and
memory tokens, require strong administration. For tokens that use
cryptography, this includes key management.
Electronic reader/writers can take many forms, such as a slot in a PC or a separate external device. Most human interfaces consist of a keypad and display.