R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 4, 2017

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI
- The Federal Financial Institutions Examination Council published a Press Release announcing an update to the Cybersecurity Assessment Tool.  www.ffiec.gov/press/pr053117.htm

Malware can be spotted via network traffic, study - Studying network traffic going to suspicious domains could indicate to security administrators that their network is infected with malware – months before they might capture a sample of the invasive malware, says a new study out of the Georgia Institute of Technology. https://www.scmagazine.com/malware-can-be-spotted-via-network-traffic-study/article/664222/

'Thousands' of known bugs found in pacemaker code - Pacemakers, insulin pumps and other devices in hospitals harbour security problems that leave them vulnerable to attack, two separate studies warn. http://www.bbc.com/news/technology-40042584

Target to pay out $18.5M to states in breach settlement - In a settlement with the attorneys general of 47 states and the District of Columbia, retailer Target will fork over $18.5M as penalty for a breach which exposed the contact information of more than 60 million customers. https://www.scmagazine.com/target-to-pay-out-185m-to-states-in-breach-settlement/article/663905/

FTC finds thieves attempt to use stolen data within 9 min of breach - In an effort to see what happens after a data breach, the Federal Trade Commission leaked a database of 100 fake customers and found it only took 9 minutes for crooks to attempt to access the information. https://www.scmagazine.com/ftc-finds-data-breach-info-exploited-in-under-9-minutes/article/664540/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Harvard site defaced as Facebook CEO returns for commencement - Facebook CEO Mark Zuckerberg, who dropped out of Harvard 12 years ago to launch what would become the world's most popular online platform, received a rude welcome from the school newspaper upon his return to campus. https://www.scmagazine.com/harvard-site-defaced-as-facebook-ceo-returns-for-commencement/article/664722/

Chipotle's latest bug hurts your wallet, not your stomach - The Mexican food chain tells its customers Friday that their credit card information has been stolen by hackers. https://www.cnet.com/news/chipotles-hacked-customer-credit-card-information/

British Airways: Thousands disrupted as flights axed amid IT crash - Serious problems with British Airways' IT systems have led to thousands of passengers having their plans disrupted, after all flights from Heathrow and Gatwick were cancelled. http://www.bbc.com/news/uk-40069865



WEB SITE COMPLIANCE - We continue the series on FDIC Supervisory Insights regarding Incident Response Programs.  (2 of 12)

The Importance of an Incident Response Program

 A bank's ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.
 
 First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry's efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.  Compounding the problem is the difficulty an organization experiences in sustaining a "fully secured" posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management's efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.
 
 Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank's information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.  These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.  This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.  Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.
 
 Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank's reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

LOGGING AND DATA COLLECTION (Part 2 of 2)
  
  
When evaluating whether and what data to log, institutions should consider the importance of the related system or information, the importance of monitoring the access controls, the value of logged data in restoring a compromised system, and the means to effectively analyze the data. Generally, logs should capture source identification information; session ID; terminal ID; and the date, time, and the nature of the access attempt, service request, or process. Many hardware and software products come with logging disabled and may have inadequate log analysis and reporting capabilities. Institutions may have to enable the logging capabilities and then verify that logging remains enabled after rebooting. In some cases, additional software will provide the only means to analyze the log files effectively.
  
  Many products such as firewall and intrusion detection software can simplify the security monitoring by automating the analysis of the logs and alerting the appropriate personnel of suspicious activity. Log files are critical to the successful investigation and prosecution of security incidents and can potentially contain sensitive information. Intruders will often attempt to conceal any unauthorized access by editing or deleting log files. Therefore, institutions should strictly control and monitor access to log files. Some considerations for securing the integrity of log files include:
  
  ! Encrypting log files that contain sensitive data or that are transmitted over the network,
  ! Ensuring adequate storage capacity to avoid gaps in data gathering,
  ! Securing backup and disposal of log files,
  ! Logging the data to a separate, isolated computer,
  ! Logging the data to write-only media like a write-once/read-many (WORM) disk or drive,
  ! Utilizing centralized logging, such as the UNIX "SYSLOG" utility, and
  ! Setting logging parameters to disallow any modification to previously written data.
  
  The financial institution should have an effective means of tracing a security event through its systems. Synchronized time stamps on network devices may be necessary to gather consistent logs and a consistent audit trail. Additionally, logs should be available, when needed, for incident detection, analysis, and response.
  
  When using logs to support personnel actions, management should consult with counsel about whether the logs are sufficiently reliable to support the action.
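The booklet lists what a log record should capture (source identification, session ID, terminal ID, date/time, and the nature of the access attempt) and then lists controls that keep an intruder from quietly editing or deleting entries. The following Python script is an added example written for this newsletter, not code from the FFIEC or from Yennik, Inc.; it assumes a record layout of its own design, a constructed HMAC key that would in practice be held only on the separate log host, and three constructed sample records with fixed timestamps. Each record carries a keyed digest of its own fields plus the digest of the record before it, so an edited record fails its own check and a deleted record breaks the link of its successor. The example also shows the gap the chain alone leaves: dropping the newest records is only detected when the verifier has a count-and-last-digest checkpoint stored off the logged host, which is the point of the "separate, isolated computer" and WORM-media controls above.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for this example only; a real deployment keeps the key on the
# isolated log host so an intruder on the logged system cannot re-sign records.
LOG_KEY = b"example-log-integrity-key"
GENESIS_DIGEST = "0" * 64   # chain anchor used as "prev" for the first record


def _canonical(body):
    """Stable serialization so every verifier hashes exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_digest, source, session_id, terminal_id, action, ts):
    """Build one audit record with the fields the booklet lists, chained to prev."""
    body = {
        "ts": ts,                    # synchronized UTC clock assumed
        "source": source,            # source identification (e.g. client address)
        "session_id": session_id,
        "terminal_id": terminal_id,
        "action": action,            # nature of the access attempt / request
        "prev": prev_digest,         # digest of the previous record
    }
    body["digest"] = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


class ChainedLog:
    """Append-only in-memory log; each record is keyed to its predecessor."""

    def __init__(self):
        self.records = []

    def append(self, source, session_id, terminal_id, action, ts=None):
        prev = self.records[-1]["digest"] if self.records else GENESIS_DIGEST
        if ts is None:
            ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        rec = make_record(prev, source, session_id, terminal_id, action, ts)
        self.records.append(rec)
        return rec

    def checkpoint(self):
        """(record count, last digest) to store on the separate log host or WORM media."""
        last = self.records[-1]["digest"] if self.records else GENESIS_DIGEST
        return len(self.records), last


def verify_chain(records, checkpoint=None):
    """Return (True, -1) if intact, else (False, index of the first bad record).

    An edited record fails its own HMAC; a deleted record breaks the "prev"
    link of its successor.  Truncating the tail is only caught when the caller
    supplies the (count, last digest) checkpoint that was kept off the host.
    """
    prev = GENESIS_DIGEST
    for i, rec in enumerate(records):
        if rec.get("prev") != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "digest"}
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("digest", "")):
            return False, i
        prev = rec["digest"]
    if checkpoint is not None and (len(records), prev) != checkpoint:
        return False, len(records)
    return True, -1


def build_sample_log():
    """Constructed sample records (fixed timestamps so the chain is repeatable)."""
    log = ChainedLog()
    log.append("10.0.5.23", "S-1001", "TELLER-07", "login ok", "2017-06-01T13:02:11+00:00")
    log.append("10.0.5.23", "S-1001", "TELLER-07", "wire inquiry", "2017-06-01T13:04:40+00:00")
    log.append("10.0.9.8", "S-1002", "ADMIN-01", "login failed", "2017-06-01T13:05:02+00:00")
    return log


def tamper_demo():
    """Apply three tampering patterns to copies of the sample log and verify each."""
    log = build_sample_log()
    cp = log.checkpoint()
    edited = copy.deepcopy(log.records)
    edited[1]["action"] = "balance inquiry"      # alter one field in place
    deleted = [log.records[0], log.records[2]]   # remove the middle record
    truncated = log.records[:2]                  # drop the newest record
    return {
        "intact": verify_chain(log.records, cp),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_without_checkpoint": verify_chain(truncated),
        "truncated_with_checkpoint": verify_chain(truncated, cp),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:30s} -> {result}")
```

Running the script prints one line per scenario; the intact log verifies, the edited and deleted cases each fail at index 1, and the truncated log passes until the off-host checkpoint is supplied. In a deployment the checkpoint and the HMAC key live on the centralized log collector, and the collector, not the logged system, performs the verification.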



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 A computer security contingency is an event with the potential to disrupt computer operations, thereby disrupting critical mission and business functions. Such an event could be a power outage, hardware failure, fire, or storm. If the event is very destructive, it is often called a disaster.
 
 To avert potential contingencies and disasters, or to minimize the damage they cause, organizations can take steps early to control the event. Generally called contingency planning, this activity is closely related to incident handling, which primarily addresses malicious technical threats such as hackers and viruses.
 
 Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization.
 
 This chapter presents the contingency planning process in six steps:
 
 1)  Identifying the mission- or business-critical functions.
 
 2)  Identifying the resources that support the critical functions.
 
 3)  Anticipating potential contingencies or disasters.
 
 4)  Selecting contingency planning strategies.
 
 5)  Implementing the contingency strategies.
 
 6)  Testing and revising the strategy.
 
 Contingency planning directly supports an organization's goal of continued operations. Organizations practice contingency planning because it makes good business sense.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated